GRP-1405: CSRF error on Grouper UI with no slash, required token is missing from the request


Details

    • Bug
    • Resolution: Fixed
    • Minor
    • 2.4.0, 2.3.0.patch

    Description

      ----Original Message----
      From: Waldbieser, Carl
      Sent: Friday, November 04, 2016 6:33 AM
      To: Shaun Koh
      Cc: Jeffrey Eaton; Hyzer, Chris; grouper-users
      Subject: Re: [grouper-users] Grouper UI CSRF error – required token is missing from the request

      I just got bit by this, too. My development environment is also at tomcat6-6.0.24-8.el6_8.
      Thanks for figuring this one out!

      Thanks,
      Carl Waldbieser
      ITS Systems Programmer
      Lafayette College

      ----- Original Message -----
      From: "Shaun Koh"
      To: "Jeffrey Eaton"
      Cc: "Hyzer, Chris", grouper-users
      Sent: Thursday, November 3, 2016 6:55:06 PM
      Subject: RE: [grouper-users] Grouper UI CSRF error – required token is missing from the request

      Hi Jeffrey,

      I think you may be spot on! – I do recall our Unix team patching the DEV systems a few days ago as part of their auto-patching cycles.

      Yep, just checked, our Grouper DEV hosts are currently using tomcat6-6.0.24-98.el6_8.noarch – perhaps time to upgrade.

      Thanks for the info and link.

      Best Regards,
      Shaun K.

      ----Original Message----
      From: Jeffrey Eaton
      Sent: Friday, 4 November 2016 10:44 a.m.
      To: Shaun Koh
      Cc: Hyzer, Chris; grouper-users
      Subject: Re: [grouper-users] Grouper UI CSRF error – required token is missing from the request

      I just had to make the same change last week on my grouper 2.2.1 instance after a normal OS update (RHEL6.8). I didn’t dig into it too far once I figured out the fix/workaround, but I suspected it was a Tomcat update that changed something. For what it’s worth, it looks like we’re on tomcat6-6.0.24-98.el6_8.noarch right now.

      I wouldn’t be surprised if one of the fixes mentioned in https://rhn.redhat.com/errata/RHSA-2016-2045.html is the underlying change. There is specifically one about accessing a URL without a trailing slash, so maybe that’s it?

      -jeaton

      > On Nov 3, 2016, at 4:58 PM, Shaun Koh wrote:
      >
      > Hi Chris,
      >
      > I’m on version 2.3.0 and most updated patch level (api: 30, pspng:3, ui:6, ws:4)
      >
      > I’ve added the below and it seems to have fixed the issue, though I am curious to know why a change in the CsrfGuard properties is required when it didn’t before – i.e. DEV and TEST overlay properties were identical.
      >
      > Best Regards,
      > Shaun K.
      >
      > From: Hyzer, Chris mchyzer
      > Sent: Friday, 4 November 2016 2:33 a.m.
      > To: Shaun Koh; grouper-users
      > Subject: RE: Grouper UI CSRF error – required token is missing from the request
      >
      > What version and patch level?
      >
      > Maybe try adding this to Owasp.CsrfGuard.overlay.properties:
      >
      > org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi
      >
      > There is already an entry with a slash, maybe need one without??
      >
      > Thanks
      > Chris
      >
      >
      > From: grouper-users-request Shaun Koh
      > Sent: Thursday, November 03, 2016 12:22 AM
      > To: grouper-users
      > Subject: [grouper-users] Grouper UI CSRF error – required token is missing from the request
      >
      > Hi there,
      >
      > We’ve run into an error when attempting to access the UI that says `Maybe your session timed out and you need to start again. This should not happen under normal operation. CSRF error.`.
      >
      > We use Shibb SSO for our authN and from the debug/error logs, it seems that users are being successfully matched against subjects in the DB, though the redirect to /grouper/grouperUi is being marked as a potential CSRF attack, apparently due to a missing token in the request:
      >
      > 2016-11-03 17:02:40,432: [http-8080-3] DEBUG GrouperUiFilter.remoteUser(638) - - httpServletRequest.getRemoteUser(): null, UOAid header: ${some_user_id}, remoteUser overall: ${some_user_id},
      > 2016-11-03 17:02:40,433: [http-8080-3] INFO EventLog.info(156) - - [ccc13c1558c14e6f8d9eb7bb0892c8ac,'GrouperSystem','application'] session: start (1ms)
      > 2016-11-03 17:02:40,433: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/index.jsp
      > 2016-11-03 17:02:40,481: [http-8080-3] INFO CsrfGuardLogger.log(26) - - CsrfGuard analyzing request /grouper/grouperUi
      > 2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:${some_ip}, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)
      >
      > I’ve had a look at similar threads in the mailing lists though none of the solutions worked for us.
      >
      > Also, this only happens in our DEV environment and not TEST which worked seamlessly until 2-3 days ago. – I do not recall us making any changes that may have caused this issue.
      >
      > Any help or suggestions would be much appreciated.
      >
      > Best Regards,
      > Shaun K.
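As an added example (not Grouper's or OWASP CsrfGuard's own code), the following Python models why a GET to /grouper/grouperUi without a trailing slash is rejected when the overlay only lists the slash form, and passes once the GrouperUiNoSlash entry from the thread is added; it also parses the "attack thwarted" log line so the condition can be detected. The context path /grouper, the key name of the pre-existing slash entry, and the simplified exact/prefix matching rule are assumptions.

```python
import re
# Added example, not Grouper's or OWASP CsrfGuard's own code: a simplified model of how
# CsrfGuard applies the "unprotected" entries from Owasp.CsrfGuard.overlay.properties.
SERVLET_CONTEXT = "/grouper"  # assumed context path, matching the URIs in the log

def load_unprotected(props_text, servlet_context=SERVLET_CONTEXT):
    """Collect org.owasp.csrfguard.unprotected.* values, expanding %servletContext%."""
    paths = []
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("org.owasp.csrfguard.unprotected."):
            paths.append(value.replace("%servletContext%", servlet_context))
    return paths

def is_unprotected(uri, unprotected):
    """Exact match, or prefix match for entries ending in '*' (simplified rule)."""
    return any(uri.startswith(p[:-1]) if p.endswith("*") else uri == p
               for p in unprotected)

def csrf_verdict(uri, has_token, unprotected):
    """'allowed', or the CsrfGuard error text quoted in the thread's log line."""
    if has_token or is_unprotected(uri, unprotected):
        return "allowed"
    return "required token is missing from the request"

# Constructed overlay fragments: the pre-existing entry with a trailing slash
# (key name GrouperUi is assumed) and the no-slash entry suggested in the thread.
BEFORE = "org.owasp.csrfguard.unprotected.GrouperUi=%servletContext%/grouperUi/\n"
AFTER = BEFORE + "org.owasp.csrfguard.unprotected.GrouperUiNoSlash=%servletContext%/grouperUi\n"

# Detection side: pull the key:value fields out of a CsrfGuard "attack thwarted" line.
ALERT_RE = re.compile(r"\(CSRF\) attack thwarted \((?P<fields>[^)]*)\)")
SAMPLE_LOG = ("2016-11-03 17:02:40,482: [http-8080-3] ERROR CsrfGuardLogger.log(47) - - "
              "potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, "
              "ip:${some_ip}, method:GET, uri:/grouper/grouperUi, error:required token is missing from the request)")

def parse_csrf_alert(log_line):
    """Return {'user': ..., 'ip': ..., 'method': ..., 'uri': ..., 'error': ...} or None."""
    m = ALERT_RE.search(log_line)
    if not m:
        return None
    return dict(f.split(":", 1) for f in m.group("fields").split(", "))

if __name__ == "__main__":
    for label, props in (("slash entry only", BEFORE), ("with no-slash entry", AFTER)):
        print(label, "->", csrf_verdict("/grouper/grouperUi", False, load_unprotected(props)))
    print(parse_csrf_alert(SAMPLE_LOG))
```

A burst of these alerts with method:GET and a uri that differs from an unprotected entry only by a trailing slash points at a path-matching mismatch after an upgrade rather than at a real forgery attempt.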

People: Chris Hyzer (upenn.edu), chris.hyzer@at.internet2.edu