Search code examples
csrfreverse-proxycsrf-protectionwso2-identity-server

javax.servlet.ServletException: Possible CSRF attack. Refer header :

I am using two WSO2 Identity Server for back-end and Apache HTTP as front-end Load Balancer

When testing the browser the URL https://lab1.xx.xx/dashboard, I see the following error at the WSO2 console log: 

TID: [0] [IS] [2015-09-10 16:59:22,846] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} -  Could not handle request: /portal/gadgets/user_profile/js/main.js {org.wso2.carbon.tomcat.ext.valves.CompositeValve}
javax.servlet.ServletException: Possible CSRF attack. Refer header : https://lab1.xx.xx/dashboard/
        at org.wso2.carbon.ui.valve.CSRFValve.validateRefererHeader(CSRFValve.java:123)
        at org.wso2.carbon.ui.valve.CSRFValve.validatePatterns(CSRFValve.java:96)
        at org.wso2.carbon.ui.valve.CSRFValve.invoke(CSRFValve.java:71)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
        at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
        at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
        at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
        at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
        at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
        at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
        at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
        at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
        at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
        at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
        at java.lang.Thread.run(Thread.java:745)

I applied the Patch ID: WSO2-CARBON-PATCH-4.2.0-1256 and WSO2-IS-5.0.0-SP01

    <CSRFPreventionConfig>
            <Enabled>true</Enabled>
            <Rule>allow</Rule>

            <Patterns>
                    <Pattern>carbon</Pattern>
                    <Pattern>commonauth</Pattern>
                    <Pattern>samlsso</Pattern>
                    <Pattern>authenticationendpoint</Pattern>
                    <Pattern>wso2</Pattern>
                    <Pattern>oauth2</Pattern>
                    <Pattern>openid</Pattern>
                    <Pattern>openidserver</Pattern>
                    <Pattern>passivests</Pattern>
                    <Pattern>services</Pattern>
            </Patterns>

            <WhiteList>
                    <Url>https://localhost:9443</Url>
            </WhiteList>
    </CSRFPreventionConfig>

Any hint how to setup a CSRF Whitelist?

Regards, Raybar

Solution

  • Change your /repository/conf/carbon.xml file and on WhiteList element add the Url element with the text https://lab1.xx.xx.

    After changing that part must appears something like:

    <WhiteList>
    <Url>https://localhost:9443</Url>
    <Url>https://lab1.xx.xx</Url>
</WhiteList>