camunda BPM / CAM-9589

AuthenticationFilter swallows errors in CSRF Filter

    • Type: Bug Report
    • Resolution: Unresolved
    • Priority: L3 - Default
    • Component: webapp

      When an invalid CSRF token is submitted, the CSRF Filter invalidates the current session and an error should be sent back. The actual exception is swallowed by the Authentication Filter though.

      Steps to reproduce:

      1. start a Camunda distribution using Tomcat
      2. do a POST request without providing any CSRF token (or with an invalid CSRF token), like
        POST http://localhost:8080/camunda/api/admin/setup/default/user/create
        
        {
          "profile": {
            "id": "foo",
            "firstName": "foo",
            "lastName": "foo",
            "email": ""
          },
          "credentials": {
            "password": "foo"
          }
        }
        

      Observed Behavior:
      A response code 500 is returned along with a stacktrace

      HTTP Status 500 – Internal Server Error (Apache Tomcat/9.0.12)
      Type: Exception Report
      Message: Cannot create a session after the response has been committed
      Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
      Exception:
        java.lang.IllegalStateException: Cannot create a session after the response has been committed
        	org.apache.catalina.connector.Request.doGetSession(Request.java:2974)
        	org.apache.catalina.connector.Request.getSession(Request.java:2416)
        	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
        	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920)
        	org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:67)
      Note: The full stack trace of the root cause is available in the server logs.


      Expected Behavior:

      • The actual error (i.e. "Token provided via HTTP Header is absent/empty." or "Invalid HTTP Header Token.") is returned.
      • The status code is 403

      Hint:

      • The function call req.getSession() throws an IllegalStateException because it would try to create a new session as the actual session has already been invalidated. However, creating a new session fails because the response is already committed.
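As an added illustration of the hint above (example code written for this page, not Camunda's AuthenticationFilter or any other project code), the hypothetical servlet filter below shows the unsafe call and a defensive variant built only on the standard Servlet API: HttpServletRequest.getSession(boolean) and HttpServletResponse.isCommitted(). The class name, the helper lookupOrCreateSession and the assumption that a CSRF check runs earlier in the chain are constructed for this example.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (constructed for illustration; not Camunda's
 * AuthenticationFilter) showing why an unconditional req.getSession()
 * turns an upstream CSRF rejection into a 500, and how to avoid it.
 */
public class SessionAwareAuthFilter implements Filter {

  @Override
  public void init(FilterConfig filterConfig) {
  }

  @Override
  public void destroy() {
  }

  @Override
  public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
      throws IOException, ServletException {

    HttpServletRequest req = (HttpServletRequest) request;
    HttpServletResponse resp = (HttpServletResponse) response;

    // Failure mode from the ticket: getSession() means getSession(true). If a
    // preceding filter invalidated the session and already committed its
    // error response, Tomcat cannot create a replacement session and throws
    // IllegalStateException("Cannot create a session after the response has
    // been committed"). The container then reports a 500 and the original
    // 403 with its CSRF message is lost.
    //
    //   HttpSession session = req.getSession();   // unsafe at this point

    HttpSession session = lookupOrCreateSession(req, resp);
    if (session == null) {
      // An upstream filter (assumed here: the CSRF check) already answered
      // the request. Return without touching the response so its status
      // code and error message reach the client unchanged.
      return;
    }

    // ... authentication logic reading from `session` would go here ...

    chain.doFilter(request, response);
  }

  /**
   * Returns the current session, creating one only while the response is
   * still open. Returns null when there is no valid session and the response
   * has already been committed, instead of letting the container throw.
   */
  static HttpSession lookupOrCreateSession(HttpServletRequest req, HttpServletResponse resp) {
    // getSession(false) never creates a session and returns null for an
    // invalidated one, so it cannot trigger the IllegalStateException.
    HttpSession session = req.getSession(false);
    if (session != null) {
      return session;
    }
    if (resp.isCommitted()) {
      return null;
    }
    return req.getSession(true); // safe: headers have not been sent yet
  }
}
```

The design point is that a filter running after another filter that may reject the request must treat "no session and response already committed" as a normal, already-handled outcome rather than reaching for getSession() and letting the container convert the resulting IllegalStateException into a 500.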

            Thorben Lindhauer added a comment - This ticket was migrated to github: https://github.com/camunda/camunda-bpm-platform/issues/2299. Please use this link for any future references and continue any discussion there.

              Assignee: Unassigned
              Reporter: Roman Smirnov