
After Bamboo v6.10.2 upgrade, XSRF errors when trying to view all deployment projects

Alexander Garcia December 9, 2019

Upgraded Bamboo from 6.4.1 to 6.10.2 

Carried over params from the previous server.xml file. No changes were made to the proxy/Apache server. Nothing really changed in the config files from the previous version. Not sure why only the view all deployment projects page is affected; everything else seems to be ok.

Everything looks ok except when trying to access Deploy > All Deployment Projects ... we get two pop-ups. 
First -  An unexpected error has occurred, Please try reloading page

Second - Background page refresh cannot contact server. Please ensure Bamboo server is available.

In the logs we see the following:

2019-12-09 15:31:36,740 INFO [https-jsse-nio-8085-exec-22] [AccessLogFilter] xaxg066 POST https://bamboo.grainger.com:5443/rest/api/latest/deploy/dashboard/status 7589620kb

2019-12-09 15:31:36,742 WARN [https-jsse-nio-8085-exec-22] [XsrfResourceFilter] Additional XSRF checks failed for request: https://bamboo.grainger.com:5443/rest/api/latest/deploy/dashboard/status , origin: https://bamboo.grainger.com , referrer: https://bamboo.grainger.com/deploy/viewAllDeploymentProjects.action , credentials in request: true , allowed via CORS: false

 

We have a work-around by adding the proxy port (5443) to the url - example

What doesn’t work anymore:  https://bamboo.grainger.com/deploy/viewAllDeploymentProjects.action

 

Work-around:  https://bamboo.grainger.com:5443/deploy/viewAllDeploymentProjects.action

 

server.xml

 <!-- Reverse proxy listening port -->
<Connector port="8085"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="5443"
acceptCount="100"
disableUploadTimeout="true"
compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
SSLEnabled="true"
secure="true"
scheme="https"
proxyName="bamboo.grainger.com"
proxyPort="5443"
sslProtocol="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
keystoreType="PKCS12"
keystoreFile="########.p12"
keystorePass="#########"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
/>
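
The log line in the question already shows the mismatch. As an added example (not part of the original post and not Bamboo's own code), this parses an XsrfResourceFilter WARN line and reports which part of the origin differs between the request URL and the browser's Origin/Referer headers. The names origin_of, same_origin and explain are hypothetical, and it assumes the check compares scheme, host and port with default ports filled in.

```python
import re
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: the WARN line quoted in the question, joined into one string.
SAMPLE = (
    "2019-12-09 15:31:36,742 WARN [https-jsse-nio-8085-exec-22] [XsrfResourceFilter] "
    "Additional XSRF checks failed for request: "
    "https://bamboo.grainger.com:5443/rest/api/latest/deploy/dashboard/status , "
    "origin: https://bamboo.grainger.com , "
    "referrer: https://bamboo.grainger.com/deploy/viewAllDeploymentProjects.action , "
    "credentials in request: true , allowed via CORS: false"
)

LINE_RE = re.compile(
    r"XSRF checks failed for request: (?P<request>\S+) , "
    r"origin: (?P<origin>\S+) , referrer: (?P<referrer>\S+) ,"
)
FIELDS = ("scheme", "host", "port")

def origin_of(url):
    """Reduce a URL to (scheme, host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return (scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme))

def same_origin(url_a, url_b):
    """True when both URLs share scheme, host and effective port."""
    return origin_of(url_a) == origin_of(url_b)

def explain(line):
    """Return which origin components differ between the request URL and each header."""
    m = LINE_RE.search(line)
    if m is None:
        return None  # not an XsrfResourceFilter failure line
    req = origin_of(m.group("request"))
    result = {"request": req}
    for header in ("origin", "referrer"):
        other = origin_of(m.group(header))
        result[header] = [f for f, a, b in zip(FIELDS, req, other) if a != b]
    return result

if __name__ == "__main__":
    print(explain(SAMPLE))
```

Run over the quoted line, only the port differs: the request URL carries 5443 while the browser sent an origin on the default HTTPS port, which matches the work-around of browsing with :5443 in the address.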

 

2 answers

0 votes
Mike Curwen NL June 28, 2021

In case anyone else is here from Google, I too ran smack into this upgrading to 6.10.4 (prior version I'm unsure - I had done multiple serial upgrades and didn't check the deploy page on each hop). My corporate security appliance shall remain nameless, but SSL terminates at the appliance, so Tomcat is getting http, but everything about Bamboo the app has to be fooled into thinking it's https.

What I had to do to get this working was Admin > General Configuration > Base URL: https://bamboo.my.co/bamboo

 

Tomcat connector config:  scheme="https" proxyName="bamboo.my.co" proxyPort="" secure="true"

That "" is not a mistake.   

 

This config finally allowed that deploy page to finally compose the same origin and referrer URLs.     

 

Prior to this upgrade, the tomcat config was simply (and, I guess wrongly) proxyName="bamboo.my.co" proxyPort="443"

Mike C December 6, 2021

@Mike Curwen NL- Thank you!  We have a similar setup (https terminating at the proxy; proxy talking to Bamboo over http) and encountered this problem when we upgraded from 6.9.2 to 6.10.6.  (I suspect this was caused by the upgrade of the bundled Tomcat from 8.0 to 8.5, and the fact that we switched our proxying protocol from AJP to http, but that's just a guess)

We don't use Bamboo's built-in deployments, but for us, the problem manifested on the Manage apps page.  Both the "Pause server" button and the "Update" buttons for all the individual plug-ins were broken (buttons would just pop up error messages, and not do anything else).  Bamboo's app logs showed we were triggering XSRF problems.  I added the four parameters you listed above to the <Connector> block for the http connection in our server.xml, restarted Bamboo, and the above errors went away -- add-on management is working normally for us again.

Thanks again for sharing your solution -- you saved me a *ton* of headaches.

0 votes
Bjarte Nilsen January 13, 2020

Shouldn't 

proxyPort="5443"

be 443 in your server.xml? 
