Chromium 80 Update February 2020: Cross site cookie blocking for Jaspersoft

Feb. 2020 Chromium 80 update will impact some implementations of JasperReports Server

In mid-February 2020, a change will be pushed by the developers of the Chromium engine to all browser installations which implement it.

Popular browsers using Chromium, impacted by this change:

  • Google Chrome (certified for use with Jaspersoft)
  • Microsoft Edge (certified for use with Jaspersoft)
  • Opera (not certified for use with Jaspersoft)
  • Select others (not certified for use with Jaspersoft)

**Apple Safari and Mozilla Firefox DO NOT use Chromium (although both browser teams have their own plans to implement similar rules in the future).

For affected Chromium browsers, this change will enforce NEW rules on websites, particularly those loading content from multiple domains at once.

Jaspersoft administrators and users should be aware of this change, and understand its impacts on their implementations.

The following brief questionnaire should help clarify whether or not your installation will be impacted immediately by this change to your end users' browsers.

Impact Questionnaire

Question 1 - Errors indicating you are impacted?
Are you seeing the following error in your browser console when loading pages containing embedded content from JasperReports Server?

    A cookie associated with a cross-site resource at http://www.example.com/ was set without the
    `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site
    requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer
    tools under Application>Storage>Cookies and see more details at
    https://www.chromestatus.com/feature/5088147346030592 and
    https://www.chromestatus.com/feature/5633521622188032.

  • No: Please proceed to Question #2.
  • Yes: Your implementation is already impacted by this change, and will need to be modified/updated. Please skip the 2 remaining questions in this questionnaire, and read all the details in the sections below.

Question 2 - Embedded?
Are you embedding JasperReports Server in another web application? For example, are you exposing its functionality using our Visualize.js JavaScript API, or REST API, or possibly iFrames in the pages of another application or site?

  • No: Your JasperReports Server installation will not require any changes.
  • Yes: Please proceed to Question #3.

Question 3 - Combining multiple domains?
Is the domain used by your JasperReports Server DIFFERENT from the domain used by the application in which it is embedded? (Example: the domain name for your JasperReports Server is "somecompany.com", and it is embedded in another application whose domain is "mycompany.com".)

  • No: Your JasperReports Server installation will not require any changes.
  • Yes: Your implementation may need to be modified/updated. Please read all the details below.

**Please read the rest of this page if you completed the questionnaire above, and it indicated you may be impacted.

In February 2020, Google Chrome was the first browser to implement additional checks on cookies related to cross site interactions. Other browsers are planning to also introduce this check.

“Cross site” for a browser means a web page from site A (www.example.com) accessing pages and resources (i.e. REST calls, images) on site B (www.myapp.com).

Below is an example of an exception in the Google Chrome browser console with the cross site cookie blocking:

A cookie associated with a cross-site resource at http://www.example.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

What this means is that any cookie that is to be sent with a cross site request must carry the “SameSite=None; Secure” attributes, and, as a consequence of the Secure attribute, must be set and sent over HTTPS.
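As an added example (not code from the Jaspersoft article), the following Python script applies the Chromium 80 rule just described to raw Set-Cookie headers and reports which cookies a browser would drop on a cross site request. The sample headers are constructed; apart from JSESSIONID, the cookie names are assumptions.

```python
# Added example: classify Set-Cookie headers under the Chromium 80 cross-site rules.
# Sample headers are constructed, in the shape a JasperReports Server login response
# might use; "userLocale" is an assumed cookie name, not one from the article.
from typing import Dict, List, Tuple

SAMPLE_HEADERS = [
    # unpatched server: no SameSite attribute at all
    "JSESSIONID=ABC123; Path=/jasperserver-pro; HttpOnly",
    # SameSite=None added but Secure forgotten (e.g. server still on plain HTTP)
    "userLocale=en_US; Path=/jasperserver-pro; SameSite=None",
    # what the hotfix / Tomcat configuration should produce
    "JSESSIONID=DEF456; Path=/jasperserver-pro; HttpOnly; SameSite=None; Secure",
]


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie header into its cookie name and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {"name": parts[0].split("=", 1)[0].strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return attrs


def cross_site_status(header: str) -> str:
    """Return how a Chromium 80 browser treats this cookie on a cross-site request."""
    attrs = parse_set_cookie(header)
    same_site = attrs.get("samesite")
    secure = "secure" in attrs
    if same_site is None:
        # Chromium 80 defaults a missing SameSite to Lax: not sent cross-site.
        return "blocked: no SameSite attribute (treated as Lax)"
    if same_site == "none" and not secure:
        # SameSite=None without Secure is rejected outright.
        return "rejected: SameSite=None requires Secure"
    if same_site == "none":
        return "ok: SameSite=None; Secure"
    return f"blocked: SameSite={same_site}"


def report(headers: List[str]) -> List[Tuple[str, str]]:
    """Pair each cookie name with its cross-site status, preserving order."""
    return [(parse_set_cookie(h)["name"], cross_site_status(h)) for h in headers]


if __name__ == "__main__":
    for name, status in report(SAMPLE_HEADERS):
        print(f"{name}: {status}")
```

Paste the Set-Cookie lines from your own server's login response (visible in the browser developer tools) into SAMPLE_HEADERS to check readiness before or after applying one of the options below.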

Effect on JasperReports Server

JasperReports Server is often accessed in a cross site manner from browsers when embedding:

  • Jaspersoft web pages in iFrames

  • Visualize.js

  • REST calls through JavaScript

  • Authentication, Single sign on

An example of cross site access is the Jaspersoft visualize.js samples like:

https://jsfiddle.net/gh/get/mootools/1.5.2/TIBCOSoftware/JS-visualize/tree/master/report-embed/report-render/

The page from the jsfiddle.net site is executing the HTML and JavaScript in the visualize sample and is pointing to a public JasperReports Server:

<script src="https://mobiledemo.jaspersoft.com/jasperserver-pro/client/visualize.js"></script>

Blocking cross site cookies will break embedded use of Jaspersoft. Jaspersoft uses a JSESSIONID cookie to indicate a successful login and to maintain the logged-in user session, along with other cookies; all of these are affected by cookie blocking.

How to address cross site cookie blocking for Jaspersoft

There are several ways to address this cookie blocking:

Option 1 - Hot fixes

Hot fixes/patches

If you must access JasperReports Server in a cross site manner (embedded) and cannot use Options 2 or 3 below, you can deploy the "JS-56885" hotfix (JS-56885 is the internal record number related to the cross-site cookie issue).

Jaspersoft Engineering has developed hot fixes to address JS-56885 for the currently supported, SECURE versions of JasperReports Server (7.5.0, 7.2.0, 7.1.1, 6.4.4).

For JasperReports Server commercial editions, the following hot fixes are available:

Subscription customers with valid credentials may download hot fixes via the TIBCO Customer Portal (https://support.tibco.com/s/hotfixes).

Also attached below.

These hot fixes add the SameSite=none; Secure flags on cookies from JasperReports Server.

HTTPS requirement

The Secure flag on the cookies requires them to be served over HTTPS, so JasperReports Server will ONLY be accessible from the browser via HTTPS. This will be a requirement imposed by the browsers moving forward. This is regardless of whether the web page embedding the cross site content is served using HTTP, like in an intranet.

HTTPS (SSL) can be enabled on JasperReports Server. See:

https://community.jaspersoft.com/documentation/tibco-jasperreports-server-security-guide/v7/enabling-ssl-tomcat


Alternatively, HTTPS (SSL) can be enabled in a proxy/load balancer between the browser and JasperReports Server to meet the HTTPS requirement. SSL termination at the proxy/load balancer will remove the need for JasperReports Server to implement HTTPS.

Custom Authentication Update

As part of this fix, there are changes in the use of the optional JasperReports Server custom authentication API https://community.jaspersoft.com/documentation/tibco-jasperreports-server-authentication-cookbook/v750/external-authentication. Code and configuration changes are not required to support this hotfix in most custom authentication use cases if the existing custom authentication APIs/classes are used. However, some use cases (example: token-based authentication) will require minor changes, as outlined below.


Configuration Change: One of the sample custom authentication methods - token based or "preauth" - defined in the samples/sample-applicationContext-externalAuth-preAuth-mt.xml file has been updated to add a single property ("responseHeadersUpdater"):

<bean id="proxyPreAuthenticatedProcessingFilter"
    class="com.jaspersoft.jasperserver.api.security.externalAuth.preauth.BasePreAuthenticatedProcessingFilter">
..........
    <property name="responseHeadersUpdater" ref="responseHeadersUpdater"/>
</bean>

See attached sample-applicationContext-externalAuth-preAuth-mt.xml.

Code Change: If you have your own custom authentication method where custom Java classes were deployed into the JasperReports Server, you may need to update your code and/or configurations. If this code implements a Filter.doFilter method or overrides JrsAuthenticationSuccessHandler.onAuthenticationSuccess, please review BasePreAuthenticatedProcessingFilter and JrsAuthenticationSuccessHandler (attached) to see whether your external authentication needs to be updated. It may be as simple as adding the responseHeadersUpdater property.

Deploying the Hotfix

The hotfix will come as a Zip file.

  1. Unzip it
  2. Review readme.txt, noting updated files that could conflict with your current configuration and/or customizations.
  3. Stop the JasperReports Server web application
  4. With your JasperReports Server web application (WAR) file system
    1. Backup the current WAR files
    2. Delete files as noted in the readme.txt
    3. Copy files, including any of your updates, into the WAR
  5. Clear the Java web server JSP cache
  6. Start the JasperReports Server web application

Again, if a hot fix is not yet available for your version of JasperReports Server, we strongly suggest you review and apply either of the interim solutions in Options 2 or 3 below.

Option 2 - Don't access JasperReports Server in a cross site way

Jaspersoft can be accessed through a proxy, so that your web site and Jaspersoft appear under a single web domain and Jaspersoft access is therefore not cross site. If you have embedded Jaspersoft in a cross site way, changing to proxying will require changes to your environment (implementing and configuring a proxy service) and to your application.

See Best Practices for deploying JasperReports Server into your web application | Jaspersoft Community

Another way to avoid cross site access is to use the same Web domain for your application and Jaspersoft, i.e.

  • www.myapp.com for your application
  • jaspersoft.myapp.com for JasperReports Server

Option 3 - Configure the application server to add the cookie attributes

For HTTPS installations ONLY: Insert the necessary cookie attributes to support cross-site references via configuration of your application server (works for later versions of application servers).

*BOTH* of the following cookie attributes, SameSite=None and Secure, need to be inserted for this to work.

For certain recent versions of application servers, it is possible to configure the cookie processor to insert the SameSite Cookie (examples: Tomcat versions 8.5.48 (not yet certified by Jaspersoft), 9.0.30 (not yet certified by Jaspersoft) and higher).

Apache Tomcat: The most popular application server among our customers is Tomcat. To insert the SameSite=None attribute on the cookies of all pages in Tomcat:

  1. Go to the {JRS WAR}/META-INF/context.xml file.
  2. Add the following line within the Context tag (the value must be "none"; "strict" or "lax" would block the cross site use this page is about):
     <CookieProcessor sameSiteCookies="none" className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />
  3. Save the edited context.xml file
  4. Restart Tomcat

To read more about this option:

https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

Other application servers: Similar options may be available in other application servers. Please consult the documentation for your selected server.

To set the "Secure" attribute on the cookies of ALL pages served by the application server containing JasperReports Server:

Apache Tomcat Instructions (most popular among Jaspersoft customers):

  1. Go to the "conf" directory of your Tomcat installation (ex: apache_tomcat\conf)
  2. Open the web.xml file
  3. Add the following to the "session-config" section:
     <cookie-config>
         <http-only>true</http-only>
         <secure>true</secure>
     </cookie-config>
  4. Save the edited web.xml file
  5. Restart Tomcat

Other application servers:

Similar options may be available in other application servers. Please consult the documentation for your selected server.
