JasperServer proxy CSRF error

Submitted by 元气小坏坏 on 2019-12-23 10:56:15

Question


I have a new installation of JasperReports Server 6.2 using the bundled Tomcat on Ubuntu 14.04 LTS with an Nginx proxy so I can access https://mydomain.xyz/jasperserver. It mostly works, but I'm not able to manage users and roles. If I bypass Nginx and go straight to Tomcat http://123.123.123.123:8080/jasperserver, everything works perfectly. The log indicates:

2016-02-28 19:44:08,024 ERROR CsrfGuard,http-nio-8080-exec-3:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/jasperserver/flow.html, error:required token is missing from the request)

This is exactly the same as this older question: Running jasperserver behind nginx: Potential CSRF attack. But I've tried both mitigations suggested, and it's still not working.

  • I tried setting underscores_in_headers on;, first in just http, then in server, then in both.
  • When that didn't work, I removed the underscores from JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN in WEB-INF/esapi/Owasp.CsrfGuard.properties

I rebooted the server just to be sure everything was cleared and restarted, but it's still not working.

I'm seeking suggestions for a resolution and/or guidance on where to look to diagnose the problem better. I'm new to Jasper and my Java/Tomcat skills are rusty.


Answer 1:


I know this is old now, but as of JasperReports Server 7.X, and probably earlier versions:

When proxying through Nginx to JasperReports Server, the underscores_in_headers on; setting must be in the nginx configuration.

It looks like from the discussion here the default OWASP_CSRFGUARD header JasperReports Server uses will be dropped by Nginx silently without this setting. No other proxy and load balancer I have come across does this.
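As an added example (not the asker's configuration and not from the JasperReports Server project), here is an Nginx configuration with the directive in place. It assumes Tomcat listening on 127.0.0.1:8080 with the /jasperserver context and a TLS listener for mydomain.xyz; the certificate paths are hypothetical.

```nginx
# Added example, not the asker's or the answerer's config.
# Assumes: Tomcat on 127.0.0.1:8080 serving /jasperserver; TLS terminated here;
# certificate paths below are hypothetical.
http {
    # Nginx treats header names containing '_' as invalid by default and, with
    # ignore_invalid_headers on (also the default), drops them silently before
    # proxy_pass ever sees them. CsrfGuard's token header has underscores, so
    # JasperReports Server logs "required token is missing" on every POST.
    #
    # underscores_in_headers off;   # default: the CSRF header never reaches Tomcat
    underscores_in_headers on;      # fix: set at http level so it covers every
                                    # server block (nginx reads this directive from
                                    # the default server of a listen socket, which
                                    # is why a non-default server block may not help)

    server {
        listen 443 ssl;
        server_name mydomain.xyz;
        ssl_certificate     /etc/nginx/certs/mydomain.xyz.crt;   # hypothetical path
        ssl_certificate_key /etc/nginx/certs/mydomain.xyz.key;   # hypothetical path

        location /jasperserver {
            # No URI in proxy_pass: the request path is forwarded unchanged.
            proxy_pass http://127.0.0.1:8080;
            proxy_http_version 1.1;
            # Let Tomcat build redirects and absolute links for the public host.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Nothing else is needed for the token header itself: proxy_pass
            # forwards every request header that survived parsing.
        }
    }
}

# Check: nginx -t && nginx -s reload, then perform a user/role change through
# https://mydomain.xyz/jasperserver. The CsrfGuard "required token is missing"
# line should no longer appear in Tomcat's log.
```

If the header still goes missing, confirm the directive actually took effect with `nginx -T | grep underscores_in_headers` and make sure no other proxy, load balancer or WAF sits between Nginx and the client, since each hop parses headers with its own rules.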



Source: https://stackoverflow.com/questions/35691799/jasperserver-proxy-csrf-error
