CsrfGuard error:required token is missing from the request

Issue Description

A customer tries to access their JasperReports Server from behind a proxy or loadbalancer and find this error in their logs:

2016-09-15 11:41:11,534 ERROR CsrfGuard,http-nio-8080-exec-6:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.150.15, method:POST, uri:/jasperserver-pro/rest_v2/reports/organizations/8001/Reports/uic_s_month_adm/inputControls/, error:required token is missing from the request)

Resolution

The CsrfGuard is protecting from Cross Site Request Forgery - https://www.owasp.org/index.php/Cross-Site_Request_Forgery (CSRF)

The message "required token is missing from the request" indicates that our application is expecting a token which isn't present in the http headers forwarded from the proxy or loadbalancer.

The token we expect is defined in jasperserver-proWEB-INFcsrfjrs.csrfguard.properties, org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN

In 5.6.x the value was JASPER_CSRF_TOKEN, but in 6.3.x it is OWASP_CSRFTOKEN .

Your network engineers should evaluate the headers and ensure the correct token is being passed

Ref. Case 00071217

User Feedback

1 Comment

Recommended Comments

fishkdo 0

Posted September 27, 2022

- Share this comment

lo que a mi me funcionó es buscar "OWASP_CSRFTOKEN" y reemplazarlo con "OWASP-CSRFTOKEN"

/opt/jasper/apache-tomcat/webapps/jasperserver/ROOT/WEB-INF/csrf/jrs.csrfguard.properties
/opt/jasper/apache-tomcat/webapps/jasperserver/ROOT/WEB-INF/csrf/Websphere.jrs.csrfguard.properties

Sign In

CsrfGuard error:required token is missing from the request

Issue Description

Resolution

Table of contents

User Feedback

Recommended Comments

fishkdo 0

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in

Activity

Products

Explore