CSRF Token not being validated on some TaskList XHR

Mauro_Della_Chiesa · February 5, 2018, 5:05pm

Hello,

I wanted to add Google OAuth2 authentication to the Spring Boot version of Camunda, which I started by using camunda-archetype-spring-boot archetype, so I found this repository that gave me enough information on how to do so: https://github.com/OKaluzny/spring-boot-security-oauth2-google

It worked like a charm! I was able to access my controllers and Camunda’s apps only once the user is authenticated with Google.
But then I realized a problem on the Tasklist, which I intend the system’s users to use from time to time, there is an XHR POST request failing because of a missing CSRF Token.

The message I’m getting on the response is the generic one from Spring:

“Invalid CSRF Token ‘null’ was found on the request parameter ‘_csrf’ or header ‘X-XSRF-TOKEN’.”

Which led me to think that my inclusion of Google’s OAuth2 might have broken something. But today, while doing some more analysis, I found that the Cockpit does a similar call (or at least that is what I can tell with my limited knowledge of Camunda’s implementation) but already provides the X-XSRF-TOKEN and makes the app work fine.
So now I’m wondering if this is an issue on the Task list implementation which should be fixed once the request gets the header X-XSRF-TOKEN added. Can someone help me determine that?

Here is an image that should help understand what I mean

Thanks!

Mauro_Della_Chiesa · February 15, 2018, 3:25pm

I can explain or add more detail if the scenario I’m describing is not clear enough. Just let me know.
Thanks!

Yana · February 15, 2018, 4:45pm

Hi,

Why do you think that the problem is coming from Tasklist implementation?

Best regards,
Yana

Mauro_Della_Chiesa · February 15, 2018, 6:11pm

Hi Yana, thanks for replying!
It is just a guess I did based on the fact that a similar call done to the Cockpit application does not give me the same error response. In fact, other non POST calls to the Tasklist return 200.

Please, let me know what you think

Yana · February 19, 2018, 2:51pm

Hi,

Neither Tasklist nor Cockpit provide xsrf token from engine side. We use only jsessionid cookie to determinate the user’s session.
Could you please check Google OAuth2 specification if the token is coming from there?

Best regards,
Yana

Mauro_Della_Chiesa · February 21, 2018, 8:23pm

Indeed, the xsrf token is coming from the addition I made with the Google oauth2 example I mentioned. The weird thing I noted is that for some requests it works fine and for others (POST requests?) it does not work on the Task list.

I realized just now that I pasted the same image for both requests described on the first post. The correct image for the cockpit is this one:

We ended up following another path that involved getting rid of the Cockpit and Tasklist apps so we do not actually need this fixed but would love to know what you guys think.

Thanks!