InvalidAuthenticityToken error

Is there an issue with protect_from_forgery on Jruby 1.1.2 running
rails?
Environment:
Rails 2.1
Tomcat 5.5
OSX
Jruby 1.1.2
Warbler

I keep getting the following in the tomcat log:
ActionController::InvalidAuthenticityToken (ActionController::InvalidAuthenticityToken):

/usr/local/tomcat/webapps/myapp/WEB-INF/gems/gems/actionpack-2.1.0/lib/action_controller/request_forgery_protection.rb:86:in `verify_authenticity_token'

I even tried setting the following in web.xml

jruby.session_store db

Also strange is the reference to jruby-1.1.1-complete.jar when this was
built with 1.1.2

file:/usr/local/tomcat/webapps/myapp/WEB-INF/lib/jruby-complete-1.1.1.jar!/benchmark.rb:293:in `measure'

Any ideas ?

Thx
Adam

On Wed, Jun 18, 2008 at 8:46 PM, AD [email protected] wrote:

> Is there an issue with protect_from_forgery on Jruby 1.1.2 running rails?
> Environment:
> Rails 2.1
> Tomcat 5.5
> OSX
> Jruby 1.1.2
> Warbler

I assume you’re using 0.9.9?

take care of session store →

jruby.session_store is not used anymore with JRuby-Rack, which is
bundled with 0.9.9.

If you’re trying to set your session store to :active_record_store,
you might be hitting this bug:
http://jira.codehaus.org/browse/JRUBY-2507

It’s fixed on trunk of JRuby-Rack, but I haven’t released a new version
yet.

> Also strange is the reference to jruby-1.1.1-complete.jar when this was
> built with 1.1.2

Warbler bundles 1.1.1. If you want to use 1.1.2, you can run “jruby -S
warble pluginize” and remove
vendor/plugins/warbler/lib/jruby-complete-1.1.1.jar and add
jruby-complete-1.1.2.jar instead.

> Any ideas ?

If you don’t use the active record store, JRuby-Rack will use the java
servlet session store by default, which should support authenticity
tokens just fine.

Cheers,
/Nick


To unsubscribe from this list, please visit:

http://xircles.codehaus.org/manage_email

Thanks Nick.

Yes, I am using .9.9.
I uncommented out the activerecord-store in environment.rb so right now
defaulting to cookie based sessions.

Any other ideas here?

What's weird is I do notice that the authenticity_token on the form (when
doing a view source) is not the same as the one that gets posted in the
logfile, which is odd.

Adam

> > Also strange is the reference to jruby-1.1.1-complete.jar when this was
> > built with 1.1.2
>
> Warbler bundles 1.1.1. If you want to use 1.1.2, you can run “jruby -S
> warble pluginize” and remove
> vendor/plugins/warbler/lib/jruby-complete-1.1.1.jar and add
> jruby-complete-1.1.2.jar instead.

Instead of pluginizing warbler, we just modify config.java_libs in
config/warble.rb. In our app, we put all of the jars that we need in
production in RAILS_ROOT/lib/jars (including goldspike and
jruby-complete) and set config.java_libs to []. This makes upgrading
jruby versions and warbler independent of each other.

If jruby-complete is the only jar that needs to be replaced, it’s also
possible to do this:

remove warbler’s version …

config.java_libs.reject! { |lib| lib =~ /jruby-complete/ }

… and add either via config/warble.rb …

config.java_libs << 'path/to/jruby-complete-x.y.z.jar'

… or just drop the jruby-complete jar into RAILS_ROOT/lib, which
warbler copies to WEB-INF, and the servlet container will put all jars
in WEB-INF in your classpath.


Matt



Thanks Matt.

I am still struggling a bit with this InvalidAuthenticity error and
where it can be rooted from. ActiveRecord sessions are disabled in
environment.rb.

Adam

On Thu, Jun 19, 2008 at 5:35 AM, AD [email protected] wrote:

> logfile which is odd.

What do you have in your application controller? Do you have a key
specified in the protect_from_forgery call?

protect_from_forgery # :secret => …
or
protect_from_forgery :secret => …

The servlet session store uses the former, just like the cookie store.

/Nick



Ah, I have it uncommented, let me try commenting it out.

Adam

Worked like a charm, thank you.
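
Added example, not part of the thread and not Rails or JRuby-Rack code: a simplified stand-alone model of the two token styles discussed above, one stored in the session (no :secret) and one recomputed as an HMAC of the session id under a :secret. It shows why a token rendered into a form stops verifying when the session id seen on the POST differs from the one seen at render time. All names and values (Session, round_trip, the ids, the secret) are hypothetical, and the HMAC-of-session-id derivation is an assumption of this model.

```ruby
require 'openssl'
require 'securerandom'

# Hypothetical stand-in for a server-side session (not a Rails class).
Session = Struct.new(:session_id, :data)

# Strategy A: a random token stored inside the session itself.
def token_from_session(session)
  session.data[:csrf_token] ||= SecureRandom.hex(20)
end

# Strategy B: token = HMAC-SHA1(secret, session id); nothing is stored.
def token_from_session_id(session, secret)
  OpenSSL::HMAC.hexdigest('SHA1', secret, session.session_id.to_s)
end

# Compare without stopping at the first differing byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Render a form, then POST it back. id_on_post models a container that
# exposes a different session id on the second request while the session
# contents (data) stay the same. All values are constructed.
def round_trip(strategy, id_on_render:, id_on_post:, secret: 'constructed-secret')
  data = {}
  derive = lambda do |id|
    s = Session.new(id, data)
    strategy == :stored ? token_from_session(s) : token_from_session_id(s, secret)
  end
  form_token = derive.call(id_on_render)   # embedded in the rendered form
  expected   = derive.call(id_on_post)     # recomputed when the POST arrives
  secure_equal?(expected, form_token) ? :ok : :invalid_authenticity_token
end

if __FILE__ == $PROGRAM_NAME
  [[:stored, 'abc', 'abc'], [:stored, 'abc', 'xyz'],
   [:hmac, 'abc', 'abc'], [:hmac, 'abc', 'xyz']].each do |strategy, r_id, p_id|
    puts "#{strategy} render=#{r_id} post=#{p_id} -> " \
         "#{round_trip(strategy, id_on_render: r_id, id_on_post: p_id)}"
  end
end
```

When debugging a mismatch like the one reported here, compare the session id logged at render time with the one logged on the POST before looking at the token itself.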