Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc
Hi,
the problem here was following:
- GWT RPC requests include X-GWT-* headers to provide additional meta-data, i.e.
[X-GWT-Module-Base: https://whatever/webadmin/webadmin/]
- when processing GWT RPC request, server (RpcServlet) gets X-GWT-Module-Base value and
compares it with current request's context path
- if comparison fails, for example due to extra leading [/ovirt-engine] path element, it
blocks the request as invalid (potential XSRF attack)
Vojtech
----- Original Message -----
From: "Hans-Joachim" <rni(a)chef.net>
To: "Juan Hernandez" <jhernand(a)redhat.com>
Cc: users(a)ovirt.org
Sent: Thursday, August 1, 2013 1:54:55 PM
Subject: Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc
Hello,
thank you... solved....
Hans-Joachim
----- Original Message -----
From: Juan Hernandez
Sent: 08/01/13 12:58 PM
To: Hans-Joachim
Subject: Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc
On 08/01/2013 10:48 AM, Hans-Joachim wrote:
> Hello,
>
> I'm just installing 3.3 Nightly as of July 31st on my CentOS 6.4 server.
>
> When I try to login to the Web I got 'Error 500'
>
> Here the part of server.log
>
> ......
> 2013-08-01 10:40:05,098 ERROR
> [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/webadmin]]
> (ajp--127.0.0.1-8702-6) Exception while dispatching incoming RPC call:
> java.lang.SecurityException: Blocked request without GWT base path
> header (XSRF attack?)
> at
> com.google.gwt.rpc.server.RpcServlet.getClientOracle(RpcServlet.java:95)
> [gwt-servlet.jar:]
> at
> com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:205)
> [gwt-servlet.jar:]
> at
>
com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
> [gwt-servlet.jar:]
> at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
> .......
>
> Hans-Joachim
>
Actually this isn't a problem with GWT RPC, but with the redirection
that is performed from / to /ovirt-engine in the web server. You
probably ended up with the following URL:
https://whatever/ovirt-engine/webadmin/webadmin/WebAdmin.html
This adds an extra "ovirt-engine" path element to the request, that the
server side doesn't expect, so it assumes that there is a XSFR attach
going on. Type an URL like this manually in the browser and it should work:
https://whatever/webadmin/webadmin/WebAdmin.html
--
Dirección Comercial: C/Jose Bardasano Baos, 9, Edif. Gorbea 3, planta
3ºD, 28016 Madrid, Spain
Inscrita en el Reg. Mercantil de Madrid – C.I.F. B82657941 - Red Hat S.L.
_______________________________________________
Users mailing list
Users(a)ovirt.org
http://lists.ovirt.org/mailman/listinfo/users