Hi!
I encountered a problem: a new security filter was added in the new version (updating from 7.10 to 7.11):
With Camunda BPM 7.11.0 we have added the XSS Protection Header to all server responses in conjunction with the Webapps.
So, when I am running my pet project, it's not a big deal, all works as expected. But on my real work project there are some security conflicts. Honestly, I got confused and do not know what to do. And yes, I found a thread with the same problem, but could not solve it.
Let me show the use case.
- Update the Camunda engine from 7.10 to 7.11:
was
<camunda-version>3.2.1</camunda-version>
now
<camunda-version>3.3.1</camunda-version>
Spring-Boot: (v2.1.5.RELEASE)
Camunda BPM: (v7.11.0)
Camunda BPM Spring Boot Starter: (v3.3.1)
- Run Camunda Cockpit on localhost, log in, click on the Cockpit (or Admin) button and get this:
As you can see, Cockpit is not responding.
/api/cockpit/plugin/cockpitPlugins/static/app/plugin.css
throws 404 error.
/api/cockpit/plugin/cockpitPlugins/static/app/plugin.js?bust=7.11.0
throws 404 error.
And some more logs:
org.camunda.bpm.engine.rest.exception.RestException: It was not able to load the following file 'app/plugin.css'.
org.camunda.bpm.engine.rest.exception.RestException: It was not able to load the following file 'app/plugin.js'.
And more logs about filtering…
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:45)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:101)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.camunda.bpm.webapp.impl.engine.ProcessEnginesFilter.applyFilter(ProcessEnginesFilter.java:130)
	at org.camunda.bpm.webapp.impl.filter.AbstractTemplateFilter.doFilter(AbstractTemplateFilter.java:58)
	at org.camunda.bpm.spring.boot.starter.webapp.filter.LazyDelegateFilter.doFilter(LazyDelegateFilter.java:60)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.camunda.bpm.webapp.impl.security.filter.headersec.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:83)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
	at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:71)
	at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:55)
	at org.camunda.bpm.spring.boot.starter.webapp.filter.LazyDelegateFilter.doFilter(LazyDelegateFilter.java:60)
I've tried to use the solution from another forum thread (filter disabling):
import org.springframework.boot.web.servlet.ServletContextInitializer;
import org.springframework.context.annotation.Bean;

// Re-registers a pass-through filter under the name the starter uses for its CSRF filter
// (CSRF_PREVENTION_FILTER is the filter-name constant referenced in that thread).
@Bean
public ServletContextInitializer csrfOverwrite() {
    return servletContext -> servletContext.addFilter(CSRF_PREVENTION_FILTER,
        (request, response, chain) -> chain.doFilter(request, response));
}
So, in debug mode I found the filtering method and added a breakpoint in org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter:
With the filter-disabling config bean (above), this doFilter method doesn't match when I log in and when I use Cockpit. But the page is still not responding.
From @Gregor
Ok, after experimenting a lot with different Web Security configurations I started to set breakpoints inside SpringBootCsrfPreventionFilter and as far as I can tell the issue is not connected to CSRF validation. Visiting /app/welcome/default/ works as expected; the application generates a CSRF token, validates it etc. and shows me the page requested. But once I click on "Cockpit" my SpringBootCsrfPreventionFilter breakpoints are not reached and I get the above pasted exception. I feel like there is a mapping missing or something like that, i.e. the requested file http://localhost:8090/api/cockpit/plugin/cockpitPlugins/static/app/plugin.js?bust=7.11.0 is just not mapped to the right JAR (camunda-webapp-webjar-7.11.0.jar).
Also, in our project there is a common module (BOM file) for all dependencies and configs. It seemed to me that the conflict was there, but when I disabled all security configs, nothing happened. Please tell me what could be the problem?
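An added diagnostic, not from this thread or the Camunda project, for telling a security-filter rejection apart from an unmapped static resource before disabling any filter: it checks the failing plugin URLs for status code plus the presence of the 7.11 security headers, and looks for the asset inside the webjar. It assumes the app on http://localhost:8090 (as in Gregor's post) and a curl cookie jar in cookies.txt; the sample headers at the bottom are constructed for offline use.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Assumption: app at localhost:8090, cookie jar in cookies.txt.
BASE="${CAMUNDA_BASE:-http://localhost:8090}"
COOKIE_JAR="${COOKIE_JAR:-cookies.txt}"

# classify_response STATUS HEADERS
# If the response carries the webapp's security headers, the request traversed the
# filter chain (HttpHeaderSecurityFilter ran), so a 404 is a missing or unmapped
# static resource rather than a request the filters rejected.
classify_response() {
  status="$1"; headers="$2"
  has_sec=$(printf '%s\n' "$headers" \
    | grep -ic -e '^X-XSS-Protection:' -e '^X-Content-Type-Options:' || true)
  case "$status" in
    200) echo "ok" ;;
    403) echo "rejected-by-filter" ;;          # assumption: filter denials surface as 403
    404) if [ "$has_sec" -gt 0 ]; then echo "missing-resource-after-filters"
         else echo "not-found-before-webapp"; fi ;;
    *)   echo "unexpected-$status" ;;
  esac
}

# fetch_and_classify PATH : live check against the running app (HEAD-like, headers only)
fetch_and_classify() {
  path="$1"
  resp=$(curl -s -D - -o /dev/null -b "$COOKIE_JAR" "$BASE$path")
  status=$(printf '%s\n' "$resp" | head -n1 | awk '{print $2}')
  printf '%s %s %s\n' "$status" "$(classify_response "$status" "$resp")" "$path"
}

# asset_in_webjar JAR RELATIVE_PATH : is the static file packaged in the webjar at all?
asset_in_webjar() {
  unzip -l "$1" | grep -q "$2" && echo "present" || echo "absent"
}

# Constructed sample (not a real capture): a 404 that still carries the security headers.
SAMPLE_404_HEADERS='HTTP/1.1 404
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-Type: application/json'

# Live usage, once logged in:
#   fetch_and_classify /app/welcome/default/
#   fetch_and_classify "/api/cockpit/plugin/cockpitPlugins/static/app/plugin.js?bust=7.11.0"
#   asset_in_webjar ~/.m2/repository/org/camunda/bpm/webapp/camunda-webapp-webjar/7.11.0/camunda-webapp-webjar-7.11.0.jar plugin.js
```

A 404 classified as missing-resource-after-filters points at the mapping Gregor suspects, while not-found-before-webapp means the request never reached the Camunda filter chain at all.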