Grouper Users - Open Discussion List

[Siju Jacob <>]

Thanks team, I was able to resolve this issue by

 

adding: secure=“true” scheme=“https” to the AJP connection in server.xml

 

based on Christopher's suggestion in an old email.

 

Thanks,

Siju

 

From: Siju Jacob
Sent: Monday, January 7, 2019 4:53 PM
To: 'Mark Day' <>;
Subject: RE: [grouper-users] CSRF errors in the Grouper UI

 

Hi Mark,

   Is this issue resolved for you. We are also facing a same issue.

If yes, could you please share the solution with us.

 

Thanks,

Siju Jacob

 

 

From: <> On Behalf Of Mark Day
Sent: Monday, December 10, 2018 7:40 PM
To:
Subject: [grouper-users] CSRF errors in the Grouper UI

 

We're just getting started with a Grouper implementation, and I'm running into problems with CSRF errors that pop up in two areas of the Grouper UI.

 

1. When clicking on "Lite UI" under "Quick Links". The error is: 

Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.

The UI logs show:

 ERROR CsrfGuardLogger.log(47) -  - Referer domain https://<FQDN-redacted>/grouper/grouperUi/appHtml/grouper.html?operation=Misc.index does not match request domain: http://<FQDN-redacted>/grouper/grouperExternal/public/OwaspJavaScriptServlet

 

2. In the "+ Assign permission" function for a group, typing in the Action field results in a 'error communicating with server' alert. The UI logs show:

ERROR CsrfGuardLogger.log(47) -  - potential cross-site request forgery (CSRF) attack thwarted (user:<redacted>, ip:<redacted>, method:GET, uri:/grouper/grouperUi/app/UiV2GroupPermission.permissionActionNameFilter, error:required token is missing from the request)

 

The two types of CSRF Guard errors potentially have different causes, or are slightly different symptoms of the same problem.

 

Specifics of our implementation:

- We're running Grouper in a container based off the tier/grouper:2.3.0-a109-u47-w12-p21 image from DockerHub.

- There is an HAproxy-based reverse proxy service that is part of our container orchestration infrastructure that terminates TLS connections from the browser

- The UI container's logs show that  X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Port headers are populated correctly by the proxy.

- /opt/grouper/conf/grouper.properties sets grouper.ui.url to https://<FQDN>/grouper/ (I've also tried https://<FQDN>/grouper/grouperUi/ with the same results)

 

In the mailing list archives, I found a similar description to our permission setting issue, but it looks like that specific problem was fixed in UI patch 7, so I wouldn't expect to run into it with the TIER docker image we're using.  It feels like it's most likely associated with our use of the container orchestration reverse proxy, but that's more a hunch than anything else, and I'm not sure where to look next.

 

I'm not sure where else to look for a URL setting (apart from grouper.properties) that may be specifying the http:// protocol, assuming that this is in fact a separate problem.

 

Thanks for any suggestions you can offer,

Mark Day

NERSC / Lawrence Berkeley Lab