Grouper Users - Open Discussion List

[Chris Hyzer <>]

You can edit this config file and add more public pages…

 

https://github.com/Internet2/grouper/blob/master/grouper-ui/conf/Owasp.CsrfGuard.overlay.properties

 

Thanks,

Chris

 

 

 

From: [mailto:] On Behalf Of Sachdeva, Vivek
Sent: Wednesday, July 23, 2014 2:00 PM
To:
Subject: [grouper-users] Re: Adding public pages to grouper 2.2

 

I seem to have solved the problem myself. In Grouper 2.2 CSRF Guard is being used to protect the attacks and when I disabled it in the web.xml, public pages I added worked fine. 

 

Vivek

 

From: vivek sachdeva <>
Date: Tue, 22 Jul 2014 11:57:01 -0700
To: "" <>
Subject: Adding public pages to grouper 2.2

 

Hi,

 

I am trying to add a couple of public pages to grouper 2.2. In version 2.1.5 I did it by modifying web.xml like below:

 

<init-param>    

 

<param-name>ignore</param-name>    

  <param-value>:/populateIndex.do:/callLogin.do:/error.do:/logout.do:/approveDisapprove.do:/acceptDeny.do:</param-value>  

 </init-param>

 

This url http://localhost:8080/grouper/grouperUi/app/approveDisapprove.do?token=0332642a8aaf4c84953f23ca23e395d1 was working in 2.1.5

 

I am trying to do the same thing in 2.2 and it does not seem to work. Now, it asks for password.

 

but when I change the URL to http://localhost:8080/grouper/approveDisapprove.do?token=0332642a8aaf4c84953f23ca23e395d1

it goes in LoginCheckFilter and then throws error and url is redirected to http://localhost:8080/grouper/grouperExternal/public/UiV2Public.index?operation=UiV2Public.postIndex&function=UiV2Public.error&code=csrf&OWASP_CSRFTOKEN=M3DE-ROBX-MXJ8-8DQJ-YCFC-4YJ2-PHN3-5RLB

 

Can someone help?

 

Thanks,

Vivek