Grouper Users - Open Discussion List

["Coleman, Erik C" <>]

To follow up on this, Chris Hubing helped me resolve it. It turns out this is due to the fact that we terminate the SSL at the load balancer, and not the Grouper container. Therefore, we had to modify our Tomcat server.xml and replace our Connector stanza for AJP to deal with that by deleting redirectPort=8443 and add secure=“true” scheme=“https” and then it worked.  For some reason, 99% of the UI didn’t complain about this, but the particular routines related to attributes were causing some sort of “cross site scripting” scenario by using http instead of https URLs.

 

-Erik

 

 

From: <> On Behalf Of Brett Bieber
Sent: Tuesday, October 30, 2018 8:24 AM
To: Coleman, Erik C <>;
Subject: [grouper-users] Re: Grouper 2.4 UI problem with Setting Attributes

 

Hi Erik,

We're doing the same here at Nebraska and not having any issues, so I don't think it's a UI bug. I can't tell in the first screenshot if you were accessing the site securely or not, but I noticed the error message indicated an http vs https difference even though the domain name was the same. Is it possible you were accessing the site via an insecure URL and the config is set to https? We've got ours configured to redirect any requests to http:// to https:// at the load balancer. Hope that helps.

-Brett

---

From: <> on behalf of Coleman, Erik C <>
Sent: Monday, October 29, 2018 6:09:00 PM
To:
Subject: [grouper-users] Grouper 2.4 UI problem with Setting Attributes

 

I’m running into a snag with the new Grouper 2.4 (running from container tier/grouper:2.4.0-a2-u0-w0-p0).  I’m wanting to demonstrate how group owners can selectively choose to have their groups or folders sync to our AD via our PSPNG config. I select a group or folder and choose “More Actions” -> “Attribute Assignments” and assign an attribute, it seems to work, but then I get this strange error “ErrorType; LoadXML Description: Incorrect XML”:

 

 

Then if I click OK, then attempt to choose the action to assign a value to that attribute, I get a remarkably blank screen:

 

 

The only interesting log entries I am seeing is this:

 

grouper-api;grouper_error.log;as-aws-test-dev2;aws-poc;2018-10-29 18:05:26,238: [ajp-nio-8009-exec-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:ecc, ip:xxx.xxx.xxx.xxx, method:POST, uri:/grouper/grouperUi/app/UiV2GroupAttributeAssignment.assignmentMenuAddValue, error:request token does not match session token)

 

grouper-api;grouper_error.log;as-aws-test-dev2;aws-poc;2018-10-29 18:05:26,475: [ajp-nio-8009-exec-4] ERROR CsrfGuardLogger.log(47) - - Referer domain https://authman-test.techservices.illinois.edu/grouper/grouperUi/app/UiV2Main.index?operation=UiV2GroupAttributeAssignment.assignmentMenuAddValue&attributeAssignId=635adbb3af3b4c2fa54a8eafca18ee13&csrfExtraParam=xyz does not match request domain: http://authman-test.techservices.illinois.edu/grouper/grouperExternal/public/OwaspJavaScriptServlet

 

Is this a UI bug? Or possibly a sign I’ve got something corrupted somewhere?  It’s still pretty stock test environment otherwise.

 

Thanks,

 

Erik Coleman

University of Illinois at Urbana-Champaign