U4-10216 - Authorization error: Unauthorized access to URL: /umbraco/backoffice/UmbracoApi/Content/PostSave

Created by somu 31 Jul 2017, 07:54:31 Updated by Dan Booth 18 May 2018, 13:58:25

Hi all,

I have a rich text editor inside of the grid layout control. All works correctly until I try to insert an image and save at which point I get this error on backoffice:

Authorization error: Unauthorized access to URL: /umbraco/backoffice/UmbracoApi/Content/PostSave

We are running version 7.5.11 in an Azure environment. Absolutely any recommendations on what I can try? I'm running out of ideas. It happens only in the site which runs over https. If I run the site over http and save, there is no problem.

2 Attachments

Comments

Sebastiaan Janssen 01 Aug 2017, 08:02:12

Did you set umbracoUseSSL="true" in web.config?


somu 01 Aug 2017, 13:23:04

Hi @sebastiaan

Yes. umbracoUseSSL is set as true in web.config.


Sebastiaan Janssen 02 Aug 2017, 12:08:44

Alright, I'm very sorry, but I haven't heard anyone else having this problem.

Make sure to head over to the forums for help with this: https://our.umbraco.org/


somu 02 Aug 2017, 12:33:40

Thank you @sebastiaan. I already posted this issue in forums (https://our.umbraco.org/forum/using-umbraco-and-getting-started/87016-back-office-error-over-https-site) but don't get any solution or even reply from anybody. :(


Shannon Deminick 15 Aug 2017, 01:23:11

@infoapp2013 assigning an issue to me is not going to get it resolved. If you wish to get to the bottom of your issue you'll need to provide far more details:

  • Have you tried replicating this on a clean install on a different environment?
  • If you can replicate on a new install/environment, provide the steps
  • Have you tried upgrading to the latest version to see if that solves the problem?

Anytime you submit a bug or ask for help these things will make it far more likely that people will be able to help you out. As Sebastiaan mentioned, nobody has seen this issue before so chances are it's environment specific or some odd bit of code, plugin or settings that is causing the problem.


somu 21 Aug 2017, 10:33:28

@Shandem Thanks for giving the options. Will try and come back.


somu 08 Sep 2017, 12:08:30

@Shandem

I don't get this error in a clean install on a different environment. Also, our clients don't want to upgrade the version before the answer for the below message from Umbraco support.

When I hit save and see the console in the browser, I got the error like in the attached screenshot, and when I click the link /umbraco/backoffice/UmbracoApi/Content/PostSave, it returns the JSON message like {"Message":"The requested resource does not support http method 'GET'."}. I changed all the URLs which are pointing http to https.

I'm not restricting permissions to any node to users. I am using a macro for just submitting the Contact information to database and I removed the macro but no luck.

Could you please respond asap.. Thanks.


Sebastiaan Janssen 08 Sep 2017, 13:23:53

@infoapp2013 If you have a support contract with us then please get in touch through our support channel: https://shop.umbraco.com/profile/options/get-help-and-support/support-for-your-umbraco-pro-websites/

Other than that, as you've noticed, on a clean install this problem does not occur, so there seems to be a problem with your configuration or code. However, since nobody else has this problem I will close this issue as "Cannot Reproduce". Please do not re-open this issue unless you have steps to reproduce this problem on a clean Umbraco install.


Nigel Brown 12 Sep 2017, 13:36:11

Hello, I also have this problem on Azure as well. It is on a clean version of Umbraco version 7.6.5 assembly: 1.0.6428.37121 on an original 7.5.12 database that was updated as part of the install.

The website is behind a Microsoft Application Gateway/WAF so I can't set UmbracoUseSSL to true as no https traffic is being sent behind the firewall. https is converted to http on the firewall, and vice versa.

Also I need to set debug = false in web.config in order to login as I think there are some errors in ClientDependency; whether this is relevant or not I don't know.

thanks Nigel


Nigel Brown 12 Sep 2017, 13:41:30

Here are some errors if this helps. (TypeError: Cannot read property 'length' of undefined)

backoffice/UmbracoApi/Member/PostSave 403 ()
    (anonymous) @ VM507:1
    (anonymous) @ angular.min.js?cdv=167830318:106
    o @ angular.min.js?cdv=167830318:102
    g @ angular.min.js?cdv=167830318:100
    i @ angular.min.js?cdv=167830318:79
    i @ angular.min.js?cdv=167830318:79
    (anonymous) @ angular.min.js?cdv=167830318:80
    $eval @ angular.min.js?cdv=167830318:92
    $digest @ angular.min.js?cdv=167830318:90
    $apply @ angular.min.js?cdv=167830318:92
    (anonymous) @ angular.min.js?cdv=167830318:156
    dispatch @ jquery.min.js?cdv=167830318:3
    r.handle @ jquery.min.js?cdv=167830318:3

angular.min.js?cdv=167830318:63 TypeError: Cannot read property 'length' of undefined
    at Object.getAllProps (umbraco.services.js?cdv=167830318:962)
    at Object.reBindChangedProperties (umbraco.services.js?cdv=167830318:1091)
    at umbraco.controllers.js?cdv=167830318:9250
    at o (angular.min.js?cdv=167830318:80)
    at angular.min.js?cdv=167830318:81
    at Object.$eval (angular.min.js?cdv=167830318:92)
    at Object.$digest (angular.min.js?cdv=167830318:90)
    at Object.$apply (angular.min.js?cdv=167830318:92)
    at j (angular.min.js?cdv=167830318:101)
    at r (angular.min.js?cdv=167830318:104)


Shannon Deminick 12 Sep 2017, 23:38:13

I can only suggest that there is something awry with your configuration of Microsoft Application Gateway/WAF. I assume you've tested that it works when it's not behind this? Bump your CDF version in the clientdependency.config file too just in case.


Nigel Brown 14 Sep 2017, 08:25:41

Thanks for the reply. When I access Umbraco back office directly (bypassing the firewall) I still need to have debug set to true, and UmbracoUseSSL = False. When debug is set to false (going directly) you can still see the login screen but none of the css etc gets loaded. I expect this is a client dependency issue. The Clientdependency url is in the source code of the page and it can be accessed but gives a 403 forbidden error message.

I think the ClientDependency is causing the issue logging in.

I have set bundleDomains etc in ClientDependency.config and a

I have upgraded to Umbraco version 7.6.6 assembly: 1.0.6456.19226 and the issue seems to be the same.

Is there any way to turn ClientDependency off without setting debug=true?

The public facing website works perfectly.

To summarise, the issues are: I can only login when debug=true, and I can only amend content when bypassing the firewall.


Shannon Deminick 14 Sep 2017, 08:32:07

No, there's not a way to do that with CDF. Have you changed the CDF config at all from its original? Can you try using the original config that is shipped with Umbraco? Did you also bump the CDF config version value?


Nigel Brown 14 Sep 2017, 13:14:59

Hi Shannon, yes I added in some bundleDomains into the CDF config. I have restored it to the original file, stopped WWW service, cleared cache, and incremented version +1, then rebooted server.

With debug=false I still get a white screen when hitting the back office url.. When browsing to the https:///DependencyHandler.axd?s=<etc..> I get the following Server Error

403 - Forbidden: Access is denied. You do not have permission to view this directory or page using the credentials that you supplied.

I can login when debug=true, but then don't have permission to save or add anything. E.g. on the Developer Dashboard I get the following error: dashboard/feedproxy.aspx?url=http://umbraco.tv/videos/developer/chapterrss?sort=no Failed to load resource: the server responded with a status of 403 ()

I have tried with and without umbracoUseSSL = true/false and with debug = true/ false. thanks


Shannon Deminick 14 Sep 2017, 13:34:34

If it's a 403 then something is denying the request to DependencyHandler. This isn't something to do with CDF, it's something that is configured to deny that request. I'd advise just debugging paths such as that to see what is causing 403. Maybe you have some formsauth paths configured to deny certain things, or maybe it's something else. As always, try to do this with a vanilla Umbraco site and when that works, you'll need to figure out what you've changed in your app/config to make it stop working.


andrew shearer 24 Nov 2017, 03:16:45

Does anyone know a fix for this?


Richard Hamilton 12 Dec 2017, 18:10:48

@shearer3000 I am getting this problem too. The files work fine when I request them through the browser directly. It's only in Azure when the ClientDependancyhandler requests them that it has a problem.


Richard Hamilton 14 Dec 2017, 16:51:01

Hi, I found this in web.config, which I believe was causing this issue (it's a site I have been brought in to debug, not one of my own builds):


Nigel Brown 15 Dec 2017, 12:37:21

Hi @RichHamilton we don't have these settings in our Umbraco web.config but we are getting the same error over https like everyone else.

I plan to set up a clean install of Umbraco on Azure over the forthcoming days to see if it's present or not.


Nigel Brown 17 Dec 2017, 09:50:46

@Shandem @RichHamilton I have tried this on a clean install of Umbraco 7.7.7 Set up on Azure VM 2016R2 with SQL Azure DB. It works for http, but once I try https, I can no longer log in. When I try to login, I get a 404 Error.

backoffice/UmbracoApi/Authentication/PostLogin

)]}', {"Message":"The requested resource does not support http method 'GET'."}

There are no IP restrictions in place on the Umbraco folder.

This may be interesting, I can login on http, change URL in browser to https and I can then save content etc without error.. would this be connected to the original authentication at login?


Sebastiaan Janssen 17 Dec 2017, 11:20:03

Nigel, did you remember to set umbracoUseSSL to true when you switched over to https?


Nigel Brown 17 Dec 2017, 11:37:29

Hi @sebastiaan yes I tried it both with and without that setting.. or do you mean login with http, set umbracoUseSSL to true then change to https? thanks


Sebastiaan Janssen 17 Dec 2017, 13:45:56

Logging in over https will work with that setting set to true or false, but if it's set to true the cookie will only be submitted over https. If you try to do anything over http, you will get errors. Make sure to add a redirect to https as well for everything, that might help.

For more info, see: https://cultiv.nl/blog/so-you-want-to-secure-your-umbraco-site/

In any case, there seems to be some kind of misconfiguration on your machine as this all works all the time on hundreds of sites on Umbraco Cloud (actually thousands, since they all use https on their UC url).

I don't know what the misconfiguration is though, mystery.

I've seen problems like this before if the webdav module is installed, make sure to remove it using web.config (we ship this by default, but just checking):

And I hope your system.webServer/handlers still contains the following:


Tom J 12 Jan 2018, 14:20:57

Just for anyone else that comes across this issue, we experienced this exact issue today in a website deployed to Azure with the settings mentioned by @RichHamilton in our web.config - removing these resolved the issue immediately.


Nigel Brown 30 Apr 2018, 18:31:57

Hi, I was wondering if anyone else had the same issue on Azure with a VM sitting behind a web application firewall.

I have implemented a clean version of Umbraco. (7.10.4)

UmbracoUseSSL = True

I have got around the login page showing, by removing the fileDependencyExtensions in ClientDependency.config

so I can now at least login.

However, I am unable to save anything. I get the following errors:

Failed to load resource: the server responded with a status of 400 (Bad Request) /backoffice/UmbracoApi/Authentication/PostLogin

Failed to load resource: the server responded with a status of 403 (ModSecurity Action /backoffice/UmbracoApi/Content/PostSave

Within the logs are the following entries.

2018-04-30 18:27:11,851 [P3656/D7/T26] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username myemailaddress@domain.com from IP address 10.2.0.4
2018-04-30 18:27:11,851 [P3656/D7/T26] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: myemailaddress@domain.com logged in from IP address 10.2.0.4
2018-04-30 18:27:12,773 [P3656/D7/T26] ERROR Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper - Could not validate XSRF token
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The provided anti-forgery token was meant for user "", but the current user is "myemailaddress@domain.com".
   at System.Web.Helpers.AntiXsrf.TokenValidator.ValidateTokens(HttpContextBase httpContext, IIdentity identity, AntiForgeryToken sessionToken, AntiForgeryToken fieldToken)
   at System.Web.Helpers.AntiXsrf.AntiForgeryWorker.Validate(HttpContextBase httpContext, String cookieToken, String formToken)
   at Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper.ValidateTokens(String cookieToken, String headerToken)

2018-04-30 18:49:47,526 [P3656/D13/T27] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username myemailaddress@domain.com from IP address 10.2.0.5
2018-04-30 18:49:47,526 [P3656/D13/T27] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: User: myemailaddress@domain.com logged in from IP address 10.2.0.5
2018-04-30 18:49:48,703 [P3656/D13/T27] ERROR Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper - Could not validate XSRF token
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The anti-forgery token could not be decrypted. If this application is hosted by a Web Farm or cluster, ensure that all machines are running the same version of ASP.NET Web Pages and that the configuration specifies explicit encryption and validation keys. AutoGenerate cannot be used in a cluster.
   at System.Web.Helpers.AntiXsrf.AntiForgeryTokenSerializer.Deserialize(String serializedToken)

The umbraco install is behind the firewall, the IP Address is the internal firewall address. 10.2.0.5

Any other suggestions?

thanks Nigel
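
An added triage example (not part of the thread, and not Umbraco code): it groups multi-line log entries in the layout Nigel posted and separates the two distinct AngularAntiForgeryHelper failures his log shows, a token issued to an anonymous identity versus a token that could not be decrypted, together with how soon after a successful login each occurred. The sample log, user name, and the function names `entries` and `triage` are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample in the log layout quoted in the thread (user name is made up).
SAMPLE_LOG = '''\
2018-04-30 18:27:11,851 [P3656/D7/T26] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username editor@example.test from IP address 10.2.0.4
2018-04-30 18:27:12,773 [P3656/D7/T26] ERROR Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper - Could not validate XSRF token
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The provided anti-forgery token was meant for user "", but the current user is "editor@example.test".
2018-04-30 18:49:47,526 [P3656/D13/T27] INFO Umbraco.Core.Security.BackOfficeSignInManager - Event Id: 0, state: Login attempt succeeded for username editor@example.test from IP address 10.2.0.5
2018-04-30 18:49:48,703 [P3656/D13/T27] ERROR Umbraco.Web.WebApi.Filters.AngularAntiForgeryHelper - Could not validate XSRF token
System.Web.Mvc.HttpAntiForgeryException (0x80004005): The anti-forgery token could not be decrypted.
'''

HEADER = re.compile(r'^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d{3} \[[^\]]+\] +(\w+) +(\S+) - (.*)$')
LOGIN = re.compile(r'Login attempt succeeded for username (\S+) from IP address (\S+)')
MISMATCH = re.compile(r'token was meant for user "([^"]*)", but the current user is "([^"]*)"')

def entries(text):
    """Yield one dict per log entry, folding exception/stack lines into the entry body."""
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            if current:
                yield current
            ts, level, logger, msg = m.groups()
            current = {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       "level": level, "logger": logger, "body": msg}
        elif current:
            current["body"] += "\n" + line
    if current:
        yield current

def triage(text):
    """Classify each XSRF validation failure and relate it to the preceding login."""
    findings, last_login = [], None
    for e in entries(text):
        login = LOGIN.search(e["body"])
        if login:
            last_login = (e["ts"], login.group(2))  # (time, source IP seen by the app)
        elif e["logger"].endswith("AngularAntiForgeryHelper"):
            m = MISMATCH.search(e["body"])
            if m:
                kind = "issued-anonymous" if m.group(1) == "" else "identity-mismatch"
            else:
                kind = "undecryptable" if "could not be decrypted" in e["body"] else "other"
            gap = (e["ts"] - last_login[0]).total_seconds() if last_login else None
            findings.append({"at": e["ts"], "kind": kind, "secs_since_login": gap, "client_ip": last_login[1] if last_login else None})
    return findings
```

The two kinds point at different layers: `issued-anonymous` means the token pair predates the authenticated session, while `undecryptable` is the case the exception text itself ties to encryption and validation keys.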


Dan Booth 18 May 2018, 13:58:25

Just to mention, I've just encountered this issue on a 7.9.2 install. Happened on one page, with an image in the RTE. If I delete the image the page published, but if it remains I get the "unauthorised banner". I can't see anything strange about the image - totally bog standard.

The site is running on a single, dedicated Windows server - not Azure. No load balancing or anything. Checked all the things in this thread.

The only thing I can think is that when the image was added the site was running on HTTP, but was later moved to HTTPS. But other pages with images don't have this issue.


Priority: Normal

Type: Bug

State: Can't Reproduce

Backwards Compatible: True

Affected versions: 7.5.11
