
grouper-users - Re: [grouper-users] CSRF errors in the Grouper UI

Subject: Grouper Users - Open Discussion List


Re: [grouper-users] CSRF errors in the Grouper UI


  • From: Mark Day <>
  • To: "Hyzer, Chris" <>
  • Cc: Christopher Hubing <>, "Redman, Chad" <>, "" <>
  • Subject: Re: [grouper-users] CSRF errors in the Grouper UI
  • Date: Mon, 17 Dec 2018 17:34:06 -0800

Christopher's suggestion to add secure="true" scheme="https" to the AJP connector in server.xml was sufficient to fix the CSRFGuard errors for both the link to the Lite UI and the Action field on the Assign permission page, so a big thanks for that.

Chris, I'm not sure if Tomcat is using the XFF header or not, but as I noted, I'm not running into any problems, and since the Tomcat log entries don't record client IPs, I can't tell for sure what it thinks the browser's IP address is.

Christopher, getting back to your original message, I am interested in the Internet2 Slack channels, so yes, please send me an invite.

Regards,
Mark

On Sun, Dec 16, 2018 at 9:19 AM Hyzer, Chris <> wrote:

> Also, to force all constructed URLs to be https, modify the Tomcat
> server.xml and change the Connector stanza for AJP to deal with that by
> deleting add secure="true" scheme="https" and then it worked.


I think the above (add secure="true" and scheme="https") will fix the CSRF error where it expects https but gets http.


Regarding this:


> In your Apache configuration, add the following:
>
> RemoteIPHeader X-Forwarded-For

That sends the IP header, but will Tomcat use that? I've had to write a tad of Java to make that happen...

Download:


Put it in WEB-INF/lib, and add this to the top of the web.xml

  <filter>
    <filter-name>proxyWrapper</filter-name>
    <filter-class>edu.upenn.isc.proxyWrapper.ProxyWrapperFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>proxyWrapper</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>


Maybe we should put that logic in Grouper if it is useful... anyone, let me know.

thanks
Chris
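One way a servlet filter can make Tomcat honour X-Forwarded-For and X-Forwarded-Proto without trusting them from arbitrary clients. This is an added illustration, not the ProxyWrapperFilter from the thread or any Grouper code; the class name and the `trustedProxies` init-param are hypothetical, and it assumes the javax.servlet API of Tomcat 8/9.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical filter (not the ProxyWrapperFilter from the thread): honour
// X-Forwarded-For / X-Forwarded-Proto only when the TCP peer is a trusted proxy.
public class ForwardedHeaderFilter implements Filter {
    private final Set<String> trustedProxies = new HashSet<>();
    @Override public void init(FilterConfig cfg) {
        // init-param "trustedProxies" (assumed name): comma-separated IPs of the Apache front ends
        String list = cfg.getInitParameter("trustedProxies");
        if (list != null) for (String ip : list.split(",")) trustedProxies.add(ip.trim());
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Anyone else keeps the raw connection values, so forged headers are ignored
        if (req instanceof HttpServletRequest && trustedProxies.contains(req.getRemoteAddr())) {
            req = new ForwardedRequest((HttpServletRequest) req, trustedProxies);
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() {}
    static final class ForwardedRequest extends HttpServletRequestWrapper {
        private final Set<String> proxies;
        ForwardedRequest(HttpServletRequest r, Set<String> p) { super(r); proxies = p; }
        @Override public String getRemoteAddr() {
            String xff = getHeader("X-Forwarded-For");
            if (xff == null) return super.getRemoteAddr();
            // Walk right to left past proxies we trust; the first other hop is the client
            String[] hops = xff.split(",");
            for (int i = hops.length - 1; i >= 0; i--) {
                String hop = hops[i].trim();
                if (!proxies.contains(hop)) return hop;
            }
            return super.getRemoteAddr();
        }
        @Override public String getScheme() {
            String proto = getHeader("X-Forwarded-Proto");
            return "https".equalsIgnoreCase(proto) ? "https" : super.getScheme();
        }
        @Override public boolean isSecure() { return "https".equals(getScheme()); }
    }
}
```

Map it with a `<filter>`/`<filter-mapping>` pair like the one above; over AJP the connector already passes the client address from Apache, so the X-Forwarded-For part matters mostly when Apache proxies over plain HTTP.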






Archive powered by MHonArc 2.6.19.