Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.


Chronological Thread 
  • From: Jeffrey Crawford <>
  • To: "Hyzer, Chris" <>
  • Cc: Gouper Users List <>
  • Subject: Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
  • Date: Wed, 13 Jan 2016 13:08:15 -0800

Okay this is also kind of interesting, on each loop I'm getting a new "&csrfExtraParam=xyz" tacked onto the end of the url on each loop. Also I pick up this strange Cookie setting between two of the requests. By the way I cleared the tomcat work and temp sections but it didn't help. However yes each post has a new JSESSIONID entry.

Inline image 2

Jeffrey

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Wed, Jan 13, 2016 at 12:36 PM, Jeffrey Crawford <> wrote:
The tokens seem to be there, but they are different on each POST (it keeps looping). I've also found some "GET's" with "FETCH-CRSF-TOKEN:1" when trying to fetch "OwaspJavaScriptServlet" not sure if that's right.

The only new data in the logs are:

2016-01-13 12:21:48,327: [TP-Processor16] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperExternal/public/UiV2Public.index
2016-01-13 12:21:48,429: [TP-Processor1] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Main.index
2016-01-13 12:21:48,497: [TP-Processor15] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperExternal/public/assets/css/bootstrap.css
2016-01-13 12:21:48,546: [TP-Processor12] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperExternal/public/OwaspJavaScriptServlet
2016-01-13 12:21:49,426: [TP-Processor2] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperExternal/public/OwaspJavaScriptServlet
2016-01-13 12:21:51,918: [TP-Processor2] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Main.folderMenu
2016-01-13 12:21:51,919: [TP-Processor7] INFO  CsrfGuardLogger.log(26) -  - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Stem.viewStem
2016-01-13 12:21:51,919: [TP-Processor7] ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:Gxxxxxxxxx, ip:xxx.xxx.xx.x, method:POST, uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does not match session token)


Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365

Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------

On Wed, Jan 13, 2016 at 11:36 AM, Hyzer, Chris <> wrote:

Try setting this in the log4j.properties:

 

log4j.logger.edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger  = DEBUG

 

Can you try it in a different browser?  Does it reproduce?

 

Can you reproduce on the demo server?  If you get to a firebug or chrome debug panel you can see the HTTP header in the request.  Verify you see it on your dev server.  Not sure what is getting messed up here…

 

 

 

 

 

From: Jeffrey Crawford [mailto:]
Sent: Wednesday, January 13, 2016 1:27 PM
To: Hyzer, Chris <>
Cc: Gouper Users List <>
Subject: Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.

 

 


Jeffrey

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 

On Wed, Jan 13, 2016 at 10:16 AM, Hyzer, Chris <> wrote:

What version and patch level are you running? 

v2.2.2 patch 5

 

ui patch 4

Do you have apache in front of tomcat or a load balancer? 

We are using shibboleth apache in front of tomcat

 

How many nodes? 

Dev is just one node

 

direct connection

Sticky load balancing?  

No LB on dev

 

, but production does use a LB, however it's working as of now.

What browser are you using? 

Firefox

 

Does it happen for multiple people?

Yes

 

Thanks, Chris

 

From: [mailto:] On Behalf Of Jeffrey Crawford
Sent: Wednesday, January 13, 2016 1:10 PM
To: Gouper Users List <>
Subject: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.

 

This is from our dev system. it was working fine and then just started producing the following error and reloading the page when opening folders or groups. It seems to finally catch after a while but It's not clear as to when this started or why it's happening. I've tried clearing cookies and private browsing but it doesn't seem to help.


2016-01-13 10:02:57,449: [TP-Processor12] ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:Gxxxxxxxxx, ip:xxx.xxx.xx.x, method:POST, uri:/grouper/grouperUi/app/UiV2Group.viewGroup, error:request token does not match session token)

Any ideas on where to start figuring out what's going on? Our prod isn't doing this but I'm of course a little worried.


Jeffrey

 

Both pilots and IT professionals require training and currency before charging into clouds!

---------------------------------------

 






Archive powered by MHonArc 2.6.16.

Top of Page