IBM Jazz + Eclipse Lyo = CSRF problem
Hello!
Base URL of the adapter is in the whitelist of JTS.
I cannot work out how best to fix the problem. Could I please ask you to give me an idea of how best to proceed?
Thank you!
Accepted answer
Ralph Schoon (62.7k●3●36●43)
answered Sep 21, 1:18 a.m.
The most important information is missing: the call that causes this. Which method? What did you send and what did you get back? Which headers did you send? One of my biggest struggles with Lyo has been that it is very hard to see the HTTP data it sends and receives. You need to use a proxy to trace the communication, I think.
Dmitry A. Lesin selected this answer as the correct answer
Comments

Here is one of the many results if you google CSRF site:jazz.net: https://jazz.net/forum/questions/98072/x-jazz-csrf-prevent-header-is-required-to-create-a-work-item-via-oslc-on-version-4001

Ralph, sorry! You are right! I was trying to describe the case in detail and forgot to say where I started.
The steps were as follows:
1. Register the OSLC adapter in JTS as a friend (this was successful).
2. Go to a project area (no GC context) and create an association.
3. Provide the administrator login and password defined in the adapter.
4. Confirm the administrator credentials.
The request can be intercepted in the Eclipse IDE if the OSLC adapter app is started in debugging mode. But control leaves it quickly and is apparently transferred to the level of the Lyo libraries, I think, at least.
Thank you!

The question is: is this request a POST? If you know which call it is, you should be able to tell. I had to send the X-Jazz-CSRF-Prevent header in my Lyo code.
It seems that Jazz doesn't participate in this communication. Apparently, the CSRF case is detected by the OAuth application delivered within the Eclipse Lyo libraries.
It was simulated with only Postman and the OSLC adapter (no Jazz).
I have found that there is a class responsible for blocking CSRF attacks:
https://www.javatips.net/api/lyo.server-master/org.eclipse.lyo.server.oauth.webapp/src/main/java/org/eclipse/lyo/server/oauth/webapp/services/CSRFPrevent.java
I believe the main question now may be whether it's possible to add an "X-CSRF-Prevent" header with the ID of the current session. Or I'm going in an absolutely wrong direction, I don't know.
If you use Lyo, you should be able to see the source code and be able to step through the authentication. You should also be able to see if you can add custom headers.
You can also follow https://rsjazz.wordpress.com/2019/03/07/type-system-manager-part-2/ and find my code. Note that the code was created with an old version of lyo and the way I inject the header might no longer be available.
Thanks to your tip, I have written an email to the Lyo team. They gave me another recommendation, aimed at debugging the embedded OAuth app delivered with the libraries within Eclipse. So, the problem was very much like you were saying, but only the "X-CSRF-Prevent" header was needed. It must contain the JSESSIONID value. This is because we send the request to the Lyo adapter, not to Jazz itself.
Anyway, your two tips were very valuable for me and moved me in the right direction.
Thank you very much! Yes, a lot of problems went away after testing the solution locally with HTTPS and a self-signed certificate. Thanks!
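The exchange the thread converges on, as an added example that is not from the original post and not Eclipse Lyo's own code: a toy server that applies the rule the thread describes (a POST is accepted only when the X-CSRF-Prevent header equals the JSESSIONID of the caller's own session), beside a client that first obtains the session cookie and then mirrors it into the header. The endpoint paths, the "any GET creates a session" rule, the attacker's guessed value and the response bodies are assumptions made for this illustration, not Lyo's actual endpoints or messages.

```python
"""Toy reproduction of a Lyo-style CSRF check (added illustration, not Lyo's code).

Rule under test: a state-changing POST is accepted only when the value of the
X-CSRF-Prevent header equals the JSESSIONID of the caller's own session.
Endpoint paths, session creation and response bodies are assumptions.
"""
import http.client
import http.cookies
import http.server
import secrets
import threading

SESSION_COOKIE = "JSESSIONID"
CSRF_HEADER = "X-CSRF-Prevent"
LOGIN_PATH = "/services/oauth/login"         # assumed path, not Lyo's
APPROVE_PATH = "/services/oauth/approveKey"  # assumed path, not Lyo's


class CsrfCheckHandler(http.server.BaseHTTPRequestHandler):
    """Server side: hands out a session on GET, enforces the header rule on POST."""

    sessions = set()  # session IDs issued so far (shared across requests)

    def log_message(self, *args):  # keep the demo quiet
        pass

    def _session_id(self):
        jar = http.cookies.SimpleCookie(self.headers.get("Cookie", ""))
        morsel = jar.get(SESSION_COOKIE)
        return morsel.value if morsel else None

    def do_GET(self):
        # Any GET establishes a session, standing in for the adapter's login page.
        sid = self._session_id()
        if sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions.add(sid)
        self.send_response(200)
        self.send_header("Set-Cookie", f"{SESSION_COOKIE}={sid}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", "0")))  # drain body
        sid = self._session_id()
        token = self.headers.get(CSRF_HEADER)
        # The check: a known session AND a header that mirrors its ID exactly.
        if sid is None or sid not in self.sessions or token != sid:
            status, body = 403, b"Possible CSRF attack detected. Please log in again."
        else:
            status, body = 200, b"OK"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def start_server():
    """Bind the toy adapter on a free loopback port and serve in the background."""
    server = http.server.HTTPServer(("127.0.0.1", 0), CsrfCheckHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_exchange(port, mode):
    """Client side. mode is "none" (no header), "forged" (attacker's guess) or
    "mirror" (copy JSESSIONID into X-CSRF-Prevent). Returns the POST status."""
    conn = http.client.HTTPConnection("127.0.0.1", port)
    # Step 1: GET the login page to obtain the JSESSIONID cookie.
    conn.request("GET", LOGIN_PATH)
    resp = conn.getresponse()
    resp.read()
    jar = http.cookies.SimpleCookie(resp.getheader("Set-Cookie"))
    sid = jar[SESSION_COOKIE].value
    # Step 2: POST with the session cookie plus the header variant under test.
    headers = {"Cookie": f"{SESSION_COOKIE}={sid}",
               "Content-Type": "application/x-www-form-urlencoded"}
    if mode == "forged":
        headers[CSRF_HEADER] = "guessed-by-attacker"  # constructed bad value
    elif mode == "mirror":
        headers[CSRF_HEADER] = sid
    conn.request("POST", APPROVE_PATH, body="oauth_token=abc", headers=headers)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


def demo():
    """Run all three variants against a fresh server; returns {mode: status}."""
    server = start_server()
    try:
        return {mode: run_exchange(server.server_address[1], mode)
                for mode in ("none", "forged", "mirror")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(demo())  # expected {'none': 403, 'forged': 403, 'mirror': 200}
```

Run it as a script to see the three statuses. The mirrored header only works as a CSRF defence because a cross-site page can make the browser attach the JSESSIONID cookie but cannot read that cookie or add a custom request header; a client such as Postman or Lyo's own server-side OAuth code, which holds the session cookie itself, just copies the value into X-CSRF-Prevent, which is what the thread ends up doing.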