Skip to Content.
Sympa Menu

grouper-users - Re: [grouper-users] CSRF errors in the Grouper UI

Subject: Grouper Users - Open Discussion List

List archive

Re: [grouper-users] CSRF errors in the Grouper UI

Chronological Thread 
  • From: Mark Day <>
  • To: "Hyzer, Chris" <>
  • Cc: Christopher Hubing <>, "Redman, Chad" <>, "" <>
  • Subject: Re: [grouper-users] CSRF errors in the Grouper UI
  • Date: Mon, 17 Dec 2018 17:34:06 -0800
  • Ironport-phdr: 9a23:lyrxJRxVcwkVDf7XCy+O+j09IxM/srCxBDY+r6Qd2+oSIJqq85mqBkHD//Il1AaPAd2Lraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HQbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyaOuB+fqfAdt0EQ2RPUNtaWyhYDo69aocCCfcKM+RFoInnv1YBohW+CgusCu3hyTFGm2H40rEh3us7DQ3LxhYtE84SvHnWqtj+KaccUfqyzKnN1TjNaOlZ2S3+6IPVfB4uu/GNVq93fMrU00kgChnKj1WLpIzhJDyV0v4Bs2ec7+p+TO+ijXMspQ92ojiq3Mgsi4/Ji5oaylDF6SV5wJs1KsaiREFnZt6kFZ1dvDyZOYtuWs4uXm9ltDsgxrEYtpO2cjIGxIo5yxPccfCKc5aE7gr9WOqNJTp0nnFodbKlixqs70Ss1/fwWtSw3VtJqCdOj8PCuWoX1xPJ78iKUvt98Vml2TaIzw3T5P9LLE4umarfMJEhxqQ8lpUUsUTdBiP2mUP2g7GKdkg85+Sl5fnrbq/4qpKTOYJ4kB/yProtl8ClAek0LBACX22B9uS90L3j81f5QLJPjvAul6nZqo3VKt4bp6OiBw9ayYIj5wywDzehztQUhWMHI05deBKbk4jpPEnDIP/iDfe4nlSsiClkx+rfMr38GZXCMGLDkKz6cLZ56k5c0xYzzctB655OC7EBJu7zVVHrtNzeEBA5LxK4z/z5B9pgy4NNEV6IV+W5IbHfqxvAzeI1IvLGLNsQszbsOfU/z//1hjkkgVIbe++k0YZBO16iGfEzBkyDYjLAi8ZJRWIQsgMvZOjgjBuNViAFNCX6ZL41+jxuUNHuNozEXI34xeXZgio=

Christopher's suggestion to add: secure=“true” scheme=“https” to the AJP connection in server.xml was sufficient to fix the CSRFguard errors for both the link to the LIte UI, as well as the Action field on the Assign permission page, so a big thanks for that.

Chris, I'm not sure if tomcat is using the XFF header or not, but as I noted, I'm not running into any problems, and since the tomcat log entries don't record client IPs, I can't tell for sure what it thinks the browser's IP address is.

Christopher,  getting back to your original message, I am interested in the Internet2 Slack channels, so yes, please send me an invite.


On Sun, Dec 16, 2018 at 9:19 AM Hyzer, Chris <> wrote:

> Also, to force all constructed URLs to be https, modify the Tomcat 
> server.xml and change the Connector stanza for AJP to deal with that by 
> deleting add secure=“true” scheme=“https” and then it worked.

I think the CSRF error where it expects https but gets http, the above will fix that (add secure="true" and scheme="https").

Regarding this:

> In your Apache configuration, add the following:

> RemoteIPHeader X-Forwarded-For

That sends the IP header but will tomcat use that?  Ive had to write a tad of java to make that happen...


Put it in WEB-INF/lib, and add this to the top of the web.xml


Maybe we should put that logic in Grouper if it is useful...  anyone let me know


Archive powered by MHonArc 2.6.19.

Top of Page