
I have a new installation of JasperReports Server 6.2 using the bundled Tomcat on Ubuntu 14.04 LTS with an Nginx proxy so I can access https://mydomain.xyz/jasperserver. It mostly works, but I'm not able to manage users and roles. If I bypass Nginx and go straight to Tomcat http://123.123.123.123:8080/jasperserver, everything works perfectly. The log indicates:

2016-02-28 19:44:08,024 ERROR CsrfGuard,http-nio-8080-exec-3:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/jasperserver/flow.html, error:required token is missing from the request)

This is exactly the same as this older question: Running jasperserver behind nginx: Potential CSRF attack. But I've tried both mitigations suggested, and it's still not working.

  • I tried setting underscores_in_headers on;, first in just http, then in server, then in both.
  • When that didn't work, I removed the underscores from JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN in WEB-INF/esapi/Owasp.CsrfGuard.properties.

I rebooted the server just to be sure everything was cleared and restarted, but it's still not working.

I'm seeking suggestions for a resolution and/or guidance on where to look to diagnose the problem better. I'm new to Jasper and my Java/Tomcat skills are rusty.

radshop

4 Answers


I know this is old now, but as of JasperReports Server 7.X, and probably earlier versions:

When proxying through Nginx to JasperReports Server, the underscores_in_headers on; setting must be in the nginx configuration.

It looks like from the discussion here the default OWASP_CSRFGUARD header JasperReports Server uses will be dropped by Nginx silently without this setting. No other proxy and load balancer I have come across does this.


I was struggling with similar issues and found no information in the logs at all, but this topic with the error message "potential cross-site request forgery (CSRF) attack thwarted" gave me an idea: I had a strict no-referrer policy in place by default. I changed that to a slightly more open policy and Jasper started working as expected.

Problem

You are able to navigate to your Jasper server and can login. But when you open a report you get an error message like this:

There was an error on the server. Try again or contact site administrators. (Error UID: some-stupid-uid-you'll-find-nowhere) 

Cause

Locking down the referrer policy will cause the mentioned problem.

add_header Referrer-Policy "no-referrer" always;

Solution

You need to allow at least referrer information when the origin and destination are the same. One example is:

add_header Referrer-Policy "no-referrer-when-downgrade, origin-when-cross-origin" always;

For more details about the Referrer-Policy see https://scotthelme.co.uk/a-new-security-header-referrer-policy/

J J
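The two settings discussed in the answers above (underscores_in_headers on; from the first answer and a referrer policy that still sends a same-origin referrer from the second) in one Nginx reverse-proxy configuration. This is an added example, not configuration from the question or any answer; the host name, certificate paths and the Tomcat address are assumptions.

```nginx
# Added example: Nginx in front of the bundled Tomcat for JasperReports Server.
# Host name, certificate paths and upstream address are assumptions.
http {
    # Nginx silently drops request headers whose names contain underscores
    # unless this is on. JasperReports Server's CSRF token headers
    # (OWASP_CSRFTOKEN, JASPER_CSRF_TOKEN) contain underscores, so without it
    # CsrfGuard logs "required token is missing from the request".
    underscores_in_headers on;

    upstream jasperserver {
        server 127.0.0.1:8080;   # bundled Tomcat on the same host (assumption)
    }

    server {
        listen 443 ssl;
        server_name mydomain.xyz;
        ssl_certificate     /etc/ssl/certs/mydomain.xyz.pem;    # placeholder
        ssl_certificate_key /etc/ssl/private/mydomain.xyz.key;  # placeholder

        # "no-referrer" breaks report requests (second answer). Any policy that
        # still sends a referrer for same-origin requests works; this value is
        # the browser default and is chosen here as an example.
        add_header Referrer-Policy "strict-origin-when-cross-origin" always;

        location /jasperserver/ {
            # No URI on proxy_pass: the original request URI is forwarded as-is.
            proxy_pass http://jasperserver;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Do not put another add_header in this location: a location-level
            # add_header replaces all server-level add_header directives.
        }
    }
}
```

After reloading, a quick check is to log $http_owasp_csrftoken in a custom log_format and confirm it is non-empty for the AJAX requests that previously triggered the CsrfGuard error.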

I have the same mistake in Jasper Reports Server 7.2.X.

For me the solution was to change OWASP_CSRFTOKEN to OWASP-CSRFTOKEN.

# Change the token name to remove underscore
# http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
# https://tools.ietf.org/html/rfc7230#section-3.2
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
sed -i -e "s|OWASP_CSRFTOKEN|OWASP-CSRFTOKEN|g" /usr/local/tomcat/webapps/ROOT/WEB-INF/csrf/jrs.csrfguard.properties

As of version 8, none of these solutions work. I turned off CSRF by modifying this file: WEB-INF/csrf/jrs.csrfguard.properties

org.owasp.csrfguard.Enabled = false
org.owasp.csrfguard.Ajax=false
org.owasp.csrfguard.Config.Print = false

You will still get JavaScript errors, but login and authentication work. You can probably review the JS file jrs.csrfguard.js to see why it's still throwing the error. This worked in Firefox but not in Chrome.

manit