  • VIDEO: Reverse Proxies can often cause CSRF or Block Mixed Content problems


    kcollins
    • Version: v7.1, v6 Product: JasperReports® Server

    The video applies to 7.1.1 and prior.

    Reverse proxies, if misconfigured, cause UI problems of two kinds: CSRF-protection failures, and HTTP requests that the browser blocks as "mixed content". Both stem from the application seeing an incorrect scheme/protocol, port or hostname.

    The Host and Referer headers that reach the application server are the key ingredients (the HTTP header really is spelled "Referer"). A few options exist for controlling the scheme, port and hostname "seen" by TIBCO JasperReports® Server.

    The first option is for your network engineers and administrators to configure the reverse proxy itself (for example, with URL rewriting) so that the external values are forwarded in the Host and Referer headers rather than being replaced with the upstream server's address.

    Second option, if you are using Tomcat: edit the scheme, proxyName and proxyPort attributes of the Connector element in server.xml, and ensure they reflect the external values (the scheme the browser uses, the public hostname and the public port).

    Third option, if you are using 7.1 or 7.1.1: edit WEB-INF/applicationContext-webapp.xml and adjust the proxyUrlFilter bean per the descriptions in the file. You can either define the entire external URL (scheme, hostname and port), or name the HTTP headers, populated by your proxy, that dictate the port and protocol.

    In 7.2 and 7.5 the proxyUrlFilter bean was replaced, so the header names are no longer configurable; the only header-based option is the standard X-Forwarded-* headers. See "Configuration using proxies": https://community.jaspersoft.com/documentation/tibco-jasperreports-server-administrator-guide/v720/configuration-using-proxies

    With the ability to force the behavior either on the proxy side or at the application server level, you have flexibility depending on your specific scenario / topology.
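    To make the three options concrete, here is an added Python model (not JasperReports Server or Tomcat code) of how an application behind a proxy reconstructs its own origin from the Host header, from the Tomcat connector attributes scheme/proxyName/proxyPort, or from the X-Forwarded-* headers, and what a same-origin Referer check and a browser's mixed-content rule then make of the result. Only the connector attribute names and the header names come from the text; the host names, addresses and ports are made up, and the origin rules, the CSRF check and the mixed-content check are simplified stand-ins for the real filters and the browser.

```python
"""Why a proxy that hides the external scheme/host/port breaks CSRF checks
and produces mixed content.  Added illustration, not JasperReports Server
or Tomcat code: the Tomcat <Connector> attributes modelled (scheme,
proxyName, proxyPort) and the X-Forwarded-* headers are real, but the
origin rules are simplified and the CSRF and mixed-content checks are
stand-ins for what the application and the browser do.  All host names,
addresses and ports are made up."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(scheme: str, host: str, port: int) -> str:
    """scheme://host[:port], omitting the scheme's default port."""
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


@dataclass
class Connector:
    """Attributes of the Tomcat <Connector> in server.xml (option 2 in the text)."""
    port: int = 8080                  # port Tomcat actually listens on
    scheme: str = "http"              # set scheme="https" when the proxy terminates TLS
    proxyName: Optional[str] = None   # external host name
    proxyPort: Optional[int] = None   # external port
    trust_x_forwarded: bool = False   # option 3 / 7.2+: honour X-Forwarded-* headers


def seen_origin(headers: Dict[str, str], conn: Connector) -> str:
    """Origin the application believes it is served from (simplified Tomcat rules)."""
    h = {k.lower(): v for k, v in headers.items()}
    scheme, host, port = conn.scheme, "localhost", conn.port
    # Host header as forwarded (or rewritten) by the proxy: "name[:port]".
    # It carries name and port but never the scheme.
    if "host" in h:
        name, _, p = h["host"].partition(":")
        host, port = name, (int(p) if p else DEFAULT_PORTS[scheme])
    # Connector overrides beat whatever Host header the proxy sent.
    if conn.proxyName:
        host = conn.proxyName
    if conn.proxyPort:
        port = conn.proxyPort
    # X-Forwarded-* beat everything once the application is told to trust them.
    if conn.trust_x_forwarded:
        scheme = h.get("x-forwarded-proto", scheme)
        if "x-forwarded-host" in h:
            name, _, p = h["x-forwarded-host"].partition(":")
            host, port = name, (int(p) if p else DEFAULT_PORTS[scheme])
        if "x-forwarded-port" in h:
            port = int(h["x-forwarded-port"])
    return origin(scheme, host, port)


def referer_origin(referer: str) -> str:
    """Origin part of a Referer URL."""
    u = urlsplit(referer)
    return origin(u.scheme, u.hostname or "", u.port or DEFAULT_PORTS.get(u.scheme, 0))


def csrf_referer_ok(headers: Dict[str, str], conn: Connector) -> bool:
    """Same-origin Referer check, the kind of test a CSRF filter applies to POSTs."""
    referer = {k.lower(): v for k, v in headers.items()}.get("referer")
    return bool(referer) and referer_origin(referer) == seen_origin(headers, conn)


def mixed_content(page_url: str, resource_url: str) -> bool:
    """True when an https page embeds an http:// resource; browsers block that."""
    return page_url.startswith("https://") and resource_url.startswith("http://")


# Constructed scenario: browser -> https://reports.example.com -> proxy -> http://10.0.0.5:8080
PAGE = "https://reports.example.com/jasperserver/home.html"
REWRITTEN = {"Host": "10.0.0.5:8080", "Referer": PAGE}          # proxy replaced Host with upstream
FORWARDED = {"Host": "reports.example.com", "Referer": PAGE}    # option 1: external Host forwarded
X_FORWARDED = {"Host": "10.0.0.5:8080", "Referer": PAGE,        # option 3 / 7.2+: X-Forwarded-*
               "X-Forwarded-Proto": "https", "X-Forwarded-Host": "reports.example.com"}


def outcome(headers: Dict[str, str], conn: Connector) -> Tuple[str, bool, bool]:
    """(origin seen, CSRF Referer check passes, app-generated script URL is mixed content)."""
    seen = seen_origin(headers, conn)
    return seen, csrf_referer_ok(headers, conn), mixed_content(PAGE, seen + "/jasperserver/x.js")


def scenarios() -> Dict[str, Tuple[str, bool, bool]]:
    return {
        "rewritten": outcome(REWRITTEN, Connector()),
        "host-only": outcome(FORWARDED, Connector()),   # Host fixed, scheme still wrong
        "connector": outcome(REWRITTEN, Connector(scheme="https", proxyName="reports.example.com", proxyPort=443)),
        "x-forwarded": outcome(X_FORWARDED, Connector(trust_x_forwarded=True)),
    }


if __name__ == "__main__":
    for name, (seen, csrf, mixed) in scenarios().items():
        print(f"{name:12} sees {seen:28} csrf_ok={csrf!s:5} mixed_content={mixed}")
```

    The "host-only" case is the one worth noticing: forwarding the external Host header alone fixes the hostname and port but the application still believes it is served over http, so the Referer check still fails and every absolute URL it generates is still mixed content. The scheme has to be communicated too, either by pinning it on the connector or by sending X-Forwarded-Proto.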

    References: https://tomcat.apache.org/tomcat-8.5-doc/config/http.html (HTTP Connector attributes scheme, proxyName and proxyPort)



    User Feedback

    If so, try this in a textfield expression of a test jrxml report:

    <textFieldExpression><![CDATA[((javax.servlet.http.HttpServletRequest)$P{REPORT_PARAMETERS_MAP}.get("HTTP_SERVLET_REQUEST")).getHeader("X-Forwarded-Host")]]></textFieldExpression>

    Or modify your appserver's logging; here's an example for Tomcat:

    https://community.jaspersoft.com/wiki/add-header-tomcat-access-log-valve

    Additionally, something a little more superfluous would be to dump the entire HTTP request (minus the body) via Apache's RequestDumperFilter servlet:

    https://www.stackextend.com/java/tomcat/tomcat-debugging-tips-trace-full-request-content-of-all-coming-requests/



