I've downloaded WSO2IoT v3.1.0 and I'm trying to create an app store for inside my company. I'm following the instructions posted here:
https://docs.wso2.com/display/IoTS310/Creating+an+Android+Application
However, I'm unable to create an app and have no discernible error message.
I'm able to log in with the default user ID and password at https://localhost:9443/publisher (steps 1 and 2). Step 3 works when I click on Add New Mobile Application. I can select Android (step 4) and Enterprise (step 5). Then for step 6, I select an APK and click next (step 7).
On the next page, I see a few odd things:
In the wso2carbon.log I see this error message on step 7:
TID: [-1234] [] [2018-02-21 17:43:14,263] WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/publisher/api/mobileapp/upload, error:required token is missing from the request) {org.owasp.csrfguard.log.JavaLogger}
I see no error messages on clicking "Create".
Not sure how to successfully create an App in the store and what is going wrong.
Update 1:
Watching the network traffic from inside Chromium, I can see that when I click "Next" in Step 7, the web browser tries to send POST to https://localhost:9443/publisher/api/mobileapp/upload, and gets a 403 Forbidden returned.
I can see that some cookies are being sent, including two JSESSIONIDs (which seems odd):
JSESSIONID=4D274F4F3A5AABE1F7D61E27C384B973; JSESSIONID=9EB3FADCEE9CA1C5156D25133FDC2C7E; requestedURI="../../policy/effective-policy?type=android&id="; commonAuthId=7a7c8a6c-7932-42ef-b670-4ccf50b14bfa; samlssoTokenId=b3b01735-5aac-4e60-9863-af4fce62abb0
Interestingly, none of the cookies are marked as "secure", which seems bad.
It looks like this request is trying to send the APK I've selected. The body of the response is a generic 403 Forbidden page.
Is this a bug on WSO2IoT v3.1.0?
This seems to be a bug in IOT server 3.1.0. You can solve this issue by editing the following file.
[SERVER_HOME]/conf/security/Owasp.CsrfGuard.Carbon.properties
Find the line below and append /* to the end of it.
org.owasp.csrfguard.unprotected.publisherApi=%servletContext%/publisher/api
Edit the above as follows:
org.owasp.csrfguard.unprotected.publisherApi=%servletContext%/publisher/api/*
I can see that this issue has been fixed in the latest code. Refer to 9964e
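As an added illustration (not part of the question or the answer, and not CSRFGuard's own code), this Python model parses the wso2carbon.log warning quoted in the question and shows why the shipped exact-match entry left /publisher/api/mobileapp/upload protected while the /* path wildcard covers it. It assumes %servletContext% resolves to the root path; the matching rules are a simplified model of CSRFGuard's behaviour.

```python
import re

# Constructed copies of the two property values from the answer. CSRFGuard substitutes
# %servletContext% with the web app's context path; assumed to be the root ("") here.
SERVLET_CONTEXT = ""
SHIPPED_UNPROTECTED = ["%servletContext%/publisher/api"]
FIXED_UNPROTECTED = ["%servletContext%/publisher/api/*"]
# Constructed from the wso2carbon.log entry quoted in the question.
LOG_LINE = ("TID: [-1234] [] [2018-02-21 17:43:14,263] WARN {org.owasp.csrfguard.log.JavaLogger} - "
            "potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, "
            "method:POST, uri:/publisher/api/mobileapp/upload, error:required token is missing "
            "from the request) {org.owasp.csrfguard.log.JavaLogger}")
CSRFGUARD_WARN = re.compile(r"CSRF\) attack thwarted \((?P<fields>[^)]*)\)")

def parse_csrfguard_warning(line):
    """Return the key/value fields of a CSRFGuard 'attack thwarted' log line, or None."""
    m = CSRFGUARD_WARN.search(line)
    if not m:
        return None
    return dict(f.split(":", 1) for f in m.group("fields").split(", "))

def uri_matches(pattern, uri, servlet_context=SERVLET_CONTEXT):
    """Model of how CSRFGuard matches an unprotected entry (illustrative, not the library
    code): a leading '^' is a regex over the whole URI, a trailing '/*' covers that path
    and everything below it, anything else is an exact match. The shipped entry is the
    exact kind, so /publisher/api/mobileapp/upload stayed protected and the POST got 403."""
    pattern = pattern.replace("%servletContext%", servlet_context)
    if pattern.startswith("^"):
        return re.fullmatch(pattern, uri) is not None
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return uri == prefix or uri.startswith(prefix + "/")
    return uri == pattern

def csrf_decision(uri, has_token, unprotected):
    """Status the filter would return: 200 if the URI is unprotected or the request carries
    the token, else 403. Every URI the wildcard covers loses CSRF checks, so keep it narrow."""
    if has_token or any(uri_matches(p, uri) for p in unprotected):
        return 200
    return 403

def diagnose(line, unprotected):
    """Given a CSRFGuard warning from wso2carbon.log, report what the filter would do with
    that same token-less request under the given unprotected list."""
    fields = parse_csrfguard_warning(line)
    return None if fields is None else csrf_decision(fields["uri"], False, unprotected)

if __name__ == "__main__":
    print("shipped:", diagnose(LOG_LINE, SHIPPED_UNPROTECTED), "fixed:", diagnose(LOG_LINE, FIXED_UNPROTECTED))
```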