VaadinWebSecurity does not ignore CSRF for Flow PUSH connection request #19075

Closed
mcollovati opened this issue Apr 2, 2024 · 4 comments · Fixed by #19085

Comments

@mcollovati
Collaborator

Description of the bug

Given a Vaadin 24.3 application with security configured through VaadinWebSecurity, the PUSH connections fail right after login with a 403 error, because Spring Security complains about an invalid CSRF token.
However, when the protected page is reloaded, the PUSH connections are correctly established.


2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing POST /VAADIN/push?v-r=push&debug_window&token=bbcccf73-3299-443e-a767-066584ca8495&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=44c5fba3-a76a-4c86-a56c-50c17dcc887f
2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=user, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, CredentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=2949F5403A070331A08F02896D9BD6D9], Granted Authorities=[ROLE_USER]]]
2024-04-02T08:47:06.190+02:00 DEBUG 65418 --- [nio-8080-exec-3] o.s.security.web.csrf.CsrfFilter         : Invalid CSRF token found for http://localhost:8080/VAADIN/push?v-r=push&debug_window&token=bbcccf73-3299-443e-a767-066584ca8495&X-Atmosphere-Transport=close&X-Atmosphere-tracking-id=44c5fba3-a76a-4c86-a56c-50c17dcc887f

The issue seems to be that the Flow PUSH connection requests (/VAADIN/push) are no longer identified as framework requests by HandlerHelper.isFrameworkInternalRequest().
To be noted: for Hilla PUSH connections, there is a specific method (HandlerHelper.isHillaPush()) that checks for /HILLA/push.

Expected behavior

The Spring CSRF check should be skipped for Vaadin PUSH connections, since they have their own built-in protection mechanism.

Minimal reproducible example

  • Use start.vaadin.com to create an application with protected views and login page
  • Try to navigate to a protected page, the login view should be shown
  • Enter credentials and verify that Vaadin PUSH connection requests fail with a 403 status code

Versions

  • Vaadin / Flow version: 24.3
  • Java version: 17
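The behaviour described above (Spring Security's CsrfFilter rejecting POSTs to /VAADIN/push because VaadinWebSecurity no longer treats them as framework-internal) can be worked around on the application side until the HandlerHelper fix is in place, by explicitly excluding the Flow push endpoint from CSRF protection in the application's VaadinWebSecurity subclass. The example below is added here; it is not code from the issue, from the linked PR, or from the Vaadin project. It assumes Spring Security 6's `http.csrf(csrf -> csrf.ignoringRequestMatchers(...))` API, the `configure(HttpSecurity)` and `setLoginView` hooks of VaadinWebSecurity, and that Flow push requests are recognisable by the `/VAADIN/push` path plus the `v-r=push` parameter seen in the debug log; the class and view names (`SecurityConfig`, `LoginView`) are placeholders.

```java
import com.vaadin.flow.spring.security.VaadinWebSecurity;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.util.matcher.RequestMatcher;

/**
 * Application security configuration (hypothetical example, not the project's
 * own fix). It keeps the standard VaadinWebSecurity setup but additionally
 * excludes Flow PUSH requests from Spring Security's CSRF check, which is what
 * the issue reports as missing: only the POST "ping" requests are affected,
 * since the initial connection is a GET and CsrfFilter does not check GETs.
 */
@Configuration
@EnableWebSecurity
public class SecurityConfig extends VaadinWebSecurity {

    /**
     * Matches Flow PUSH requests: path ending in /VAADIN/push and the
     * v-r=push request parameter, as seen in the CsrfFilter debug log line
     * quoted in the issue. The shape of the check is an assumption made for
     * this example; it is not HandlerHelper.isFrameworkInternalRequest().
     */
    static final RequestMatcher FLOW_PUSH = SecurityConfig::isFlowPush;

    static boolean isFlowPush(HttpServletRequest request) {
        String uri = request.getRequestURI();
        return uri != null
                && uri.endsWith("/VAADIN/push")
                && "push".equals(request.getParameter("v-r"));
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Excluding this endpoint does not weaken CSRF protection: the PUSH
        // channel carries its own token (the "token=" parameter in the log),
        // which is the built-in mechanism the issue refers to.
        http.csrf(csrf -> csrf.ignoringRequestMatchers(FLOW_PUSH));

        // Let VaadinWebSecurity register its own CSRF exclusions and the
        // Vaadin request matchers; ignoringRequestMatchers is additive, so
        // both sets of matchers stay in effect.
        super.configure(http);

        // Placeholder login view; replace with the application's own.
        setLoginView(http, LoginView.class);
    }
}
```

Once the fixed Vaadin version is in use (24.3.10 or 24.4.0.alpha21 and later, per the release notes below), the explicit exclusion becomes redundant and can be dropped; keeping it is harmless but hides a regression should the framework-internal check change again. Verify the workaround the same way the issue is reproduced: log in on a protected view and confirm that POST /VAADIN/push?v-r=push requests now return 200 rather than 403 in the Spring Security DEBUG output.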
@mcollovati
Collaborator Author

It looks like only ping requests are failing, since they are doing a POST.
The connection is established through a GET request, so CSRF is not checked.

mcollovati added a commit that referenced this issue Apr 3, 2024
HandlerHelper is currently not considering Flow PUSH requests
(/VAADIN/push) as internal, preventing VaadinWebSecurity from
ignoring CSRF checks.
The issue happens only for ping requests; the connection request
is not affected because it is a GET request.

Fixes #19075
@mcollovati
Collaborator Author

It might be related to the PUSH request error reported in vaadin/kubernetes-kit#111

tepi pushed a commit that referenced this issue Apr 4, 2024
vaadin-bot pushed a commit that referenced this issue Apr 4, 2024
vaadin-bot added a commit that referenced this issue Apr 4, 2024
#19110)


Co-authored-by: Marco Collovati <marco@vaadin.com>
@vaadin-bot
Collaborator

This ticket/PR has been released with Vaadin 24.4.0.alpha21 and is also targeting the upcoming stable 24.4.0 version.

@vaadin-bot
Collaborator

This ticket/PR has been released with Vaadin 24.3.10.
