Camunda Cockpit plugin produces 404 error for version 7.11

Hi!

I encountered a problem that a new security filter was added when updating the new version (from 7.10 to 7.11):

With Camunda BPM 7.11.0 we have added the XSS Protection Header to all server responses in conjunction with the Webapps.

So, when i am running my pet-project, it’s not a big deal, all works as expected. But on my real work project there are some security conflicts. Honestly, I got confused and do not know what to do. And yes, i found thread with the same problem, but could not solve the problem.

Let me show the use case.

  1. Update camunda engine from 7.10 to 7.11:

was

<camunda-version>3.2.1</camunda-version>

now

<camunda-version>3.3.1</camunda-version>
  Spring-Boot:  (v2.1.5.RELEASE)
  Camunda BPM: (v7.11.0)
  Camunda BPM Spring Boot Starter: (v3.3.1)
  1. Run Camunda cockpit on localhost, login and click on cockpit (or admin) button and got this:

As you can see, Cockpit not responding.

/api/cockpit/plugin/cockpitPlugins/static/app/plugin.css throws 404 error.
/api/cockpit/plugin/cockpitPlugins/static/app/plugin.js?bust=7.11.0 throws 404 error.

And some more logs:

org.camunda.bpm.engine.rest.exception.RestException: It was not able to load the following file 'app/plugin.css'.

org.camunda.bpm.engine.rest.exception.RestException: It was not able to load the following file 'app/plugin.js'.

And more logs about filtering…

org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:53)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:45)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.camunda.bpm.engine.rest.filter.EmptyBodyFilter.doFilter(EmptyBodyFilter.java:101)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.camunda.bpm.webapp.impl.engine.ProcessEnginesFilter.applyFilter(ProcessEnginesFilter.java:130)\r\n\tat org.camunda.bpm.webapp.impl.filter.AbstractTemplateFilter.doFilter(AbstractTemplateFilter.java:58)\r\n\tat org.camunda.bpm.spring.boot.starter.webapp.filter.LazyDelegateFilter.doFilter(LazyDelegateFilter.java:60)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.camunda.bpm.webapp.impl.security.filter.headersec.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:83)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)\r\n\tat org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)\r\n\tat org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:71)\r\n\tat org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:55)\r\n\tat org.camunda.bpm.spring.boot.starter.webapp.filter.LazyDelegateFilter.doFilter(LazyDelegateFilter.java:60)\

I’ve tried to use solution from another forum thread (filter disabling):

 @Bean
    public ServletContextInitializer csrfOverwrite() {
        return servletContext -> servletContext.addFilter(CSRF_PREVENTION_FILTER, (request, response, chain) -> chain.doFilter(request, response));
    }

So, in debug mode i found filtering method and add breakpoint from org.camunda.bpm.webapp.impl.security.filter.CsrfPreventionFilter:

With filter disabling config bean (bellow) this doFilter method doesn’t matches when i login and when i use cockip. But page still not responding.

From @Gregor

Ok, after experimenting a lot with different Web Security configurations I started to set breakpoints inside SpringBootCsrfPreventionFilter and as far as I can tell the issue is not connected to CSRF validation. Visiting /app/welcome/default/ works as expected; The application generates a CSRF token, validates it etc. pp. and shows me the page requested. But once I click on “Cockpit” my SpringBootCsrfPreventionFilter breakpoints are not reached and I get the above pasted exception. I feel like there is a mapping missing or something like that, i.e. the requested file http://localhost:8090/api/cockpit/plugin/cockpitPlugins/static/app/plugin.js?bust=7.11.0 is just not mapped to right JAR (camunda-webapp-webjar-7.11.0.jar).

Also in our project there is a common module (bom file) for all dependencies and configs. It seemed to me that it was there that conflicts, but when i am disabled all security configs, nothing happened. Please tell me what could be the problem?

Okay, i found solution how to fix this.

Problem was in my IDE (Intelij IDEA 2019 version).

  1. Open Run/Debug configuration.
  2. Check if shorten command line is NOT JAR manifest.

It must looks like:

Really stupid issue, because intelij idea rewrite this config randomly…

2 Likes