grouper-users - RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request

Subject: Grouper Users - Open Discussion List

RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request


  • From: Shaun Koh <>
  • To: Jeffrey Eaton <>
  • Cc: "Hyzer, Chris" <>, "" <>
  • Subject: RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
  • Date: Thu, 3 Nov 2016 22:55:06 +0000
  • Accept-language: en-US, en-NZ

Hi Jeffrey,

I think you may be spot on! -- I do recall our Unix team patching the DEV
systems a few days ago as part of their auto-patching cycles.

Yep just checked, our Grouper DEV hosts are currently using
tomcat6-6.0.24-98.el6_8.noarch -- perhaps time to upgrade

Thanks for the info and link.

Best Regards,
Shaun K.

-----Original Message-----
From: Jeffrey Eaton
[mailto:]

Sent: Friday, 4 November 2016 10:44 a.m.
To: Shaun Koh
Cc: Hyzer, Chris;

Subject: Re: [grouper-users] Grouper UI CSRF error -- required token is
missing from the request

I just had to make the same change last week on my grouper 2.2.1 instance
after a normal OS update (RHEL6.8). I didn’t dig into it too far once I
figured out the fix/workaround, but I suspected it was a Tomcat update that
changed something. For what it’s worth, it looks like we’re on
tomcat6-6.0.24-98.el6_8.noarch right now.

I wouldn’t be surprised if one of the fixes mentioned in
https://rhn.redhat.com/errata/RHSA-2016-2045.html is the underlying change.
There is specifically one about accessing a URL without a trailing slash, so
maybe that’s it?

-jeaton

> On Nov 3, 2016, at 4:58 PM, Shaun Koh
> <>
> wrote:
>
> Hi Chris,
>
> I’m on version 2.3.0 and most updated patch level (api: 30, pspng:3, ui:6,
> ws:4)
>
> I’ve added the below and it seems to have fixed the issue though I am
> curious to know as to why a change in the CsrfGuard properties is required
> when it didn’t before. – i.e. DEV and TEST overlay properties were identical
>
> Best Regards,
> Shaun K.
>
> From: Hyzer, Chris
> [mailto:]
>
> Sent: Friday, 4 November 2016 2:33 a.m.
> To: Shaun Koh;
>
> Subject: RE: Grouper UI CSRF error -- required token is missing from the
> request
>
> What version and patch level?
>
> Maybe try adding this to Owasp.CsrfGuard.overlay.properties:
>
> org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi
>
> There is already an entry with a slash, maybe need one without??
>
> Thanks
> Chris
>
>
> From:
>
>
> [mailto:]
> On Behalf Of Shaun Koh
> Sent: Thursday, November 03, 2016 12:22 AM
> To:
>
> Subject: [grouper-users] Grouper UI CSRF error -- required token is missing
> from the request
>
> Hi there,
>
> We’ve run into an error when attempting to access the UI that says `Maybe
> your session timed out and you need to start again. This should not happen
> under normal operation. CSRF error.`.
>
> We use Shibb SSO for our authN and from the debug/error logs, it seems that
> users are being successfully matched against subjects in the DB though the
> redirect to /grouper/grouperUi is being marked as a potential CSRF attack
> apparently due to missing token in the request:
>
> 2016-11-03 17:02:40,432: [http-8080-3] DEBUG
> GrouperUiFilter.remoteUser(638) - - httpServletRequest.getRemoteUser():
> null, UOAid header: ${some_user_id}, remoteUser overall: ${some_user_id},
> 2016-11-03 17:02:40,433: [http-8080-3] INFO EventLog.info(156) - -
> [ccc13c1558c14e6f8d9eb7bb0892c8ac,'GrouperSystem','application'] session:
> start (1ms)
> 2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - -
> CsrfGuard analyzing request /grouper/index.jsp
> 2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - -
> CsrfGuard analyzing request /grouper/grouperUi
> 2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - -
> potential cross-site request forgery (CSRF) attack thwarted
> (user:<anonymous>, ip:${some_ip}, method:GET, uri:/grouper/grouperUi,
> error:required token is missing from the request)
>
> I’ve had a look at similar threads in the mailing lists though none of the
> solutions worked for us.
>
> Also, this only happens in our DEV environment and not TEST which worked
> seamlessly until 2-3 days ago. -- I do not recall us making any changes
> that may have caused this issue.
>
> Any help or suggestions would be much appreciated.
>
> Best Regards,
> Shaun K.
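
Added example for this archive page (not Grouper's or CsrfGuard's own code): a small Python triage that parses a CsrfGuard "attack thwarted" log line like the one quoted above, reads the org.owasp.csrfguard.unprotected.* entries from an overlay file, and reports whether the thwarted URI, and its trailing-slash twin, are covered, which is the slash/no-slash mismatch the thread settles on. The matching rule (exact match, or prefix match for entries ending in "/*"), the sample log and the sample overlay are assumptions constructed for the example, not the actual CsrfGuard implementation.

```python
import re

# Constructed sample, based on the log lines quoted in the thread, with the line
# wrapping undone so each event is one line; the ip is a placeholder value.
SAMPLE_LOG = """\
2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:203.0.113.10, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
"""

# Constructed overlay in which only the trailing-slash form is unprotected.
SAMPLE_OVERLAY = "org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/\n"

THWARTED_RE = re.compile(
    r"attack thwarted \(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), "
    r"method:(?P<method>[A-Z]+), uri:(?P<uri>[^,]*), error:(?P<error>[^)]*)\)")


def parse_unprotected(overlay_text, servlet_context):
    """Collect org.owasp.csrfguard.unprotected.* values with %servletContext% filled in."""
    paths = []
    for line in overlay_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("org.owasp.csrfguard.unprotected."):
            paths.append(value.strip().replace("%servletContext%", servlet_context))
    return paths


def is_unprotected(uri, paths):
    """Assumed matching rule: exact match, or prefix match for entries ending in '/*'."""
    return any(uri == p or (p.endswith("/*") and uri.startswith(p[:-1])) for p in paths)


def triage(log_text, overlay_text, servlet_context="/grouper"):
    """One finding per thwarted request: is the URI covered by an unprotected entry,
    and would its trailing-slash twin have been (the mismatch discussed in the thread)?"""
    paths = parse_unprotected(overlay_text, servlet_context)
    findings = []
    for line in log_text.splitlines():
        m = THWARTED_RE.search(line)
        if m:
            uri = m["uri"]
            twin = uri[:-1] if uri.endswith("/") else uri + "/"
            findings.append({"uri": uri, "method": m["method"], "error": m["error"],
                             "covered": is_unprotected(uri, paths),
                             "twin_covered": is_unprotected(twin, paths)})
    return findings
```

A finding with covered=False and twin_covered=True is the signature of the no-slash gap; re-running triage after appending the GrouperUiNoSlash line from the thread to the overlay turns covered to True.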




Archive powered by MHonArc 2.6.19.