camunda BPM: CAM-9589

AuthenticationFilter swallows errors in CSRF Filter


    Details

    • Type: Bug Report
    • Status: Open
    • Priority: L3 - Default
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: webapp
    • Labels:
      None

      Description

      When an invalid CSRF token is submitted, the CSRF Filter invalidates the current session and an error should be sent back. The actual exception is swallowed by the Authentication Filter though.

      Steps to reproduce:

      1. start a Camunda distribution using Tomcat
      2. do a POST request without providing any CSRF token (or with an invalid CSRF token), like
        POST http://localhost:8080/camunda/api/admin/setup/default/user/create
        
        {
          "profile": {
            "id": "foo",
            "firstName": "foo",
            "lastName": "foo",
            "email": ""
          },
          "credentials": {
            "password": "foo"
          }
        }
        

      Observed Behavior:
      A response code 500 is returned along with a stack trace:

      <!doctype html><html lang="en"><head><title>HTTP Status 500 – Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500 – Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Cannot create a session after the response has been committed</p><p><b>Description</b> The server encountered an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>java.lang.IllegalStateException: Cannot create a session after the response has been committed
      	org.apache.catalina.connector.Request.doGetSession(Request.java:2974)
      	org.apache.catalina.connector.Request.getSession(Request.java:2416)
      	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:908)
      	org.apache.catalina.connector.RequestFacade.getSession(RequestFacade.java:920)
      	org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:67)
      </pre><p><b>Note</b> The full stack trace of the root cause is available in the server logs.</p><hr class="line" /><h3>Apache Tomcat/9.0.12</h3></body></html>
      

      Expected Behavior:

      • The actual error (i.e. "Token provided via HTTP Header is absent/empty." or "Invalid HTTP Header Token.") is returned.
      • The status code is 403

      Hint:

      • The call req.getSession() throws an IllegalStateException: the CSRF filter has already invalidated the current session, so getSession() tries to create a new one, and creating a session fails because the response has already been committed.
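As an added illustration of the hint above (this is not Camunda's code; the filter below is a hypothetical sketch that assumes a Servlet-API setup in which a separate CSRF filter has already invalidated the session and written a 403 via sendError before this filter touches the session), the defensive pattern is to never call getSession() once the response is committed, and to use getSession(false) so that an invalidated session is reported as null instead of triggering session creation:

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical session-aware filter (added example, not Camunda's
 * AuthenticationFilter). It shows how to avoid the
 * "Cannot create a session after the response has been committed"
 * IllegalStateException that masks the CSRF filter's own 403.
 */
public class SessionAwareFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure in this sketch
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // If an earlier filter (e.g. a CSRF filter) already sent its error,
        // the response is committed. Touching the session now would throw
        // IllegalStateException and replace the real 403 with a 500, so
        // stop here and let the already-written error reach the client.
        if (resp.isCommitted()) {
            return;
        }

        // getSession(false) never creates a session. After invalidate() it
        // returns null, which is the signal we want; getSession() would
        // instead attempt to create a fresh session and fail once the
        // response is committed.
        HttpSession session = req.getSession(false);
        if (session == null) {
            // No usable session: refuse with a clear message and status
            // instead of surfacing a container stack trace.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "No valid session for this request.");
            return;
        }

        // Session is valid: continue down the chain as usual.
        chain.doFilter(request, response);

        // Anything done after the chain must again respect a committed
        // response, since a downstream CSRF filter may have invalidated the
        // session and written its error in the meantime.
        if (resp.isCommitted()) {
            return;
        }
        HttpSession after = req.getSession(false);
        if (after != null) {
            after.setAttribute("lastAccess", System.currentTimeMillis());
        }
    }

    @Override
    public void destroy() {
        // nothing to release in this sketch
    }
}
```

The two `isCommitted()` checks cover both filter orderings: the CSRF filter may run before this filter or deeper in the chain, and in either case the original 403 with its "Token provided via HTTP Header is absent/empty." or "Invalid HTTP Header Token." message is what should reach the client, not a 500 from `Request.doGetSession`.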

      Assignee: Unassigned
      Reporter: roman.smirnov Roman Smirnov