grouper-users - Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
Subject: Grouper Users - Open Discussion List
- From: Jeffrey Crawford <>
- To: "Hyzer, Chris" <>
- Cc: Gouper Users List <>
- Subject: Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
- Date: Wed, 13 Jan 2016 16:51:54 -0800
Chrome doesn't seem to be showing the same symptoms but IE is. I just realized that I forgot to mention that getting into Grouper is no problem. However, the moment I try to display a folder or group, that's when the loop begins. Eventually I get the "start over" but then it displays the dashboard. As soon as I hit a group or folder it goes again. The admin UI isn't having any problems; it's just the new UI.
Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Wed, Jan 13, 2016 at 3:00 PM, Jeffrey Crawford <> wrote:
I'll have to look around. So far the configs seem to be identical, and after restarting everything it's still not working. Off to a meeting now. Will update when I get back.
Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Wed, Jan 13, 2016 at 2:05 PM, Hyzer, Chris <> wrote:
I don’t really know.
It sounds like Tomcat is not getting the JSESSIONID cookie and creating a new session each time, and since it is doing that, it is creating a new CSRF token, which means that there is a mismatch from the old. Can you verify somehow that Apache is passing that cookie back to Tomcat? What version of Tomcat are you using? Did you recently make any changes to Tomcat or Apache around the time that this started? Or is something different between test and prod to cause this?
Thanks,
Chris
From: Jeffrey Crawford [mailto:]
Sent: Wednesday, January 13, 2016 4:08 PM
To: Hyzer, Chris <>
Cc: Gouper Users List <>
Subject: Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
Okay this is also kind of interesting, on each loop I'm getting a new "&csrfExtraParam=xyz" tacked onto the end of the url on each loop. Also I pick up this strange Cookie setting between two of the requests. By the way I cleared the tomcat work and temp sections but it didn't help. However yes each post has a new JSESSIONID entry.
Jeffrey
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Wed, Jan 13, 2016 at 12:36 PM, Jeffrey Crawford <> wrote:
The tokens seem to be there, but they are different on each POST (it keeps looping). I've also found some GETs with "FETCH-CRSF-TOKEN:1" when trying to fetch "OwaspJavaScriptServlet"; not sure if that's right.
The only new data in the logs are:
2016-01-13 12:21:48,327: [TP-Processor16] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperExternal/public/UiV2Public.index
2016-01-13 12:21:48,429: [TP-Processor1] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Main.index
2016-01-13 12:21:48,497: [TP-Processor15] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperExternal/public/assets/css/bootstrap.css
2016-01-13 12:21:48,546: [TP-Processor12] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperExternal/public/OwaspJavaScriptServlet
2016-01-13 12:21:49,426: [TP-Processor2] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperExternal/public/OwaspJavaScriptServlet
2016-01-13 12:21:51,918: [TP-Processor2] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Main.folderMenu
2016-01-13 12:21:51,919: [TP-Processor7] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi/app/UiV2Stem.viewStem
2016-01-13 12:21:51,919: [TP-Processor7] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:Gxxxxxxxxx, ip:xxx.xxx.xx.x, method:POST, uri:/grouper/grouperUi/app/UiV2Stem.viewStem, error:request token does not match session token)
Jeffrey E. Crawford
ITS Application Administrator (IdM)
831-459-4365
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Wed, Jan 13, 2016 at 11:36 AM, Hyzer, Chris <> wrote:
Try setting this in the log4j.properties:
log4j.logger.edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger = DEBUG
Can you try it in a different browser? Does it reproduce?
Can you reproduce on the demo server? If you get to a firebug or chrome debug panel you can see the HTTP header in the request. Verify you see it on your dev server. Not sure what is getting messed up here…
From: Jeffrey Crawford [mailto:]
Sent: Wednesday, January 13, 2016 1:27 PM
To: Hyzer, Chris <>
Cc: Gouper Users List <>
Subject: Re: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
Jeffrey
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
On Wed, Jan 13, 2016 at 10:16 AM, Hyzer, Chris <> wrote:
What version and patch level are you running?
v2.2.2 patch 5
ui patch 4
Do you have apache in front of tomcat or a load balancer?
We are using shibboleth apache in front of tomcat
How many nodes?
Dev is just one node
direct connection
Sticky load balancing?
No LB on dev, but production does use a LB, however it's working as of now.
What browser are you using?
Firefox
Does it happen for multiple people?
Yes
Thanks, Chris
From: [mailto:] On Behalf Of Jeffrey Crawford
Sent: Wednesday, January 13, 2016 1:10 PM
To: Gouper Users List <>
Subject: [grouper-users] Our Dev system is getting CSRF errors and the ui page is reloading.
This is from our dev system. It was working fine and then just started producing the following error and reloading the page when opening folders or groups. It seems to finally catch after a while but it's not clear as to when this started or why it's happening. I've tried clearing cookies and private browsing but it doesn't seem to help.
2016-01-13 10:02:57,449: [TP-Processor12] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:Gxxxxxxxxx, ip:xxx.xxx.xx.x, method:POST, uri:/grouper/grouperUi/app/UiV2Group.viewGroup, error:request token does not match session token)
Any ideas on where to start figuring out what's going on? Our prod isn't doing this but I'm of course a little worried.
Jeffrey
Both pilots and IT professionals require training and currency before charging into clouds!
---------------------------------------
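The diagnosis suggested in this thread (Tomcat not receiving the JSESSIONID cookie, so every request gets a new session and therefore a new CSRF token) can be checked from the headers of a captured request sequence. The following is an added example, not part of the thread or of Grouper; the capture, session IDs and function names are constructed for illustration.

```python
from http.cookies import SimpleCookie

# Constructed capture (not from the thread): request/response pairs as seen
# by Tomcat, reduced to the Cookie and Set-Cookie headers. IDs are made up.
SAMPLE = [
    {"uri": "/grouper/grouperUi/app/UiV2Main.index", "cookie": "",
     "set_cookie": ["JSESSIONID=AAA111; Path=/grouper; HttpOnly"]},
    {"uri": "/grouper/grouperUi/app/UiV2Main.folderMenu",
     "cookie": "JSESSIONID=AAA111", "set_cookie": []},
    # The session cookie is missing from the request: a new session is started.
    {"uri": "/grouper/grouperUi/app/UiV2Stem.viewStem", "cookie": "other=1",
     "set_cookie": ["JSESSIONID=BBB222; Path=/grouper; HttpOnly"]},
    # The cookie arrives, but the server does not accept it and issues another.
    {"uri": "/grouper/grouperUi/app/UiV2Stem.viewStem",
     "cookie": "JSESSIONID=BBB222",
     "set_cookie": ["JSESSIONID=CCC333; Path=/grouper; HttpOnly"]},
]

def session_id(header):
    """Return the JSESSIONID value in a Cookie or Set-Cookie header, or None."""
    jar = SimpleCookie()
    jar.load(header)
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None

def find_session_churn(exchanges):
    """Return (index, uri, reason) for each exchange that loses the session.

    cookie-not-sent: a session was issued but the request carries none
        (check the proxy in front of Tomcat and the cookie's Path/Secure scope).
    stale-cookie-sent: the request carries an ID other than the last one issued.
    server-replaced-session: the right ID was sent but a new one came back
        (session expired or invalidated, or the request reached another node).
    """
    findings, issued = [], None
    for n, ex in enumerate(exchanges):
        sent = session_id(ex["cookie"])
        new = next((s for s in map(session_id, ex["set_cookie"]) if s), None)
        if issued and sent is None:
            findings.append((n, ex["uri"], "cookie-not-sent"))
        elif issued and sent != issued:
            findings.append((n, ex["uri"], "stale-cookie-sent"))
        elif sent and new and new != sent:
            findings.append((n, ex["uri"], "server-replaced-session"))
        issued = new or issued  # the session the next request should carry
    return findings

if __name__ == "__main__":
    for finding in find_session_churn(SAMPLE):
        print(finding)
```

Every flagged exchange is a point where the token stored in the session can no longer match the token the page submits, which is the "request token does not match session token" error in the logs above.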