grouper-users - RE: [grouper-users] CSRF errors in the Grouper UI
Subject: Grouper Users - Open Discussion List
List archive
- From: Siju Jacob <>
- To: Mark Day <>, "" <>
- Subject: RE: [grouper-users] CSRF errors in the Grouper UI
- Date: Mon, 7 Jan 2019 21:52:37 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) ;
- Ironport-phdr: 9a23:2JY4/BztMkGFBdXXCy+O+j09IxM/srCxBDY+r6Qd2uIfIJqq85mqBkHD//Il1AaPAd2Lraocw8Pt8InYEVQa5piAtH1QOLdtbDQizfssogo7HcSeAlf6JvO5JwYzHcBFSUM3tyrjaRsdF8nxfUDdrWOv5jAOBBr/KRB1JuPoEYLOksi7ze+/94HQbglSmDaxfa55IQmrownWqsQYm5ZpJLwryhvOrHtIeuBWyn1tKFmOgRvy5dq+8YB6/ShItP0v68BPUaPhf6QlVrNYFygpM3o05MLwqxbOSxaE62YGXWUXlhpIBBXF7A3/U5zsvCb2qvZx1S+HNsDtU7s6RSqt4LtqSB/wiScIKTg58H3MisdtiK5XuQ+tqwBjz4LRZoyeKfhwcb7Hfd4CRWRPQNtfVzBPDI2/YYsADesBMvpXoITmvVQCsQeyCBOwCO/zyDJFgGL9060g0+QmFAHLxBEuH9MMsHTJsd77ML0dXvyyzKbT0D7OaOhW2TX/5YTUbBwsuvaMXbNsccbL00kvCh/FjlqOpoz/JDOZzPoCvHWG7+d5U++klm0pqxlprzSx3MgglpTFi4cIxlzZ6Cl0xYg1KNKkREJnZNOkHoVfui6GOIZzR84vQX1ktSQixrEbp5K2fzIGxZU9yxPRafGLaZWE7gzjWeqJLzd3mnFodK66ihu38EWv1+nxW8mx3VtLsCZIkMfAu3UW2BDP6sWKSP5w80Wj1DmTzA/e7PxPL1oumqrBMZEhx6Y9lpoNvkTHGS/7gF34gbOReEk49eWk8vnpbK37qpOFMI97kR/xPr4pmsyiHeQ3KQ8OX3Wd+euhzrHj5Vf5QLJWjvIojqbZrJHaJcMdpqKjBA9Vz5oj6xK4Dzeh09QUh2UILFVAeB6fjojpPU/BIOzgAPuhmVugjCpnyvXbMrH8H5nAK3bDnbj9cbph7kNcxhQ8wN9D6J9RD7wMIu7/V03puNzdFBA5Mgi0w+j9CNV604MTQXmPAq2bPa/Or1OF/eUvI+iQZIMPojb9NuQl5/Hwgn8jgl8RZ7em0oYKaHygBPRpP12ZYWbwgtcGCWoKsRA+TOv3iF2aTzFTfW++X78n5j4lEoKmFpzORoSsgLyawCe7BYNaanpHClCKDXfnaZ+EW/ESZyKOPMNtiCILWqW8S9xp6Rb7kQbgyPJLJ/ucrigCuZvy/Nx/46vckg9ksXQ+AN6aznmAVSRphW4SXBc32rxyu0pw1g3F3KRlybQMGsZU+utESEInLpPG1MR7Dcz/QATMYo3PRVq7FIaIGzY0G+kwwcJGQU92HN/q2gvBgHLwK7gUi/qRGYA7/7jHmXX9OpAumD79yKA9ggx+EYN0Pmq8i/s6rlCLXdSbmliFl6usaaUX1TLM82HG12eVoUVES1AsA77dUyUZYU3b5ZTi60XOQqXmKIxvMxAJiKvgYrBPdsWviFxHQPn5P9GLeGDuwz2YAheUgKmRcIXnYX5b0SnAWwAJ
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
Hi Mark, Is this issue resolved for you. We are also facing a same issue. If yes, could you please share the solution with us. Thanks, Siju Jacob
From: <>
On Behalf Of Mark Day We're just getting started with a Grouper implementation, and I'm running into problems with CSRF errors that pop up in two areas of the Grouper UI. 1. When clicking on "Lite UI" under "Quick Links". The error is: Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error. The UI logs show: ERROR CsrfGuardLogger.log(47) - - Referer domain
https://<FQDN-redacted>/grouper/grouperUi/appHtml/grouper.html?operation=Misc.index does not match request domain:
http://<FQDN-redacted>/grouper/grouperExternal/public/OwaspJavaScriptServlet 2. In the "+ Assign permission" function for a group, typing in the Action field results in a 'error communicating with server' alert. The UI logs show: ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<redacted>, ip:<redacted>, method:GET, uri:/grouper/grouperUi/app/UiV2GroupPermission.permissionActionNameFilter, error:required token
is missing from the request) The two types of CSRF Guard errors potentially have different causes, or are slightly different symptoms of the same problem. Specifics of our implementation: - We're running Grouper in a container based off the tier/grouper:2.3.0-a109-u47-w12-p21 image from DockerHub. - There is an HAproxy-based reverse proxy service that is part of our container orchestration infrastructure that terminates TLS connections from the browser - The UI container's logs show that X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers are populated correctly by the proxy. - /opt/grouper/conf/grouper.properties sets grouper.ui.url to
https://<FQDN>/grouper/ (I've also tried
https://<FQDN>/grouper/grouperUi/ with the same results) In the mailing list archives, I found a similar description to our permission setting issue, but it looks like that specific problem was fixed in UI patch 7, so I wouldn't expect to run into it with the TIER docker image we're using. It
feels like it's most likely associated with our use of the container orchestration reverse proxy, but that's more a hunch than anything else, and I'm not sure where to look next. I'm not sure where else to look for a URL setting (apart from grouper.properties) that may be specifying the http:// protocol, assuming that this is in fact a separate problem. Thanks for any suggestions you can offer, Mark Day NERSC / Lawrence Berkeley Lab |
- RE: [grouper-users] CSRF errors in the Grouper UI, Siju Jacob, 01/07/2019
- <Possible follow-up(s)>
- RE: [grouper-users] CSRF errors in the Grouper UI, Siju Jacob, 01/07/2019
Archive powered by MHonArc 2.6.19.