javax.servlet.ServletException:可能的 CSRF 攻击。参考 header :
javax.servlet.ServletException: Possible CSRF attack. Refer header :
我正在为 back-end 和 Apache HTTP 使用两个 WSO2 身份服务器作为 front-end 负载均衡器
在测试浏览器 URL https://lab1.xx.xx/dashboard 时,我在 WSO2 控制台日志中看到以下错误:
TID: [0] [IS] [2015-09-10 16:59:22,846] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} - Could not handle request: /portal/gadgets/user_profile/js/main.js {org.wso2.carbon.tomcat.ext.valves.CompositeValve}
javax.servlet.ServletException: Possible CSRF attack. Refer header : https://lab1.xx.xx/dashboard/
at org.wso2.carbon.ui.valve.CSRFValve.validateRefererHeader(CSRFValve.java:123)
at org.wso2.carbon.ui.valve.CSRFValve.validatePatterns(CSRFValve.java:96)
at org.wso2.carbon.ui.valve.CSRFValve.invoke(CSRFValve.java:71)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我应用了补丁 ID:WSO2-CARBON-PATCH-4.2.0-1256 和 WSO2-IS-5.0.0-SP01
<CSRFPreventionConfig>
<Enabled>true</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
</WhiteList>
</CSRFPreventionConfig>
任何关于如何设置 CSRF 白名单的提示?
问候,Raybar
更改您的 /repository/conf/carbon.xml 文件并在 WhiteList 元素上添加带有文本 https://lab1.xx.xx.
的 Url 元素
更改该部分后必须显示如下内容:
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://lab1.xx.xx</Url>
</WhiteList>
我添加了白名单,但是没有用,我仍然看到同样的错误日志。
它可能会添加到其他地方?
我的/repository/conf/carbon.xml 文件:
<CSRFPreventionConfig>
<Enabled>false</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
<Pattern>dashboard</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://ssohalab2.xx.xx:9443</Url>
<Url>https://lab1.xx.xx/dashboard/*</Url>
</WhiteList>
</CSRFPreventionConfig>
https://ssohalab2.xx.xx:9443 ---> SSO 服务器
https://lab1.xx.xx/dashboard/* ---> 反向代理
问候,Raybar
我正在为 back-end 和 Apache HTTP 使用两个 WSO2 身份服务器作为 front-end 负载均衡器
在测试浏览器 URL https://lab1.xx.xx/dashboard 时,我在 WSO2 控制台日志中看到以下错误:
TID: [0] [IS] [2015-09-10 16:59:22,846] ERROR {org.wso2.carbon.tomcat.ext.valves.CompositeValve} - Could not handle request: /portal/gadgets/user_profile/js/main.js {org.wso2.carbon.tomcat.ext.valves.CompositeValve}
javax.servlet.ServletException: Possible CSRF attack. Refer header : https://lab1.xx.xx/dashboard/
at org.wso2.carbon.ui.valve.CSRFValve.validateRefererHeader(CSRFValve.java:123)
at org.wso2.carbon.ui.valve.CSRFValve.validatePatterns(CSRFValve.java:96)
at org.wso2.carbon.ui.valve.CSRFValve.invoke(CSRFValve.java:71)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:178)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:141)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:156)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:52)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1070)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1736)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1695)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
我应用了补丁 ID:WSO2-CARBON-PATCH-4.2.0-1256 和 WSO2-IS-5.0.0-SP01
<CSRFPreventionConfig>
<Enabled>true</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
</WhiteList>
</CSRFPreventionConfig>
任何关于如何设置 CSRF 白名单的提示?
问候,Raybar
更改您的 /repository/conf/carbon.xml 文件并在 WhiteList 元素上添加带有文本 https://lab1.xx.xx.
的 Url 元素更改该部分后必须显示如下内容:
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://lab1.xx.xx</Url>
</WhiteList>
我添加了白名单,但是没有用,我仍然看到同样的错误日志。 它可能会添加到其他地方?
我的/repository/conf/carbon.xml 文件:
<CSRFPreventionConfig>
<Enabled>false</Enabled>
<Rule>allow</Rule>
<Patterns>
<Pattern>carbon</Pattern>
<Pattern>commonauth</Pattern>
<Pattern>samlsso</Pattern>
<Pattern>authenticationendpoint</Pattern>
<Pattern>wso2</Pattern>
<Pattern>oauth2</Pattern>
<Pattern>openid</Pattern>
<Pattern>openidserver</Pattern>
<Pattern>passivests</Pattern>
<Pattern>services</Pattern>
<Pattern>dashboard</Pattern>
</Patterns>
<WhiteList>
<Url>https://localhost:9443</Url>
<Url>https://ssohalab2.xx.xx:9443</Url>
<Url>https://lab1.xx.xx/dashboard/*</Url>
</WhiteList>
</CSRFPreventionConfig>
https://ssohalab2.xx.xx:9443 ---> SSO 服务器
https://lab1.xx.xx/dashboard/* ---> 反向代理
问候,Raybar