
I have a new installation of JasperReports Server 6.2 using the bundled Tomcat on Ubuntu 14.04 LTS with an Nginx proxy so I can access https://mydomain.xyz/jasperserver. It mostly works, but I'm not able to manage users and roles. If I bypass Nginx and go straight to Tomcat http://123.123.123.123:8080/jasperserver, everything works perfectly. The log indicates:

2016-02-28 19:44:08,024 ERROR CsrfGuard,http-nio-8080-exec-3:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/jasperserver/flow.html, error:required token is missing from the request)

This is exactly the same as this older question: Running jasperserver behind nginx: Potential CSRF attack. But I've tried both mitigations suggested, and it's still not working.

  • I tried setting underscores_in_headers on;, first in just http, then in server, then in both.
  • When that didn't work, I removed the underscores from JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN in WEB-INF/esapi/Owasp.CsrfGuard.properties.

I rebooted the server just to be sure everything was cleared and restarted, but it's still not working.

I'm seeking suggestions for a resolution and/or guidance on where to look to diagnose the problem better. I'm new to Jasper and my Java/Tomcat skills are rusty.


3 Answers


I know this is old now, but as of JasperReports Server 7.X, and probably earlier versions:

When proxying through Nginx to JasperReports Server, the underscores_in_headers on; setting must be in the nginx configuration.

It looks like, from the discussion here, the default OWASP_CSRFGUARD header JasperReports Server uses will be dropped by Nginx silently without this setting. No other proxy or load balancer I have come across does this.


I was struggling with similar issues and found no information in the logs at all, but this topic with the error message potential cross-site request forgery (CSRF) attack thwarted gave me an idea: I had a strict no-referrer policy in place by default. I changed that to a slightly more open policy and Jasper started working as expected.

Problem

You are able to navigate to your Jasper server and can login. But when you open a report you get an error message like this:

There was an error on the server. Try again or contact site administrators. (Error UID: some-stupid-uid-you'll-find-nowhere) 

Cause

Locking down the referrer policy will cause the mentioned problem.

add_header Referrer-Policy "no-referrer" always;

Solution

You need to allow at least referrer information when the origin and destination are the same. One example is:

add_header Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin" always;

For more details about the Referrer-Policy see https://scotthelme.co.uk/a-new-security-header-referrer-policy/

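As an added example (not taken from the question or from any of the answers above), here is an Nginx server block that puts the two fixes from the first and second answers together: `underscores_in_headers on;` so the underscored CSRFGuard token header is not silently discarded, and a Referrer-Policy that still sends the referrer on same-origin requests. The hostname, certificate paths and Tomcat address are placeholders.

```nginx
# Added example: Nginx in front of the bundled Tomcat serving /jasperserver.
# Hostname, certificate paths and the upstream address are placeholders.
server {
    listen 443 ssl;
    server_name mydomain.xyz;                              # placeholder
    ssl_certificate     /etc/ssl/certs/mydomain.crt;       # placeholder
    ssl_certificate_key /etc/ssl/private/mydomain.key;     # placeholder

    # Fix 1 (first answer): by default Nginx treats request headers that
    # contain underscores (OWASP_CSRFTOKEN, JASPER_CSRF_TOKEN) as invalid and
    # drops them without logging, so CSRFGuard sees "required token is missing".
    # Valid in the http or server context; it must apply to the server block
    # that actually handles /jasperserver.
    underscores_in_headers on;

    # Fix 2 (second answer): a blanket policy removes the Referer header that
    # CSRFGuard also checks, which breaks opening reports.
    # Weak setting (breaks Jasper):
    #   add_header Referrer-Policy "no-referrer" always;
    # Corrected: full referrer on same-origin requests, origin only cross-site.
    # The answer's "no-referrer-when-downgrade, origin-when-cross-origin"
    # works as well; this value is simply a stricter choice.
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location /jasperserver {
        proxy_pass http://127.0.0.1:8080/jasperserver;     # placeholder Tomcat address
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

If the token header is still missing after reloading Nginx, check whether another proxy or load balancer sits in front of it, or fall back to the third answer's approach of renaming the token header so it contains no underscore.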

I had the same error in Jasper Reports Server 7.2.X.

For me the solution was to change OWASP_CSRFTOKEN to OWASP-CSRFTOKEN.

# Change the token name to remove underscore
# http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
# https://tools.ietf.org/html/rfc7230#section-3.2
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
sed -i -e "s|OWASP_CSRFTOKEN|OWASP-CSRFTOKEN|g" /usr/local/tomcat/webapps/ROOT/WEB-INF/csrf/jrs.csrfguard.properties