CSP Error in Eclipse Scout (One Day Tutorial)?

Question

I'm currently on the one day tutorial of the Eclipse Scout Framework, and I'm stuck at exactly this part. I don't think that my question is Tutorial-specific, which is why I'm asking my question here: Suddenly, when I try to open a menu in my scout localhost environment; I get an "access denied" message in my browser, and the java console gives back the following log:

2022-04-06 22:27:06,597 WARN  [qtp1600667055-41] org.eclipse.scout.rt.server.commons.authentication.DevelopmentAccessController.handle(DevelopmentAccessController.java:66) - 
+++ Development access control with user xxx.yyy - MDC[]
2022-04-06 22:27:06,875 INFO  [qtp1600667055-33] org.eclipse.scout.rt.ui.html.csp.ContentSecurityPolicyReportHandler.log(ContentSecurityPolicyReportHandler.java:80) - CSP-REPORT: {
  "csp-report": {
    "blocked-uri": "inline",
    "column-number": 797897,
    "document-uri": "http:\/\/localhost:8082\/",
    "line-number": 71,
    "original-policy": "img-src 'self'; style-src 'self' 'unsafe-inline'; child-src *; default-src 'self'; report-uri http:\/\/localhost:8082\/csp-report; script-src 'self'",
    "referrer": "",
    "source-file": "moz-extension",
    "violated-directive": "script-src"
  }
} - MDC[principal=xxx.yyy, 
httpUri=/csp-report, 
cid=d3e5c2b5-19b8-4f62-b512-56bbd82eb685]
2022-04-06 22:27:07,
575 INFO  [scout-model-thread-4 Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah]] org.eclipse.scout.rt.client.AbstractClientSession.start(AbstractClientSession.java:294) - Client session started [session=org.eclipse.scout.contacts.client.ClientSession@49956588[id = v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], user=xxx.yyy] - MDC[principal=xxx.yyy, httpUri=/json, jobName=Starting ClientSession [sessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah], cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO  [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.getOrCreateClientSession(UiSession.java:303) - Created new client session [clientSessionId=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, userAgent=HTML|DESKTOP|FIREFOX|WINDOWS|Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,575 INFO  [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiThemeHelper.getConfiguredTheme(UiThemeHelper.java:59) - UI theme configured in config.properties: default - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,591 INFO  [scout-model-thread-10 Starting JsonClientSession] org.eclipse.scout.rt.ui.html.json.MainJsonObjectFactory.getFactories(MainJsonObjectFactory.java:36) - Using following object factories: [org.eclipse.scout.rt.ui.html.JsonObjectFactory@7646906d] - MDC[principal=xxx.yyy, httpUri=/json, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Starting JsonClientSession, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,701 INFO  [qtp1600667055-45] org.eclipse.scout.rt.ui.html.UiSession.init(UiSession.java:264) - UiSession with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 initialized - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:07,717 INFO  [qtp1600667055-45] org.eclipse.scout.rt.ui.html.json.JsonMessageRequestHandler.createUiSession(JsonMessageRequestHandler.java:362) - Created new UI session with ID 1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4 in 558.412900 ms [maxIdleTime=14400s, httpSession.maxInactiveInterval=3600s] - MDC[principal=xxx.yyy, httpUri=/json, cid=Sq8Jw6Nn9Gq/1]
2022-04-06 22:27:11,793 INFO  [scout-model-thread-18 Processing JSON request] org.eclipse.scout.rt.platform.exception.ExceptionHandler.handlePlatformException(ExceptionHandler.java:125) - VetoException: Zugriff verweigert [severity=ERROR, user=xxx.yyy, remote-service.name=org.eclipse.scout.contacts.shared.person.IPersonService, remote-service.operation=prepareCreate, form=org.eclipse.scout.contacts.client.person.PersonForm, ui.event=action, ui.adapter=Menu[id=5, modelClass=org.eclipse.scout.contacts.client.Desktop$QuickAccessMenu$NewPersonMenu, parentId=4]] - MDC[principal=xxx.yyy, httpUri=/json, uiSession=1:gsk4adjmlv49n219mb0v7ono8bfv2g3bo4kdiimvse5duppfdl4, scoutSession=v6r80rs8kch0k2pohlnc4u4n2917m8ohb0smftl2jbf4a62i7ah, jobName=Processing JSON request, cid=Bp3cD7ar8Gp/4]

To me it seems that there's a Content Security Policy issue somewhere, but no clue if that's the case, and if so how to fix that, even after researching the issue for quite some time now.

Help?

Answer 1

Are you running some kind of ad-blocker or privacy plugin in your browser? This would explain the reported CSP error. By default, the CSP rules block inline JavaScript code (eg <script>...</script> ). Scout itself does not use inline code. It is therefore likely that a browser plugin has injected code into the page. The reported "source-file" ("moz-extension") also hints to that.

The access denied error is probably not caused by the CSP rules. According to the log file, the click was successfully dispatched to the corresponding Menu instance on the UI server. That code calls a backend service ( IPersonService ) over the service tunnel, which fails with an exception. There are a lot of things that could have gone wrong here:

• Backend not running.
• Backend running, but not in a valid state.
• Auth keys of UI server and backend server don't match, so the service tunnel cannot be established securely. Check the values of the config properties scout.auth.privateKey and scout.auth.publicKey . If necessary, use the SecurityUtility to create a new pair.
• User does not have the necessary permissions. For every call to the backend over the service tunnel, RemoteServiceAccessPermission is required. And for most services, a specific permission is required, eg ReadPersonPermission .
• User doesn't exist.

To analyze these kinds of errors, first check the logs of both the UI server and the backend server. If this does not help, set some breakpoints and step through the code. Here are some classes that make a good starting point: ServerServletFilter , ServiceTunnelServlet , AccessControlService .

Answer 2

If your are running Java 17 version, then you need to update the private & public keys which can be found on config.properties file.