JasperServer proxy CSRF error


Question


I have a new installation of JasperReports Server 6.2 using the bundled Tomcat on Ubuntu 14.04 LTS with an Nginx proxy so I can access https://mydomain.xyz/jasperserver. It mostly works, but I'm not able to manage users and roles. If I bypass Nginx and go straight to Tomcat http://123.123.123.123:8080/jasperserver, everything works perfectly. The log indicates:


2016-02-28 19:44:08,024 ERROR CsrfGuard,http-nio-8080-exec-3:44 - potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, uri:/jasperserver/flow.html, error:required token is missing from the request)


This is exactly the same as this older question: Running jasperserver behind nginx: Potential CSRF attack. But I've tried both mitigations suggested, and it's still not working.

  • I tried setting underscores_in_headers on;, first in just http, then in server, then in both.
  • When that didn't work, I removed the underscores from JASPER_CSRF_TOKEN and OWASP_CSRFTOKEN in WEB-INF/esapi/Owasp.CsrfGuard.properties.


I rebooted the server just to be sure everything was cleared and restarted, but still not working.


I'm seeking suggestions for a resolution and/or guidance on where to look to diagnose the problem better. I'm new to Jasper and my Java/Tomcat skills are rusty.

Recommended answer


I have the same error in Jasper Reports Server 7.2.X.


For me the solution was to change OWASP_CSRFTOKEN to OWASP-CSRFTOKEN.

# Change the token name to remove underscore
# http://nginx.org/en/docs/http/ngx_http_core_module.html#underscores_in_headers
# https://tools.ietf.org/html/rfc7230#section-3.2
# https://www.w3.org/Protocols/rfc2616/rfc2616-sec4.html#sec4.2
sed -i -e "s|OWASP_CSRFTOKEN|OWASP-CSRFTOKEN|g" /usr/local/tomcat/webapps/ROOT/WEB-INF/csrf/jrs.csrfguard.properties
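As an added illustration (not code from the question or the answer above), this script models nginx's default request-header name filtering and checks whether the token names in a constructed CsrfGuard properties excerpt would reach Tomcat; the property keys in the sample are hypothetical.

```python
import re

# Constructed excerpt of a CsrfGuard properties file; the keys are hypothetical.
SAMPLE_PROPERTIES = """\
# constructed sample, not the file shipped with JasperReports Server
org.owasp.csrfguard.TokenName=OWASP_CSRFTOKEN
jasper.csrf.TokenName=JASPER_CSRF_TOKEN
org.owasp.csrfguard.Ajax=true
"""

# nginx accepts letters, digits and '-' in request header names by default;
# '_' is accepted only with `underscores_in_headers on`. Any other name is
# invalid, and nginx silently drops it under the default
# `ignore_invalid_headers on`, so the upstream never sees the token.
_NAME_DEFAULT = re.compile(r"^[A-Za-z0-9-]+$")
_NAME_UNDERSCORES = re.compile(r"^[A-Za-z0-9_-]+$")


def nginx_forwards(header_name, underscores_in_headers=False):
    """True if nginx would pass a header with this name to the upstream."""
    pattern = _NAME_UNDERSCORES if underscores_in_headers else _NAME_DEFAULT
    return pattern.match(header_name) is not None


def token_names(properties_text):
    """Return {key: value} for properties whose key ends in 'TokenName'."""
    names = {}
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower().endswith("tokenname"):
            names[key] = value
    return names


def audit(properties_text, underscores_in_headers=False):
    """Map each configured token name to whether its header survives the proxy."""
    return {value: nginx_forwards(value, underscores_in_headers)
            for value in token_names(properties_text).values()}


def rename_tokens(properties_text):
    """Replace '_' with '-' in every token name, as the sed command above does."""
    fixed = properties_text
    for value in token_names(properties_text).values():
        fixed = fixed.replace(value, value.replace("_", "-"))
    return fixed
```

Running audit() before and after rename_tokens() shows why the hyphenated name works regardless of the proxy's underscores_in_headers setting.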

