Cannot Create Initial User Error

Hello,
I have Camunda Tomcat running on a Linux box. It is a bit of a temporary situation for a demo. It is running on 8080, under a preexisting domain.

I access it via http://[domain.name]/camunda. I get greeted with the create initial user screen but when I try to submit, I get this error.

There are no errors in the log, but when I inspect the network traffic in the browser I see this under the /create request:

<html lang="en">
<head>
    <title>HTTP Status 403 – Forbidden</title>
    <style type="text/css">
    body {
        font-family: Tahoma, Arial, sans-serif;
    }

    h1, h2, h3, b {
        color: white;
        background-color: #525D76;
    }

    h1 {
        font-size: 22px;
    }

    h2 {
        font-size: 16px;
    }

    h3 {
        font-size: 14px;
    }

    p {
        font-size: 12px;
    }

    a {
        color: black;
    }

    .line {
        height: 1px;
        background-color: #525D76;
        border: none;
    }
    </style>
</head>
<body>
    <h1>HTTP Status 403 – Forbidden</h1>
    <hr class="line"/>
    <p>
        <b>Type</b>
         Status Report
    </p>
    <p>
        <b>Message</b>
         CSRFPreventionFilter: Invalid HTTP Header Token.
    </p>
    <p>
        <b>Description</b>
         The server understood the request but refuses to authorize it.
    </p>
    <hr class="line"/>
    <h3>Apache Tomcat/9.0.52</h3>
</body>
</html>

So it is obviously a csrf thing.
My question is how do I allow this domain in the CSRF config and which file does it go in? I have looked around but can't make much sense of it.

EDIT: I have found this guidance:

I dropped this in the web.xml

  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>targetOrigin</param-name>
      <param-value>http://example.com</param-value>
    </init-param>
    <init-param>
      <param-name>denyStatus</param-name>
      <param-value>404</param-value>
    </init-param>
    <init-param>
      <param-name>randomClass</param-name>
      <param-value>java.security.SecureRandom</param-value>
    </init-param>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count</param-value>
    </init-param>
    <init-param>
      <param-name>enableSecureCookie</param-name>
      <param-value>true</param-value>               <!-- default value is false -->
    </init-param>
    <init-param>
      <param-name>enableSameSiteCookie</param-name>
      <param-value>true</param-value>               <!-- default value is true -->
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

And change the targetOrigin to be my domain (with the :8080) tacked on the end.
However I now get a different error:

And the network response on the /camunda/api/admin/setup/default/user/create resource:

<html>
  <head>
    <style>

    .navbar-header {
      width: 100%;
      position: fixed;
      top: 0;
      left: 0;
      right: 0;
      min-height: 42px;
      z-index: 1030;
      margin-bottom: 0;
      border-top: 3px solid #b5152b;
      box-shadow: 0 2px 10px -4px #555;
      color: #777;
      background-color: #fff;
      font-size: 14px;
    }

    .navbar-header .logo {
      margin-right: 5px;
      fill: #666;
    }
    .navbar-header a {
      text-decoration: none;
    }

    .navbar-header .navbar-brand {
      display: flex;
      align-items: center;
      font-size: 21px;
      line-height: 42px;
      height: 42px;
      padding-top: 0;
      padding-bottom: 0;
      padding-left: 10.5px;
      padding-right: 15px;
      color: #000;
    }

    body {
      font-family: "Helvetica Neue",Helvetica,Arial,sans-serif;
      font-size: 14px;
      line-height: 1.42857143;
      color: #555;
      background-color: #fff;
    }

    .main {
      position: absolute;
      top: 45px;
      bottom: 24px;
      left: 0;
      right: 0;
      overflow: hidden;
      background-color: #e5e5e5;
    }

    .inner {
      margin: 15px 15px 30px 15px;
      background-color: #fff;
      padding: 15px;
      box-shadow: 0 2px 8px -4px #555;
    }

    footer {
      position: fixed;
      padding-right: 15px;
      z-index: 99;
      height: 24px;
      line-height: 24px;
      font-size: smaller;
      bottom: 0;
      left: 0;
      right: 0;
      background-color: #fff;
      border-top: 1px solid #eee;
      color: #777;
      text-align: right;
    }

    footer a {
      color: #155cb5;
      text-decoration: none;
    }

    header {
      overflow: hidden;
      border-bottom: 1px solid #e5e5e5;
      margin-bottom: 15px;
    }

    h1 {
      font-size: 28px;
      margin-top: 5px;
      margin-bottom: 10px;
      font-weight: 100;
    }

    h2 {
      font-weight: normal;
    }
    </style>

    <title>Camunda - Not Found</title>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <div class="navbar-header">
      <a class="navbar-brand" href="#/" title="Camunda - Not Found (404)">
        <svg width="26" height="26" viewBox="0 0 26 26" class="logo"><path d="M13,0 C20.1797017,0 26,5.82029825 26,13 C26,20.1797017 20.1797017,26 13,26 C5.82029825,26 0,20.1797017 0,13 C0,5.82029825 5.82029825,0 13,0 Z M15.9924973,18.7781515 L9.99320872,18.7781515 L9.99320872,22.1683591 L15.9924973,22.1683591 L15.9924973,18.7781515 Z M13,3.83248173 C11.0249014,3.83248173 10.0058211,4.99702477 9.99320872,7.04527521 L9.99320872,7.04527521 L9.99320872,13.69284 L9.99685,13.8998115 C10.0647928,15.8025897 11.0827733,16.8913395 12.985706,16.8913395 C14.9608046,16.8913395 15.9773624,15.7267965 15.9924973,13.678546 L15.9924973,13.678546 L15.9924973,11.9834422 L14.0913912,11.9834422 L14.0913912,13.8105556 L14.0867571,13.9750837 C14.0405969,14.7638347 13.6523228,15.0490913 13.0445637,15.0490913 C12.4105815,15.0490913 11.9977362,14.7245327 11.9977362,13.8105556 L11.9977362,13.8105556 L11.9977362,6.89476748 L12.0023704,6.72991255 C12.0485306,5.93798383 12.4368047,5.62774885 13.0445637,5.64193778 C13.678546,5.64193778 14.0913912,5.99592523 14.0913912,6.90990233 L14.0913912,6.90990233 L14.0913912,8.28044758 L15.9924973,8.28044758 L15.9924973,7.04527521 L15.9888705,6.83655109 C15.9211931,4.91809617 14.9069918,3.83248173 13,3.83248173 Z"></path></svg>
        <span class="brand-name ng-binding">Camunda</span>
      </a>
    </div>
    <div class="main">
      <div class="inner">
        <header>
        <h1>Not Found (404)</h1>
      </header>
        <h2>The Page you are requesting was not found on this server.</h2>
        <p>Try going back to the Front Page and attempting the Action again.</p>
      </div>
    </div>

    <footer>
        Powered by <a href="http://camunda.org">Camunda Platform</a>
    </footer>
  </body>
</html>

I am just giving this the Monday morning bump, I realised I posted it over the weekend.

Hi @SlappyAUS
What browser do you use? Do you get the same result with Firefox?

Same result across all browsers.
Local instance works fine.

I would remove the changes you made based on that article because it states "If you would like to enable the additional Same Origin with Standard Headers verification" but you’re trying to turn it off or allow something.
Can you roll back the changes you made and collect/provide a network trace?

Reverted the config change.
HAR attached
indongo.virtualpostman.co.za.har.txt (3.2 MB)

It looks like an existing problem, can you try the following solutions 1 and 2?

These solutions look like they are for an old bug on the Spring Boot edition. I am using the Tomcat edition so they don't seem applicable.

Is there not some documentation on how to take the Tomcat instance to production?
Like a checklist of config/security issues that need configuring?

You’re right I somehow missed it, my bad.

Have you tried to add “/camunda” inside the web.xml you mentioned in the description? As I understand the documentation it’s a list of URLs that will not be tested.

  <filter>
    <filter-name>CsrfFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
    <init-param>
      <param-name>entryPoints</param-name>
      <param-value>/camunda, /api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count</param-value>
    </init-param>
  </filter>

Like a checklist of config/security issues that need configuring?
I have no idea.

Unfortunately this did not change any behaviour.

The file I am modifying is: /camunda-bpm-tomcat-7.16.0/server/apache-tomcat-9.0.52/conf/web.xml

It has an entry in there by default:

  <!-- CSRF Prevention filter -->
  <filter>
    <filter-name>CsrfPreventionFilter</filter-name>
    <filter-class>org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter</filter-class>
    <!--<init-param>-->
    <!--<param-name>targetOrigin</param-name>-->
    <!--<param-value>http://localhost:8080</param-value>-->
    <!--</init-param>-->
  </filter>
  <filter-mapping>
    <filter-name>CsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>

Hi @SlappyAUS,

you can find a list of considerations and actions here: Security Instructions | docs.camunda.org

Hope this helps, Ingo

This is exceptional, thank you

Ok I have tracked down the issue. It seems Safari for whatever reason was hogging the XSRF cookie and not refreshing it for some reason. I went into a private session and it worked fine. However I manually had to clear the cookie cache for Camunda before it would work.

Does anyone know why this is? Did it somehow get into a weird state that never expired the cookie?
Will this aggressive caching affect my users?

Thanks.
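To make the thread's two findings concrete (the `targetOrigin` / `entryPoints` init-params discussed in the web.xml posts, and the stale-cookie explanation in the last post), here is a small model of the double-check a token-based CSRF filter performs: the token the browser copies from the XSRF-TOKEN cookie into the X-XSRF-TOKEN header must match the token bound to the server session, and, when a target origin is configured, the request's Origin/Referer must match it. This is an added illustration written for this thread, not Camunda's or Tomcat's filter code; the `Request`, `CsrfFilter` and `scenarios` names, the `http://example.com:8080` origin (standing in for the poster's domain:8080) and all cookie and header values are constructed, and `entryPoints` matching is simplified to an exact path match.

```python
"""Model of a session-bound CSRF token check (added illustration, not
Camunda/Tomcat code). All session ids, tokens and request values are
constructed here so the script runs offline."""
import secrets
from dataclasses import dataclass, field

TOKEN_HEADER = "X-XSRF-TOKEN"     # header the web app fills from the cookie
TOKEN_COOKIE = "XSRF-TOKEN"       # cookie the filter hands out on first GET
SESSION_COOKIE = "JSESSIONID"
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}

# Path from the thread's second error; origin is a constructed stand-in.
CREATE_USER = "/camunda/api/admin/setup/default/user/create"
ORIGIN = "http://example.com:8080"


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


class CsrfFilter:
    """target_origin and entry_points mirror the web.xml init-params."""

    def __init__(self, target_origin=None, entry_points=()):
        self.target_origin = target_origin
        self.entry_points = set(entry_points)
        self.sessions = {}  # session id -> CSRF token (stand-in for HttpSession)

    def start_session(self):
        """What the first GET of the web app does: new session, new token,
        both returned to the browser as cookies."""
        sid = secrets.token_hex(8)
        token = secrets.token_hex(16)
        self.sessions[sid] = token
        return {SESSION_COOKIE: sid, TOKEN_COOKIE: token}

    def check(self, req):
        """Decide a request the way the filter does: (status, message)."""
        # Safe methods and listed entry points are never token-checked,
        # so an entry point is an exemption, not a fix.
        if req.method in SAFE_METHODS or req.path in self.entry_points:
            return 200, "OK"
        if self.target_origin:  # optional same-origin check (targetOrigin)
            source = req.headers.get("Origin") or req.headers.get("Referer")
            if not source or not source.startswith(self.target_origin):
                return 403, "origin rejected (constructed message)"
        expected = self.sessions.get(req.cookies.get(SESSION_COOKIE))
        sent = req.headers.get(TOKEN_HEADER)
        if (expected is None or sent is None
                or not secrets.compare_digest(sent.encode(), expected.encode())):
            return 403, "CSRFPreventionFilter: Invalid HTTP Header Token."
        return 200, "OK"


def post_create(flt, cookies, header_token, origin=ORIGIN):
    """Simulate the browser's POST to the create-user endpoint."""
    return flt.check(Request("POST", CREATE_USER,
                             {"Origin": origin, TOKEN_HEADER: header_token},
                             cookies))


def scenarios():
    """Return the status each constructed situation produces."""
    flt = CsrfFilter(target_origin=ORIGIN)
    fresh = flt.start_session()
    results = {}
    # 1. Browser copies the current cookie into the header: accepted.
    results["fresh"] = post_create(flt, fresh, fresh[TOKEN_COOKIE])[0]
    # 2. The Safari case: the server started a new session with a new token,
    #    but the browser kept the old XSRF-TOKEN cookie and echoes that.
    stale = dict(flt.start_session())
    stale[TOKEN_COOKIE] = fresh[TOKEN_COOKIE]
    results["stale_cookie"] = post_create(flt, stale, stale[TOKEN_COOKIE])[0]
    # 3. After clearing cookies and reloading, a fresh pair matches again.
    cleared = flt.start_session()
    results["after_clear"] = post_create(flt, cleared, cleared[TOKEN_COOKIE])[0]
    # 4. Valid token but a different origin: rejected once targetOrigin is set.
    results["wrong_origin"] = post_create(
        flt, cleared, cleared[TOKEN_COOKIE], origin="http://other.example")[0]
    # 5. Listing the path under entryPoints skips the check entirely.
    lax = CsrfFilter(entry_points={CREATE_USER})
    results["entry_point"] = lax.check(Request("POST", CREATE_USER))[0]
    return results


if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:>13}: {status}")
```

The stale-cookie scenario is the one that produces the thread's "Invalid HTTP Header Token" without any config change: the header value is whatever the browser still holds in the cookie, so a cookie that is not refreshed after the server session changes fails the comparison until it is cleared. The entry-point scenario shows why adding the create path to `entryPoints` would silence the error only by removing the protection for that request, which is the opposite of what the target-origin setting is for.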