Jasperserver 5.5 CSRF Error when installed behind Apache Reverse Proxy

I have installed Jasper Server 5.5 which worked fine when accessed directly.

After installing Apache Reverse Proxy in front of the Jasper Server, the Jasper application works except when trying to modify users, roles etc. I get this error in the jasperserver.log file:

2014-01-25 05:14:46,411 ERROR CsrfGuard,http-bio-8443-exec-34:24 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.25, uri:/jasperserver/flow.html, error:required token is missing from the request)

I have seen some posts related to CSRF with previous versions of Jasper Server, but did not seem to find any resolution to keep CSRF Guard on while avoiding this error.

I will appreciate any help to resolve this issue, while keeping CSRFGuard on with Jasper.

Thanks.

snandi
2
Joined: Nov 24 2010 - 10:03pm
Last seen: 9 years 2 months ago

Any luck with running Server 5.5 with a reverse-proxy? I'm having the same issue. I was able to disable CSRF checking...which allows Server to work for viewing information and running reports...but anything involving writing to the server (publishing reports, administering users, etc.) fails.

drueter_1 - 8 years 10 months ago

5 Answers:

Here is the answer I found: http://stackoverflow.com/questions/17920949/running-jasperserver-behind-...

You can basically either:

1) allow underscores in headers on your proxy

---nginx----

server {
    ...
    underscores_in_headers on;
}

------------

OR

2) change token configuration name in jasperserver-pro/WEB-INF/esapi/Owasp.CsrfGuard.properties

Change from:

org.owasp.csrfguard.TokenName=JASPER_CSRF_TOKEN

org.owasp.csrfguard.SessionKey=JASPER_CSRF_SESSION_KEY

To:

org.owasp.csrfguard.TokenName=JASPERCSRFTOKEN

org.owasp.csrfguard.SessionKey=JASPERCSRFSESSIONKEY

ariksu
46
Joined: Oct 16 2013 - 6:03am
Last seen: 8 years 5 months ago
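Added example (not from the original thread and not Jaspersoft's own code): a small Python script that parses CsrfGuard "attack thwarted" lines like the one quoted in the question into their fields, counts them per error and client IP so a proxy misconfiguration (one client failing on every state-changing request) can be told apart from something that needs investigation, and flags request header names that nginx drops by default because they contain underscores, which is the reason option 1 above works. The sample log lines are constructed from the ones in this thread; the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the CsrfGuard lines quoted in this thread;
# the third line is a non-CsrfGuard error and must be ignored by the parser.
SAMPLE_LOG = """\
2014-01-25 05:14:46,411 ERROR CsrfGuard,http-bio-8443-exec-34:24 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:10.0.0.25, uri:/jasperserver/flow.html, error:required token is missing from the request)
2015-12-16 14:23:15,219 ERROR CsrfGuard,http-nio-8080-exec-37:44 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)
2015-12-16 14:24:25,436 ERROR errorPage_jsp,http-nio-8080-exec-33:298 - JSException:
"""

# One CsrfGuard "attack thwarted" line; the named groups are the fields we keep.
# The number after the thread name is the logging line number, which we skip.
CSRF_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} [\d:,]+) ERROR CsrfGuard,(?P<thread>[^:]+):\d+ - "
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), uri:(?P<uri>[^,]*), error:(?P<error>.*)\)$"
)


def parse_csrf_events(log_text):
    """Return one dict per CsrfGuard 'attack thwarted' line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = CSRF_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events):
    """Count events per (error, client ip).

    A single client ip hitting 'required token is missing' on every write
    request is the signature of a proxy that strips the token header; the same
    error spread across many client ips deserves a closer look instead.
    """
    return Counter((e["error"], e["ip"]) for e in events)


def headers_dropped_by_default(header_names):
    """Return the header names nginx drops when `underscores_in_headers` is off
    (its default): any name containing an underscore, such as JASPER_CSRF_TOKEN.
    A token header dropped here never reaches Tomcat, and CsrfGuard logs
    'required token is missing from the request'."""
    return [name for name in header_names if "_" in name]


if __name__ == "__main__":
    found = parse_csrf_events(SAMPLE_LOG)
    for (error, ip), count in summarize(found).items():
        print(f"{count:3d}  ip={ip:<12}  {error}")
    print("headers at risk:", headers_dropped_by_default(["JASPER_CSRF_TOKEN", "X-Requested-With"]))
```

Run it against a real jasperserver.log by replacing SAMPLE_LOG with the file contents; if every token-missing event comes from the proxy's own IP, check the proxy's header handling before looking anywhere else.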

Hi,

This issue still continues with Jasper 6.1.1 as well. I tried option 2, with no luck. Has anyone tested these solutions?

While reproducing the problem, I can see the errors below in the jasper.log file:

2015-12-16 14:23:15,219 ERROR CsrfGuard,http-nio-8080-exec-37:44 - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, uri:/jasperserver-pro/flow.html, error:required token is missing from the request)
2015-12-16 14:24:25,436 ERROR errorPage_jsp,http-nio-8080-exec-33:298 - JSException:
2015-12-16 14:24:25,438 ERROR errorPage_jsp,http-nio-8080-exec-33:583 - stack trace of exception that redirected to errorPage.jsp
com.jaspersoft.jasperserver.api.JSException: jsexception.null.uri
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.findByURI(HibernateRepositoryServiceImpl.java:1096)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:359)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl.loadResource(HibernateRepositoryServiceImpl.java:352)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.hibernate.HibernateRepositoryServiceImpl$2.execute(HibernateRepositoryServiceImpl.java:256)
        at com.jaspersoft.jasperserver.api.metadata.common.service.impl.HibernateDaoImpl.executeCallback(HibernateDaoImpl.java:63)

janakarajp
Joined: Jul 23 2015 - 9:09pm
Last seen: 5 years 5 months ago

SOLVED.

Edit this file:

jasperserver/WEB-INF/classes/esapi/security-config.properties

and set the following value to false:

security.validation.csrf.on=false

dino.lupo_1
Joined: Mar 23 2016 - 4:33am
Last seen: 6 years 12 months ago

Hi,

I did the following:

A JS script is injected by Jasper in order to perform CSRF verifications.
The script is located at: /opt/jasperreports-server-6.4.2/apache-tomcat/webapps/jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.js
One of the checks performed is whether the OWASP CSRFGuard JavaScript was included from within an unauthorized domain.

One line in the script must be modified:
> if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
set to:
> if(true) {

Jaspersoft community reference: https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain

pierre.ortalo
Joined: Aug 16 2017 - 1:34am
Last seen: 4 years 7 months ago

Hi ... I am still having problems with CSRF behind a proxy. I use AWS CloudFront to proxy requests to Jasper Server. When I try to login over HTTPS I get the error "Failed to retrieve CSRF token" in the developer console and the message "Connection error! Try reloading! | close" as a banner across the page.

I have made the edit to the jrs.csrfguard.js file as mentioned above: -

  //if(isValidDomain(document.domain, "%DOMAIN_ORIGIN%")) {
  if (true) { // GCJ 2019-01-21 https://community.jaspersoft.com/wiki/owasp-csrfguard-javascript-was-included-within-unauthorized-domain
    /** optionally include Ajax CSRF support **/

... and I've also changed the jrs.csrfguard.properties file: -

  # If csrfguard filter is enabled
  org.owasp.csrfguard.Enabled = false

... but it still fails because the Origin header is different from the Request URL as seen by the Tomcat Server.

@pierre.ortalo It seems you had the exact same problem. Wonder if you've got any more insights?

gjohnson_2
Joined: Jan 15 2018 - 4:39pm
Last seen: 1 year 6 months ago