Jasperserver 5.5 CSRF Error when installed behind Apache Reverse Proxy

0

I have installed Jasper Server 5.5 which worked fine when accessed directly.

After installing Apache Reverse Proxy in front of the Jasper Server, the Jasper application works except when trying to modify users, roles etc. I get this error in the jasperserver.log file:

2014-01-25 05:14:46,411 ERROR CsrfGuard,http-bio-8443-exec-34:24 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.25, uri:/jasperserver/flow.html, error:required token is missing from the request)

I have seen some posts related to CSRF with previous versions of Jasper Server, but did not seem to find any resolution to keep CSRF Gurard on while avoiding this error.

I will appreciate any help to resolve this issue, while keeping CSRFGuard on with Jasper.

Thanks.

snandi's picture
2
Joined: Nov 24 2010 - 10:03pm
Last seen: 5 years 9 months ago

Any luck with running Server 5.5 with a reverse-proxy?  I'm having the same issue.  I was able to disable CSRF checking...which allows Server to work for viewing information and running reports...but anything involving writing to the serer (publishing reports, administering users, etc.) fails.

drueter_1 - 5 years 6 months ago

5 Answers:

0

Here is the answer I found: http://stackoverflow.com/questions/17920949/running-jasperserver-behind-...

You can basically either:

1) allow undescores in headers on your proxy

---nginx----

server {

...

underscores_in_headers on;}

------------

OR

2) change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change from:

org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN

org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:

org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN

org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY

ariksu's picture
2
Joined: Oct 16 2013 - 6:03am
Last seen: 5 years 3 weeks ago
0

Hi,

 

This issue still contiune with jasper 6.1.1 as well.. I  tried options 2 , no luck,  did anyone tested this  soultions ?

while I am reProduce Problem, I can see below errors on  jasper.log  file :

 

2015-12-16 14:23:15,219 ERROR CsrfGuard,http-nio-8080-exec-37:44 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)
2015-12-16 14:24:25,436 ERROR errorPage_jsp,http-nio-8080-exec-33:298 - JSException:
2015-12-16 14:24:25,438 ERROR errorPage_jsp,http-nio-8080-exec-33:583 - stack trace of exception that redirected to errorPage.jsp
com.jaspersoft.jasperserver.api.JSException: jsexception.null.uri
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.findByURI(HibernateRepositoryServiceImpl.java:1096)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:359)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:352)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl$2.execute(HibernateRepositoryServiceImpl.java:256)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.HibernateDaoImpl.executeCallback(HibernateDaoImpl.java:63)

 

janakarajp's picture
Joined: Jul 23 2015 - 9:09pm
Last seen: 2 years 1 month ago
1

SOLVED.

Edit this file:

jasperserver/WEB-INF/classes/esapi/security-config.properties

and put to false the following value:

security.validation.csrf.on=false

 

 

 

dino.lupo_1's picture
Joined: Mar 23 2016 - 4:33am
Last seen: 3 years 7 months ago
0

Hi,

I did the following :

A js script is injected by jasper in order to perform csrf verifications.
The script is located at : /opt/jasperreports-server-6.4.2/apache-tomcat/webapps/jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.js
One of the checks performed is if OWASP CSRFGuard JavaScript was included from within an unauthorized domain.

One line in the script must be modified :
> if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
set to:
> if(true) {

Jaspersoft community reference: https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain

pierre.ortalo's picture
Joined: Aug 16 2017 - 1:34am
Last seen: 1 year 2 months ago
0

Hi ... I am still having problems with CSRF behind a proxy. I use AWS CloudFront to proxy requests to Jasper Server. When I try to login over HTTPS I get the error "Failed to retrieve CSRF token" in the developer console and the message "Connection error! Try reloading! | close" as a banner acrosss the page.

I have made the edit to the jrs.csrfguard.js file as mentioned above: -

  //if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
  <strong>if (true) { </strong>// GCJ 2019-01-21 https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain
    /** optionally include Ajax CSRF support **/

... and I've also changed the jrs.csrfguard.properties file: -

  # If csrfguard filter is enabled
  org.owasp.csrfguard.Enabled = <strong>false</strong>

... but it still fails because the Origin header is different from the Request URL as seen by the Tomcat Server.

@pierre.ortalo It seems you had the exact same problem. Wonder if you've got any more insights?

gjohnson_2's picture
Joined: Jan 15 2018 - 4:39pm
Last seen: 2 months 4 days ago
Feedback
randomness