Issue Description
A customer tries to access their JasperReports Server from behind a proxy or load balancer and finds this error in their logs:
2016-09-15 11:41:11,534 ERROR CsrfGuard,http-nio-8080-exec-6:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.150.15, method:POST, uri:/jasperserver-pro/rest_v2/reports/organizations/8001/Reports/uic_s_month_adm/inputControls/, error:required token is missing from the request)
Resolution
CsrfGuard protects the application from Cross-Site Request Forgery (CSRF): https://www.owasp.org/index.php/Cross-Site_Request_Forgery
The message "required token is missing from the request" indicates that the application expects a CSRF token which is not present in the HTTP headers forwarded by the proxy or load balancer.
The token name we expect is defined in jasperserver-pro/WEB-INF/csrf/jrs.csrfguard.properties as org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
In 5.6.x the value was JASPER_CSRF_TOKEN, but in 6.3.x it is OWASP_CSRFTOKEN.
Your network engineers should evaluate the headers that reach the server and ensure the header with the correct token name is being passed through unchanged.
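The following is an added diagnostic script, not part of this article or of the JasperReports Server product. It parses CsrfGuard "attack thwarted" log lines of the format shown above and checks a captured set of request headers (as they arrive at the server, behind the proxy) for the token header name the article gives for each version. The extra check for a hyphenated variant of the name is an assumption about a common proxy behaviour, not something the article states: some proxies drop or rewrite request headers that contain underscores (nginx, for example, ignores them unless `underscores_in_headers on;` is set), which would explain a token that the client sends but the server never sees. The sample headers and the constructed header dictionaries are made up for the example.

```python
import re
from typing import Dict, Optional

# Token header name per JasperReports Server version line, as stated in the article
# (org.owasp.csrfguard.TokenName in jrs.csrfguard.properties).
EXPECTED_TOKEN_NAME = {
    "5.6": "JASPER_CSRF_TOKEN",
    "6.3": "OWASP_CSRFTOKEN",
}

# Matches the CsrfGuard "attack thwarted" message format quoted in the article.
LOG_RE = re.compile(
    r"potential cross-site request forgery \(CSRF\) attack thwarted "
    r"\(user:(?P<user>[^,]*), ip:(?P<ip>[^,]*), method:(?P<method>[^,]*), "
    r"uri:(?P<uri>[^,]*), error:(?P<error>[^)]*)\)"
)


def parse_csrfguard_line(line: str) -> Optional[Dict[str, str]]:
    """Extract user, ip, method, uri and error from a CsrfGuard log line, or None."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {k: v.strip() for k, v in m.groupdict().items()}


def diagnose_headers(headers: Dict[str, str], version: str) -> Dict[str, object]:
    """Check request headers captured at the server for the expected CSRF token header.

    version is "5.6" or "6.3" (the two lines the article names). Header names are
    compared case-insensitively, as HTTP header names are case-insensitive.
    """
    expected = EXPECTED_TOKEN_NAME[version]
    lower = {k.lower(): v for k, v in headers.items()}
    present = expected.lower() in lower
    # Assumption: a proxy that rewrites underscores to hyphens would deliver e.g.
    # OWASP-CSRFTOKEN, which CsrfGuard would not recognise as its token.
    hyphenated = expected.replace("_", "-").lower()
    rewritten = (not present) and hyphenated in lower
    # The other version's token name arriving instead points at a client or
    # integration built against a different server version.
    legacy = [n for v, n in EXPECTED_TOKEN_NAME.items()
              if v != version and n.lower() in lower]
    return {
        "expected": expected,
        "present": present,
        "rewritten_name_present": rewritten,
        "other_version_name_present": bool(legacy),
    }


# Log line quoted in the article.
SAMPLE_LOG_LINE = (
    "2016-09-15 11:41:11,534 ERROR CsrfGuard,http-nio-8080-exec-6:44 - potential "
    "cross-site request forgery (CSRF) attack thwarted (user:, ip:192.168.150.15, "
    "method:POST, uri:/jasperserver-pro/rest_v2/reports/organizations/8001/Reports/"
    "uic_s_month_adm/inputControls/, error:required token is missing from the request)"
)

# Constructed header sets, as a packet capture or server-side dump might show them.
HEADERS_OK = {"Host": "reports.example.internal", "OWASP_CSRFTOKEN": "constructed-token"}
HEADERS_REWRITTEN = {"Host": "reports.example.internal", "OWASP-CSRFTOKEN": "constructed-token"}
HEADERS_STRIPPED = {"Host": "reports.example.internal", "X-Forwarded-For": "192.168.150.15"}

if __name__ == "__main__":
    print(parse_csrfguard_line(SAMPLE_LOG_LINE))
    for name, hdrs in [("ok", HEADERS_OK), ("rewritten", HEADERS_REWRITTEN),
                       ("stripped", HEADERS_STRIPPED)]:
        print(name, diagnose_headers(hdrs, "6.3"))
```

Run it against headers dumped on the server side of the proxy (for example from a request logging filter or a capture on the backend interface) rather than from the client, since the point of the check is to see what survives the hop.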
Ref. Case 00071217