
AuthenticationFilter swallows errors in CSRF Filter

    • Type: Bug Report
    • Resolution: Unresolved
    • Priority: L3 - Default
    • Component: webapp

      When an invalid CSRF token is submitted, the CSRF Filter invalidates the current session and an error should be sent back. The actual exception is swallowed by the Authentication Filter though.

      Steps to reproduce:

      1. start a Camunda distribution using Tomcat
      2. do a POST request without providing any CSRF token (or with an invalid CSRF token), for example:
        POST http://localhost:8080/camunda/api/admin/setup/default/user/create
        
        {
          "profile": {
            "id": "foo",
            "firstName": "foo",
            "lastName": "foo",
            "email": ""
          },
          "credentials": {
            "password": "foo"
          }
        }
        

      Observed Behavior:
      A 500 response code is returned along with a stack trace:

      HTTP Status 500 – Internal Server Error
      Type: Exception Report
      Message: Cannot create a session after the response has been committed
      Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
      Exception:
      java.lang.IllegalStateException: Cannot create a session after the response has been committed
      	org.apache.catalina.connector.Request.doGetSession(Request.java:2974)
      	org.apache.catalina.connector.Request.getSession(Request.java:2416)
      	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
      	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920)
      	org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:67)
      Note: The full stack trace of the root cause is available in the server logs.
      Apache Tomcat/9.0.12
      

      Expected Behavior:

      • The actual error (i.e. "Token provided via HTTP Header is absent/empty." or "Invalid HTTP Header Token.") is returned.
      • The status code is 403.

      Hint:

      • The call req.getSession() throws an IllegalStateException because it tries to create a new session (the original session has already been invalidated by the CSRF filter), and creating a new session fails because the response is already committed.
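        As an added illustration (constructed for this issue, not Camunda or Tomcat code), the following Python model replays the chain from the hint above: the CSRF filter invalidates the session and sends the 403, the unguarded authentication filter then calls getSession() and the container reports the IllegalStateException as the 500 seen above, while a guarded variant that checks isCommitted() and uses getSession(false) lets the 403 through. The class and function names, the filter-chain runner and the assumption that the CSRF filter passes the request on to the next filter are all assumptions of the example.

```python
# Constructed simulation of the CAM-9589 filter chain (assumed names; not Camunda or Tomcat code).
class IllegalStateException(RuntimeError): pass  # stands in for java.lang.IllegalStateException
EXPECTED_TOKEN = "constructed-token"  # stands in for the real per-session CSRF token

class Response:
    def __init__(self):
        self.status, self.body, self.committed = 200, "", False
    def send_error(self, status, message):
        # Like HttpServletResponse.sendError(): from here on the response counts as committed.
        self.status, self.body, self.committed = status, message, True

class Request:
    def __init__(self, csrf_token=None):
        self.csrf_token, self.session = csrf_token, {"authenticated": False}
    def get_session(self, resp, create=True):
        # Mirrors Tomcat's Request.doGetSession(): a new session cannot be created once the
        # response is committed; getSession(false) just returns None instead.
        if self.session is None and create:
            if resp.committed:
                raise IllegalStateException("Cannot create a session after the response has been committed")
            self.session = {"authenticated": False}
        return self.session

def csrf_filter(req, resp, chain):
    error = ("Token provided via HTTP Header is absent/empty." if not req.csrf_token
             else "Invalid HTTP Header Token." if req.csrf_token != EXPECTED_TOKEN else None)
    if error:
        req.session = None  # invalidate the session, as the CSRF filter in the report does
        resp.send_error(403, error)
    chain(req, resp)  # assumption: the chain is continued, which is how the next filter gets to run

def auth_filter_buggy(req, resp, chain):
    req.get_session(resp)  # unconditional getSession(): throws once the response is committed
    chain(req, resp)

def auth_filter_fixed(req, resp, chain):
    if resp.committed:  # an earlier filter already answered (here the 403), so stop
        return
    req.get_session(resp, create=False)  # never force a new session on the way in
    chain(req, resp)

def run(filters, req):  # minimal filter-chain runner
    resp = Response()
    def step(i):
        return lambda r, s: filters[i](r, s, step(i + 1)) if i < len(filters) else None
    try:
        step(0)(req, resp)
    except IllegalStateException as e:  # Tomcat reports the uncaught exception as a 500 error page
        resp.status, resp.body = 500, str(e)
    return resp.status, resp.body
```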


              Assignee: Unassigned
              Reporter: Roman Smirnov (roman.smirnov)
              Votes: 1
              Watchers: 3