Come for the products,
stay for the community

The Atlassian Community can help you and your team get more value out of Atlassian products and practices.

Atlassian Community about banner
4,363,505
Community Members
 
Community Events
168
Community Groups

After Bamboo v6.10.2 upgrade, XSRF errors when trying to view all deployment projects

Edited

Upgraded Bamboo from 6.4.1 to 6.10.2 

Carried over parms from previous server.xml file.  No changes were made to proxy/apache server.  Nothing really changed in the config files from the previous version.  Not sure why only the view all deployment projects page is affected, everything else seems to be ok.

Everything looks ok except when trying to access Deploy > All Deployment Projects ... we get two pop-ups. 
First -  An unexpected error has occurred, Please try reloading page

Second - Background page refresh cannot contact server. Please ensure Bamboo server is available.

In the logs we see the following:

2019-12-09 15:31:36,740 INFO [https-jsse-nio-8085-exec-22] [AccessLogFilter] xaxg066 POST https://bamboo.grainger.com:5443/rest/api/latest/deploy/dashboard/status 7589620kb

2019-12-09 15:31:36,742 WARN [https-jsse-nio-8085-exec-22] [XsrfResourceFilter] Additional XSRF checks failed for request: https://bamboo.grainger.com:5443/rest/api/latest/deploy/dashboard/status , origin: https://bamboo.grainger.com , referrer: https://bamboo.grainger.com/deploy/viewAllDeploymentProjects.action , credentials in request: true , allowed via CORS: false

 

We have a work-around by adding the proxy port (5443) to the url - example

What doesn’t work anymore:  https://bamboo.grainger.com/deploy/viewAllDeploymentProjects.action

 

Work-around:  https://bamboo.grainger.com:5443/deploy/viewAllDeploymentProjects.action

 

server.xml

 <!-- Reverse proxy listening port -->
<Connector port="8085"
maxThreads="150"
minSpareThreads="25"
connectionTimeout="20000"
enableLookups="false"
maxHttpHeaderSize="8192"
protocol="HTTP/1.1"
useBodyEncodingForURI="true"
redirectPort="5443"
acceptCount="100"
disableUploadTimeout="true"
compression="on"
compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,application/x-javascript"
SSLEnabled="true"
secure="true"
scheme="https"
proxyName="bamboo.grainger.com"
proxyPort="5443"
sslProtocol="TLSv1.2"
sslEnabledProtocols="TLSv1.1,TLSv1.2"
keystoreType="PKCS12"
keystoreFile="########.p12"
keystorePass="#########"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA"
/>

 

2 answers

In case anyone else is here from google, I too ran smack into this upgrading to 6.10.4 (prior version I'm unsure - I had done multiple serial upgrades and didn't check the deploy page on each hop). My corporate security appliance shall remain nameless, but SSL terminates at the appliance, so Tomcat is getting http, but everything about Bamboo the app, has to be fooled into thinking it's https.  

What I had to do to get this working was Admin > General Configuration> Base URL:  https://bamboo.my.co/bamboo

 

Tomcat connector config:  scheme="https" proxyName="bamboo.my.co" proxyPort="" secure="true"

That "" is not a mistake.   

 

This config finally allowed that deploy page to finally compose the same origin and referrer URLs.     

 

Prior to this upgrade, the tomcat config was simply (and, I guess wrongly) proxyName="bamboo.my.co" proxyPort="443"

@Mike Curwen NL- Thank you!  We have a similar setup (https terminating at the proxy; proxy talking to Bamboo over http) and encountered this problem when we upgraded from 6.9.2 to 6.10.6.  (I suspect this was caused by the upgrade of the bundled Tomcat from 8.0 to 8.5, and the fact that we switched our proxying protocol from AJP to http, but that's just a guess)

We don't use Bamboo's built-in deployments, but for us, the problem manifested on the Manage apps page.  Both the "Pause server" button and the "Update" buttons for all the individual plug-ins were broken (buttons would just pop up error messages, and not do anything else).  Bamboo's app logs showed we were triggering XSRF problems.  I added the four parameters you listed above to the <Connector> block for the http connection in our server.xml, restarted Bamboo, and the above errors went away -- add-on management is working normally for us again.

Thanks again for sharing your solution -- you saved me a *ton* of headaches.

Shouldn't 

proxyPort="5443"

be 443 in your server.xml? 

Suggest an answer

Log in or Sign up to answer
TAGS

Atlassian Community Events