Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
Chronological Thread
- From: "Hyzer, Chris" <>
- To: "Waldbieser, Carl" <>, Shaun Koh <>
- Cc: Jeffrey Eaton <>, "" <>
- Subject: Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
- Date: Fri, 4 Nov 2016 13:36:25 +0000
- Accept-language: en-US
I will make a patch for this... thanks, chris
From: Waldbieser, Carl <>
Sent: Friday, November 4, 2016 6:33:08 AM
To: Shaun Koh
Cc: Jeffrey Eaton; Hyzer, Chris;
Subject: Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
I just got bit by this, too. My development environment is also at tomcat6-6.0.24-8.el6_8.
Thanks for figuring this one out!
Thanks,
Carl Waldbieser
ITS Systems Programmer
Lafayette College
----- Original Message -----
From: "Shaun Koh" <>
To: "Jeffrey Eaton" <>
Cc: "Hyzer, Chris" <>,
Sent: Thursday, November 3, 2016 6:55:06 PM
Subject: RE: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
Hi Jeffrey,
I think you may be spot on! I do recall our Unix team patching the DEV systems a few days ago as part of their auto-patching cycles.
Yep just checked, our Grouper DEV hosts are currently using tomcat6-6.0.24-98.el6_8.noarch -- perhaps time to upgrade
Thanks for the info and link.
Best Regards,
Shaun K.
-----Original Message-----
From: Jeffrey Eaton []
Sent: Friday, 4 November 2016 10:44 a.m.
To: Shaun Koh
Cc: Hyzer, Chris;
Subject: Re: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
I just had to make the same change last week on my grouper 2.2.1 instance after a normal OS update (RHEL6.8). I didn’t dig into it too far once I figured out the fix/workaround, but I suspected it was a Tomcat update that changed something. For what it’s worth, it looks like we’re on tomcat6-6.0.24-98.el6_8.noarch right now.
I wouldn’t be surprised if one of the fixes mentioned in https://rhn.redhat.com/errata/RHSA-2016-2045.html is the underlying change. There is specifically one about accessing a URL without a trailing slash, so maybe that’s it?
-jeaton
> On Nov 3, 2016, at 4:58 PM, Shaun Koh <> wrote:
>
> Hi Chris,
>
> I’m on version 2.3.0 and most updated patch level (api: 30, pspng:3, ui:6, ws:4)
>
> I’ve added the below and it seems to have fixed the issue though I am curious to know as to why a change in the CsrfGuard properties is required when it didn’t before. – i.e. DEV and TEST overlay properties were identical
>
> Best Regards,
> Shaun K.
>
> From: Hyzer, Chris []
> Sent: Friday, 4 November 2016 2:33 a.m.
> To: Shaun Koh;
> Subject: RE: Grouper UI CSRF error -- required token is missing from the request
>
> What version and patch level?
>
> Maybe try adding this to Owasp.CsrfGuard.overlay.properties:
>
> org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi
>
> There is already an entry with a slash, maybe need one without??
>
> Thanks
> Chris
>
>
> From: [] On Behalf Of Shaun Koh
> Sent: Thursday, November 03, 2016 12:22 AM
> To:
> Subject: [grouper-users] Grouper UI CSRF error -- required token is missing from the request
>
> Hi there,
>
> We’ve run into an error when attempting to access the UI that says `Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.`.
>
> We use Shibb SSO for our authN and from the debug/error logs, it seems that users are being successfully matched against subjects in the DB though the redirect to /grouper/grouperUi is being marked as a potential CSRF attack apparently due to missing token in the request:
>
> 2016-11-03 17:02:40,432: [http-8080-3] DEBUG GrouperUiFilter.remoteUser(638) - - httpServletRequest.getRemoteUser(): null, UOAid header: ${some_user_id}, remoteUser overall: ${some_user_id},
> 2016-11-03 17:02:40,433: [http-8080-3] INFO EventLog.info(156) - - [ccc13c1558c14e6f8d9eb7bb0892c8ac,'GrouperSystem','application'] session: start (1ms)
> 2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/index.jsp
> 2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
> 2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:${some_ip}, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
>
> I’ve had a look at similar threads in the mailing lists though none of the solutions worked for us.
>
> Also, this only happens in our DEV environment and not TEST which worked seamlessly until 2-3 days ago. -- I do not recall us making any changes that may have caused this issue.
>
> Any help or suggestions would be much appreciated.
>
> Best Regards,
> Shaun K.
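A small added checker, not part of this thread or of Grouper/CsrfGuard itself, that models the exact-match unprotected-URI behaviour the thread is debugging: it pulls the request URI out of the CsrfGuard ERROR line from the original report and shows that an unprotected entry ending in a slash does not cover `/grouper/grouperUi`, while the no-slash entry Chris suggested does. The existing property name `GrouperUi`, its slash-terminated value, and exact-match-only semantics are assumptions; the log line and IP are constructed.

```python
import re

# Constructed fragment of Owasp.CsrfGuard.overlay.properties: the assumed
# existing slash-terminated entry, then the no-slash entry from the thread.
OVERLAY_WITH_SLASH_ONLY = """
org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/
"""
OVERLAY_WITH_BOTH = OVERLAY_WITH_SLASH_ONLY + """
org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi
"""

# Constructed log line modelled on the ERROR line in the original report.
SAMPLE_LOG = ("2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - "
              "potential cross-site request forgery (CSRF) attack thwarted "
              "(user:<anonymous>, ip:10.0.0.1, method:GET, uri:/grouper/grouperUi, "
              "error:required token is missing from the request)")

UNPROTECTED_PREFIX = "org.owasp.csrfguard.unprotected."

def unprotected_uris(properties_text, servlet_context):
    """Collect unprotected URIs with %servletContext% substituted.
    Assumption: plain entries are compared exactly (no regex/wildcard forms)."""
    uris = set()
    for line in properties_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(UNPROTECTED_PREFIX):
            uris.add(value.replace("%servletContext%", servlet_context))
    return uris

def token_required(uri, properties_text, servlet_context="/grouper"):
    """True if a request to `uri` would need a CSRF token under this config."""
    return uri not in unprotected_uris(properties_text, servlet_context)

LOG_RE = re.compile(r"method:(?P<method>\w+), uri:(?P<uri>[^,\s]+), error:(?P<error>[^)]+)\)")

def thwarted_uri(log_line):
    """Extract (method, uri, error) from a CsrfGuard 'attack thwarted' line."""
    m = LOG_RE.search(log_line)
    return None if m is None else (m.group("method"), m.group("uri"), m.group("error"))

if __name__ == "__main__":
    method, uri, error = thwarted_uri(SAMPLE_LOG)
    print(uri, "needs token with slash-only entry:", token_required(uri, OVERLAY_WITH_SLASH_ONLY))
    print(uri, "needs token with both entries:", token_required(uri, OVERLAY_WITH_BOTH))
```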