italoosorio Posted April 29, 2012

I have jasperserver-pro running behind Apache. I have Tomcat configured with multiple vhosts. One is for jasperserver-pro only.

Everything seems to work perfectly. However, each time a login process happens in the front-end, this message appears in the logs.

It also happens while authenticating using REST services.

    *****************************************************
    * Owasp.CsrfGuard Properties
    *
    * Logger: com.jaspersoft.jasperserver.api.security.JSCsrfLogger
    * NewTokenLandingPage: /jasperserver-pro/login.html
    * PRNG: SHA1PRNG
    * SessionKey: JASPER_CSRF_SESSION_KEY
    * TokenLength: 96
    * TokenName: JASPER_CSRF_TOKEN
    * Ajax: true
    * Rotate: true
    * TokenPerPage: true
    * Action: org.owasp.csrfguard.action.Rotate
    * Action: org.owasp.csrfguard.action.Redirect
    * Parameter: Page = /jasperserver-pro/login.html
    * Action: org.owasp.csrfguard.action.Log
    * Parameter: Message = potential cross-site request forgery (CSRF) attack thwarted (user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)
    *****************************************************

I would like to know what is triggering this message and how to configure jasperserver properly to avoid it.

Post Edited by italoosorio at 04/29/2012 21:46

Ching Ice-creaming Posted April 29, 2012

http://jasperforge.org/plugins/espforum/view.php?group_id=112&forumid=102&topicid=95352

italoosorio Posted April 30, 2012 Author

Yes, I tried that before, plus other things, and it did not fix the log problem.

I have it set up this way: security.validation.csrf.on=true

I changed it to: security.validation.csrf.on=false, no effect.

However, a solution which disables security does not seem very attractive.

Post Edited by italoosorio at 04/30/2012 00:27

italoosorio Posted May 2, 2012 Author

I got this solved thanks to JasperServer support. Here is their comment:

I stumbled across a couple of similar cases. It seems that CsrfGuard log is set to INFO in this release. This is getting changed in a future release. You can fix this by modifying jasperserver-pro/WEB-INF/web.xml:

    <context-param>
        <param-name>Owasp.CsrfGuard.Config.Print</param-name>
        <param-value>true</param-value>
    </context-param>

Change the value to false to suppress CSRF warnings.

Now the message is not showing in the log anymore.

hozawa Posted February 14, 2014

Seems it's still not changed in 5.5.0.
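
The block in the first post is CsrfGuard's properties dump, and its Message parameter is a template with unfilled %user%, %remote_ip%, %request_uri% and %exception_message% placeholders. The following is an added example, not part of the thread or of JasperServer: a log triage helper that separates that banner line from actual Log-action events, assuming real events carry substituted values; the timestamped lines in SAMPLE_LOG are constructed.

```python
import re

# Placeholders exactly as they appear in the Message template posted in this thread.
PLACEHOLDERS = ("%user%", "%remote_ip%", "%request_uri%", "%exception_message%")
MARKER = "potential cross-site request forgery (CSRF) attack thwarted"

# Assumption: a real event is the same template with every placeholder filled in.
EVENT_RE = re.compile(
    r"\(user:(?P<user>.*?), ip:(?P<ip>.*?), uri:(?P<uri>.*?), error:(?P<error>.*)\)\s*$"
)

def classify(line):
    """Return ('banner', None), ('event', fields) or ('other', None)."""
    if MARKER not in line:
        return ("other", None)
    # Unfilled placeholders mean this is the startup properties dump, not a request.
    if any(p in line for p in PLACEHOLDERS):
        return ("banner", None)
    match = EVENT_RE.search(line)
    return ("event", match.groupdict() if match else {})

def triage(lines):
    """Count each kind of line and collect the parsed fields of real events."""
    counts = {"banner": 0, "event": 0, "other": 0}
    events = []
    for line in lines:
        kind, fields = classify(line)
        counts[kind] += 1
        if kind == "event":
            events.append(fields)
    return counts, events

# Constructed sample: line 1 is the banner line from the first post; lines 2-3 are
# invented log lines (timestamps, user, IP and error text are illustrative only).
SAMPLE_LOG = [
    "* Parameter: Message = potential cross-site request forgery (CSRF) attack thwarted "
    "(user:%user%, ip:%remote_ip%, uri:%request_uri%, error:%exception_message%)",
    "2012-04-29 21:40:02 INFO JSCsrfLogger - potential cross-site request forgery (CSRF) "
    "attack thwarted (user:jdoe, ip:192.0.2.10, uri:/jasperserver-pro/flow.html, "
    "error:required token is missing from the request)",
    "2012-04-29 21:40:05 INFO LoginFilter - login succeeded for jdoe",
]

if __name__ == "__main__":
    counts, events = triage(SAMPLE_LOG)
    print(counts)
    for event in events:
        print(event)
```

Filtering on the placeholders keeps alerting on real "attack thwarted" events accurate whether or not Owasp.CsrfGuard.Config.Print is left at true.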