Jump to content
We've recently updated our Privacy Statement, available here ×

  • Chromium 80 Update February 2020: Cross site cookie blocking for Jaspersoft

    abresci

    By abresci

      • Product: JasperReports® Server
     Share

    Feb. 2020 Chromium 80 update will impact some implementations of JasperReports Server

    In mid-February 2020, a change will be pushed by the developers of the Chromium engine to all browser installations which implement it.

    Popular browsers using Chromium, impacted by this change:

    • Google Chrome (certified for use with Jaspersoft)
    • Microsoft Edge (certified for use with Jaspersoft)
    • Opera (not certified for use with Jaspersoft)
    • Select others (not certified for use with Jaspersoft)

    **Apple Safari and Mozilla Firefox DO NOT use Chromium (although both browser teams have their own plans to implement similar rules in the future).

    For affected Chromium browsers, this change will enforce NEW rules on websites, particularly those loading content from multiple domains at once.

    Jaspersoft administrators and users should be aware of this change, and understand its impacts on their implementations.

    The following brief questionnaire should help clarify whether or not your installation will be impacted immediately by this change to your end users' browsers.

    Impact Questionnaire
    QuestionAnswerAction
    1.  Errors Indicating You Are Impacted? Are you seeing the following error in your browser console when loading pages containing embedded content from JasperReports Server?NoPlease proceed to Question #2
    YesYour implementation is already impacted by this change, and will need to be modified/updated. Please skip the 2 remaining questions in this questionnaire, and read all the details in the sections below.
    2.  Embedded? Are you embedding JasperReports Server in another web application? For example, are you exposing its functionality using our Visualize.js JavaScript API, or REST API, or possibly iFrames in the pages of another application or site?NoYour JasperReports Server installation will not require any changes
    YesPlease proceed to Question #3
    3.  Combining Multiple Domains? Is the domain used by your JasperReports Server DIFFERENT from the domain used by the application in which it is embedded? (Example: the domain name for your JasperReports Server is "somecompany.com", and it is embedded in another application whose domain is "mycompany.com"NoYour JasperReports Server installation will not require any changes
    YesYour implementation may need to be modified/updated. Please read all the details below.

     

     

     

     

     

    **Please read the rest of this page if you completed the questionnaire above, and it indicated you may be impacted.

    What is cross site cookie blocking?

    In February 2020, Google Chrome was the first browser to implement additional checks on cookies related to cross site interactions. Other browsers are planning to also introduce this check.

    “Cross site” for a browser means a web page from site A (www.example.com)accessing pages and resources (ie. REST calls, images) on site B (www.myapp.com).

    Below is an example of an exception in the Google Chrome browser console with the cross site cookie blocking:

    A cookie associated with a cross-site resource at http://www.example.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

    What this means is that all received cross site cookies must have the “SameSite=None; Secure” flags set on those cookies and that the cookies must be received over HTTPS - the implication of the Secure flag.

    Effect on JasperReports Server

    JasperReports Server is often accessed in a cross site manner from browsers when embedding:

    • Jaspersoft web pages in iFrames

    • Visualize.js

    • REST calls through JavaScript

    • Authentication, Single sign on

    An example of cross site access is the Jaspersoft visualize.js samples like:

    https://jsfiddle.net/gh/get/mootools/1.5.2/TIBCOSoftware/JS-visualize/tree/master/report-embed/report-render/

    The page from the jsfiddle.net site is executing the HTML and JavaScript in the visualize sample and is pointing to a public JasperReports Server:

    <script src="https://mobiledemo.jaspersoft.com/jasperserver-pro/client/visualize.js"></script>

    Blocking cross site cookies will stop the use of embedded Jaspersoft. Jaspersoft uses a JSESSIONID cookie to indicate successful login and establish a logged in user session and other cookies which will be affected by cookie blocking.

     

    How to address cross site cookie blocking for Jaspersoft

    There are several ways to address this cookie blocking:

    Option 1 - Hot fixes

    Hot fixes/patches

    If you must access JasperReports Server in a cross site manner (embedded) and cannot use Options 2 or 3 below, you can deploy the "JS-56885" hotfix (JS-56885 is the internal record number related to the cross-site cookie issue).

    Jaspersoft Engineering has developed hot fixes to address JS-56885 for the currently supported, SECURE versions of JasperReports Server (7.5.0, 7.2.0, 7.1.1, 6.4.4). 

    For JasperReports Server commercial editions, the following hot fixes are available:

    Subscription customers with valid credentials may download hot fixes via the TIBCO Customer Portal (https://support.tibco.com/s/hotfixes).

    Also attached below.

    These hot fixes add the SameSite=none; Secure flags on cookies from JasperReports Server.

    HTTPS requirement

    The Secure flag on the cookies requires them to be served over HTTPS, so JasperReports Server will ONLY be accessible from the browser via HTTPS. This will be a requirement imposed by the browsers moving forward. This is regardless of whether the web page embedding the cross site content is served using HTTP, like in an intranet.

     

    HTTPS (SSL) can be enabled on JasperReports Server. See:

    https://community.jaspersoft.com/documentation/tibco-jasperreports-server-security-guide/v7/enabling-ssl-tomcat

     

    Alternatively, HTTPS (SSL) can be enabled in a proxy/load balancer between the browser and JasperReports Server to meet the HTTPS requirement. SSL termination at the proxy/load balancer will remove the need for JasperReports Server to implement HTTPS.

    Custom Authentication Update

    As part of this fix, there are changes in the use of the optional JasperReports Server custom authetication API https://community.jaspersoft.com/documentation/tibco-jasperreports-server-authentication-cookbook/v750/external-authentication. Code and configuration changes are not required to support this hotfix in most custom authentication use cases if the existing custom authentication APIs/classes are used. However, some use cases (example: token-based authentication) will require minor changes, as outlined below.

     

    Configuration Change: One of the sample custom authentication methods - token based or "preauth" - defined in the samples/sample-applicationContext-externalAuth-preAuth-mt.xml file has been updated to add a single property ("responseHeadersUpdater"):

    <bean id="proxyPreAuthenticatedProcessingFilter"    class="com.jaspersoft.jasperserver.api.security.externalAuth.preauth.BasePreAuthenticatedProcessingFilter">..........    <property name="responseHeadersUpdater" ref="responseHeadersUpdater"/></bean>[/code]

    See attached sample-applicationContext-externalAuth-preAuth-mt.xml.

    Code Change: If you have your own custom authentication method where custom Java classes were deployed into the JasperReports Server, you may need to update your code and/or configurations. If this code implements a Filter.doFilter method or overrides JrsAuthenticationSuccessHandler.onAuthenticationSuccess, please review BasePreAuthenticatedProcessingFilter and JrsAuthenticationSuccessHandler (attached) to see whether your external authentication needs to be updated. It may be as simple as adding the responseHeadersUpdater property.

    Deploying the Hotfix

    The hotfix will come as a Zip file.

    1. Unzip it
    2. Review readme.txt, noting updated files that could conflict with your current configuration and/or customizations.
    3. Stop the JasperReports Server web application
    4. With your JasperReports Server web application (WAR) file system
      1. Backup the current WAR files
      2. Delete files as noted in the readme.txt
      3. Copy files, including any of your updates, into the WAR
    5. Clear the Java web server JSP cache
    6. Start the JasperReports Server web application

    Again, if a hot fix is not yet available for your version of JasperReports Server, we strongly suggest you review and apply either of the interim solutions in Options 2 or 3 below.

    Option 2. - Don't access JasperReports Server in a cross site way

    Jaspersoft can be accessed through a proxy, so your web site and Jaspersoft appear under a single web domain and therefore Jaspersoft access is not a cross site. If you have embedded Jaspersoft in a cross site way, changing to proxying will require changes to your environment (implementing and configuring a proxy service) and your application.

     

    See Best Practices for deploying JasperReports Server into your web application | Jaspersoft Community

    Another way to avoid cross site access is to use the same Web domain for your application and Jaspersoft. ie.

    • www.myapp.com for your application
    • jaspersoft.myapp.com for JasperReports Server

    Option 3. - Update application servers to inject cookie flags

    For HTTPS installations ONLY: Insert necessary cookies to support cross-site references via configuration of your application server (works for later versions of application servers).

    *BOTH* of the following cookies, SameSite=none and Secure, need to be inserted for this to work.

    Required Cookie #1: SameSite=none

    For certain recent versions of application servers, it is possible to configure the cookie processor to insert the SameSite Cookie (examples: Tomcat versions 8.5.48 (not yet certified by Jaspersoft), 9.0.30 (not yet certified by Jaspersoft) and higher).

    Apache Tomcat: The most popular application server among our customers is Tomcat. To insert the SameSite=none cookie for all pages in Tomcat:

    1. Go to the {JRS WAR}/META-INF/context.xml file.
    2. add the following line within the context tag:
      <CookieProcessor sameSiteCookies="none" className="org.apache.tomcat.util.http.Rfc6265CookieProcessor" />

    3. Save the edited context.xml file
    4. Restart Tomcat

     

    To read more about this option:

    https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html

    Other application servers: Similar options may be available in other application servers. Please consult the documentation for your selected server.

    Required Cookie #2: Secure

    To implement the "Secure" cookie across ALL pages served by the application server containing JasperReports Server:

    Apache Tomcat Instructions (most popular among Jaspersoft customers):

    1. Go to the "conf" directory of your Tomcat installation (ex: apache_tomcatconf)
    2. Open the web.xml file
    3. Add the following to the "session-config" section:
      <cookie-config><http-only>true</http-only><secure>true</secure></cookie-config>

    4. Save the edited web.xml file
    5. Restart Tomcat

    Other application servers:

    Similar options may be available in other application servers. Please consult the documentation for your selected server.

     

    jrs-7.1.1-sample-applicationcontext-externalauth-preauth.xml

    jrsauthenticationsuccesshandler.java

    basepreauthenticatedprocessingfilter.java

    hotfix_jrspro7.5.0_cumulative_20200228_0035.zip

    hotfix_jrspro7.2.0_cumulative_20200227_1708.zip

    hotfix_jrspro7.1.1_cumulative_20200224_2255.zip

    hotfix_jrspro6.4.4_cumulative_20200304_1659.zip

     Share
    Go to entries

    User Feedback

    Recommended Comments

    There are no comments to display.



    Create an account or sign in to comment

    You need to be a member in order to leave a comment

    Create an account

    Sign up for a new account in our community. It's easy!

    Register a new account

    Sign in

    Already have an account? Sign in here.

    Sign In Now

×
×
  • Create New...

© 2024 Cloud Software Group,
Inc. All rights reserved.

Products

Explore