Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error


Chronological Thread 
  • From: Baron Fujimoto <>
  • To: Grouper Users <>
  • Subject: Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
  • Date: Thu, 10 Dec 2015 16:42:14 -1000

Unearthed this in the Tomcat Changelogs for 8.0.29, which seems like a
candidate:

"Add a new RestCsrfPreventionFilter that provides basic CSRF protection
for REST APIs."

Now trying to make sense of this Tomcat documentation:

<https://tomcat.apache.org/tomcat-8.0-doc/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs>

I don't yet know if the problem is the result of something I need to do
with Tomcat's new RestCsrfPreventionFilter, or some interaction between
it and Grouper's existing owasp.csrfguard.* stuff (or something else
altogether).

Presumably there should be an appropriate <Filter> element that goes in
the UI's web.xml. Assuming I can sort out how to correctly update web.xml,
what's the best way to have it incorporated as part of the build process?
Or would you need to update it after the build? The current web.xml
advises, "CHANGE YOUR FILE specified by the build.properties value
[additional.web.xml]. The contents of that file are merged into
${grouper-ui}/webapp/WEB-INF/web.core.xml" However, when I specify the
following in the grouper-ui's build.properties:
additional.web.xml=${basedir}/path/to/additional-web.xml I don't see the
contents of additional-web.xml incorporated anywhere in the resulting
web.xml after the build.

Aloha,
-baron

On Thu, Dec 10, 2015 at 02:31:00PM -1000, Baron Fujimoto wrote:
>Thanks for the pointers. Doing a little more due diligence, I realized
>that the Grouper versions weren't the only difference in the environments.
>The 2.2.1 env was running under Tomcat 8.0.24, and the 2.2.2 env was
>running under the latest 8.0.30. I upgraded the 2.2.1 env Tomcat to 8.0.30
>and now see the CSRF errors there as well. Backing out to 8.0.24 restores
>the working behavior, so this seems like a smoking gun. The Tomcat configs
>should be the same between the two instances, so I'll go review the Tomcat
>changelogs for any documented clues to account for the difference between
>these versions.
>
>Aloha,
>-baron
>
>On Thu, Dec 10, 2015 at 09:24:13AM -0500, Waldbieser, Carl wrote:
>>
>>Followup: Looking in my notes, the header in question is "OWASP_CSRF". We
>>use Nginx, which strips out headers with underscores by default. the
>>setting "underscores_in_headers on;" in the "nginx.conf" file allows that
>>header.
>>
>>Thanks,
>>Carl
>>
>>----- Original Message -----
>>From: "waldbiec"
>><>
>>To: "Baron Fujimoto"
>><>
>>Cc: "Grouper Users"
>><>
>>Sent: Thursday, December 10, 2015 9:18:01 AM
>>Subject: Re: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
>>
>>Baron,
>>
>>Not sure if this helps, but when we first set up Grouper, we ran afoul of
>>the CSRF checks because our proxy was not handling an HTTP header correctly.
>>I am not sure how you are using CAS (integrated vs. apache + mod_auth_cas)
>>or what your deployment architecture is like, so I am not sure if that
>>helps.
>>
>>Thanks,
>>Carl Waldbieser
>>ITS Systems Programmer
>>Lafayette College
>>
>>----- Original Message -----
>>From: "Baron Fujimoto"
>><>
>>To: "Grouper Users"
>><>
>>Sent: Wednesday, December 9, 2015 10:32:26 PM
>>Subject: [grouper-users] Grouper 2.2 w/ CAS AuthN logout, CSRF error
>>
>>While testing our Grouper 2.2 UI deployment which uses CAS for
>>authentication, I encountered the following situation:
>>
>>- Log out
>>
>>This puts me back at the usual page at
>><https://grouper-future.its.hawaii.edu/grouper/logout.do> with the warning
>>text, "The only way to be sure that you have logged out is to close ALL
>>browser windows."
>>
>>If I then attempt to log back in from this screen, it sends me back to the
>>CAS login page as expected, but after authenticating with CAS I am
>>redirected back to a Grouper error page which says "You have an anonymous
>>session since you are not logged in, but this section requires you to be
>>logged in. Maybe No username found. Your identity provider might not be
>>sending your username to this application. Either you need to use a
>>different identity provider, or ask your IT department to send your
>>username to this application."
>>
>>In 2.2.1 if I click on the offered option to "Start over" it sends me back
>>to /grouper and all proceeds as expected (presumably reusing my existing
>>CAS session).
>>
>>With 2.2.2 I am redirected to an error page that says, "Maybe your session
>>timed out and you need to start again. This should not happen under normal
>>operation. CSRF error" and the following gets logged:
>>
>>ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery
>>(CSRF) attack thwarted (user:<anonymous>, ip:xxx.xxx.xxx.xxx, method:GET,
>>uri:/grouper/grouperUi, error:required token is missing from the request)
>>
>>No matter what I try from this point, including quitting and restarting
>>my browser, using the browser's private browsing features, and even
>>incredibly (to me) restarting the UI webapp won't get me past this when I
>>try to go back to /grouper.
>>
>>Any ideas on why it's not matching the 2.2.1 behaviour?
>>
>>Also, FWIW, whenever one of those error pages is loaded, the following
>>string is also logged with no context or additional information,
>>"Institute of Higher Education". I've tracked this down to
>>
>>grouper.ui/conf/grouperText/grouper.text.en.us.base.properties:
>>institutionName = Institute of Higher Education
>>
>>Where I suppose we could customize it in grouper.text.en.us.properties?
>>However, logging this string as it does currently doesn't seem to serve
>>any useful purpose?
>>
>>-baron

--
Baron Fujimoto
<>
:: UH Information Technology Services
minutas cantorum, minutas balorum, minutas carboratum desendus pantorum



Archive powered by MHonArc 2.6.16.

Top of Page