Jasperserver 5.5 CSRF Error when installed behind Apache Reverse Proxy

[snandi]

I have installed Jasper Server 5.5 which worked fine when accessed directly.

After installing Apache Reverse Proxy in front of the Jasper Server, the Jasper application works except when trying to modify users, roles etc. I get this error in the jasperserver.log file:

2014-01-25 05:14:46,411 ERROR CsrfGuard,http-bio-8443-exec-34:24 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.25, uri:/jasperserver/flow.html, error:required token is missing from the request)

I have seen some posts related to CSRF with previous versions of Jasper Server, but did not seem to find any resolution to keep CSRF Gurard on while avoiding this error.

I will appreciate any help to resolve this issue, while keeping CSRFGuard on with Jasper.

Thanks.

[drueter_1]

Any luck with running Server 5.5 with a reverse-proxy?  I'm having the same issue.  I was able to disable CSRF checking...which allows Server to work for viewing information and running reports...but anything involving writing to the serer (publishing reports, administering users, etc.) fails.

[ariksu]

Here is the answer I found: http://stackoverflow.com/questions/17920949/running-jasperserver-behind-nginx-potential-csrf-attack

You can basically either:

1) allow undescores in headers on your proxy

---nginx----

server {

...

underscores_in_headers on;}

------------

OR

2) change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change from:

org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN

org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:

org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN

org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY

[janakarajp]

Hi,

 

This issue still contiune with jasper 6.1.1 as well.. I  tried options 2 , no luck,  did anyone tested this  soultions ?

while I am reProduce Problem, I can see below errors on  jasper.log  file :

 

2015-12-16 14:23:15,219 ERROR CsrfGuard,http-nio-8080-exec-37:44 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)
2015-12-16 14:24:25,436 ERROR errorPage_jsp,http-nio-8080-exec-33:298 - JSException:
2015-12-16 14:24:25,438 ERROR errorPage_jsp,http-nio-8080-exec-33:583 - stack trace of exception that redirected to errorPage.jsp
com.jaspersoft.jasperserver.api.JSException: jsexception.null.uri
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.findByURI(HibernateRepositoryServiceImpl.java:1096)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:359)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:352)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl$2.execute(HibernateRepositoryServiceImpl.java:256)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.HibernateDaoImpl.executeCallback(HibernateDaoImpl.java:63)

 

[dino.lupo_1]

SOLVED.

Edit this file:

jasperserver/WEB-INF/classes/esapi/security-config.properties

and put to false the following value:

security.validation.csrf.on=false

 

 

 

[pierre.ortalo]

Hi,

I did the following :

A js script is injected by jasper in order to perform csrf verifications.
The script is located at : /opt/jasperreports-server-6.4.2/apache-tomcat/webapps/jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.js
One of the checks performed is if OWASP CSRFGuard JavaScript was included from within an unauthorized domain.

One line in the script must be modified :
> if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
set to:
> if(true) {

Jaspersoft community reference: https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain

[gjohnson_2]

Hi ... I am still having problems with CSRF behind a proxy. I use AWS CloudFront to proxy requests to Jasper Server. When I try to login over HTTPS I get the error "Failed to retrieve CSRF token" in the developer console and the message "Connection error! Try reloading! | close" as a banner acrosss the page.

I have made the edit to the jrs.csrfguard.js file as mentioned above: -

  //if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {  if (true) { // GCJ 2019-01-21 https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain    /** optionally include Ajax CSRF support **/

... and I've also changed the jrs.csrfguard.properties file: -

  # If csrfguard filter is enabled  org.owasp.csrfguard.Enabled = false

... but it still fails because the Origin header is different from the Request URL as seen by the Tomcat Server.

@pierre.ortalo It seems you had the exact same problem. Wonder if you've got any more insights?