Upgraded to v3.0.1: Getting an Invalid CSRF Token HTTP 403 Error on WebAnno Application


quig...@healthsciencessc.org

Feb 10, 2017, 10:38:23 AM
to webanno-user
I am updating my WebAnno Server installation from v2.3.1 to v3.0.1. 

I am using a Red Hat VM with:
- Java JRE 8
- MySQL 5.3
- Tomcat 8
- WebAnno is run behind Apache httpd
- Authentication for WebAnno: Shibboleth

My WebAnno v2.3.1 instance worked, but once I updated to v3.0.1 it does not. I can log in to the WebAnno application and am taken to: https://mysite/welcome.html?0. If I click on Manage Users, I am taken to https://mysite/users.html?3 and see the users on the left-hand side. Once I click on a user I am sent to this URL: https://mysite/users.html?3-1.IFormSubmitListener-selectionForm and I get this error message:

HTTP Status 403 - Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-CSRF-TOKEN'. Access to the specified resource has been forbidden.
This also happens if I go to Projects, Annotation, Curation, etc. I am having trouble figuring out how and why this is happening, especially since v2.3.1 was working fine. I'd appreciate any help.


Thanks,

Erin

Richard Eckart de Castilho

Feb 10, 2017, 10:49:28 AM
to quig...@healthsciencessc.org, webanno-user
Hi Erin,

that sounds odd. CSRF protection is actually disabled in WebAnno (not the best solution, but that's currently the case).

Maybe you still have some remnants of v2.3.1 hanging around?

Is WebAnno the only application in your Tomcat?

When you installed the v3.0.1 WAR, did you make sure that the working directory of Tomcat was cleared (it contains persisted sessions)? What I always do on upgrade is:

- delete the old WAR from webapps
- wait until Tomcat has automatically deleted the extracted directory of the webapp (that also clears the working dir)
- stop tomcat
- start tomcat
- place the new WAR into webapps

Also, did you try reloading WebAnno in your browser while bypassing/clearing the browser cache? Depending on the browser, that may require holding the Shift or Ctrl key while pressing F5 or the reload button in the toolbar.

Cheers,

-- Richard

Fabian Schmidt

Mar 27, 2017, 1:51:07 PM
to webanno-user, quig...@healthsciencessc.org
I ran into the same problem with a fresh installation of webanno 3.1. The apache username shows up fine in the tomcat access logs and if I pass the username in an extra header, e.g.:

    RewriteRule .* - [E=MY_REMOTE_USER:%{LA-U:REMOTE_USER}]
    RequestHeader add remote_user %{MY_REMOTE_USER}e

it will be recognized by WebAnno.
"Create Project" results in "Expected CSRF token not found. Has your session expired?" and a management of users leads to the 403 mentioned by Erin.

Is there a recommended apache config to pass the user name to WebAnno? As far as I understand tomcat, the username should be available via request.getRemoteUser() out of the box.

Cheers,

Fabian.

Richard Eckart de Castilho

Mar 27, 2017, 2:26:22 PM
to Fabian Schmidt, webanno-user, quig...@healthsciencessc.org
You are using external pre-authentication?

-- Richard

Fabian Schmidt

Mar 27, 2017, 3:20:32 PM
to webanno-user, fsch...@informatik.uni-leipzig.de, quig...@healthsciencessc.org
Yes (using ldap).

Fabian.

Richard Eckart de Castilho

Mar 27, 2017, 3:47:10 PM
to Fabian Schmidt, webanno-user, quig...@healthsciencessc.org
Aha!

Could you please manually edit the file WEB-INF/preAuthSecurity-context.xml in your deployed WebAnno instance and change this part here:

<http use-expressions="false" entry-point-ref="http403EntryPoint">

    <csrf disabled="true" /> <!-- THIS IS A NEW LINE TO DISABLE CSRF -->

    <intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_USER" />
    <custom-filter ref="ShibbolethHeaderFilter" position="PRE_AUTH_FILTER" />
</http>

Please let me know if it works. I think it should and if yes, I'll add this new line in the repo as well.

Cheers,

-- Richard
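
The following is an added example, not code from the thread or from the WebAnno project. It checks whether a deployed Spring Security XML context (the `WEB-INF/preAuthSecurity-context.xml` edited above) actually carries the `<csrf disabled="true"/>` element inside its `<http>` block, so an admin can confirm the workaround is in place after a redeploy rather than waiting for the next 403. The two XML strings are constructed from the snippet in the message; the `beans:beans` root and namespace declarations are assumptions about the surrounding file, and the function names are mine.

```python
"""Verify the CSRF setting of a Spring Security XML <http> block.

Added example; assumes the security namespace is the default namespace of
the file, as in the snippet quoted in the thread (elements without prefix).
"""
import xml.etree.ElementTree as ET

SECURITY_NS = "http://www.springframework.org/schema/security"
BEANS_NS = "http://www.springframework.org/schema/beans"

# Constructed reconstruction of the <http> block as it looked before the fix
# (no <csrf> element, so Spring Security's default CSRF protection applies).
BEFORE = f"""<beans:beans xmlns="{SECURITY_NS}" xmlns:beans="{BEANS_NS}">
  <http use-expressions="false" entry-point-ref="http403EntryPoint">
    <intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_USER" />
    <custom-filter ref="ShibbolethHeaderFilter" position="PRE_AUTH_FILTER" />
  </http>
</beans:beans>
"""

# Constructed version carrying the line Richard asked to add.
AFTER = f"""<beans:beans xmlns="{SECURITY_NS}" xmlns:beans="{BEANS_NS}">
  <http use-expressions="false" entry-point-ref="http403EntryPoint">
    <csrf disabled="true" /> <!-- THIS IS A NEW LINE TO DISABLE CSRF -->
    <intercept-url pattern="/**" access="ROLE_ADMIN, ROLE_USER" />
    <custom-filter ref="ShibbolethHeaderFilter" position="PRE_AUTH_FILTER" />
  </http>
</beans:beans>
"""


def _local(tag):
    """Strip a Clark-notation namespace: '{ns}http' -> 'http'."""
    return tag.rsplit("}", 1)[-1]


def csrf_status(xml_text):
    """Describe the CSRF configuration of the first <http> element.

    In Spring Security's XML namespace, CSRF protection is on by default and
    is switched off only by an explicit <csrf disabled="true"/> child.
    Returns a dict with:
      csrf_element_present - whether any <csrf> child exists
      csrf_disabled        - whether that child carries disabled="true"
      intercept_urls       - (pattern, access) pairs, for a quick sanity read
    """
    root = ET.fromstring(xml_text)
    http_elems = [e for e in root.iter() if _local(e.tag) == "http"]
    if not http_elems:
        raise ValueError("no <http> element found in the security context")
    http = http_elems[0]

    csrf = [e for e in http if _local(e.tag) == "csrf"]
    disabled = bool(csrf) and csrf[0].get("disabled", "false").lower() == "true"
    intercepts = [
        (e.get("pattern"), e.get("access"))
        for e in http
        if _local(e.tag) == "intercept-url"
    ]
    return {
        "csrf_element_present": bool(csrf),
        "csrf_disabled": disabled,
        "intercept_urls": intercepts,
    }


def check_file(path):
    """Load a deployed context file and return csrf_status() for it."""
    with open(path, encoding="utf-8") as fh:
        return csrf_status(fh.read())


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        status = csrf_status(text)
        print(f"{label}: csrf_disabled={status['csrf_disabled']} "
              f"intercept_urls={status['intercept_urls']}")
```

Run `check_file("/path/to/tomcat/webapps/webanno/WEB-INF/preAuthSecurity-context.xml")` against the deployed copy; `csrf_disabled` being `False` while pre-authentication is in use is the state that produced the 403 above. The tag-name comparison ignores namespaces on purpose, so the check still works if the file prefixes the security elements instead of using them as the default namespace.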

Fabian Schmidt

Mar 27, 2017, 3:59:40 PM
to webanno-user, quig...@healthsciencessc.org
Works for me.

Thanks a lot!

Cheers, Fabian.

Richard Eckart de Castilho

Mar 27, 2017, 4:20:29 PM
to Fabian Schmidt, webanno-user, quig...@healthsciencessc.org
Great. Thanks for bringing this up again and testing!

Erin, sorry that I didn't recognize this properly the first time!

Cheers,

-- Richard

quig...@healthsciencessc.org

Mar 28, 2017, 7:32:14 AM
to webanno-user, fsch...@informatik.uni-leipzig.de, quig...@healthsciencessc.org
Not a problem at all! Thanks for all your help and support. I am going to make this configuration change in my installation. Thanks again!