Do you know what uses guava-11.0.2.jar in WEB-INF\lib?
I use a newer version in my application that runs on Amazon AWS.
I recently had a problem updating to a newer OS version. After going beyond v2.2.0, my application could not find some functions that were in the newer version of guava but not in 11. For some reason, Amazon v2.3.0, v2.3.1, and v2.4.0 were finding and using guava 11, but v2.2.0 and earlier found and used my newer version of guava.
After replacing the jforum guava with the newer version I have been able to go to the newer Amazon OS.
I am just letting anyone know in case they have similar problems.
Also, if I know what in jforum uses guava, I can test it to make sure it is working with the newer version.
|
|
|
In csrfguard.properties I changed:
org.owasp.csrfguard.Config.Print = false
And re-enabled the CSRFGuard filter-mapping in web.xml. I did still need to limit it to *.page to prevent interference with my application.
Initial tests seem OK.
|
|
|
Never mind ...
It was just a coincidental change in my dynamic IP address and I needed to set a security rule for the new address.
Thanks for your help.
Best Regards,
Spencer
|
|
|
I have a strange problem. I recently upgraded to 2.4.1 on my local machine and had not yet finished testing it.
A friend was going to try using jforum for his site. I was going to tell him how to set it up, so I created a project in NetBeans and took it to the install.jsp. I closed it and never completed the install.
Then, when I tried to load my app, NetBeans also started the temp project, which had also switched the Java version being used by glassfish. After correcting those problems, I still have a problem with jforum.
Could starting the install of a different project cause problems with C3P0?
When I try to access jforum it has a long hang but eventually reports:
Severe: WebModule[/MapBake8]StandardWrapper.Throwable
net.jforum.exceptions.ForumStartupException: Error while starting jforum
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:118)
at com.mchange.v2.sql.SqlUtils.toSQLException(SqlUtils.java:77)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:690)
at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140)
at net.jforum.C3P0PooledConnection.getConnection(C3P0PooledConnection.java:156)
at net.jforum.JForum.init(JForum.java:121)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1583)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:1212)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:237)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
Caused by: net.jforum.exceptions.DatabaseException: java.sql.SQLException: An attempt by a client to checkout a Connection has timed out.
... 34 more
Caused by: java.sql.SQLException: An attempt by a client to checkout a Connection has timed out.
... 34 more
Caused by: com.mchange.v2.resourcepool.TimeoutException: A client timed out while waiting to acquire a resource from com.mchange.v2.resourcepool.BasicResourcePool@49dfa305 -- timeout at awaitAvailable()
at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1467)
at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644)
at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685)
... 31 more
Warning: StandardWrapperValve[jforum]: Allocate exception for servlet jforum
com.mchange.v2.resourcepool.TimeoutException: A client timed out while waiting to acquire a resource from com.mchange.v2.resourcepool.BasicResourcePool@49dfa305 -- timeout at awaitAvailable()
at com.mchange.v2.resourcepool.BasicResourcePool.awaitAvailable(BasicResourcePool.java:1467)
at com.mchange.v2.resourcepool.BasicResourcePool.prelimCheckoutResource(BasicResourcePool.java:644)
at com.mchange.v2.resourcepool.BasicResourcePool.checkoutResource(BasicResourcePool.java:554)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutAndMarkConnectionInUse(C3P0PooledConnectionPool.java:758)
at com.mchange.v2.c3p0.impl.C3P0PooledConnectionPool.checkoutPooledConnection(C3P0PooledConnectionPool.java:685)
at com.mchange.v2.c3p0.impl.AbstractPoolBackedDataSource.getConnection(AbstractPoolBackedDataSource.java:140)
at net.jforum.C3P0PooledConnection.getConnection(C3P0PooledConnection.java:156)
at net.jforum.JForum.init(JForum.java:121)
at org.apache.catalina.core.StandardWrapper.initServlet(StandardWrapper.java:1583)
at org.apache.catalina.core.StandardWrapper.allocate(StandardWrapper.java:1212)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:237)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
|
|
|
The changes had no effect. The same problems occur.
My unprotected settings (which seem to have no effect) are:
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Local=%servletContext%/MapBake
org.owasp.csrfguard.unprotected.Ajax=%servletContext%/MB1*
org.owasp.csrfguard.unprotected.Ajax2=/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal=%servletContext%/MapBake/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal2=/MapBake/MB1*
org.owasp.csrfguard.unprotected.MB1=MB1*
org.owasp.csrfguard.unprotected.allMB1=*MB1
org.owasp.csrfguard.unprotected.Jsp=*.jsp
org.owasp.csrfguard.unprotected.Jpeg=*.jpg
org.owasp.csrfguard.unprotected.Gif=*.gif
org.owasp.csrfguard.unprotected.Png=*.png
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.Flash=*.swf
org.owasp.csrfguard.unprotected.JavaScript=*.js
The /MapBake is only on my local testing server and will not be needed/used on the live server.
|
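As an added illustration (not part of the original post, and not JForum or CSRFGuard code), the Python example below evaluates the unprotected entries quoted in the post above against a request URI. It assumes the bundled CSRFGuard matches these entries servlet-style (exact match, a trailing /* path prefix, or a leading *. extension); that rule and all function names here are assumptions to verify against the CsrfGuard source shipped in WEB-INF/lib.

```python
# Added example. Assumption: "unprotected" entries are matched like servlet
# url-patterns (exact, "/prefix/*", "*.ext"), with no general wildcard support.

# Entries copied from the post above.
SAMPLE_PROPERTIES = """\
org.owasp.csrfguard.unprotected.Default=%servletContext%/
org.owasp.csrfguard.unprotected.Local=%servletContext%/MapBake
org.owasp.csrfguard.unprotected.Ajax=%servletContext%/MB1*
org.owasp.csrfguard.unprotected.Ajax2=/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal=%servletContext%/MapBake/MB1*
org.owasp.csrfguard.unprotected.AjaxLocal2=/MapBake/MB1*
org.owasp.csrfguard.unprotected.MB1=MB1*
org.owasp.csrfguard.unprotected.allMB1=*MB1
org.owasp.csrfguard.unprotected.Jsp=*.jsp
org.owasp.csrfguard.unprotected.Jpeg=*.jpg
org.owasp.csrfguard.unprotected.Gif=*.gif
org.owasp.csrfguard.unprotected.Png=*.png
org.owasp.csrfguard.unprotected.Css=*.css
org.owasp.csrfguard.unprotected.Flash=*.swf
org.owasp.csrfguard.unprotected.JavaScript=*.js
"""

PREFIX = "org.owasp.csrfguard.unprotected."


def load_unprotected(text, context_path):
    """Return {entry name: pattern} with %servletContext% expanded."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = key.strip()
        if key.startswith(PREFIX):
            pattern = value.strip().replace("%servletContext%", context_path)
            entries[key[len(PREFIX):]] = pattern
    return entries


def servlet_style_match(pattern, uri):
    """Return 'exact', 'path' or 'extension' when pattern covers uri, else None."""
    if pattern == uri:
        return "exact"
    if pattern == "/*":
        return "path"
    if pattern.endswith("/*"):
        base = pattern[:-2]
        if uri == base or uri.startswith(base + "/"):
            return "path"
        return None
    if pattern.startswith("*."):
        last_segment = uri.rsplit("/", 1)[-1]
        if "." in last_segment and last_segment.rsplit(".", 1)[-1] == pattern[2:]:
            return "extension"
        return None
    # A "*" anywhere else (e.g. "/MB1*" or "*MB1") is just a literal character.
    return None


def matching_entries(text, context_path, uri):
    """Map each unprotected entry that covers uri to the kind of match."""
    result = {}
    for name, pattern in load_unprotected(text, context_path).items():
        kind = servlet_style_match(pattern, uri)
        if kind:
            result[name] = kind
    return result


if __name__ == "__main__":
    # Request URI taken from the log line "CsrfGuard analyzing request /MapBake/MB1".
    print(matching_entries(SAMPLE_PROPERTIES, "/MapBake", "/MapBake/MB1"))
    # Hypothetical replacement entries (names Fix and FixTree are made up here).
    candidate = (PREFIX + "Fix=%servletContext%/MB1\n"
                 + PREFIX + "FixTree=%servletContext%/MB1/*\n")
    print(matching_entries(candidate, "/MapBake", "/MapBake/MB1"))
```

Under this assumption none of the posted entries covers /MapBake/MB1, while an exact entry or a /MB1/* path entry does. Any entry added this way removes the token check for that URI, so it belongs only on endpoints that do not change state.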
|
|
When I enable csrf, in addition to breaking my site, on the server I get many of the following errors:
Warning: StandardWrapperValve[default]: Servlet.service() for servlet default threw exception
java.lang.IllegalStateException: Cannot create a session after the response has been committed
at org.apache.catalina.connector.Request.doGetSession(Request.java:3251)
at org.apache.catalina.connector.Request.getSession(Request.java:2884)
at org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
Then if I try to reload the page it intercepts the ajax calls (even if I turn off ajax and unprotect them in the csrfguard.properties) and I get:
Info: [Mon May 11 13:32:06 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/MB1
Severe: [Mon May 11 13:32:06 EDT 2015] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:%request_method%, uri:unknown module for /MapBake/MB1, error:required token is missing from the request)
Severe: An exception or error occurred in the container during the request processing
java.lang.IllegalStateException: isHexDigit
at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:243)
at org.glassfish.grizzly.http.util.URLDecoder.decodeAscii(URLDecoder.java:159)
at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:71)
at org.glassfish.grizzly.http.util.HttpRequestURIDecoder.decode(HttpRequestURIDecoder.java:160)
at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:133)
at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:114)
at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:435)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:297)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
|
|
|
Yes, I did limit it to *.page.
When I did not do this the token interfered with the functionality of the site.
I will see if I can isolate the csrf so it does not interfere.
It would be good to have a test scenario for when csrf does prevent access to ensure that has proper behavior (and maybe an email notification of any problems).
|
|
|
I finally enabled csrf a couple of days ago on my live site, and from the logs I see it analyzing requests.
Then today I got an error and had this in the log:
[Sun May 10 01:28:10 UTC 2015] [Info] CsrfGuard analyzing request /forums/list.page
May 10, 2015 1:28:10 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [jforum] in context with path [] threw exception
java.lang.IllegalStateException: CsrfGuard expects the token to exist in session at this point
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:386)
at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:95)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:683)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:314)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
|
|
|
It seems to be working. Is there a way to simulate a Cross Site Request Forgery for testing? When it was incorrectly identifying a csrf it seemed to redirect to a non-existent page.
Also, I set the web.xml to map the filtering of csrfguard to *.page. Are there any others that should also be checked?
|
|
|
In csrf.properties I set list=AddToken
Since I changed the index.jsp that came with jforum to forum.jsp, in csrfguard.properties I set org.owasp.csrfguard.NewTokenLandingPage=%servletContext%/forum.jsp
I did get further. I was able to go through the forums, but when I try to open a post it thinks it is a cross-site request forgery and directs the browser to %servletContext%/error.html?OWASP_CSRFTOKEN=PBDD-410O-6Z38-IB97-MU6N-HCIG-IUT6-R8D2
On the server it has:
Info: [Wed Apr 15 19:15:59 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/forums/show/1.page
Info: [Wed Apr 15 19:16:04 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/posts/list/16.page
Severe: [Wed Apr 15 19:16:04 EDT 2015] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:%request_method%, uri:list, error:required token is missing from the request)
Severe: An exception or error occurred in the container during the request processing
java.lang.IllegalStateException: isHexDigit
at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:243)
at org.glassfish.grizzly.http.util.URLDecoder.decodeAscii(URLDecoder.java:159)
at org.glassfish.grizzly.http.util.URLDecoder.decode(URLDecoder.java:71)
at org.glassfish.grizzly.http.util.HttpRequestURIDecoder.decode(HttpRequestURIDecoder.java:160)
at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:133)
at org.glassfish.grizzly.http.util.RequestURIRef.getDecodedRequestURIBC(RequestURIRef.java:114)
at org.apache.catalina.connector.CoyoteAdapter.postParseRequest(CoyoteAdapter.java:435)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:297)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
|
|
|
I am trying to upgrade to 2.4.0.
It interferes with my application. I tried changing various settings in csrfguard.properties but they did not seem to have any effect.
Everything seems to work if I disable the CSRFGuard filter mapping in web.xml. But even if I only have it filter map the forum pages it has problems that report "HTTP Status 500 - Internal Server Error" with the following on the server:
Info: [Tue Apr 14 00:34:57 EDT 2015] [Info] CsrfGuard analyzing request /MapBake/forums/list.page
Warning: StandardWrapperValve[jforum]: Servlet.service() for servlet jforum threw exception
java.lang.IllegalStateException: CsrfGuard expects the token to exist in session at this point
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:386)
at net.jforum.csrf.CsrfFilter.doFilter(CsrfFilter.java:95)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:256)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:316)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
at org.apache.catalina.core.StandardPipeline.doInvoke(StandardPipeline.java:734)
at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:673)
at com.sun.enterprise.web.WebPipeline.invoke(WebPipeline.java:99)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:174)
at org.apache.catalina.connector.CoyoteAdapter.doService(CoyoteAdapter.java:357)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:260)
at com.sun.enterprise.v3.services.impl.ContainerMapper.service(ContainerMapper.java:188)
at org.glassfish.grizzly.http.server.HttpHandler.runService(HttpHandler.java:191)
at org.glassfish.grizzly.http.server.HttpHandler.doHandle(HttpHandler.java:168)
at org.glassfish.grizzly.http.server.HttpServerFilter.handleRead(HttpServerFilter.java:189)
at org.glassfish.grizzly.filterchain.ExecutorResolver$9.execute(ExecutorResolver.java:119)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeFilter(DefaultFilterChain.java:288)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.executeChainPart(DefaultFilterChain.java:206)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.execute(DefaultFilterChain.java:136)
at org.glassfish.grizzly.filterchain.DefaultFilterChain.process(DefaultFilterChain.java:114)
at org.glassfish.grizzly.ProcessorExecutor.execute(ProcessorExecutor.java:77)
at org.glassfish.grizzly.nio.transport.TCPNIOTransport.fireIOEvent(TCPNIOTransport.java:838)
at org.glassfish.grizzly.strategies.AbstractIOStrategy.fireIOEvent(AbstractIOStrategy.java:113)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.run0(WorkerThreadIOStrategy.java:115)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy.access$100(WorkerThreadIOStrategy.java:55)
at org.glassfish.grizzly.strategies.WorkerThreadIOStrategy$WorkerThreadRunnable.run(WorkerThreadIOStrategy.java:135)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.doWork(AbstractThreadPool.java:564)
at org.glassfish.grizzly.threadpool.AbstractThreadPool$Worker.run(AbstractThreadPool.java:544)
at java.lang.Thread.run(Thread.java:745)
Is there something that needs to be done to have the token created?
Thanks,
Spencer
|
|
|
If I make the schema change in advance, will 2.3.4 still run OK?
|
|
|
In preparation for upgrading to 2.3.5 I want to know if I need to do the database schema change or is it done for me?
|
|
|
It was the incorrect setting of forum link.
It is working now.
Thank you again.
Spencer
|
|
|
I saw that jforum servlets are mapped to *.page. I may have misstated what was happening. When I went to the domain with no page specified, it was going to jforum and not the index.htm which I specified in the <welcome-file-list> of web.xml.
There are 3 jsp files provided with jforum (index.jsp, install.jsp, and ping_session.jsp) in web. I changed index.jsp to forum.jsp and it now goes to my index.htm instead of jforum.
I posted about this on another thread (<welcome-file-list> ignored).
I think setting SystemGlobals.properties as:
forum.link = http://www.mapbake.com/
homepage.link = http://www.mapbake.com/
may fix it. It worked locally...
I will do some more testing before deploying live later today.
Thanks for your help.
Spencer
|
|
|