  • CsrfGuard error:required token is missing from the request


    ghudson_1

    Issue Description

    A customer tries to access their JasperReports Server from behind a proxy or load balancer and finds this error in their logs:

    2016-09-15 11:41:11,534 ERROR CsrfGuard,http-nio-8080-exec-6:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.150.15, method:POST, uri:/jasperserver-pro/rest_v2/reports/organizations/8001/Reports/uic_s_month_adm/inputControls/, error:required token is missing from the request)

    Resolution

    CsrfGuard protects against Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery

    The message "required token is missing from the request" indicates that our application is expecting a token which isn't present in the HTTP headers forwarded from the proxy or load balancer.

    The token we expect is defined in jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.properties, as org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN

    In 5.6.x the value was JASPER_CSRF_TOKEN, but in 6.3.x it is OWASP_CSRFTOKEN.

    Your network engineers should evaluate the headers and ensure the correct token is being passed.

    Ref. Case 00071217
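
    One way to run the header check described above, as an added example that is not part of the original article or of JasperReports Server: it reads the expected token name from the properties text and compares the request as the client sent it with the request as it arrived behind the proxy. The sample properties excerpt, both requests, the host name and the function names are constructed assumptions, and it assumes the token travels as a request header named by TokenName.

```python
LEGACY_TOKEN = "JASPER_CSRF_TOKEN"        # 5.6.x name quoted in the article
KEY = "org.owasp.csrfguard.TokenName"     # property quoted in the article

# Constructed samples, not real captures: a properties excerpt, the request as the
# client sent it, and the same request as it arrived behind the proxy.
PROPS = "# excerpt\norg.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN\n"
CLIENT = ("POST /jasperserver-pro/rest_v2/reports/ HTTP/1.1\r\n"
          "Host: reports.example\r\nOWASP_CSRFTOKEN: CONSTRUCTED-TOKEN\r\n\r\n")
BACKEND = ("POST /jasperserver-pro/rest_v2/reports/ HTTP/1.1\r\n"
           "Host: reports.example\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n")

def token_name(properties_text):
    """Return the configured token name from a .properties file body."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":      # skip blanks and comments
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == KEY:
            return value.strip()
    raise KeyError(KEY + " is not set")

def parse_headers(raw_request):
    """Map lower-cased header names to values from a raw HTTP request head."""
    headers = {}
    for line in raw_request.splitlines()[1:]:   # [0] is the request line
        if not line.strip():                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def diagnose(properties_text, sent_by_client, seen_by_server):
    """Return (status, expected_name) saying where the token went missing."""
    expected = token_name(properties_text)
    client = parse_headers(sent_by_client)
    server = parse_headers(seen_by_server)
    if expected.lower() in server:
        return ("ok", expected)
    if expected.lower() in client:
        return ("dropped_in_transit", expected)   # proxy did not forward it
    if LEGACY_TOKEN.lower() in client:
        return ("wrong_name", expected)           # client still uses the 5.6.x name
    return ("missing_at_source", expected)        # client never sent a token

if __name__ == "__main__":
    print(diagnose(PROPS, CLIENT, BACKEND))
```
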


    User Feedback


    What worked for me was to search for "OWASP_CSRFTOKEN" and replace it with "OWASP-CSRFTOKEN"

    /opt/jasper/apache-tomcat/webapps/jasperserver/ROOT/WEB-INF/csrf/jrs.csrfguard.properties
    /opt/jasper/apache-tomcat/webapps/jasperserver/ROOT/WEB-INF/csrf/Websphere.jrs.csrfguard.properties
