[keycloak-dev] Keycloak 1.0.3 branch problem

Bill Burke bburke at redhat.com
Fri Oct 24 10:09:57 EDT 2014


What you're describing isn't CSRF, it is an injection attack.  So CSRF 
doesn't apply.

In 1.1 you can't post directly to processLogin or processRegister as you 
have to have a client session set up and the client session's state must 
be AUTHENTICATE.




On 10/24/2014 9:47 AM, Stian Thorgersen wrote:
> Not sure TBH
>
> I was thinking that someone could post from an external page and inject a JS script to capture the username/password. Basically post an invalid username (<script>...</script>) where the script also removes the invalid user/password warning. Then when the user enters username/password the script could capture the username/password and send it somewhere.
>
> But, then once I'd done that I realised that we should escape any html entered in input fields anyway so I fixed that, which kinda made the other fix pointless.
>
> I reckon I'll remove it! Unless for some reason we want to prevent folks from posting directly to login/registration endpoints?
>
> ----- Original Message -----
>> From: "Bill Burke" <bburke at redhat.com>
>> To: keycloak-dev at lists.jboss.org
>> Sent: Friday, 24 October, 2014 2:41:05 PM
>> Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem
>>
>> Why is there a CSRF check in processLogin?  The user isn't even logged
>> in yet and no credentials have been processed.
>>
>> On 10/24/2014 6:54 AM, Matthias Wessendorf wrote:
>>> Hi,
>>>
>>> I tried picking up KC 1.0.3.Final on our 1.0.x branch:
>>>
>>> * deployment of both WARs went fine
>>> * accessing the `http://localhost:8080/ag-push`  offers me the initial
>>> login for admin:123
>>> * clicking login did _NOT_ redirect me to the form where I am supposed to
>>> update the default password.
>>>
>>>
>>> On WildFly, I got a blank page and this stack-trace:
>>> ```
>>> 12:47:35,859 WARN  [org.jboss.resteasy.core.ExceptionHandler] (default
>>> task-10) Failed executing POST /realms/aerogear/tokens/auth/request/login:
>>> org.keycloak.services.ForbiddenException
>>> 	at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at
>>> 	org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> 	[rt.jar:1.7.0_65]
>>> 	at
>>> 	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>> 	[rt.jar:1.7.0_65]
>>> 	at
>>> 	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> 	[rt.jar:1.7.0_65]
>>> 	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
>>> 	at
>>> 	org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
>>> 	[resteasy-jaxrs-3.0.8.Final.jar:]
>>> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
>>> 	[jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
>>> 	at
>>> 	io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
>>> 	at
>>> 	io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146)
>>> 	[undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
>>> 	at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727)
>>> 	[undertow-core-1.0.15.Final.jar:1.0.15.Final]
>>> 	at
>>> 	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>>> 	[rt.jar:1.7.0_65]
>>> 	at
>>> 	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>>> 	[rt.jar:1.7.0_65]
>>> 	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
>>> ```
>>>
>>> On EAP 6.3. I got a 403, with this stack-trace:
>>> ```
>>> 12:50:06,377 WARN  [org.jboss.resteasy.core.SynchronousDispatcher]
>>> (http-/0.0.0.0:8080-3) Failed executing POST
>>> /realms/aerogear/tokens/auth/request/login:
>>> org.keycloak.services.ForbiddenException
>>> 	at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at
>>> 	org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>> 	[rt.jar:1.7.0_65]
>>> 	at
>>> 	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>>> 	[rt.jar:1.7.0_65]
>>> 	at
>>> 	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>> 	[rt.jar:1.7.0_65]
>>> 	at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
>>> 	at
>>> 	org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at
>>> 	org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
>>> 	[resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
>>> 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
>>> 	[jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40)
>>> 	[keycloak-services-1.0.3.Final.jar:]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
>>> 	[jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
>>> 	at
>>> 	org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
>>> 	[jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
>>> 	at
>>> 	org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
>>> 	[jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
>>> 	at
>>> 	org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at
>>> 	org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
>>> 	[jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
>>> 	at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
>>> ```
>>>
>>>
>>>
>>> --
>>> Matthias Wessendorf
>>>
>>> blog: http://matthiaswessendorf.wordpress.com/
>>> sessions: http://www.slideshare.net/mwessendorf
>>> twitter: http://twitter.com/mwessendorf
>>>
>>>
>>> _______________________________________________
>>> keycloak-dev mailing list
>>> keycloak-dev at lists.jboss.org
>>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>>
>>
>> --
>> Bill Burke
>> JBoss, a division of Red Hat
>> http://bill.burkecentral.com
>> _______________________________________________
>> keycloak-dev mailing list
>> keycloak-dev at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
>>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
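The two defences discussed in this thread, a login endpoint that refuses a POST unless a client session in the AUTHENTICATE state exists for it, and HTML-escaping of the submitted username when it is echoed back in the "invalid user" warning, modelled as a small stand-alone Python example. This is added illustration, not Keycloak code: the `LoginService`, `ClientSession` and `State` names, the `"DONE"` state that follows AUTHENTICATE, the session-id parameter and the plaintext user table are all constructed for the demo, and only the AUTHENTICATE state name comes from the thread.

```python
import hmac
import html
from enum import Enum


class State(Enum):
    """Client-session states. AUTHENTICATE is the name used in the thread;
    DONE is a constructed placeholder for 'login already completed'."""
    AUTHENTICATE = "AUTHENTICATE"
    DONE = "DONE"


class ClientSession:
    def __init__(self):
        self.state = State.AUTHENTICATE


class ForbiddenError(Exception):
    """Raised when a login POST has no matching client session in AUTHENTICATE."""


def render_error(username: str) -> str:
    # The username is attacker-controlled input reflected into HTML, so it is
    # escaped before it lands in the page; quote=True also neutralises
    # attribute-context breakouts, not only <script> tags in text content.
    return '<span class="error">Invalid username or password: {}</span>'.format(
        html.escape(username, quote=True)
    )


class LoginService:
    """Constructed model of a login endpoint guarded by client-session state."""

    def __init__(self, users: dict):
        # Constructed demo user table (plaintext passwords for brevity only).
        self.users = users
        self.sessions: dict = {}  # client session id -> ClientSession

    def start_login(self, session_id: str) -> None:
        # Rendering the login form creates the client session; the POST that
        # follows must reference it, so a bare POST from elsewhere is refused.
        self.sessions[session_id] = ClientSession()

    def process_login(self, session_id: str, username: str, password: str) -> dict:
        session = self.sessions.get(session_id)
        if session is None or session.state is not State.AUTHENTICATE:
            raise ForbiddenError("no client session in AUTHENTICATE state")

        expected = self.users.get(username)
        # Constant-time comparison so a wrong guess is not timing-distinguishable.
        if expected is not None and hmac.compare_digest(expected, password):
            session.state = State.DONE  # the session can't be replayed for a second login
            return {"status": 302, "body": ""}
        return {"status": 401, "body": render_error(username)}


if __name__ == "__main__":
    svc = LoginService({"admin": "123"})  # constructed credentials
    svc.start_login("sess-1")
    # The thread's example of a hostile "username" is rendered harmless:
    print(svc.process_login("sess-1", "<script>...</script>", "x")["body"])
```

A POST that skips `start_login` raises `ForbiddenError`, a wrong username is reflected only in escaped form, and once a login succeeds the same session is refused a second time.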

