From stian at redhat.com Mon Oct 27 03:21:13 2014
From: Stian Thorgersen
To: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem
Date: Mon, 27 Oct 2014 03:21:13 -0400

----- Original Message -----
> From: "Bill Burke"
> To: "Stian Thorgersen"
> Cc: keycloak-dev(a)lists.jboss.org
> Sent: Friday, 24 October, 2014 4:09:57 PM
> Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem
>
> What you're describing isn't CSRF, it is an injection attack. So CSRF
> doesn't apply.

Yep, I know. It was a moment of brain malfunctioning!

> In 1.1 you can't post directly to processLogin or processRegister as you
> have to have a client session set up and the client session's state must
> be AUTHENTICATE

I'll remove it - as you say it's being added in 1.1 in any case, and 1.0.x
shouldn't change how things function anyway.

> On 10/24/2014 9:47 AM, Stian Thorgersen wrote:
> > Not sure TBH
> >
> > I was thinking that someone could post from an external page and inject a
> > JS script to capture the username/password. Basically post an invalid
> > username () where the script also removes the invalid
> > user/password warning. Then when the user enters username/password the
> > script could capture the username/password and send it somewhere.
> >
> > But, then once I'd done that I realised that we should escape any HTML
> > entered in input fields anyway so I fixed that, which kinda made the
> > other fix pointless.
> >
> > I reckon I'll remove it! Unless for some reason we want to prevent folks
> > from posting directly to login/registration endpoints?
> >
> > ----- Original Message -----
> >> From: "Bill Burke"
> >> To: keycloak-dev(a)lists.jboss.org
> >> Sent: Friday, 24 October, 2014 2:41:05 PM
> >> Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem
> >>
> >> Why is there a CSRF check in processLogin? The user isn't even logged
> >> in yet and no credentials have been processed.
> >>
> >> On 10/24/2014 6:54 AM, Matthias Wessendorf wrote:
> >>> Hi,
> >>>
> >>> I tried picking up KC 1.0.3.Final on our 1.0.x branch:
> >>>
> >>> * deployment of both WARs went fine
> >>> * accessing the `http://localhost:8080/ag-push` offers me the initial
> >>>   login for admin:123
> >>> * clicking login did _NOT_ redirect me to the form where I am supposed to
> >>>   update the default password.
> >>>
> >>> On WildFly, I got a blank page and this stack-trace:
> >>> ```
> >>> 12:47:35,859 WARN [org.jboss.resteasy.core.ExceptionHandler] (default task-10) Failed executing POST /realms/aerogear/tokens/auth/request/login: org.keycloak.services.ForbiddenException
> >>>     at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39) [keycloak-services-1.0.3.Final.jar:]
> >>>     at org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479) [keycloak-services-1.0.3.Final.jar:]
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
> >>>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
> >>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:296) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:250) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:140) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:103) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51) [resteasy-jaxrs-3.0.8.Final.jar:]
> >>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final]
> >>>     at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:130) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0.3.Final.jar:]
> >>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0.3.Final.jar:]
> >>>     at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:60) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:132) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:85) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at org.wildfly.extension.undertow.security.SecurityContextAssociationHandler.handleRequest(SecurityContextAssociationHandler.java:78)
> >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:113) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:56) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:45) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:61) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:58) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:70) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.security.handlers.SecurityInitialHandler.handleRequest(SecurityInitialHandler.java:76) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:61)
> >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:25) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:240) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:227) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:73) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:146) [undertow-servlet-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.server.Connectors.executeRootHandler(Connectors.java:177) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:727) [undertow-core-1.0.15.Final.jar:1.0.15.Final]
> >>>     at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) [rt.jar:1.7.0_65]
> >>>     at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) [rt.jar:1.7.0_65]
> >>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
> >>> ```
> >>>
> >>> On EAP 6.3. I got a 403, with this stack-trace:
> >>> ```
> >>> 12:50:06,377 WARN [org.jboss.resteasy.core.SynchronousDispatcher] (http-/0.0.0.0:8080-3) Failed executing POST /realms/aerogear/tokens/auth/request/login: org.keycloak.services.ForbiddenException
> >>>     at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39) [keycloak-services-1.0.3.Final.jar:]
> >>>     at org.keycloak.services.resources.TokenService.processLogin(TokenService.java:479) [keycloak-services-1.0.3.Final.jar:]
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) [rt.jar:1.7.0_65]
> >>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) [rt.jar:1.7.0_65]
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) [rt.jar:1.7.0_65]
> >>>     at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65]
> >>>     at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:269) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:227) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceLocator.java:159) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java:92) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50) [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:]
> >>>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redhat-1]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientConnectionFilter.java:41) [keycloak-services-1.0.3.Final.jar:]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(KeycloakSessionServletFilter.java:40) [keycloak-services-1.0.3.Final.jar:]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
> >>>     at org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) [jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
> >>>     at org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19]
> >>>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:145) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:856) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:653) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4]
> >>>     at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65]
> >>> ```
> >>>
> >>> --
> >>> Matthias Wessendorf
> >>>
> >>> blog: http://matthiaswessendorf.wordpress.com/
> >>> sessions: http://www.slideshare.net/mwessendorf
> >>> twitter: http://twitter.com/mwessendorf
> >>>
> >>> _______________________________________________
> >>> keycloak-dev mailing list
> >>> keycloak-dev(a)lists.jboss.org
> >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev
> >>>
> >>
> >> --
> >> Bill Burke
> >> JBoss, a division of Red Hat
> >> http://bill.burkecentral.com
> >>
>
> --
> Bill Burke
> JBoss, a division of Red Hat
> http://bill.burkecentral.com
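The thread separates two things: the CSRF check in processLogin (which only broke first logins with a ForbiddenException, since nobody is authenticated yet) and the real concern, a submitted username echoed back unescaped into the "invalid user/password" page. The Python sketch below is an added example, not Keycloak code (which is Java); it models the 1.1 rule quoted above (a client session in state AUTHENTICATE is required, no CSRF token) together with the output-escaping fix. `Request`, `ClientSession`, `process_login`, `render_login_error` and the status codes are assumptions made for this example.

```python
import html
from dataclasses import dataclass
from typing import Callable, Optional

# State name taken from the thread; the other names here are invented.
AUTHENTICATE = "AUTHENTICATE"


@dataclass
class ClientSession:
    id: str
    state: str  # AUTHENTICATE while the login form is being worked through


@dataclass
class Request:
    form: dict
    client_session: Optional[ClientSession] = None


def render_login_error(username: str) -> str:
    """Re-render the form after a failed login, echoing the username escaped.

    html.escape() turns <, >, &, " and ' into entities, so a value such as
    '<script>...</script>' is displayed as text instead of being parsed as
    markup: this is the "escape any HTML entered in input fields" fix.
    """
    return (
        '<p class="error">Invalid username or password.</p>\n'
        f'<input name="username" value="{html.escape(username, quote=True)}">'
    )


def process_login(req: Request,
                  check_password: Callable[[str, str], bool]) -> tuple:
    """Sketch of a 1.1-style processLogin: no CSRF token, but a bound session.

    A CSRF check is pointless here because nobody is logged in yet (there is
    no authenticated session a forged request could ride on); the 1.0.3
    report in the thread shows it only produced a ForbiddenException.
    Returns (status, body); the status values are assumptions.
    """
    cs = req.client_session
    # The 1.1 rule from the thread: the POST is refused unless a client
    # session exists and its state is AUTHENTICATE.
    if cs is None or cs.state != AUTHENTICATE:
        return 400, "invalid client session"
    username = req.form.get("username", "")
    password = req.form.get("password", "")
    if not check_password(username, password):
        return 401, render_login_error(username)
    cs.state = "AUTHENTICATED"  # assumed follow-on state name
    return 200, "welcome " + html.escape(username)
```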