Issue Description
A customer put their JasperReports Server appserver behind a load balancer or proxy and encountered the following error in the logs; the login page would just loop back to itself upon submission:
2016-09-09 15:26:58,020 ERROR CsrfGuard,http-nio-8080-exec-4:44 - Referer domain https://oursite.com/jasperserver-pro/login.html does not match request domain: http://192.168.150.23:8080/jasperserver-pro/JavaScriptServlet
Resolution
The message means that CSRFGuard is doing its job and trying to be protective. In this case the HTTP request reaches the application server at 192.168.150.23, but the URL in the browser is oursite.com, so to CSRFGuard this looks like CSRF (Cross-Site Request Forgery).
There are three options:
Configure your proxy / IIS to pass the correct headers (the Host the browser used) through to the application server.
See the first answer at http://stackoverflow.com/questions/22483397/csrfguard-behind-a-reverse-proxy
Set org.owasp.csrfguard.JavascriptServlet.refererMatchDomain=false in jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.properties. Doing so might compromise the security a bit.
Set org.owasp.csrfguard.JavascriptServlet.refererPattern = .* in the same file, documented below:
# Allows the developer to specify a regular expression describing the required value of the
# Referer header. Any attempts to access the servlet with a Referer header that does not
# match the captured expression is discarded. Inclusion of referer header checking is to
# help minimize the risk of JavaScript Hijacking attacks that attempt to steal tokens from
# the dynamically generated JavaScript. While the primary defenses against JavaScript
# Hijacking attacks are implemented within the dynamic JavaScript itself, referer header
# checking is implemented to achieve defense in depth.
org.owasp.csrfguard.JavascriptServlet.refererPattern = .*
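The first option (passing the correct headers) is the one that keeps the CSRFGuard check intact. As an added, constructed example that is not from the original article or from the linked answer, this is what it looks like for an nginx reverse proxy in front of the Tomcat instance named in the log line above; the host name and address are the ones from that log line, and the TLS certificate settings are assumed to exist elsewhere in the configuration:

```nginx
# Constructed example: nginx terminating TLS for oursite.com and proxying to the
# JasperReports Server Tomcat on 192.168.150.23:8080 (values from the log line above).
server {
    listen 443 ssl;
    server_name oursite.com;
    # ssl_certificate / ssl_certificate_key assumed to be configured elsewhere.

    location /jasperserver-pro/ {
        # WEAK (default): with no Host override nginx sends "Host: 192.168.150.23:8080"
        # upstream, so Tomcat builds request URLs as http://192.168.150.23:8080/...
        # while the browser's Referer says https://oursite.com/..., and CSRFGuard logs
        # "Referer domain ... does not match request domain".
        #
        # FIX: forward the Host the browser used so that Tomcat's request URL (and thus
        # the domain CSRFGuard compares against the Referer) is oursite.com.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;   # lets Tomcat know the client used https
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP         $remote_addr;

        proxy_pass http://192.168.150.23:8080/jasperserver-pro/;
    }
}
```

The Host header is what makes the two domains in the log message agree; Tomcat only honours X-Forwarded-Proto if a RemoteIpValve (org.apache.catalina.valves.RemoteIpValve with protocolHeader="X-Forwarded-Proto") is enabled in its server.xml, otherwise generated absolute URLs will still say http.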
For reference: https://www.owasp.org/index.php/Cross-Site_Request_Forgery (CSRF)
Ref. Case 00071217