grouper-users - [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request
- From: Shaun Koh <>
- To: "Hyzer, Chris" <>, "" <>
- Subject: [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request
- Date: Thu, 3 Nov 2016 20:58:09 +0000
- Accept-language: en-US, en-NZ
Hi Chris,

I’m on version 2.3.0 and the most updated patch level (api: 30, pspng: 3, ui: 6, ws: 4). I’ve added the below and it seems to have fixed the issue, though I am curious to know why a change in the CsrfGuard properties is required when it didn’t before, i.e. the DEV and TEST overlay properties were identical.

Best Regards,
Shaun K.

> From: Hyzer, Chris [mailto:]
>
> What version and patch level? Maybe try adding this to Owasp.CsrfGuard.overlay.properties:
>
> org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi
>
> There is already an entry with a slash, maybe need one without??
>
> Thanks
> Chris
>
> > From: [] On Behalf Of Shaun Koh
> >
> > Hi there,
> >
> > We’ve run into an error when attempting to access the UI that says `Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.`. We use Shibb SSO for our authN and, from the debug/error logs, it seems that users are being successfully matched against subjects in the DB, though the redirect to /grouper/grouperUi is being marked as a potential CSRF attack, apparently due to a missing token in the request:
> >
> > 2016-11-03 17:02:40,432: [http-8080-3] DEBUG GrouperUiFilter.remoteUser(638) - - httpServletRequest.getRemoteUser(): null, UOAid header: ${some_user_id}, remoteUser overall: ${some_user_id},
> > 2016-11-03 17:02:40,433: [http-8080-3] INFO EventLog.info(156) - - [ccc13c1558c14e6f8d9eb7bb0892c8ac,'GrouperSystem','application'] session: start (1ms)
> > 2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/index.jsp
> > 2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
> > 2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:${some_ip}, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
> >
> > I’ve had a look at similar threads in the mailing lists, though none of the solutions worked for us. Also, this only happens in our DEV environment and not TEST, which worked seamlessly until 2-3 days ago. I do not recall us making any changes that may have caused this issue.
> >
> > Any help or suggestions would be much appreciated.
> >
> > Best Regards,
> > Shaun K.
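Added example (editor's code, not part of the thread or of Grouper/CsrfGuard): the thread turns on telling a CsrfGuard "attack thwarted" entry caused by a missing unprotected-page entry (an anonymous GET to the post-login landing URI, token necessarily absent) apart from one that deserves investigation (an authenticated state-changing request whose token does not match). The script parses CsrfGuard error lines of the shape shown above, applies that heuristic, summarises per URI, and renders the overlay property Chris suggested. The log lines are constructed to mirror the excerpt, the `config-gap-candidate` / `investigate` labels and the `classify_event` rule are this example's own, and it assumes the suffix after `org.owasp.csrfguard.unprotected.` is a free-form label (as `GrouperUiNoSlash` in the thread suggests).

```python
import re
from collections import defaultdict

# Constructed sample log, modelled on the CsrfGuard output quoted in the thread.
# Timestamps, IPs, users and the POST uri are illustrative, not captured data.
SAMPLE_LOG = """\
2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/index.jsp
2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.5, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
2016-11-03 17:03:01,100: [http-8080-4] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.6, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
2016-11-03 17:05:12,900: [http-8080-2] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:jdoe, ip:10.0.0.9, method:POST, uri:/grouper/grouperUi/app/UiV2Group.submit, error:request token does not match session token)
"""

# Matches only the ERROR lines CsrfGuard writes when it blocks a request.
CSRF_ERROR_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}): \[(?P<thread>[^\]]+)\] "
    r"ERROR CsrfGuardLogger\.log\(\d+\) - - "
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]+), ip:(?P<ip>[^,]+), method:(?P<method>[A-Z]+), "
    r"uri:(?P<uri>[^,]+), error:(?P<error>[^)]+)\)$"
)


def parse_csrf_errors(text):
    """Return one dict per blocked request; INFO/DEBUG lines are skipped."""
    events = []
    for line in text.splitlines():
        m = CSRF_ERROR_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_event(ev):
    """Heuristic (this example's own): an anonymous GET rejected for a missing
    token is what a page absent from the unprotected list looks like, e.g. the
    post-SSO redirect in the thread; anything else (authenticated, non-GET, or a
    token that is present but wrong) is a real mismatch worth looking at."""
    if (ev["user"] == "<anonymous>" and ev["method"] == "GET"
            and ev["error"].startswith("required token is missing")):
        return "config-gap-candidate"
    return "investigate"


def summarize(events):
    """Per-URI view: how often it was blocked, by which methods, and whether
    every hit was anonymous (many anonymous GETs to one landing URI point at
    configuration rather than at an attacker)."""
    summary = defaultdict(lambda: {"count": 0, "methods": set(), "anonymous_only": True})
    for ev in events:
        s = summary[ev["uri"]]
        s["count"] += 1
        s["methods"].add(ev["method"])
        if ev["user"] != "<anonymous>":
            s["anonymous_only"] = False
    return {uri: {**s, "methods": sorted(s["methods"])} for uri, s in summary.items()}


def suggest_unprotected_entry(uri, label, servlet_context="/grouper"):
    """Render the Owasp.CsrfGuard.overlay.properties line from the thread,
    substituting the %servletContext% placeholder for the context path.
    Assumes the key suffix (label) is free-form, as 'GrouperUiNoSlash' suggests."""
    path = uri[len(servlet_context):] if uri.startswith(servlet_context) else uri
    return f"org.owasp.csrfguard.unprotected.{label}=%servletContext%{path}"


if __name__ == "__main__":
    evs = parse_csrf_errors(SAMPLE_LOG)
    for ev in evs:
        print(ev["ts"], ev["method"], ev["uri"], ev["user"], "->", classify_event(ev))
    for uri, s in summarize(evs).items():
        print(uri, s)
        if s["anonymous_only"] and s["methods"] == ["GET"]:
            print("  candidate overlay entry:", suggest_unprotected_entry(uri, "GrouperUiNoSlash"))
```

Run against a real grouper log, the summary is the quick check for the situation in the thread: if the only blocked URI is the landing page, every hit is anonymous and every method is GET, the fix belongs in the overlay properties; an `investigate` event with a named user and a mismatched token is the case the filter exists for and should not be silenced by widening the unprotected list.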
- [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Jeffrey Eaton, 11/03/2016
- RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Waldbieser, Carl, 11/04/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/04/2016
- RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/05/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/04/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Waldbieser, Carl, 11/04/2016
- RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request, Jeffrey Eaton, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Shaun Koh, 11/03/2016
- [grouper-users] RE: Grouper UI CSRF error -- required token is missing from the request, Hyzer, Chris, 11/03/2016