Grouper / GRP-1110

disable URL session rewriting in Tomcat in installer


Details

    • Bug
    • Resolution: Unresolved
    • Minor
    • None
    • 2.2.1
    • grouperInstaller
    • None

    Description

      I'm thinking we should add this to the installer... any objections?

      https://fralef.me/tomcat-disable-jsessionid-in-url.html

      From: grouper-users-request grouper-users-request On Behalf Of Chris Hyzer
      Sent: Tuesday, February 03, 2015 6:17 PM
      To: Bryan Wooten; grouper-users
      Subject: [grouper-users] RE: Fresh 2.2.1 Installation

      I'm thinking you should disable URL rewriting with jsessionid...

      e.g.
      https://fralef.me/tomcat-disable-jsessionid-in-url.html

      Seems like a good security thing to do anyways right?

      Thanks,
      Chris

      From: Bryan Wooten bryan.wooten
      Sent: Tuesday, February 03, 2015 3:27 PM
      To: Chris Hyzer; grouper-users
      Subject: RE: Fresh 2.2.1 Installation

      Hmm, grouper_error.log has this clue:

      2015-02-03 13:20:19,231: [http-bio-8080-exec-6] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:GrouperSystem, ip:155.101.205.178, method:GET, uri:/grouper/;jsessionid=A5FFC803A416F58090D3F3691077A6E5, error:required token is missing from the request)

      I think my CAS web.xml config could be the issue? I didn't see this in 2.1.x. I am pointing at my standard U test CAS server.

      -Bryan

      From: Chris Hyzer mchyzer
      Sent: Tuesday, February 03, 2015 12:42 PM
      To: Bryan Wooten; grouper-users
      Subject: RE: Fresh 2.2.1 Installation

      Anything else in logs or stdout / stderr from tomcat?

      From: grouper-users-request grouper-users-request On Behalf Of Bryan Wooten
      Sent: Tuesday, February 03, 2015 2:39 PM
      To: grouper-users
      Subject: [grouper-users] Fresh 2.2.1 Installation

      Ok, not sure what is going on here.

      We have a fresh 2.2.1 installation, not an upgrade from 2.1.x.

      We have a CASified Grouper UI. The CAS login is successful.

      I have run the following GSH script:

      // open a root GrouperSession so the following calls run with full privileges
      grouperSession = GrouperSession.startRootSession();
      // create the sysadmin group under the etc stem
      addGroup("etc", "sysadmingroup", "SysAdmin Group");
      // add the built-in GrouperSystem subject and a local user as members
      addMember("etc:sysadmingroup", "GrouperSystem");
      addMember("etc:sysadmingroup", "u0519980");

      After login the UI displays this:

      Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.

      I click “start over” and I get this:

      You have an anonymous session since you are not logged in, but this section requires you to be logged in. Maybe No username found. Your identity provider might not be sending your username to this application. Either you need to use a different identity provider, or ask your IT department to send your username to this application.

      Ideas?

      Bryan Wooten

      UIT-Common Infrastructure Systems
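The change proposed above, as an added example that is not grouperInstaller code: a Python routine that ensures a webapp's WEB-INF/web.xml declares cookie-only session tracking via the Servlet 3.0 <session-config>/<tracking-mode> element, which is what stops Tomcat 7+ from appending ;jsessionid=... to URLs (the form seen in the CSRFGuard log line above). The sample web.xml is constructed; the function is idempotent so an installer can run it on every install or upgrade.

```python
# Added example (not Grouper installer code): make a web.xml cookie-only for
# session tracking so Tomcat never rewrites ;jsessionid=... into URLs.
import re
import xml.etree.ElementTree as ET

# Constructed sample: a minimal Servlet 3.0 web.xml with no tracking-mode.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <display-name>grouper</display-name>
  <session-config>
    <session-timeout>30</session-timeout>
  </session-config>
</web-app>
"""

def _ns(root):
    """Return the root element's namespace URI ('' if it has none)."""
    m = re.match(r"\{(.*)\}", root.tag)
    return m.group(1) if m else ""

def ensure_cookie_tracking(web_xml: str) -> str:
    """Return web_xml with <tracking-mode>COOKIE</tracking-mode> guaranteed.

    - reuses an existing <session-config> (the schema allows only one)
    - returns the input unchanged if COOKIE is already the sole mode
    - drops any URL/SSL tracking mode so the result is cookie-only
    """
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    if ns:
        ET.register_namespace("", ns)  # keep the default namespace unprefixed
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)

    sc = root.find(q("session-config"))
    if sc is None:
        sc = ET.SubElement(root, q("session-config"))
    modes = sc.findall(q("tracking-mode"))
    if [m.text for m in modes] == ["COOKIE"]:
        return web_xml  # already correct: do not touch the file
    for m in modes:
        sc.remove(m)
    ET.SubElement(sc, q("tracking-mode")).text = "COOKIE"
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")

def tracking_modes(web_xml: str):
    """List the tracking modes declared in web_xml (used to verify the result)."""
    root = ET.fromstring(web_xml)
    ns = _ns(root)
    q = (lambda tag: f"{{{ns}}}{tag}") if ns else (lambda tag: tag)
    return [m.text for m in root.iter(q("tracking-mode"))]
```

Tomcat 6 predates Servlet 3.0; there the equivalent is the disableURLRewriting="true" attribute on the webapp's Context element rather than a web.xml change.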

          People

            chris.hyzer@at.internet2.edu Chris Hyzer (upenn.edu)