Reason for failed POST to .../api/tokens in Tomcat 8 and 9?


Reason for failed POST to .../api/tokens in Tomcat 8 and 9?

Victor Norman
Friends,

We are trying to upgrade a server that uses Guacamole / Tomcat7 on Ubuntu 16.04 to Ubuntu 18.04 or 20.04 with Tomcat 8 or 9.

You can try out the server yourself, by going to http://agora.cs.calvin.edu:8080/.

Each time we get close to having it work, we see this error show up in the console of the browser:

POST http://agora.cs.calvin.edu:8080/agora/api/tokens 403

Drilling down on that in Chrome, I find:


Request URL: http://agora.cs.calvin.edu:8080/agora/api/tokens
Request Method: POST
Status Code: 403
Remote Address: 153.106.116.108:8080
Referrer Policy: no-referrer-when-downgrade

Response Headers:
Content-Type: application/json
Date: Tue, 23 Jun 2020 16:42:56 GMT
Transfer-Encoding: chunked

Request Headers:
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=F61EBB3764D21F4A6161304BB9D820EF; JSESSIONID=BA81E2D37D390F411711FAB57F5B8DBF
DNT: 1
Host: agora.cs.calvin.edu:8080
Origin: http://agora.cs.calvin.edu:8080
Pragma: no-cache
Referer: http://agora.cs.calvin.edu:8080/agora/
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.106 Mobile Safari/537.36

What is this request to POST to ../api/tokens?

Is this some new security added in tomcat8 or 9 that we need to account for?  Or is it a file permissions issue somehow?

I'd really appreciate any insight anyone has.

Thanks.


Prof. Victor Norman
Computer Science
Calvin College University
[hidden email]
-----
"A designer knows he has achieved perfection not when there is nothing left to add, but when there is nothing left to take away." -- Antoine de Saint Exupéry



Re: Reason for failed POST to .../api/tokens in Tomcat 8 and 9?

Christopher Schultz-2

Victor,

On 6/23/20 13:08, Victor Norman wrote:

> We are trying to upgrade a server that uses Guacamole / Tomcat7 on
> Ubuntu 16.04 to Ubuntu 18.04 or 20.04 with Tomcat 8 or 9.
>
> You can try out the server yourself, by going to
> http://agora.cs.calvin.edu:8080/.
>
> Each time we get close to having it work, we see this error show up
> in the console of the browser:
>
> POST http://agora.cs.calvin.edu:8080/agora/api/tokens 403

403 is obviously "forbidden". That can happen for a lot of reasons,
most of them likely in your application.

> Drilling down on that in Chrome, I find:
>
>
> * Request URL: http://agora.cs.calvin.edu:8080/agora/api/tokens *
> Request Method: POST * Status Code: 403 * Remote Address:
> 153.106.116.108:8080 * Referrer Policy: no-referrer-when-downgrade
> 1.  Response Headersview source * Content-Type: application/json *
> Date: Tue, 23 Jun 2020 16:42:56 GMT * Transfer-Encoding: chunked 2.
> Request Headersview source * Accept: application/json, text/plain,
> */* * Accept-Encoding: gzip, deflate * Accept-Language:
> en-US,en;q=0.9 * Cache-Control: no-cache * Connection: keep-alive
> * Content-Length: 0 * Content-Type:
> application/x-www-form-urlencoded * Cookie:
> JSESSIONID=F61EBB3764D21F4A6161304BB9D820EF;
> JSESSIONID=BA81E2D37D390F411711FAB57F5B8DBF * DNT: 1 * Host:
> agora.cs.calvin.edu:8080 * Origin: http://agora.cs.calvin.edu:8080

Since you have an "Origin" header, is this a REST call? Are you using
CORS? Has it been configured correctly?

> * Pragma: no-cache * Referer:
> http://agora.cs.calvin.edu:8080/agora/ * User-Agent: Mozilla/5.0
> (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36
> (KHTML, like Gecko) Chrome/83.0.4103.106 Mobile Safari/537.36
>
> What is this request to POST to ../api/tokens?

This must be something Guacamole-related, or in your own application.
Tomcat won't do this.

> Is this some new security added in tomcat8 or 9 that we need to
> account for?  Or is it a file permissions issue somehow?
>
> I'd really appreciate any insight anyone has.

It's tough to say why you are getting this response. You will probably
have to dig into your application's logs to see what is happening. If
you have CORS enabled, it's very easy to get that configuration wrong
and lock clients out.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


Re: Reason for failed POST to .../api/tokens in Tomcat 8 and 9?

Konstantin Kolinko
In reply to this post by Victor Norman
Tue, 23 Jun 2020 at 20:08, Victor Norman <[hidden email]>:
>
> Cookie:
> JSESSIONID=F61EBB3764D21F4A6161304BB9D820EF; JSESSIONID=BA81E2D37D390F411711FAB57F5B8DBF

1) Having two session cookies is not a crime, but why?

(It is not a cause of this issue. Just an odd configuration.)

I see that when I go to http://agora.cs.calvin.edu:8080/
I receive an HTML page with "<meta http-equiv="refresh"
content="0;URL=http://agora.cs.calvin.edu:8080/agora/">" and a
Set-Cookie header in the response.  That page does not need a session
and thus does not need to send the session cookie.

If that HTML response is generated by a JSP page, use <%@page session="false"%>.

(Also, I wonder whether one needs to return an HTML page at all? A JSP page
may generate a redirect response with HTTP status code 302 by using <%
response.sendRedirect(...) %> code instead of relying on a "meta
refresh" element of HTML.)

2)
> Content-Length:
> 0

The POST request sends no data: the content length is zero.
Looking at the source code [1], if I read it correctly, I think
that it actually expects a username and a password.

Why was such a request sent?

[1] https://github.com/apache/guacamole-client/blob/master/guacamole/src/main/java/org/apache/guacamole/rest/auth/TokenRESTService.java

3) Guacamole is an Apache project. You may be better off asking on their mailing list:

[2] https://guacamole.apache.org/support/#mailing-lists
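An added example, not code from this thread or from Tomcat or Guacamole, that checks captured HTTP text for the three things Konstantin points out: the zero-length form POST to /api/tokens, the duplicated JSESSIONID cookie, and a landing page that creates a session and uses a meta refresh where a plain 302 would do. The request headers are taken from the first post; the landing-page response (status, Set-Cookie value, body) is constructed for the example.

```python
import re

# Request headers as shown in the first post (values copied from the thread)
TOKEN_REQUEST = """\
Content-Length: 0
Content-Type: application/x-www-form-urlencoded
Cookie: JSESSIONID=F61EBB3764D21F4A6161304BB9D820EF; JSESSIONID=BA81E2D37D390F411711FAB57F5B8DBF
Origin: http://agora.cs.calvin.edu:8080
"""

# Landing-page response of the kind described in the reply (constructed sample)
LANDING_STATUS = 200
LANDING_HEADERS = "Set-Cookie: JSESSIONID=CONSTRUCTEDSAMPLEVALUE000000000; Path=/; HttpOnly\n"
LANDING_BODY = ('<html><head><meta http-equiv="refresh" '
                'content="0;URL=http://agora.cs.calvin.edu:8080/agora/"></head></html>')


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse 'Name: value' lines case-insensitively; a header name may repeat."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def duplicate_cookie_names(cookie_header: str) -> list[str]:
    """Cookie names sent more than once in a single Cookie header."""
    names = [p.split("=", 1)[0].strip() for p in cookie_header.split(";") if "=" in p]
    return sorted({n for n in names if names.count(n) > 1})


def check_token_request(raw_headers: str) -> list[str]:
    """Explain why this POST to /api/tokens cannot be a valid login attempt."""
    h = parse_headers(raw_headers)
    findings = []
    if h.get("content-length", ["0"])[0] == "0":
        findings.append("empty body: form POST carries no username/password fields")
    for cookie in h.get("cookie", []):
        for name in duplicate_cookie_names(cookie):
            findings.append(f"duplicate cookie {name}: probably set for two different paths")
    return findings


def check_landing_response(status: int, raw_headers: str, body: str) -> list[str]:
    """Flag a session created, or a meta refresh used, where a 302 without a session would do."""
    h = parse_headers(raw_headers)
    findings = []
    if any(c.startswith("JSESSIONID=") for c in h.get("set-cookie", [])):
        findings.append('Set-Cookie JSESSIONID: page needs no session (use <%@page session="false"%>)')
    if status != 302 and re.search(r'http-equiv="refresh"', body, re.I):
        findings.append(f"meta refresh with status {status}: prefer response.sendRedirect (302)")
    return findings
```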
