Details
- Type: Bug
- Resolution: Fixed
- Priority: Low
- None
- 5.3
- None
Description
The new feature to enable XSRF protection, introduced in Bamboo 5.3, causes a crash if the Tomcat proxy settings are wrongly configured.
Steps to reproduce
- Configure Bamboo to use mod_proxy as detailed here: https://confluence.atlassian.com/display/BAMBOO/Integrating+Bamboo+with+Apache+HTTP+server
- My current settings are like this:
    ProxyRequests Off
    ProxyPreserveHost On
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass /bamboo53 http://localhost:1053/bamboo53
    ProxyPassReverse /bamboo53 http://localhost:1053/bamboo53
    <Location /bamboo53>
        Order allow,deny
        Allow from all
    </Location>
- The Tomcat connector for Bamboo has proxy-related parameters:
    scheme="http" proxyName="sultan-PC" proxyPort="80"
- Set the base URL of Bamboo appropriately using the proxy URL. In my case: http://sultan-pc/bamboo53/
- Try editing the security settings page in Bamboo, or even try changing the base URL, and you will hit the errors below:
2013-12-23 22:35:36,365 INFO [http-bio-1053-exec-4] [AccessLogFilter] bamboo GET http://sultan-PC/bamboo53/rest/menu/latest/appswitcher?_=1387809336291 246387kb
2013-12-23 22:35:39,562 INFO [http-bio-1053-exec-7] [AccessLogFilter] bamboo POST http://sultan-PC/bamboo53/admin/configureSecurity.action 245406kb
2013-12-23 22:35:39,564 WARN [http-bio-1053-exec-7] [BambooXsrfTokenInterceptor] XSRF token validation failed in session:CB91741D0541AB8DEFACB782990944F5 due to XSRF_FAILURE_BAD_REFERRER
2013-12-23 22:35:39,564 ERROR [http-bio-1053-exec-7] [ExceptionMappingInterceptor] XSRF Token Validation failed (XSRF_FAILURE_BAD_REFERRER).
java.lang.IllegalArgumentException: XSRF Token Validation failed (XSRF_FAILURE_BAD_REFERRER).
    at com.atlassian.bamboo.ww2.interceptors.BambooXsrfTokenInterceptor.doIntercept(BambooXsrfTokenInterceptor.java:64)
    at com.atlassian.bamboo.ww2.interceptors.AbstractBambooInterceptor.intercept(AbstractBambooInterceptor.java:34)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.atlassian.xwork.interceptors.AroundInterceptor.intercept(AroundInterceptor.java:25)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at org.apache.struts2.interceptor.FileUploadInterceptor.intercept(FileUploadInterceptor.java:252)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ModelDrivenInterceptor.intercept(ModelDrivenInterceptor.java:100)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.ChainingInterceptor.intercept(ChainingInterceptor.java:145)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.PrepareInterceptor.doIntercept(PrepareInterceptor.java:171)
    at com.opensymphony.xwork2.interceptor.MethodFilterInterceptor.intercept(MethodFilterInterceptor.java:98)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.opensymphony.xwork2.interceptor.I18nInterceptor.intercept(I18nInterceptor.java:161)
    at com.opensymphony.xwork2.DefaultActionInvocation.invoke(DefaultActionInvocation.java:246)
    at com.atlassian.bamboo.ww2.interceptors.GlobalAdminInterceptor.doIntercept(GlobalAdminInterceptor.java:22)
    at com.atlassian.bamboo.ww2.interceptors.AbstractBambooInterceptor.intercept(AbstractBambooInterceptor.java:34)
What is happening in the above example is that, because the proxyName is specified as "sultan-PC", the incoming request 'Host' header value is changed to "sultan-PC", whereas the referrer will have a host of "sultan-pc". As the host comparison is case-sensitive, the 'Referer' check fails. I think, just to be safe, we should perform a case-insensitive comparison of the hosts in the 'Referer' and 'Host' headers.
Note
If one does not give Tomcat any proxy configuration and instead passes the Host header through with the Apache httpd 'ProxyPreserveHost' directive, this issue can be avoided. Because ProxyPreserveHost does not cause the scheme or port to be set properly, one has to explicitly configure the Tomcat connector with scheme="https" and proxyPort="443" when running Bamboo behind an HTTPS proxy. In such a setup we also recommend setting secure="true" in the Tomcat connector configuration.
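The two points above (the case-sensitive host comparison that breaks with proxyName="sultan-PC", and the scheme/port mismatch that appears when the connector does not reflect an HTTPS proxy) are illustrated by the following added example. It is not Bamboo's code: it is a stand-alone Python model of a Referer/Origin check as a servlet container would see the request, where the scheme, server name and port are whatever the Tomcat connector reports (the proxyName/proxyPort/scheme attributes, or the forwarded Host header when ProxyPreserveHost is used). The Referer values and the bamboo.example.com host are constructed for the demonstration; only the sultan-PC/sultan-pc pair comes from the report.

```python
"""Referer/Origin-vs-request-origin check behind a reverse proxy.

Hypothetical illustration, not Bamboo's implementation. The "request origin"
is the (scheme, server name, port) the container reports, i.e. what Tomcat's
connector attributes proxyName/proxyPort/scheme (or a preserved Host header)
make it. Header values below are constructed sample inputs.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(scheme, host, port=None):
    """Canonical (scheme, host, port) tuple.

    Scheme and host are case-insensitive (RFC 3986 sections 3.1 and 3.2.2), so
    both are lower-cased; a missing port means the scheme's default port.
    """
    scheme = scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: %r" % scheme)
    host = host.lower().rstrip(".")
    return scheme, host, int(port) if port else DEFAULT_PORTS[scheme]


def origin_of_url(url):
    """Origin tuple of an absolute http(s) URL, or None if it has no usable host."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in DEFAULT_PORTS or not parts.hostname:
        return None
    return normalize_origin(parts.scheme, parts.hostname, parts.port)


def naive_referer_check(server_name, referer):
    """The failing behaviour from the report: byte-for-byte host comparison.

    With proxyName="sultan-PC" the server name is "sultan-PC" while the
    browser's Referer carries "sultan-pc", so this returns False for a
    perfectly legitimate same-site POST.
    """
    if not referer:
        return False
    netloc = urlsplit(referer).netloc.rsplit("@", 1)[-1]
    referer_host = netloc.split(":")[0]      # naive: ignores IPv6 literals too
    return referer_host == server_name


def hardened_referer_check(scheme, server_name, server_port, headers):
    """Compare Origin (preferred) or Referer with the request's own origin.

    Hosts are compared case-insensitively, and scheme plus effective port must
    match as well: a connector left at scheme="http"/proxyPort="80" behind an
    HTTPS proxy therefore fails here, which is the misconfiguration the Note
    warns about. Returns a short reason string instead of raising.
    """
    expected = normalize_origin(scheme, server_name, server_port)
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return "missing_origin"
    actual = origin_of_url(source)
    if actual is None:
        return "unparseable_origin"
    return "ok" if actual == expected else "bad_origin"


def report_scenario():
    """Constructed replay of the report: same POST, naive vs hardened check."""
    referer = "http://sultan-pc/bamboo53/admin/configureSecurity.action"
    return {
        "naive": naive_referer_check("sultan-PC", referer),
        "hardened": hardened_referer_check("http", "sultan-PC", 80, {"Referer": referer}),
    }


if __name__ == "__main__":
    print(report_scenario())
    # HTTPS proxy with a connector still reporting http/80 vs. a corrected one
    hdrs = {"Referer": "https://bamboo.example.com/bamboo/admin/configureSecurity.action"}
    print(hardened_referer_check("http", "bamboo.example.com", 80, hdrs))
    print(hardened_referer_check("https", "bamboo.example.com", 443, hdrs))
```

The naive check reproduces the XSRF_FAILURE_BAD_REFERRER symptom with nothing but a capitalisation difference, while the hardened check accepts it and still rejects a cross-site Referer. Keeping scheme and port in the comparison is deliberate: it turns a connector that does not reflect the HTTPS proxy into an immediate, diagnosable failure rather than a silent downgrade of the check.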