Hi all,
I upgraded Camunda from version 7.9.0 to 7.10.0. I followed the instructions from this page https://docs.camunda.org/manual/latest/update/minor/79-to-710/ and did the following steps for the upgrade:
- Since I’m using Spring Boot, I checked the compatible versions on this page https://docs.camunda.org/manual/latest/user-guide/spring-boot-integration/version-compatibility/ and updated the Camunda dependencies:
  ```xml
  <camunda.version>7.10.0</camunda.version>
  <camunda.spring.boot.starter.version>3.1.0</camunda.spring.boot.starter.version>
  ```
  The Spring Boot version is 2.0.3.RELEASE.
- Executed all SQL scripts related to the Camunda 7.10.0 upgrade.
The upgrade went well and I was able to start the Camunda application. The main reason for upgrading to 7.10.0 is the prevention of Cross-Site Request Forgery attacks.
This documentation page https://docs.camunda.org/manual/latest/update/minor/79-to-710/#csrf-prevention-in-the-webapps says that if we want to use the CSRF security enhancement we need to enable the “CsrfPreventionFilter”, so I enabled it with the code below:
```java
@Bean
public CsrfPreventionFilter csrfPreventionFilter() {
    CsrfPreventionFilter csrfPreventionFilter = new CsrfPreventionFilter();
    // Comma-separated list of URLs the filter treats as entry points (no token required)
    csrfPreventionFilter
        .setEntryPoints("/api/engine/engine/default/history/task/count, /api/engine/engine/default/history/variable/count");
    return csrfPreventionFilter;
}
```
With the filter enabled, I cannot perform a CSRF attack; if I try, I get the following error:
`(type=Forbidden, status=403). CSRFPreventionFilter: Token provided via HTTP Header is absent/empty.`
This is all great, Camunda 7.10.0 solves the CSRF issues, but with CsrfPreventionFilter enabled a lot of other issues occurred.
I cannot:
- create a new user in Camunda (`"status":403,"error":"Forbidden","message":"CSRFPreventionFilter: Invalid HTTP Header Token."`)
- delete a user (`"status":403,"error":"Forbidden","message":"CSRFPreventionFilter: Invalid HTTP Header Token."`)
- log out a user (`"status":403,"error":"Forbidden","message":"CSRFPreventionFilter: Invalid HTTP Header Token."`)
- open Tasklist (same error; in the console I also get `<- Unsuccessful HTTP response`)
If I disable CsrfPreventionFilter everything works fine, but the purpose of upgrading is to solve the CSRF issues.
After doing some research and debugging CsrfPreventionFilter I found the following:
When I open the login page (http://localhost:8090/app/welcome/default/#/login) I get two cookies, JSESSIONID and XSRF-TOKEN.
By debugging I found out that a CSRF token is generated for the current session, its value is set as the session attribute CAMUNDA_CSRF_TOKEN, and the same value is set in the response header X-XSRF-TOKEN.
Then, when I log in and get to the welcome page (http://localhost:8090/app/welcome/default/#/welcome), I get a new JSESSIONID, and since the old session is invalidated and the new session doesn’t have the CAMUNDA_CSRF_TOKEN attribute, a new CSRF token is generated and set as the value of CAMUNDA_CSRF_TOKEN and of the X-XSRF-TOKEN response header.
In the browser, I can now see that I have two XSRF-TOKEN cookies, one that I got on the login page and one that I got when I accessed the welcome page.
Now with every subsequent request, I can see that the X-XSRF-TOKEN header is sent with the old, outdated value, so in the request headers the value of XSRF-TOKEN from the cookie and the value of X-XSRF-TOKEN differ. Because of this, when the CSRF token is validated there is a mismatch between the token from the header and the token from the session, and the result is “Invalid HTTP Header Token.”
Also, just to be sure that this is the cause of the problems, I did the following: I went to the welcome page and deliberately deleted the old XSRF-TOKEN cookie that I got on the login page, and for the new one I changed the path attribute of the cookie to be the same as in the JSESSIONID cookie. By doing this I was able to trick the browser into sending the right cookie, and as a result everything works fine and all the above-mentioned problems no longer exist.
Is there something that I’m missing in the upgrade steps, or does anyone have a similar or the same problem?
It seems to me that on the backend everything works fine, but for some reason on the frontend side requests are sent with the wrong X-XSRF-TOKEN header.
Thanks in advance.
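As an added illustration (not Camunda's code and not the poster's), the following Python model reproduces the cookie-path problem described in the post: the filter's session-versus-header comparison, a browser cookie store that selects cookies by path, and a client that copies the XSRF-TOKEN cookie it can see into the X-XSRF-TOKEN header. The cookie paths "/" and "/app/welcome" and the client's copy-the-first-cookie behaviour are assumptions made for the demonstration.

```python
import secrets

# Constructed model of the flow described in the post: the filter stores a token in the
# session (CAMUNDA_CSRF_TOKEN) and compares it with the X-XSRF-TOKEN request header; the
# browser-side client fills that header from the XSRF-TOKEN cookie it can see for the URL.
API_PATH = "/api/engine/engine/default/history/task/count"


class CookieJar:
    """Minimal RFC 6265 store: one cookie per (name, path); the same key overwrites."""

    def __init__(self):
        self.cookies = {}

    def set(self, name, value, path):
        self.cookies[(name, path)] = value

    def cookies_for(self, request_path):
        # RFC 6265 path-match; longer (more specific) paths are listed first, as browsers do.
        matches = [(n, p, v) for (n, p), v in self.cookies.items()
                   if request_path == p or request_path.startswith(p.rstrip("/") + "/")]
        matches.sort(key=lambda c: len(c[1]), reverse=True)
        return [(n, v) for n, _, v in matches]


def client_header_token(jar, request_path):
    """Client behaviour (assumed): copy the first visible XSRF-TOKEN cookie into the header."""
    return next((v for n, v in jar.cookies_for(request_path) if n == "XSRF-TOKEN"), None)


def issue_token(session, jar, cookie_path):
    """Server: generate the token once per session and hand it to the browser as a cookie."""
    token = session.setdefault("CAMUNDA_CSRF_TOKEN", secrets.token_hex(16))
    jar.set("XSRF-TOKEN", token, cookie_path)


def validate(session, header_token):
    """Server: the filter's check (reconstructed); returns the post's error text or None."""
    if not header_token:
        return "CSRFPreventionFilter: Token provided via HTTP Header is absent/empty."
    if not secrets.compare_digest(header_token, session.get("CAMUNDA_CSRF_TOKEN", "")):
        return "CSRFPreventionFilter: Invalid HTTP Header Token."
    return None


def login_flow(welcome_cookie_path):
    """Login page issues token #1, login invalidates the session, the welcome page issues
    token #2 for the new session, then the client calls the REST API (paths constructed)."""
    jar = CookieJar()
    issue_token({}, jar, "/")                        # token #1, login-page session
    welcome = {}                                     # new session after login
    issue_token(welcome, jar, welcome_cookie_path)   # token #2, only valid one now
    return validate(welcome, client_header_token(jar, API_PATH))
```

With the second cookie scoped to a narrower path, the API request only sees the stale cookie from the login page and the filter rejects it; when both cookies share the JSESSIONID path ("/"), the new one replaces the old and validation succeeds.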