[Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc

Alon Bar-Lev alonbl at redhat.com
Thu Aug 1 17:57:21 UTC 2013


Should be fixed by [1]


[1] http://gerrit.ovirt.org/#/c/17567/

----- Original Message -----
> From: "Vojtech Szocs" <vszocs at redhat.com>
> To: "Hans-Joachim" <rni at chef.net>
> Cc: "Juan Hernandez" <jhernand at redhat.com>, users at ovirt.org
> Sent: Thursday, August 1, 2013 8:55:33 PM
> Subject: Re: [Users] 3.3 Nightly Built July 31st: Still problems with gwt.rpc
> 
> Hi,
> 
> the problem here was the following:
> 
> - GWT RPC requests include X-GWT-* headers to provide additional meta-data,
> i.e. [X-GWT-Module-Base: https://whatever/webadmin/webadmin/]
> - when processing a GWT RPC request, the server (RpcServlet) gets the
> X-GWT-Module-Base value and compares it with the current request's context path
> - if the comparison fails, for example due to an extra leading [/ovirt-engine]
> path element, it blocks the request as invalid (potential XSRF attack)
> 
> Vojtech
> 
> 
> ----- Original Message -----
> > From: "Hans-Joachim" <rni at chef.net>
> > To: "Juan Hernandez" <jhernand at redhat.com>
> > Cc: users at ovirt.org
> > Sent: Thursday, August 1, 2013 1:54:55 PM
> > Subject: Re: [Users] 3.3 Nightly Built July 31st: Still problems with
> > gwt.rpc
> > 
> > Hello,
> > 
> > thank you... solved....
> > 
> > Hans-Joachim
> > 
> > ----- Original Message -----
> > From: Juan Hernandez
> > Sent: 08/01/13 12:58 PM
> > To: Hans-Joachim
> > Subject: Re: [Users] 3.3 Nightly Built July 31st: Still problems with
> > gwt.rpc
> > 
> > On 08/01/2013 10:48 AM, Hans-Joachim wrote:
> > > Hello,
> > > 
> > > I'm just installing 3.3 Nightly as of July 31st on my CentOS 6.4 server.
> > > 
> > > When I try to log in to the Web I get 'Error 500'
> > > 
> > > Here is the part of server.log
> > > 
> > > ......
> > > 2013-08-01 10:40:05,098 ERROR
> > > [org.apache.catalina.core.ContainerBase.[jboss.web].[default-host].[/webadmin]]
> > > (ajp--127.0.0.1-8702-6) Exception while dispatching incoming RPC call:
> > > java.lang.SecurityException: Blocked request without GWT base path
> > > header (XSRF attack?)
> > >          at
> > > com.google.gwt.rpc.server.RpcServlet.getClientOracle(RpcServlet.java:95)
> > > [gwt-servlet.jar:]
> > >          at
> > > com.google.gwt.rpc.server.RpcServlet.processPost(RpcServlet.java:205)
> > > [gwt-servlet.jar:]
> > >          at
> > > com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
> > > [gwt-servlet.jar:]
> > >          at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
> > > [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
> > > .......
> > > 
> > > Hans-Joachim
> > > 
> > 
> > Actually this isn't a problem with GWT RPC, but with the redirection
> > that is performed from / to /ovirt-engine in the web server. You
> > probably ended up with the following URL:
> > 
> > https://whatever/ovirt-engine/webadmin/webadmin/WebAdmin.html
> > 
> > This adds an extra "ovirt-engine" path element to the request, that the
> > server side doesn't expect, so it assumes that there is an XSRF attack
> > going on. Type a URL like this manually in the browser and it should work:
> > 
> > https://whatever/webadmin/webadmin/WebAdmin.html
> > 
> > 
> > _______________________________________________
> > Users mailing list
> > Users at ovirt.org
> > http://lists.ovirt.org/mailman/listinfo/users
> > 
> 
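
The check Vojtech describes (comparing the path in X-GWT-Module-Base with the servlet context path), as an added example that is not part of the original thread and is not GWT's or oVirt's own code. The class and method names, the `/webadmin` context path and the sample header values are assumptions made for illustration; the comparison here is done on whole path segments.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration, not GWT source: the module-base check described in the thread.
public class ModuleBaseCheck {

    // Returns the module path relative to the context path, or throws if the
    // header is missing, malformed, or points outside this web application.
    // contextPath follows the servlet convention: "" or "/name", no trailing slash.
    static String modulePathFor(String moduleBaseHeader, String contextPath) {
        if (moduleBaseHeader == null) {
            throw new SecurityException("blocked: no module base header");
        }
        String path;
        try {
            // normalize() collapses "." and ".." so "/webadmin/../x/" cannot pass
            path = new URI(moduleBaseHeader).normalize().getPath();
        } catch (URISyntaxException e) {
            throw new SecurityException("blocked: malformed module base header");
        }
        // Compare whole segments so "/webadmin" does not match "/webadmin-evil/"
        String prefix = contextPath + "/";
        if (path == null || !path.startsWith(prefix)) {
            throw new SecurityException("blocked: module base outside " + contextPath);
        }
        return path.substring(contextPath.length());
    }

    public static void main(String[] args) {
        String contextPath = "/webadmin"; // assumed deployment context
        String[] headers = {              // constructed sample header values
            "https://whatever/webadmin/webadmin/",
            "https://whatever/ovirt-engine/webadmin/webadmin/",
            "https://whatever/webadmin-evil/webadmin/",
            null
        };
        for (String h : headers) {
            try {
                System.out.println(h + " -> accepted, module path "
                        + modulePathFor(h, contextPath));
            } catch (SecurityException e) {
                System.out.println(h + " -> " + e.getMessage());
            }
        }
    }
}
```

Only the first sample is accepted; the second is the redirected URL from the thread, whose extra leading path element fails the comparison.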


