From: Derek Mahar
To: users@activemq.apache.org
Date: Thu, 17 Mar 2016 11:50:54 -0400
Subject: Re: ActiveMQ 5.13.1 Web Console, purge message queue, UnsupportedOperationException (possible CSRF attack)

Please note that I encountered this exception when using
Firefox 45.0 to access ActiveMQ Web Console.

On 17 March 2016 at 11:44, Derek Mahar wrote:
> What might be the cause of the following UnsupportedOperationException
> that ActiveMQ 5.13.1 Web Console reports when I attempt to
> unsuccessfully purge the contents of a queue, but after browsing that
> same queue?
>
> URL sequence:
>
> http://0.0.0.0:8161/admin/browse.jsp?JMSDestination=client.order.queue
> http://0.0.0.0:8161/admin/purgeDestination.action?JMSDestination=client.order.queue&JMSDestinationType=queue&secret=5b118f61-5f26-4f49-ab54-7ca682eb5b7c
>
>
> WARN |
> org.springframework.web.util.NestedServletException: Request
> processing failed; nested exception is
> java.lang.UnsupportedOperationException: Possible CSRF attack
>     at org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:977)[spring-webmvc-4.1.9.RELEASE.jar:4.1.9.RELEASE]
>     at org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:856)[spring-webmvc-4.1.9.RELEASE.jar:4.1.9.RELEASE]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:622)[tomcat-servlet-api-8.0.24.jar:]
>     at org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:841)[spring-webmvc-4.1.9.RELEASE.jar:4.1.9.RELEASE]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)[tomcat-servlet-api-8.0.24.jar:]
>     at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:808)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1669)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.apache.activemq.web.AuditFilter.doFilter(AuditFilter.java:59)[activemq-web-5.13.1.jar:5.13.1]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:99)[spring-web-4.1.9.RELEASE.jar:4.1.9.RELEASE]
>     at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)[spring-web-4.1.9.RELEASE.jar:4.1.9.RELEASE]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.apache.activemq.web.filter.ApplicationContextFilter.doFilter(ApplicationContextFilter.java:102)[file:/opt/apache-activemq-5.13.1/webapps/admin/WEB-INF/classes/:]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.apache.activemq.web.XFrameOptionsFilter.doFilter(XFrameOptionsFilter.java:47)[activemq-web-5.13.1.jar:5.13.1]
>     at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:542)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:542)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.Server.handle(Server.java:499)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:310)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)[jetty-all-9.2.13.v20150730.jar:9.2.13.v20150730]
>     at java.lang.Thread.run(Thread.java:745)[:1.8.0_66-internal]
>
> Is it merely a coincidence that other URLs that I clicked that did
> not cause a similar error did not include the "secret" parameter? For
> example:
>
> http://0.0.0.0:8161/admin/send.jsp?JMSDestination=client.order.queue&JMSDestinationType=queue
> http://0.0.0.0:8161/admin/queueConsumers.jsp?JMSDestination=client.order.queue
>
>
> Thank you,
>
> Derek