XSRF not in the whitelist exception when performing the field operation


Product: JIRA

Environment

Operating System

All

Affect Version/s

4.4.x or earlier

Application Server

Tomcat

Symptom

When performing an operation such as changing or displaying a custom field or custom field scheme, an XSRF exception is shown on the page.

Error Message

Cause: 
java.lang.RuntimeException: ACTION: com.atlassian.jira.web.action.admin.issuefields.enterprise.EditFieldLayoutScheme.doDeleteScheme has XSRF annotated but its not in the whitelist

Stack Trace:

java.lang.RuntimeException: ACTION: com.atlassian.jira.web.action.admin.issuefields.enterprise.EditFieldLayoutScheme.doDeleteScheme has XSRF annotated but its not in the whitelist
	at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor$CallStack.isProtectedAction(XsrfVulnerabilityDetectionSQLInterceptor.java:184)
	at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor.afterExecutionImpl(XsrfVulnerabilityDetectionSQLInterceptor.java:75)
	at com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor.afterSuccessfulExecution(XsrfVulnerabilityDetectionSQLInterceptor.java:40)
	at com.atlassian.jira.ofbiz.ChainedSQLInterceptor.afterSuccessfulExecution(ChainedSQLInterceptor.java:70)
	at org.ofbiz.core.entity.jdbc.SQLInterceptorSupport$DelegatingNoOpSQLConnectionInterceptor.afterSuccessfulExecution(SQLInterceptorSupport.java:150)
	at org.ofbiz.core.entity.jdbc.SQLProcessor.afterExecution(SQLProcessor.java:561)
	at org.ofbiz.core.entity.jdbc.SQLProcessor.executeUpdate(SQLProcessor.java:642)
	at org.ofbiz.core.entity.GenericDAO.deleteImpl(GenericDAO.java:1203)
	at org.ofbiz.core.entity.GenericDAO.delete(GenericDAO.java:1176)
	at org.ofbiz.core.entity.GenericHelperDAO.removeByPrimaryKey(GenericHelperDAO.java:121)
	at org.ofbiz.core.entity.GenericDelegator.removeValue(GenericDelegator.java:1066)
	at org.ofbiz.core.entity.GenericDelegator.removeValue(GenericDelegator.java:1046)
	at org.ofbiz.core.entity.GenericValue.remove(GenericValue.java:88)
	at com.atlassian.jira.issue.fields.layout.field.DefaultFieldLayoutManager.removeFieldLayoutScheme(DefaultFieldLayoutManager.java:360)
	at com.atlassian.jira.issue.fields.layout.field.FieldLayoutSchemeImpl.remove(FieldLayoutSchemeImpl.java:290)
	at com.atlassian.jira.web.action.admin.issuefields.enterprise.EditFieldLayoutScheme.doDeleteScheme(EditFieldLayoutScheme.java:85)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at webwork.util.InjectionUtils$DefaultInjectionImpl.invoke(InjectionUtils.java:70)
	at webwork.util.InjectionUtils.invoke(InjectionUtils.java:56)
	at webwork.action.ActionSupport.invokeCommand(ActionSupport.java:433)
	at webwork.action.ActionSupport.execute(ActionSupport.java:157)
	at com.atlassian.jira.action.JiraActionSupport.execute(JiraActionSupport.java:76)
	at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:39)
	at webwork.interceptor.NestedInterceptorChain.proceed(NestedInterceptorChain.java:31)
	at webwork.interceptor.ChainedInterceptor.intercept(ChainedInterceptor.java:16)
	at webwork.interceptor.DefaultInterceptorChain.proceed(DefaultInterceptorChain.java:35)
	at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:205)
	at webwork.dispatcher.GenericDispatcher.executeAction(GenericDispatcher.java:143)
	at com.atlassian.jira.web.dispatcher.JiraWebworkActionDispatcher.service(JiraWebworkActionDispatcher.java:152)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.jira.web.filters.steps.ChainedFilterStepRunner.doFilter(ChainedFilterStepRunner.java:74)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.core.filters.HeaderSanitisingFilter.doFilter(HeaderSanitisingFilter.java:44)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)
	at com.atlassian.applinks.core.rest.context.ContextFilter.doFilter(ContextFilter.java:25)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter.doFilter(DelegatingPluginFilter.java:74)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:42)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.jira.web.filters.accesslog.AccessLogFilter.executeRequest(AccessLogFilter.java:103)
	at com.atlassian.jira.web.filters.accesslog.AccessLogFilter.doFilter(AccessLogFilter.java:87)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.jira.security.xsrf.XsrfTokenAdditionRequestFilter.doFilter(XsrfTokenAdditionRequestFilter.java:54)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.opensymphony.sitemesh.webapp.SiteMeshFilter.obtainContent(SiteMeshFilter.java:129)
	at com.opensymphony.sitemesh.webapp.SiteMeshFilter.doFilter(SiteMeshFilter.java:77)
	at com.atlassian.jira.web.filters.PathExclusionFilter.doFilter(PathExclusionFilter.java:118)
	at com.atlassian.core.filters.AbstractHttpFilter.doFilter(AbstractHttpFilter.java:31)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:77)
	at com.atlassian.plugin.servlet.filter.ServletFilterModuleContainerFilter.doFilter(ServletFilterModuleContainerFilter.java:63)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.seraph.filter.SecurityFilter.doFilter(SecurityFilter.java:211)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.security.auth.trustedapps.filter.TrustedApplicationsFilter.doFilter(TrustedApplicationsFilter.java:98)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.seraph.filter.BaseLoginFilter.doFilter(BaseLoginFilter.java:150)
	at com.atlassian.jira.web.filters.JiraLoginFilter.doFilter(JiraLoginFilter.java:70)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at com.atlassian.plugin.servlet.filter.IteratingFilterChain.doFilter(IteratingFilterChain.java:46)
	at com.atlassian.plugin.servlet.filter.DelegatingPluginFilter$1.doFilter(DelegatingPluginFilter.java:66)


Root Cause

Logging for the XSRF detection package had been enabled in the log4j.properties file like this:

log4j.logger.com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor = INFO, xsrflog

Unfortunately, this setting triggers the unexpected XSRF check for the operation. It is a log setting intended only for Atlassian's development purposes.

Solution

Update the log4j.properties file as follows to disable the trace:

log4j.logger.com.atlassian.jira.security.xsrf.XsrfVulnerabilityDetectionSQLInterceptor = OFF, xsrflog
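The following is an added example (not Atlassian code) that audits a log4j.properties file for the logger line quoted above and rewrites it to OFF while keeping its appender list; the sample file contents are constructed, and the parser assumes simple single-line properties without continuations.

```python
"""Audit/fix the JIRA XSRF detection logger setting in log4j.properties.

Added example, not Atlassian code. XSRF_LOGGER is the logger name the
article quotes; SAMPLE below is a constructed file fragment.
"""
import re

XSRF_LOGGER = ("log4j.logger.com.atlassian.jira.security.xsrf."
               "XsrfVulnerabilityDetectionSQLInterceptor")

# Java .properties line: key, then '=', ':' or whitespace, then the value.
# Comment lines start with '#' or '!' and are excluded by the key class.
_LINE_RE = re.compile(r"^\s*(?P<key>[^\s=:#!][^\s=:]*)\s*[=:\s]\s*(?P<value>.*?)\s*$")


def parse_properties(text):
    """Return {key: value} for non-comment lines (no continuation support)."""
    props = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m:
            props[m.group("key")] = m.group("value")
    return props


def xsrf_logger_level(text):
    """Level configured for the XSRF interceptor logger, or None if unset."""
    value = parse_properties(text).get(XSRF_LOGGER)
    if value is None:
        return None
    # Value looks like "INFO, xsrflog": level first, appenders after the comma.
    return value.split(",")[0].strip().upper()


def is_xsrf_detection_enabled(text):
    """True when the logger is present and its level is anything but OFF."""
    level = xsrf_logger_level(text)
    return level is not None and level != "OFF"


def disable_xsrf_detection(text):
    """Rewrite the logger line to OFF, keeping its appenders; other lines untouched."""
    out = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if m and m.group("key") == XSRF_LOGGER:
            appenders = m.group("value").split(",")[1:]
            suffix = ("," + ",".join(appenders)) if appenders else ""
            line = f"{XSRF_LOGGER} = OFF{suffix}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


# Constructed sample resembling the offending setting from the article.
SAMPLE = "log4j.rootLogger=WARN, console\n" + XSRF_LOGGER + " = INFO, xsrflog\n"
```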

Last modified on Nov 21, 2012
