Did HTTP receiver changed from V2.8.6 ?

---

Good day,

I'm checking the new V3 and i can't receive HTTP POST from an other device with http receiver.

The exact same setting is working with core 2.8.6.

basically i'm trying to send http post from Node-Red.
with the following code;

msg.payload = "testpara=22";
msg.headers = {'content-type':'application/x-www-form-urlencoded'};
return msg;

trough the http request node in POST on the mango server address.

I receive it in Mango 2.8.6 but not in 3.0.1. with the receivers set up in the exact same settings.
In 2.8.6 :

In 3.0.1 it doesn't receive anything.

Any clue ?

I have this message in the console :

WARN  2017-04-28T14:54:02,077 (com.serotonin.m2m2.web.mvc.spring.security.MangoAccessDeniedHandler.handle:54) - Denying access to Mango resource 
org.springframework.security.web.csrf.MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found.
	at org.springframework.security.web.csrf.CsrfFilter.doFilterInternal(CsrfFilter.java:114) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:66) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:105) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:56) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:331) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:214) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:177) [spring-security-web-4.1.1.RELEASE.jar:4.1.1.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262) [spring-web-4.3.7.RELEASE.jar:4.3.7.RELEASE]
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1668) [jetty-servlet-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:581) [jetty-servlet-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548) [jetty-security-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:511) [jetty-servlet-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.Server.handle(Server.java:524) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:319) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:253) [jetty-server-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:273) [jetty-io-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:95) [jetty-io-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93) [jetty-io-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303) [jetty-util-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148) [jetty-util-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136) [jetty-util-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671) [jetty-util-9.3.11.v20160721.jar:9.3.11.v20160721]
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589) [jetty-util-9.3.11.v20160721.jar:9.3.11.v20160721]
	at java.lang.Thread.run(Thread.java:745) [?:1.8.0_121]

Hi philgdep,

Can you share how you're trying to publish data to it? I just confirmed it's working fine, and the CSRF message is not related (it's not happening every time you attempt to publish, is it? If so, I wonder if you're publishing to http://ip:port/httpds). Are you using the alias 'localhost' for your server? If so, it's possible IPv6 is being resolved. The whitelists don't currently support IPv6, so if the incoming IP is ::1 it will get denied.

Here's some text I was able to get a value from using nc 127.0.0.1 80 < httpPub.txt

GET /httpds?brown=8.905449871164275%4020170428091914 HTTP/1.1
User-Agent: Mango M2M2 HTTP Sender publisher
Host: localhost:8088
Connection: Keep-Alive
Accept-Encoding: gzip,deflate

Gotten by a nc -l 8088 and pointing the publisher at that port/httpds so some of the details (like the host header or user agent) aren't exactly correct (User-agent netcat!), but it works.

Nevermind. I have attempted the same exercise with Post and encountered this issue. It's related to some security enhancements. I will work to get this resolved as quickly as possible.

Hi Philgdep,

I have emailed you a fix if you need it right this moment. We will be updating this in the store download soon.

@phildunlap Thanks a lot ! its working now. You guys are very efficient!

The fix you sent me will be ok or the later store version will be better ? Just to know if I have to delete de override file later?

best,

Thanks! We try!

It's always better not to use overridden classes, but we like to enable people to resume whatever they were doing when they discovered an issue as quickly as possible, but it does make a moment more of work during an upgrade. You'll definitely need to delete the overrides when updating.

@phildunlap What is the fix here? I am trying with 3.4.4 using HTTP JSON receiver listener and I am seeing the same error.

I believe the fix was creating an exclusion such that no XSRF was required on the http://host:port/httpds URL Shouldn't really be possible still. Do you have any details about how it's being caused?

For instance, i was able to post this message from a publisher to a receiver, and receive the value in an alphanumeric point with the HTTP parameter name on thE JSON receiver set to /p1

POST /httpds HTTP/1.1
User-Agent: Mango M2M2 HTTP Sender publisher
Content-Type: application/json
Content-Length: 49
Host: 192.168.2.12:8888
Connection: Keep-Alive
Expect: 100-continue
Accept-Encoding: gzip,deflate

{
  "p1" : "52.81569485688922@20180625082854"
}

My receiver was on 3.4.4

Got it thanks.