grouper-users - Re: [grouper-users] CSRF errors in the Grouper UI
Subject: Grouper Users - Open Discussion List
- From: Mark Day
- To: "Hyzer, Chris"
- Cc: Christopher Hubing, "Redman, Chad"
- Subject: Re: [grouper-users] CSRF errors in the Grouper UI
- Date: Mon, 17 Dec 2018 17:34:06 -0800
Christopher's suggestion to add: secure="true" scheme="https" to the AJP connection in server.xml was sufficient to fix the CSRFGuard errors for both the link to the Lite UI, as well as the Action field on the Assign permission page, so a big thanks for that.
Chris, I'm not sure if Tomcat is using the XFF header or not, but as I noted, I'm not running into any problems, and since the Tomcat log entries don't record client IPs, I can't tell for sure what it thinks the browser's IP address is.
Christopher, getting back to your original message, I am interested in the Internet2 Slack channels, so yes, please send me an invite.
Regards,
Mark
On Sun, Dec 16, 2018 at 9:19 AM Hyzer, Chris wrote:
> Also, to force all constructed URLs to be https, modify the Tomcat
> server.xml and change the Connector stanza for AJP to deal with that by
> deleting add secure="true" scheme="https" and then it worked.
I think the CSRF error where it expects https but gets http, the above will fix that (add secure="true" and scheme="https").
Regarding this:
> In your Apache configuration, add the following:
> RemoteIPHeader X-Forwarded-For
That sends the IP header but will Tomcat use that? I've had to write a tad of Java to make that happen...
Download:
Put it in WEB-INF/lib, and add this to the top of the web.xml
<filter>
  <filter-name>proxyWrapper</filter-name>
  <filter-class>edu.upenn.isc.proxyWrapper.ProxyWrapperFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>proxyWrapper</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
Maybe we should put that logic in Grouper if it is useful... anyone let me know
Thanks,
Chris
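Added example, not part of the original messages or of Grouper: a small Python check that reads a Tomcat server.xml and reports AJP connectors that lack the secure="true" and scheme="https" attributes discussed in this thread, which is the condition behind the CSRF error where https is expected but http is seen. The sample server.xml, its ports and the function name are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from the thread): an HTTP connector that
# is ignored, an AJP connector without the attributes, and one with them.
SAMPLE_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Connector port="8010" protocol="AJP/1.3" redirectPort="8443"
               secure="true" scheme="https"/>
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml):
    """Return a list of (port, [problems]) for every AJP Connector element."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # protocol may be "AJP/1.3" or a class name such as
        # org.apache.coyote.ajp.AjpNioProtocol; both contain "ajp".
        protocol = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in protocol.lower():
            continue
        problems = []
        # Tomcat's defaults are scheme="http" and secure="false", so a missing
        # attribute means URLs built from the request come out as http.
        if conn.get("scheme", "http").lower() != "https":
            problems.append('scheme is not "https"')
        if conn.get("secure", "false").lower() != "true":
            problems.append('secure is not "true"')
        findings.append((conn.get("port"), problems))
    return findings


if __name__ == "__main__":
    for port, problems in audit_ajp_connectors(SAMPLE_SERVER_XML):
        status = "OK" if not problems else "; ".join(problems)
        print(f"AJP connector on port {port}: {status}")
```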