From bburke at redhat.com Fri Oct 24 10:09:56 2014 Content-Type: multipart/mixed; boundary="===============7072386220971187278==" MIME-Version: 1.0 From: Bill Burke To: keycloak-dev at lists.jboss.org Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem Date: Fri, 24 Oct 2014 10:09:57 -0400 Message-ID: <544A5DB5.7030804@redhat.com> In-Reply-To: 1655650033.76072525.1414158436077.JavaMail.zimbra@redhat.com --===============7072386220971187278== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable What you're describing isn't CSRF, it is an injection attack. So CSRF = doesn't apply. In 1.1 you can't post directly to processLogin or processRegister as you = have to have a client session set up and the client session's state must = be AUTHENTICATE On 10/24/2014 9:47 AM, Stian Thorgersen wrote: > Not sure TBH > > I was thinking that someone could post from an external page and inject a= JS script to capture the username/password. Basically post an invalid user= name () where the script also removes the invalid user/= password warning. Then when the user enters username/password the script co= uld capture the username/password and send it somewhere. > > But, then once I'd done that I realised that we should escape any html en= tered in input fields any ways so I fixed that, which kinda made the other = fix pointless. > > I reckon I'll remove it! Unless for some reason we want to prevent folks = from posting directly to login/registration endpoints? > > ----- Original Message ----- >> From: "Bill Burke" >> To: keycloak-dev(a)lists.jboss.org >> Sent: Friday, 24 October, 2014 2:41:05 PM >> Subject: Re: [keycloak-dev] Keycloak 1.0.3 branch problem >> >> Why is there a CSRF check in processLogin? The user isn't even logged >> in yet and no credentials have been processed. >> >> On 10/24/2014 6:54 AM, Matthias Wessendorf wrote: >>> Hi, >>> >>> I tried picking up KC 1.0.3.Final on our 1.0.x branch: >>> >>> * deployment of both WARs went fine >>> * accessing the `http://localhost:8080/ag-push` offers me the initial >>> login for admin:123 >>> * clicking login did _NOT_ redirect me to the form where I am supposed = to >>> update the default password. >>> >>> >>> On WildFly, I got a blank page and this stack-trace: >>> ``` >>> 12:47:35,859 WARN [org.jboss.resteasy.core.ExceptionHandler] (default >>> task-10) Failed executing POST /realms/aerogear/tokens/auth/request/log= in: >>> org.keycloak.services.ForbiddenException >>> at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39) >>> [keycloak-services-1.0.3.Final.jar:] >>> at >>> org.keycloak.services.resources.TokenService.processLogin(TokenService= .java:479) >>> [keycloak-services-1.0.3.Final.jar:] >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> [rt.jar:1.7.0_65] >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j= ava:57) >>> [rt.jar:1.7.0_65] >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess= orImpl.java:43) >>> [rt.jar:1.7.0_65] >>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65] >>> at >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.j= ava:137) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceM= ethodInvoker.java:296) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInv= oker.java:250) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(Re= sourceLocatorInvoker.java:140) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorI= nvoker.java:103) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat= cher.java:356) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat= cher.java:179) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.s= ervice(ServletContainerDispatcher.java:220) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.servic= e(HttpServletDispatcher.java:56) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.servic= e(HttpServletDispatcher.java:51) >>> [resteasy-jaxrs-3.0.8.Final.jar:] >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) >>> [jboss-servlet-api_3.1_spec-1.0.0.Final.jar:1.0.0.Final] >>> at >>> io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandl= er.java:85) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Fi= lterHandler.java:130) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientCo= nnectionFilter.java:41) >>> [keycloak-services-1.0.3.Final.jar:] >>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:= 60) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Fi= lterHandler.java:132) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(Ke= ycloakSessionServletFilter.java:40) >>> [keycloak-services-1.0.3.Final.jar:] >>> at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:= 60) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(Fi= lterHandler.java:132) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler= .java:85) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handl= eRequest(ServletSecurityRoleHandler.java:61) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(S= ervletDispatchingHandler.java:36) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> org.wildfly.extension.undertow.security.SecurityContextAssociationHand= ler.handleRequest(SecurityContextAssociationHandler.java:78) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHa= ndler.java:25) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.security.SSLInformationAssociationHandler= .handleRequest(SSLInformationAssociationHandler.java:113) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler= .handleRequest(ServletAuthenticationCallHandler.java:56) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHa= ndler.java:25) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.security.handlers.AbstractConfidentialityHandler.handleReq= uest(AbstractConfidentialityHandler.java:45) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.security.ServletConfidentialityConstraint= Handler.handleRequest(ServletConfidentialityConstraintHandler.java:61) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRe= quest(AuthenticationMechanismsHandler.java:58) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandle= r.handleRequest(CachedAuthenticatedSessionHandler.java:70) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.security.handlers.SecurityInitialHandler.handleRequest(Sec= urityInitialHandler.java:76) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHa= ndler.java:25) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.hand= leRequest(JACCContextIdHandler.java:61) >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHa= ndler.java:25) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHa= ndler.java:25) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(= ServletInitialHandler.java:240) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(Ser= vletInitialHandler.java:227) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletI= nitialHandler.java:73) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(Ser= vletInitialHandler.java:146) >>> [undertow-servlet-1.0.15.Final.jar:1.0.15.Final] >>> at io.undertow.server.Connectors.executeRootHandler(Connectors.java:17= 7) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:72= 7) >>> [undertow-core-1.0.15.Final.jar:1.0.15.Final] >>> at >>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.j= ava:1145) >>> [rt.jar:1.7.0_65] >>> at >>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.= java:615) >>> [rt.jar:1.7.0_65] >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65] >>> ``` >>> >>> On EAP 6.3. I got a 403, with this stack-trace: >>> ``` >>> 12:50:06,377 WARN [org.jboss.resteasy.core.SynchronousDispatcher] >>> (http-/0.0.0.0:8080-3) Failed executing POST >>> /realms/aerogear/tokens/auth/request/login: >>> org.keycloak.services.ForbiddenException >>> at org.keycloak.services.util.CsrfHelper.csrfCheck(CsrfHelper.java:39) >>> [keycloak-services-1.0.3.Final.jar:] >>> at >>> org.keycloak.services.resources.TokenService.processLogin(TokenService= .java:479) >>> [keycloak-services-1.0.3.Final.jar:] >>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) >>> [rt.jar:1.7.0_65] >>> at >>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j= ava:57) >>> [rt.jar:1.7.0_65] >>> at >>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess= orImpl.java:43) >>> [rt.jar:1.7.0_65] >>> at java.lang.reflect.Method.invoke(Method.java:606) [rt.jar:1.7.0_65] >>> at >>> org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.j= ava:167) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.j= ava:269) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:2= 27) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.core.ResourceLocator.invokeOnTargetObject(ResourceL= ocator.java:159) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at org.jboss.resteasy.core.ResourceLocator.invoke(ResourceLocator.java= :92) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousD= ispatcher.java:542) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat= cher.java:524) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispat= cher.java:126) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.s= ervice(ServletContainerDispatcher.java:208) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.servic= e(HttpServletDispatcher.java:55) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at >>> org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.servic= e(HttpServletDispatcher.java:50) >>> [resteasy-jaxrs-2.3.8.Final-redhat-3.jar:] >>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) >>> [jboss-servlet-api_3.0_spec-1.0.2.Final-redhat-1.jar:1.0.2.Final-redha= t-1] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli= cationFilterChain.java:295) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi= lterChain.java:214) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.keycloak.services.filters.ClientConnectionFilter.doFilter(ClientCo= nnectionFilter.java:41) >>> [keycloak-services-1.0.3.Final.jar:] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli= cationFilterChain.java:246) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi= lterChain.java:214) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.keycloak.services.filters.KeycloakSessionServletFilter.doFilter(Ke= ycloakSessionServletFilter.java:40) >>> [keycloak-services-1.0.3.Final.jar:] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(Appli= cationFilterChain.java:246) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFi= lterChain.java:214) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperVa= lve.java:231) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextVa= lve.java:149) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCl= oserValve.java:50) >>> [jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19] >>> at >>> org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCl= oserValve.java:50) >>> [jboss-as-jpa-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19] >>> at >>> org.jboss.as.web.security.SecurityContextAssociationValve.invoke(Secur= ityContextAssociationValve.java:169) >>> [jboss-as-web-7.4.0.Final-redhat-19.jar:7.4.0.Final-redhat-19] >>> at >>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.ja= va:145) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.ja= va:97) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValv= e.java:102) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java= :344) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:= 856) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at >>> org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.proces= s(Http11Protocol.java:653) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:= 926) >>> [jbossweb-7.4.8.Final-redhat-4.jar:7.4.8.Final-redhat-4] >>> at java.lang.Thread.run(Thread.java:745) [rt.jar:1.7.0_65] >>> ``` >>> >>> >>> >>> -- >>> Matthias Wessendorf >>> >>> blog: http://matthiaswessendorf.wordpress.com/ >>> sessions: http://www.slideshare.net/mwessendorf >>> twitter: http://twitter.com/mwessendorf >>> >>> >>> _______________________________________________ >>> keycloak-dev mailing list >>> keycloak-dev(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/keycloak-dev >>> >> >> -- >> Bill Burke >> JBoss, a division of Red Hat >> http://bill.burkecentral.com >> _______________________________________________ >> keycloak-dev mailing list >> keycloak-dev(a)lists.jboss.org >> https://lists.jboss.org/mailman/listinfo/keycloak-dev >> -- = Bill Burke JBoss, a division of Red Hat http://bill.burkecentral.com --===============7072386220971187278==--