jackrabbit-users mailing list archives
From Julian Reschke <julian.resc...@gmx.de>
Subject Re: Jackalope fails with Jackrabbit since 2.12.4
Date Mon, 21 Nov 2016 08:27:49 GMT
Hi there,

yes, this probably has to do with the CSRF related fixes.

Jackrabbit hasn't got any support for CSRF tokens, so there's no point 
in trying that.

The simplest possible thing that should work is adding a Referer header 
field (keep in mind that CSRF protection is about avoiding misbehaving 
browsers; for non-browser clients you should be able to just modify the 
request header fields so that the server is happy).

Best regards, Julian


On 2016-11-21 07:41, Daniel Rotter wrote:
> Hey there,
>
> I have been using Jackrabbit in combination with Jackalope (https://github.com/jackalope/jackalope-jackrabbit), but this starts to fail since
> Jackrabbit 2.12.4.
>
> When trying to write something to the workspace, I always get an error like that:
>
> [PHPCR\RepositoryException]
>           Unexpected error:
>           CURL Error:
>           Response (HTTP 403): POST
>           --uri: --
>           array (
>             0 => 'http://localhost:8080/server/default/jcr:root/',
>           )
>           --curl getinfo: --
>           array (
>             'url' => 'http://localhost:8080/server/default/jcr:root/',
>             'content_type' => 'text/html; charset=iso-8859-1',
>             'http_code' => 403,
>             'header_size' => 165,
>             'request_size' => 7846,
>             'filetime' => -1,
>             'ssl_verify_result' => 0,
>             'redirect_count' => 0,
>             'total_time' => 0.002591,
>             'namelookup_time' => 1.7E-5,
>             'connect_time' => 0.000165,
>             'pretransfer_time' => 0.000192,
>             'size_upload' => 7588.0,
>             'size_download' => 1389.0,
>             'speed_download' => 536086.0,
>             'speed_upload' => 2928598.0,
>             'download_content_length' => 1389.0,
>             'upload_content_length' => 7588.0,
>             'starttransfer_time' => 0.0025690000000000001,
>             'redirect_time' => 0.0,
>             'redirect_url' => '',
>             'primary_ip' => '::1',
>             'certinfo' =>
>             array (
>             ),
>             'primary_port' => 8080,
>             'local_ip' => '::1',
>             'local_port' => 64122,
>           )
>           --request body (size: 7588 bytes): --
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-created"
>           Content-Type: jcr-value/date; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           2016-11-16T10:10:21.000+00:00
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-changed"
>           Content-Type: jcr-value/date; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           2016-11-16T10:10:21.000+00:00
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:en-published"
>           Content-Type: jcr-value/date; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           2016-11-16T10:10:21.000+00:00
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-title"
>           Content-Type: jcr-value/string; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-description"
>           Content-Type: jcr-value/string; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-keywords"
>           Content-Type: jcr-value/string; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-canonicalUrl"
>           Content-Type: jcr-value/string; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noIndex"
>           Content-Type: jcr-value/boolean; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n:de-seo-noFollow"
>           Content-Type: jcr-value/boolean; charset=UTF-8
>           Content-Transfer-Encoding: 8bit
>           --07d542fbc64b7d5ee6f9362454e670f5
>           Content-Disposition: form-data; name="/cmf/sulu_io/contents/i18n
>            (truncated)
>           --response body (size: 1389 bytes): --
>           <html>
>           <head>
>           <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"/>
>           <title>Error 403 FORBIDDEN</title>
>           </head>
>           <body><h2>HTTP ERROR 403</h2>
>           <p>Problem accessing /server/default/jcr:root/. Reason:
>           <pre>    FORBIDDEN</pre></p><hr /><i><small>Powered by Jetty://</small></i><br/>
>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           <br/>
>           </body>
>           </html>
>           --end response body --
>
> If I am informed correctly jackalope-jackrabbit uses the WebDAV interface of Jackrabbit.
> Also, I have seen that the only issue fixed in the 2.12.4 release was https://issues.apache.org/jira/browse/JCR-4009,
> which is handling some CSRF stuff.
> So I think the 403 error we are getting could be related to the fix of that issue (and obviously
> is, since it is the only thing that changed).
>
> I talked to David Buchmann, the main author of jackalope-jackrabbit, and he said there
> is probably no CSRF handling, and after digging a bit in the code I cannot say otherwise.
> So I assume that this part is missing.
>
> I have already looked at the different requests sent between the jackalope internal client
> and one delivered by PHPCR, and I see some differences there. For a simple list of nodes command
> the jackrabbit internal client is sending a GET request, while the implementation of jackalope
> uses a POST with the content type application/x-www-form-urlencoded. I tried to change that,
> but I was still not lucky (have explained that in more detail in this issue: https://github.com/jackalope/jackalope-jackrabbit/issues/138#issuecomment-261295082)
>
> Now my question is how we would have to provide a CSRF token in order to get that working
again. It’s a little bit hard to find the missing bits in wireshark without having a clue
at all :-)
>
> Or am I searching in a completely different path?
>
> Kind Regards
> Daniel
>
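Added example (not part of the thread, and not Jackrabbit's or Jackalope's own code): a small Python model of the kind of Referer-based CSRF check the reply above describes, plus the client-side fix Julian suggests. The check logic is an assumption about how such protection typically works (only browser-submittable form POSTs are examined, the Referer must name the same host as the Host header); the header sets are constructed from the multipart POST shown in the error output. Function names such as referer_allows and with_referer are hypothetical.

```python
from urllib.parse import urlsplit

# Content types a browser can submit cross-site via a plain HTML form.
# Only these are subject to the modelled check; other POSTs pass through.
FORM_CONTENT_TYPES = ("application/x-www-form-urlencoded", "multipart/form-data")

# Constructed header set resembling the failing Jackalope request:
# a multipart POST to the WebDAV endpoint with no Referer header.
JACKALOPE_POST = {
    "Host": "localhost:8080",
    "Content-Type": "multipart/form-data; boundary=07d542fbc64b7d5ee6f9362454e670f5",
}

def is_form_post(method, headers):
    """True if the request is a POST whose body type an HTML form could produce."""
    if method.upper() != "POST":
        return False
    ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
    return ctype in FORM_CONTENT_TYPES

def referer_allows(method, headers):
    """Modelled same-origin check (assumption, not Jackrabbit's CSRFUtil).

    Returns True when the request should be served, False when it should
    be answered with 403.  A missing Referer on a form POST is rejected:
    without it the server cannot tell a script from a cross-site form.
    """
    if not is_form_post(method, headers):
        return True
    referer = headers.get("Referer")
    if not referer:
        return False
    expected_host = headers.get("Host", "").strip().lower()
    referer_host = urlsplit(referer).netloc.strip().lower()
    return bool(expected_host) and referer_host == expected_host

def with_referer(headers, target_url):
    """Client-side fix for a non-browser client: add a Referer naming the
    origin of the request target, leaving every other header untouched."""
    parts = urlsplit(target_url)
    fixed = dict(headers)
    fixed["Referer"] = f"{parts.scheme}://{parts.netloc}/"
    return fixed

if __name__ == "__main__":
    target = "http://localhost:8080/server/default/jcr:root/"
    print("as sent by Jackalope:", referer_allows("POST", JACKALOPE_POST))
    print("with Referer added:  ", referer_allows("POST", with_referer(JACKALOPE_POST, target)))
```

The third case worth keeping in mind is a Referer pointing at a different host: the model rejects it, which is the whole point of the check, so a client must send the Referer of the server it is actually talking to, not an arbitrary value.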

