Question
I have a new installation of JasperReports Server 6.2 using the bundled Tomcat on Ubuntu 14.04 LTS with an Nginx proxy so I can access https://mydomain.xyz/jasperserver. It mostly works, but I'm not able to manage users and roles. If I bypass Nginx and go straight to Tomcat http://123.123.123.123:8080/jasperserver, everything works perfectly. The log indicates:
2016-02-28 19:44:08,024 ERROR CsrfGuard,http-nio-8080-exec-3:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/jasperserver/flow.html, error:required token is missing from the request)
This is exactly the same as this older question: Running jasperserver behind nginx: Potential CSRF attack. But I've tried both mitigations suggested, and it's still not working.
- I tried setting underscores_in_headers on;, first in just http, then in server, then in both.
- When that didn't work, I removed the underscores from JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN in WEB-INF/esapi/Owasp.CsrfGuard.properties.
I rebooted the server just to be sure everything was cleared and restarted, but still not working.
I'm seeking suggestions for a resolution and/or guidance on where to look to diagnose the problem better. I'm new to Jasper and my Java/Tomcat skills are rusty.
Answer 1:
I know this is old now, but as of JasperReports Server 7.X, and probably earlier versions:
When proxying through Nginx to JasperReports Server, the underscores_in_headers on; setting must be in the nginx configuration.
It looks like from the discussion here the default OWASP_CSRFGUARD header JasperReports Server uses will be dropped by Nginx silently without this setting. No other proxy and load balancer I have come across does this.
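As an added illustration of the point made in this answer (this is example configuration written for this page, not configuration from the question, the answer, or the JasperReports project), here is a minimal nginx.conf that proxies https://mydomain.xyz/jasperserver to the bundled Tomcat. It assumes Tomcat listens on 127.0.0.1:8080, which matches the ip and port in the question's log line; the certificate paths are placeholders.

```nginx
# Added example: Nginx in front of JasperReports Server on the bundled Tomcat.
# Assumptions (not from the original post): Tomcat on 127.0.0.1:8080,
# public host name mydomain.xyz, placeholder TLS certificate paths.

events {
    worker_connections 1024;
}

http {
    # By default Nginx silently discards any client request header whose name
    # contains an underscore. JasperReports Server sends its CSRF token in such
    # a header (OWASP_CSRFTOKEN), so without this directive the token never
    # reaches Tomcat and CsrfGuard logs
    # "required token is missing from the request".
    # The directive is only valid in the http and server contexts.
    underscores_in_headers on;

    server {
        listen 443 ssl;
        server_name mydomain.xyz;

        ssl_certificate     /etc/nginx/certs/mydomain.xyz.crt;  # placeholder path
        ssl_certificate_key /etc/nginx/certs/mydomain.xyz.key;  # placeholder path

        location /jasperserver {
            proxy_pass http://127.0.0.1:8080/jasperserver;

            # Forward the original host and scheme so redirects and cookies
            # issued by the application point at the public URL, not at Tomcat.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

After editing, validate with nginx -t and reload. A quick way to confirm the header is now passed through is to watch the JasperReports Server log while performing a user-management action through the proxy: the CsrfGuard "potential cross-site request forgery (CSRF) attack thwarted" line quoted in the question should no longer appear, because the token is present rather than dropped at the proxy.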
Source: https://stackoverflow.com/questions/35691799/jasperserver-proxy-csrf-error