grouper-users - Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
Subject: Grouper Users - Open Discussion List
- From: "Waldbieser, Carl" <>
- To: Baron Fujimoto <>
- Cc: Grouper Users <>
- Subject: Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
- Date: Thu, 10 Dec 2015 09:18:01 -0500 (EST)
Baron,
Not sure if this helps, but when we first set up Grouper, we ran afoul of the
CSRF checks because our proxy was not handling an HTTP header correctly.
I am not sure how you are using CAS (integrated vs. apache + mod_auth_cas) or
what your deployment architecture is like, so I am not sure if that helps.
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
----- Original Message -----
From: "Baron Fujimoto" <>
To: "Grouper Users" <>
Sent: Wednesday, December 9, 2015 10:32:26 PM
Subject: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
While testing our Grouper 2.2 UI deployment which uses CAS for
authentication, I encountered the following situation:
- Log out
This puts me back at the usual page at
<https://grouper-future.its.hawaii.edu/grouper/logout.do> with the warning
text, "The only way to be sure that you have logged out is to close ALL
browser windows."
If I then attempt to log back in from this screen, it sends me back to the
CAS login page as expected, but after authenticating with CAS I am
redirected back to a Grouper error page which says "You have an anonymous
session since you are not logged in, but this section requires you to be
logged in. Maybe No username found. Your identity provider might not be
sending your username to this application. Either you need to use a
different identity provider, or ask your IT department to send your
username to this application."
In 2.2.1 if I click on the offered option to "Start over" it sends me back
to /grouper and all proceeds as expected (presumably reusing my existing
CAS session).
With 2.2.2 I am redirected to an error page that says, "Maybe your session
timed out and you need to start again. This should not happen under normal
operation. CSRF error" and the following gets logged:
ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery
(CSRF) attack thwarted (user:<anonymous>, ip:xxx.xxx.xxx.xxx, method:GET,
uri:/grouper/grouperUi, error:required token is missing from the request)
Nothing I try from this point, including quitting and restarting my
browser, using the browser's private browsing features, and even
(incredibly, to me) restarting the UI webapp, gets me past this when I
try to go back to /grouper.
Any ideas on why it's not matching the 2.2.1 behaviour?
Also, FWIW, whenever one of those error pages is loaded, the following
string is also logged with no context or additional information,
"Institute of Higher Education". I've tracked this down to
grouper.ui/conf/grouperText/grouper.text.en.us.base.properties:
institutionName = Institute of Higher Education
Where I suppose we could customize it in grouper.text.en.us.properties?
However, logging this string as it does currently doesn't seem to serve
any useful purpose?
-baron
--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum
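The sequence Baron describes (log out, authenticate at CAS, get redirected back to /grouper/grouperUi as a GET, and then see "required token is missing from the request") can be reproduced with a toy synchronizer-token filter. The Python below is an added illustration, not code from Grouper, CAS or OWASP CSRFGuard. The parameter name CSRF_TOKEN, the logger name, the user name and the IP address are constructed; the unprotected-path list is an assumption about how such a filter could exempt a login landing page, not a statement of how Grouper's filter is configured.

```python
"""Constructed example of a synchronizer-token CSRF filter.

Added illustration, not code from Grouper or OWASP CSRFGuard. It models the
situation in the thread: a session-bound CSRF token, a logout that
invalidates the session, and an identity-provider redirect that lands on
the application as a plain GET carrying no token.
"""
import logging
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

log = logging.getLogger("CsrfGuardLogger")  # constructed logger name

TOKEN_PARAM = "CSRF_TOKEN"           # hypothetical request parameter name
PROTECTED_METHODS = {"GET", "POST"}  # the log line on the page shows a GET being rejected


@dataclass
class Session:
    user: Optional[str] = None
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


class SessionStore:
    """In-memory stand-in for the servlet container's session registry."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def new(self) -> Tuple[str, Session]:
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = Session()
        return sid, self._sessions[sid]

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def invalidate(self, sid: str) -> None:
        # Logout: the token that lived in this session disappears with it.
        self._sessions.pop(sid, None)


@dataclass
class Request:
    method: str
    uri: str
    session_id: Optional[str]
    ip: str = "192.0.2.10"  # constructed; RFC 5737 documentation address
    form: Dict[str, str] = field(default_factory=dict)


class CsrfFilter:
    def __init__(self, store: SessionStore, unprotected_paths=()) -> None:
        self.store = store
        self.unprotected = set(unprotected_paths)  # assumed exemption mechanism

    def check(self, req: Request) -> Tuple[bool, str]:
        """Return (allowed, reason); log a CSRFGuard-style line on rejection."""
        parts = urlsplit(req.uri)
        if req.method not in PROTECTED_METHODS or parts.path in self.unprotected:
            return True, "unprotected"
        session = self.store.get(req.session_id)
        user = session.user if session and session.user else "<anonymous>"
        supplied = req.form.get(TOKEN_PARAM) or parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
        if supplied is None:
            reason = "required token is missing from the request"
        elif session is None or not secrets.compare_digest(
            supplied.encode(), session.csrf_token.encode()
        ):
            reason = "request token does not match session token"
        else:
            return True, "token ok"
        log.error("potential cross-site request forgery (CSRF) attack thwarted "
                  "(user:%s, ip:%s, method:%s, uri:%s, error:%s)",
                  user, req.ip, req.method, parts.path, reason)
        return False, reason


def logout_then_relogin(unprotected_paths=()) -> Tuple[bool, bool, bool, str]:
    """Replay the sequence from the thread and report what the filter decides."""
    store = SessionStore()
    csrf = CsrfFilter(store, unprotected_paths)
    sid, session = store.new()
    session.user = "baron"  # constructed user name
    # 1. Ordinary in-app navigation: the rendered page carried the session's token.
    in_app_ok, _ = csrf.check(
        Request("GET", f"/grouper/grouperUi?{TOKEN_PARAM}={session.csrf_token}", sid))
    # 2. Logout invalidates the session; the old token is now meaningless.
    store.invalidate(sid)
    # 3. A stale page still holding the old token is replayed.
    stale_ok, _ = csrf.check(
        Request("GET", f"/grouper/grouperUi?{TOKEN_PARAM}={session.csrf_token}", sid))
    # 4. The IdP redirect lands on the UI as a bare GET with no token at all.
    landing_ok, reason = csrf.check(Request("GET", "/grouper/grouperUi", None))
    return in_app_ok, stale_ok, landing_ok, reason


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR, format="%(levelname)s %(name)s - %(message)s")
    print(logout_then_relogin())
    print(logout_then_relogin(unprotected_paths=("/grouper/grouperUi",)))
```

Run stand-alone, the first call logs a line shaped like the one in Baron's report and returns the landing request as rejected with "required token is missing from the request"; the second call, with the landing path exempted, lets it through. The point for a defender reading the log: the token is bound to a server-side session that an external redirect cannot carry, so once the session is gone every protected request fails the same way, which is consistent with Baron's observation that restarting the browser or the webapp makes no difference.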