Skip to Content.
Sympa Menu

grouper-users - [grouper-users] CSRF errors in the Grouper UI

Subject: Grouper Users - Open Discussion List

List archive

[grouper-users] CSRF errors in the Grouper UI

Chronological Thread 
  • From: Mark Day <>
  • To:
  • Subject: [grouper-users] CSRF errors in the Grouper UI
  • Date: Mon, 10 Dec 2018 16:39:50 -0800
  • Ironport-phdr: 9a23:ZLsxSBUDAcG9wa0yZCTPhVCfX1PV8LGtZVwlr6E/grcLSJyIuqrYYxSHt8tkgFKBZ4jH8fUM07OQ7/iwHzRYqb+681k6OKRWUBEEjchE1ycBO+WiTXPBEfjxciYhF95DXlI2t1uyMExSBdqsLwaK+i764jEdAAjwOhRoLerpBIHSk9631+ev8JHPfglEnjWwba9xIRmssQndqtQdjJd/JKo21hbHuGZDdf5MxWNvK1KTnhL86dm18ZV+7SleuO8v+tBZX6nicKs2UbJXDDI9M2Ao/8LrrgXMTRGO5nQHTGoblAdDDhXf4xH7WpfxtTb6tvZ41SKHM8D6Uaw4VDK/5KhlUh/ojDoMOSA//m/Zl8d8iLtXrA+9qxB6xYPffYObO+dkfq7FctwURWRPUMVMWSJfHoyxdJEAA/YbMOtCs4Xxu1kDoB2jDgesHuPvzTpIi2fx06IgyeQhEhzN0gI6ENMOrX/Zq9D1NL0PXu+vzKjF1jHDYOhS2Tvn54jIdQ4hrOiKULltcsTR0VEiGx7bgliTs4DoMSmZ2+sQv2SB7edsSPqjh3A7pwx1uDSixcchhpPXio4L11zI7zh1zYIxKNC+VUV1e8SrEIFKuCGfL4Z2Qt0tQ2VvuCsixL0Jp5G2cDIOyJs8wx7TcfOHc4+W4h77VeaRJyl3hG59db6imRq/8lKsx+PmWsS7zVpGtChInsTUunAIzRPT68yHSvVn/kem3DaCzwXT6vtZLk8ulavWMJohzaU0lpYJvkTDGTH2lF3sjKCKbkUk5vSo6+P/b7XpvJ+cMJJ0ihngPaQ0g8C/HP84PRYUX2iA4um80Lzj/VblQLVRkPE6iKjZsJbGJcsFvK65BRFa0po95xqlETipzckYzjE7KwdKYhWal4XzfkzVLerjJfa5n1m2ljp3nbbLMqCyLI/KKy3mma3iNZp0+gYIzRA/xMF345hQTL4GPqSgCQfKqNXEA0phYESPyOH9BYA4j9sT

We're just getting started with a Grouper implementation, and I'm running into problems with CSRF errors that pop up in two areas of the Grouper UI.

1. When clicking on "Lite UI" under "Quick Links". The error is: 
Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.
The UI logs show:
 ERROR CsrfGuardLogger.log(47) -  - Referer domain https://<FQDN-redacted>/grouper/grouperUi/appHtml/grouper.html?operation=Misc.index does not match request domain: http://<FQDN-redacted>/grouper/grouperExternal/public/OwaspJavaScriptServlet

2. In the "+ Assign permission" function for a group, typing in the Action field results in a 'error communicating with server' alert. The UI logs show:
ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:<redacted>, ip:<redacted>, method:GET, uri:/grouper/grouperUi/app/UiV2GroupPermission.permissionActionNameFilter, error:required token is missing from the request)

The two types of CSRF Guard errors potentially have different causes, or are slightly different symptoms of the same problem.

Specifics of our implementation:
- We're running Grouper in a container based off the tier/grouper:2.3.0-a109-u47-w12-p21 image from DockerHub.
- There is an HAproxy-based reverse proxy service that is part of our container orchestration infrastructure that terminates TLS connections from the browser
- The UI container's logs show that  X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers are populated correctly by the proxy.
- /opt/grouper/conf/ sets grouper.ui.url to https://<FQDN>/grouper/ (I've also tried https://<FQDN>/grouper/grouperUi/ with the same results)

In the mailing list archives, I found a similar description to our permission setting issue, but it looks like that specific problem was fixed in UI patch 7, so I wouldn't expect to run into it with the TIER docker image we're using.  It feels like it's most likely associated with our use of the container orchestration reverse proxy, but that's more a hunch than anything else, and I'm not sure where to look next.

I'm not sure where else to look for a URL setting (apart from that may be specifying the http:// protocol, assuming that this is in fact a separate problem.

Thanks for any suggestions you can offer,
Mark Day
NERSC / Lawrence Berkeley Lab

Archive powered by MHonArc 2.6.19.

Top of Page