IBM Jazz + Eclipse Lyo = CSRF problem


Dmitry A. Lesin (24826096) | asked Sep 20 '23, 1:44 p.m.
edited Sep 20 '23, 1:45 p.m.

Hello!
We want to develop an OSLC adapter based on Eclipse Lyo v5.1.1.Final to integrate our custom testing solution with IBM Jazz RM v7.0.2. We created a toolchain model and generated the code. Everything works well until we deploy the adapter on the same server where Jazz is installed. But we need to deploy the OSLC Testing Adapter on an external server. For that, we changed the baseURI from localhost to centosflex in our case. After we changed localhost to another name, we get a CSRF attack problem.


[image: Problem description]

Base URL of the adapter is in the whitelist of JTS.

[image: oslc adapter in whitelist]

I cannot figure out how best to fix the problem. Could I please ask you guys to give me an idea of how best to proceed?
Thank you!

Accepted answer


Ralph Schoon (63.1k33646) | answered Sep 21 '23, 1:18 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

The most important information is missing: the call that causes this. Method? What did you send and what did you get? Which headers did you send? One of my biggest struggles with Lyo has been that it is very hard to see the HTTP data it sends and receives. You need to use a proxy to trace the communication, I think.

Some hints.

  1. Always use a fully qualified host name. Never use localhost, except for the most basic testing. You can always add entries to the hosts file to fake fully qualified host names on your localhost.
  2. As far as I can tell, Jazz servers require the header X-Jazz-CSRF-Prevent with the JSESSIONID sent as its value for POST requests.
  3. I would also consider setting up your server with HTTPS from the very beginning. You eventually want to have this, and the earlier you try it out and get the certificates done, the better.

Dmitry A. Lesin selected this answer as the correct answer

Comments
Ralph Schoon commented Sep 21 '23, 1:19 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

Dmitry A. Lesin commented Sep 21 '23, 10:04 a.m.

Ralph, sorry! You are right! I was trying to describe the case in detail and forgot to point out where I started.

The steps were as follows:
1. Register OSLC adapter in JTS as a friend (it was successful).
2. Go to project area (no GC context) and create an association.

[image: create association]

3. Provide administrator login and password defined in the adapter.

[image: login to adapter]

4. Confirm the administrator credentials.

[image: get the error]

The request can be intercepted in the Eclipse IDE if the OSLC adapter app is started in debugging mode. But control leaves quickly and is apparently transferred to the level of the Lyo libraries, I think, at least.
Thank you!


Ralph Schoon commented Sep 21 '23, 10:55 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

The question is: is this request a POST? If you know which call it is, you should be able to tell. I had to send the X-Jazz-CSRF-Prevent header in my Lyo code.

You can also ask in the Lyo project.


Dmitry A. Lesin commented Sep 25 '23, 12:03 p.m.

It seems that Jazz doesn't participate in this communication. Apparently, the CSRF case is detected by the OAuth application delivered within the Eclipse Lyo libraries.
This is the request analyzed in Chrome DevTools:


[image: Login Request]

It was simulated with only Postman and OSLC adapter (no Jazz):

[image: Postman simulated request]


I believe that the main question can now be whether it's possible to add an "X-CSRF-Prevent" header with the Id of the current session. Or I'm going in an absolutely wrong direction, I don't know.


Ralph Schoon commented Sep 26 '23, 4:55 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

If you use Lyo, you should be able to see the source code and be able to step through the authentication. You should also be able to see if you can add custom headers.

I would also suggest to ask here: https://forum.open-services.net/c/sdks/lyo/  


Ralph Schoon commented Sep 26 '23, 4:57 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER

You can also follow https://rsjazz.wordpress.com/2019/03/07/type-system-manager-part-2/ and find my code. Note that the code was created with an old version of lyo and the way I inject the header might no longer be available.
 


Dmitry A. Lesin commented Sep 28 '23, 2:15 p.m. | edited Sep 28 '23, 2:16 p.m.
Thanks to your tip, I wrote an email to the Lyo team. They gave me another recommendation, aimed at debugging the embedded OAuth app delivered with the libraries within Eclipse. So, the problem was very much like you were saying, but only the "X-CSRF-Prevent" header was needed. It must contain the JSESSIONID value. This is because we send the request to the Lyo adapter, not to Jazz itself.
Anyway, your two tips were very valuable to me and moved me in the right direction.
Thank you very much!
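The header rule from Ralph's hint 2 (X-Jazz-CSRF-Prevent for Jazz) and from the Lyo team's reply quoted in the comment above (X-CSRF-Prevent for the OAuth servlet bundled with Lyo), worked through as an added Python example. This is not code from the thread, from IBM Jazz or from Eclipse Lyo: the client side shows how the header value is taken from the JSESSIONID cookie, and the server-side check models the behaviour the thread describes (header value must equal the session cookie, state-changing methods only) and is an assumption rather than the real Jazz or Lyo implementation. The session id is constructed.

```python
"""Added example (not from the thread, Jazz or Eclipse Lyo): deriving and
checking the CSRF-prevention header discussed above.

Per the thread, Jazz expects X-Jazz-CSRF-Prevent and the OAuth servlet
bundled with Lyo expects X-CSRF-Prevent; in both cases the value must equal
the JSESSIONID cookie of the current session. That is the double-submit
cookie pattern: a cross-site page can make the browser attach the cookie,
but cannot read it to copy it into a custom header, so a POST carrying the
cookie without a matching header is refused. server_accepts() models that
rule; it is an assumption, not the Jazz or Lyo source.
"""
import hmac
from http.cookies import SimpleCookie

JAZZ_HEADER = "X-Jazz-CSRF-Prevent"   # header name from Ralph's hint 2
LYO_HEADER = "X-CSRF-Prevent"         # header name from the Lyo team's reply
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def session_id_from_set_cookie(set_cookie_values):
    """Return the JSESSIONID issued in the login response, or None."""
    for raw in set_cookie_values:
        jar = SimpleCookie()
        jar.load(raw)
        if "JSESSIONID" in jar:
            return jar["JSESSIONID"].value
    return None


def csrf_headers(session_id, header_name=JAZZ_HEADER):
    """Headers a client adds to state-changing requests after login."""
    return {"Cookie": f"JSESSIONID={session_id}", header_name: session_id}


def _header(headers, name):
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def server_accepts(method, headers, header_name=JAZZ_HEADER):
    """Modelled check: safe methods pass; others need header == session cookie."""
    if method.upper() in SAFE_METHODS:
        return True
    jar = SimpleCookie()
    jar.load(_header(headers, "Cookie") or "")
    if "JSESSIONID" not in jar:
        return False          # no session at all: nothing to bind the token to
    token = _header(headers, header_name)
    if token is None:
        return False          # the symptom in the thread: cookie sent, header missing
    # constant-time comparison so the check does not leak the session id
    return hmac.compare_digest(token, jar["JSESSIONID"].value)


def demo():
    """Walk through the thread's scenario with a constructed session id."""
    # constructed login response header, not a real Jazz/Lyo value
    sid = session_id_from_set_cookie(["JSESSIONID=CONSTRUCTED123; Path=/; HttpOnly"])
    results = {
        "jazz_post_with_header": server_accepts("POST", csrf_headers(sid)),
        "jazz_post_cookie_only": server_accepts("POST", {"Cookie": f"JSESSIONID={sid}"}),
        "lyo_post_wrong_header": server_accepts("POST", csrf_headers(sid), LYO_HEADER),
        "lyo_post_right_header": server_accepts("POST", csrf_headers(sid, LYO_HEADER), LYO_HEADER),
        "get_without_header": server_accepts("GET", {"Cookie": f"JSESSIONID={sid}"}),
    }
    return sid, results


if __name__ == "__main__":
    for name, ok in demo()[1].items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

The "lyo_post_wrong_header" case is the situation from the thread: a request that carries the Jazz header name is still rejected by the Lyo adapter, because that component looks for X-CSRF-Prevent. Whichever component you are talking to, the header must be read from the session cookie of that same host, which is also why a localhost deployment can mask the problem while a deployment under a separate host name exposes it.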

Dmitry A. Lesin commented Oct 10 '23, 6:52 a.m.

Yes, a lot of problems went away after testing the solution locally with HTTPS and a self-signed certificate. Thanks!


