snandi Posted January 28, 2014

I have installed Jasper Server 5.5, which worked fine when accessed directly. After installing Apache Reverse Proxy in front of the Jasper Server, the Jasper application works except when trying to modify users, roles etc. I get this error in the jasperserver.log file:

2014-01-25 05:14:46,411 ERROR CsrfGuard,http-bio-8443-exec-34:24 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.25, uri:/jasperserver/flow.html, error:required token is missing from the request)

I have seen some posts related to CSRF with previous versions of Jasper Server, but did not seem to find any resolution to keep CSRF Guard on while avoiding this error.

I will appreciate any help to resolve this issue, while keeping CSRFGuard on with Jasper.

Thanks.
drueter_1 Posted May 15, 2014

Any luck with running Server 5.5 with a reverse proxy? I'm having the same issue. I was able to disable CSRF checking... which allows Server to work for viewing information and running reports... but anything involving writing to the server (publishing reports, administering users, etc.) fails.
ariksu Posted October 29, 2014

Here is the answer I found: http://stackoverflow.com/questions/17920949/running-jasperserver-behind-nginx-potential-csrf-attack

You can basically either:

1) allow underscores in headers on your proxy

---nginx----
server {
...
underscores_in_headers on;
}
------------

OR

2) change the token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change from:
org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:
org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY
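The following is an added illustration, not code from the thread or from JasperReports Server: it models why the token goes missing behind a proxy that drops request headers containing underscores (nginx's default behaviour) and shows which of the two options above still delivers the CSRFGuard token header to the application. The properties fragments, header values and host name are constructed for the example; only the TokenName travels as a request header, the SessionKey is a server-side session attribute name.

```python
import re

# Constructed copies of the two CSRFGuard settings from Owasp.CsrfGuard.properties:
# the shipped names (with underscores) and the renamed ones from option 2.
DEFAULT_PROPS = """\
# CSRFGuard token settings (constructed sample)
org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY
"""
RENAMED_PROPS = """\
org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN
org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY
"""


def parse_props(text):
    """Parse a Java .properties fragment (key=value lines, '#'/'!' comments) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def proxy_forwarded_headers(headers, underscores_in_headers=False):
    """Model nginx's default handling of client request headers: a header whose
    name contains an underscore is silently dropped unless underscores_in_headers
    is on. Header names are compared case-insensitively, as HTTP requires."""
    return {name: value for name, value in headers.items()
            if underscores_in_headers or "_" not in name}


def csrf_token_survives(props_text, underscores_in_headers=False):
    """True if the CSRFGuard token header named in the properties reaches Tomcat."""
    token_name = parse_props(props_text)["org.owasp.csrfguard.TokenName"]
    # Constructed Ajax request from a logged-in browser session (host is a placeholder).
    request = {"Host": "reports.example.invalid", token_name: "constructed-token-value"}
    forwarded = proxy_forwarded_headers(request, underscores_in_headers)
    return any(re.fullmatch(token_name, h, re.IGNORECASE) for h in forwarded)


def names_dropped_by_default_proxy(props_text):
    """Diagnostic: the configured TokenName if a default nginx would drop it, else None."""
    token_name = parse_props(props_text).get("org.owasp.csrfguard.TokenName", "")
    return token_name if "_" in token_name else None
```

With the default names the token is dropped unless the proxy is told to keep underscored headers; with the renamed token neither setting change on the proxy is needed, and CSRFGuard stays enabled in both cases.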
janakarajp Posted December 16, 2015

Hi, this issue still continues with Jasper 6.1.1 as well. I tried option 2, no luck. Did anyone test these solutions?

While I reproduce the problem, I can see the errors below in the jasper.log file:

2015-12-16 14:23:15,219 ERROR CsrfGuard,http-nio-8080-exec-37:44 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)
2015-12-16 14:24:25,436 ERROR errorPage_jsp,http-nio-8080-exec-33:298 - JSException:
2015-12-16 14:24:25,438 ERROR errorPage_jsp,http-nio-8080-exec-33:583 - stack trace of exception that redirected to errorPage.jsp
com.jaspersoft.jasperserver.api.JSException: jsexception.null.uri
 at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.findByURI(HibernateRepositoryServiceImpl.java:1096)
 at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:359)
 at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:352)
 at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl$2.execute(HibernateRepositoryServiceImpl.java:256)
 at com.jaspersoft.jasperserver.api.metadata.common.service.impl.HibernateDaoImpl.executeCallback(HibernateDaoImpl.java:63)
dino.lupo_1 Posted March 31, 2016

SOLVED.

Edit this file:
jasperserver/WEB-INF/classes/esapi/security-config.properties

and put to false the following value:
security.validation.csrf.on=false
pierre.ortalo Posted August 25, 2018

Hi,

I did the following:

A JS script is injected by Jasper in order to perform CSRF verifications. The script is located at:
/opt/jasperreports-server-6.4.2/apache-tomcat/webapps/jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.js

One of the checks performed is whether OWASP CSRFGuard JavaScript was included from within an unauthorized domain.

One line in the script must be modified:
> if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {

set to:
> if(true) {

Jaspersoft community reference: https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain
gjohnson_2 Posted January 29, 2019

Hi... I am still having problems with CSRF behind a proxy. I use AWS CloudFront to proxy requests to Jasper Server. When I try to login over HTTPS I get the error "Failed to retrieve CSRF token" in the developer console and the message "Connection error! Try reloading! | close" as a banner across the page.

I have made the edit to the jrs.csrfguard.js file as mentioned above:

//if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
if (true) { // GCJ 2019-01-21 https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain
/** optionally include Ajax CSRF support **/

... and I've also changed the jrs.csrfguard.properties file:

# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = false

... but it still fails because the Origin header is different from the Request URL as seen by the Tomcat Server.

@pierre.ortalo It seems you had the exact same problem. Wonder if you've got any more insights?