
Using the Java API to push resources to the registry of APIM 2.0.0 fails.

The same code used against APIM 1.10.0 succeeds.

Example code to reproduce is of the sort

    import java.io.File;
    import java.net.URL;

    import org.wso2.carbon.registry.app.RemoteRegistry;
    import org.wso2.carbon.registry.core.utils.RegistryClientUtils;

    public class RegistryImport {
        public static void main(String[] args) throws Exception {
            String tenantDomain = "mytenant.com";
            String url = "https://localhost:9443/t/" + tenantDomain + "/registry";
            String userName = "admin@mytenant.com";
            String password = "admin";

            System.setProperty("carbon.repo.write.mode", "true");

            // Get the file which needs to be added to the registry
            File file = new File("/home/bob/Desktop/myPayload.json");
            RemoteRegistry remote_registry = new RemoteRegistry(new URL(url), userName, password);

            // Import the file to the config registry
            RegistryClientUtils.importToRegistry(file, "/_system/config", remote_registry);

            // Export from the registry
            // RegistryClientUtils.exportFromRegistry(file, "/_system/governance/SomePayload.json", remote_registry);
        }
    }

The call to RegistryClientUtils.importToRegistry(file, "/_system/config", remote_registry) fails. The same code run against APIM 1.10.0 works fine, as it has always done with other products like the ESB.

Typical exception is:

    Caused by: org.wso2.carbon.registry.core.exceptions.RegistryException: Add resource fail. Suggested Path: /_system/governance/apimgt/applicationdata/customdata/somedata, Response Status: 403, Response Type: CLIENT_ERROR
        at org.wso2.carbon.registry.app.RemoteRegistry.put(RemoteRegistry.java:543)
        at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:113)
        at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
        at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
        at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
        at org.wso2.carbon.registry.core.utils.RegistryClientUtils.importToRegistry(RegistryClientUtils.java:65)

And in the APIM 2.0.0 log we typically see:

    [2016-08-18 15:57:34,699] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/registry/atom/_system/governance/apimgt/applicationdata/customdata/somedata, error:required token is missing from the request)


3 Answers


APIM 2.0.0 is missing a line in the configuration of CSRF. The registry endpoint needs to be added to those configured for store and publisher. Add the end-point in the "Owasp.CsrfGuard.Carbon.properties" file found in the [APIM_HOME]/repository/conf/security directory. At the end of this file, add the line given below.

    org.owasp.csrfguard.unprotected.registry=%servletContext%/t/*


It seems the API call is blocked by the CSRF filter. Can you open carbon.xml, whitelist the URL you are using, and check again?

ycr
  • Thanks. I have tried that to no avail. It seems to rely on the HTTP referrer header. Are you sure the Registry API code is setting this? – maddaneccles Aug 22 '16 at 10:46
  • The information in [link](https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks) states: The tag includes a list of sources that are associated with legitimate requests so that the Valve can check the referrer header in order to validate whether the request is coming from a server included in the white list. I have confirmed that (as expected) there is no referrer HTTP header in the requests the registry API generates – maddaneccles Aug 22 '16 at 14:07

Try adding below line at the end of <APIM_HOME>/repository/conf/security/Owasp.CsrfGuard.Carbon.properties file.

    org.owasp.csrfguard.unprotected.reg=%servletContext%/registry/*

Update: The same error occurs due to a bug in JDK 1.8.0_151.

See wso2 api manger carbon page gives 403 Forbidden

Bee
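The two answers above that edit Owasp.CsrfGuard.Carbon.properties add different `unprotected` patterns (`%servletContext%/t/*` versus `%servletContext%/registry/*`), and it is worth checking which blocked URIs each one actually exempts, and how much else it exempts, before putting it into a production file. The following script is an added example for this page and is not code from the question, from WSO2 or from OWASP CSRFGuard. It parses the CSRFGuard warning line format that Carbon writes (the first sample line is the one quoted in the question; the second is a constructed variant with the tenant prefix used in the question's URL), reads `org.owasp.csrfguard.unprotected.*` entries from a properties fragment, and reports which entries cover which blocked URIs. The matching rules in `pattern_matches` (regex between `^` and `$`, trailing `*` as a prefix match, otherwise exact) are a simplified model of CSRFGuard's behaviour and are an assumption, as is expanding `%servletContext%` to the empty string for a server deployed at the root context; `exempts_more_than_registry` is a heuristic of my own, not a CSRFGuard rule.

```python
"""Check which CSRFGuard `unprotected` entries would exempt the URIs that the
carbon log reports as blocked. Added example; not WSO2 or CSRFGuard code."""
import re
from typing import Dict, List

# Matches the warning format quoted in the question.
CSRF_WARN = re.compile(
    r"\(CSRF\) attack thwarted \(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), "
    r"method:(?P<method>[^,]*), uri:(?P<uri>[^,]*), error:(?P<error>[^)]*)\)"
)
UNPROTECTED_KEY = "org.owasp.csrfguard.unprotected."

# Constructed sample log: line 1 is the question's own log line, line 2 is a
# made-up variant carrying the /t/<tenant>/ prefix from the question's URL,
# line 3 is unrelated noise that must be ignored.
SAMPLE_LOG = """\
[2016-08-18 15:57:34,699] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/registry/atom/_system/governance/apimgt/applicationdata/customdata/somedata, error:required token is missing from the request)
[2016-08-18 15:58:01,102] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:PUT, uri:/t/mytenant.com/registry/atom/_system/config/myPayload.json, error:required token is missing from the request)
[2016-08-18 15:58:05,500] INFO - SomeOtherLogger unrelated line, nothing to do with CSRF
"""

# Constructed property fragments: just the lines the two answers propose.
PROPS_ANSWER1 = "org.owasp.csrfguard.unprotected.registry=%servletContext%/t/*\n"
PROPS_ANSWER3 = "org.owasp.csrfguard.unprotected.reg=%servletContext%/registry/*\n"


def parse_csrf_warnings(log_text: str) -> List[Dict[str, str]]:
    """Return one dict (user, ip, method, uri, error) per CSRFGuard warning line."""
    warnings = []
    for line in log_text.splitlines():
        m = CSRF_WARN.search(line)
        if m:
            warnings.append(m.groupdict())
    return warnings


def parse_unprotected(props_text: str, servlet_context: str = "") -> Dict[str, str]:
    """Map each `unprotected` entry name to its pattern with %servletContext%
    expanded. servlet_context="" assumes Carbon is deployed at the root context."""
    entries: Dict[str, str] = {}
    for raw in props_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.startswith(UNPROTECTED_KEY):
            entries[key[len(UNPROTECTED_KEY):]] = value.replace("%servletContext%", servlet_context)
    return entries


def pattern_matches(pattern: str, uri: str) -> bool:
    """Simplified model of CSRFGuard unprotected-page matching (an assumption,
    not the library's code): ^...$ is a regex, a trailing * is a prefix match,
    anything else must match exactly."""
    if pattern.startswith("^") and pattern.endswith("$"):
        return re.fullmatch(pattern[1:-1], uri) is not None
    if pattern.endswith("*"):
        return uri.startswith(pattern[:-1])
    return uri == pattern


def coverage_report(props_text: str, log_text: str, servlet_context: str = "") -> Dict[str, List[str]]:
    """For every URI CSRFGuard blocked, list the entry names that would exempt it
    (an empty list means the URI would still be blocked after the change)."""
    patterns = parse_unprotected(props_text, servlet_context)
    report: Dict[str, List[str]] = {}
    for w in parse_csrf_warnings(log_text):
        report[w["uri"]] = sorted(name for name, pat in patterns.items() if pattern_matches(pat, w["uri"]))
    return report


def exempts_more_than_registry(pattern: str) -> bool:
    """Heuristic: a prefix wildcard whose literal part does not pin down the
    registry servlet switches CSRF checks off for every other path under it too."""
    return pattern.endswith("*") and "/registry" not in pattern[:-1]


if __name__ == "__main__":
    for label, props in (("answer 1", PROPS_ANSWER1), ("answer 3", PROPS_ANSWER3)):
        print(f"--- {label} ---")
        for name, pat in parse_unprotected(props).items():
            print(f"{name}={pat}  exempts more than the registry: {exempts_more_than_registry(pat)}")
        for uri, hits in coverage_report(props, SAMPLE_LOG).items():
            print(f"{uri} -> {hits if hits else 'still blocked'}")
```

Run against the two sample lines, answer 3's `/registry/*` exempts the super-tenant path from the question's log but not a tenant-prefixed `/t/<tenant>/registry/...` request, while answer 1's `/t/*` does the reverse and, per the heuristic, also exempts every other tenant-scoped path, so a regex entry that pins both prefixes to the registry servlet is the narrower option if both request shapes occur.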