Tags: wso2, wso2-api-manager, windows-server-2012-r2, owasp

WSO2 API Manager 2.1 on Windows 2012 sign-in issue


I am having a problem with the latest out-of-the-box APIM 2.1 running on Microsoft Windows Server 2012 R2 Standard.

If I try to log in to the carbon console I get an "Error 403 - Forbidden" on the page https://server-url:9443/carbon/admin/login_action.jsp.

Console output is:

 WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.20.30.40, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)

Chrome network console shows:

login.jsp:43 GET https://server-url:9443/carbon/admin/js/csrfPrevention.js net::ERR_CONTENT_DECODING_FAILED  

Username and password are correct. I can log in to the publisher and store.

As a workaround I disabled the POST verification in Owasp.CsrfGuard.Carbon.properties, and login to the carbon console then works.

Any ideas what can cause the problem and how to really correct it?


Solution

  • This is a known issue with JDK 1.8.0_151. (Fixed in JDK 1.8.0_162ea)

    Please use JDK 1.8.0_144 instead.
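The following script is an added example, not part of the question or the answer above and not WSO2 code. It does two things a practitioner would want before and after applying the answer: it classifies the installed JDK from `java -version` output as affected or not (the answer names 1.8.0_151 as broken and 1.8.0_162 as fixed; treating every 1.8.0 update from 151 up to but not including 162 as affected is an assumption drawn from those two data points), and it parses Carbon log lines for the CSRFGuard "attack thwarted" warning so the symptom can be spotted in logs rather than by trying to log in. Note that the workaround in the question, disabling POST verification in Owasp.CsrfGuard.Carbon.properties, turns off the very check that produced the WARN line, so it should be reverted once the JDK is swapped. The sample log lines and version strings are constructed.

```python
import re
import subprocess

# Derived from the answer: 1.8.0_151 is affected, 1.8.0_162 (early access)
# is fixed. Assumption: every 1.8.0 update in [151, 162) is affected.
AFFECTED_FIRST_UPDATE = 151
FIXED_UPDATE = 162

# Matches the quoted version on the first line of `java -version`, e.g.
#   java version "1.8.0_151"
JAVA8_VERSION_RE = re.compile(r'"1\.8\.0_(\d+)')

# Matches the CSRFGuard warning WSO2 Carbon writes when a POST arrives
# without the expected token; field names follow the log line in the question.
CSRF_WARN_RE = re.compile(
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]+), ip:(?P<ip>[^,]+), method:(?P<method>[^,]+), "
    r"uri:(?P<uri>[^,]+), error:(?P<error>[^)]+)\)"
)


def parse_java8_update(version_output: str):
    """Return the Java 8 update number (e.g. 151) found in `java -version`
    output, or None if the output is not a 1.8.0_NNN version string."""
    m = JAVA8_VERSION_RE.search(version_output)
    return int(m.group(1)) if m else None


def is_affected_jdk(version_output: str) -> bool:
    """True if the version output names a JDK 8 update in the assumed
    affected range; non-Java-8 output is reported as not affected."""
    update = parse_java8_update(version_output)
    if update is None:
        return False
    return AFFECTED_FIRST_UPDATE <= update < FIXED_UPDATE


def installed_jdk_is_affected(java_cmd: str = "java") -> bool:
    """Run `java -version` (it prints to stderr) and classify the result."""
    proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    return is_affected_jdk(proc.stderr + proc.stdout)


def parse_csrf_warning(line: str):
    """Return the fields of a CSRFGuard 'attack thwarted' warning as a dict,
    or None if the line is not such a warning."""
    m = CSRF_WARN_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip() for k, v in m.groupdict().items()}
    # The missing-token error on the Carbon login POST is the signature of
    # the problem in the question, as opposed to a token mismatch.
    fields["missing_token_on_login"] = (
        fields["uri"] == "/carbon/admin/login_action.jsp"
        and fields["error"].startswith("required token is missing")
    )
    return fields


def find_csrf_warnings(log_text: str):
    """Scan a block of Carbon console output and return parsed warnings."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_csrf_warning(line)
        if parsed:
            hits.append(parsed)
    return hits


# Constructed sample input, modelled on the lines quoted in the question.
SAMPLE_LOG = """\
INFO - StartupFinalizerServiceComponent WSO2 Carbon started in 42 sec
WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.20.30.40, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)
INFO - Some unrelated line
"""

SAMPLE_VERSION_151 = (
    'java version "1.8.0_151"\n'
    'Java(TM) SE Runtime Environment (build 1.8.0_151-b12)\n'
)

if __name__ == "__main__":
    print("sample JDK affected:", is_affected_jdk(SAMPLE_VERSION_151))
    for hit in find_csrf_warnings(SAMPLE_LOG):
        print("CSRF warning:", hit)
    try:
        print("installed JDK affected:", installed_jdk_is_affected())
    except FileNotFoundError:
        print("java not found on PATH")
```

Run it on the host where API Manager is installed; if `installed JDK affected` prints `True`, change the JDK as the answer says and restore the CSRFGuard POST protection rather than leaving the workaround in place.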