Hi Anders,
First, thanks so much for all of the time and effort that you devote to supporting our community. It is much appreciated.
This issue has been a frustration ever since we started working on our project over a year ago on Joget 7. Our AWS Marketplace Joget instance sits behind an AWS Elastic Load Balancer in order to share our Certificate across our Live, Staging and Development servers. Calls to the server on https are routed through the Load Balancer and its certificate, which then satisfies the user's browser. Then it is routed to the Joget port on http. However, it seems that Tomcat is confused and sees http and https as two different instances and complains, if I understand correctly. AWS engineers have not been able to offer a configuration solution for the Elastic Load Balancer, the Target Group or the Rules to make Tomcat happy. So in temporary desperation we disabled org.owasp.csrfguard and the errors stopped. But when we tried the same thing with 8 it no longer solved the issue. Here are some examples of the current errors when we access Joget via the first URL below with the csrf properties unchanged:
yields
with the full URL being:
The log yields
INFO 06 Jun 2023 15:47:04 org.displaytag.properties.TableProperties - LocaleResolver initialized to org.joget.apps.app.web.LocalLocaleResolver.
INFO 06 Jun 2023 15:47:28 org.joget.apps.workflow.security.WorkflowAuthenticationProvider - Authentication for user admin (0:0:0:0:0:0:0:1) : true
INFO 06 Jun 2023 15:47:42 org.joget.apps.workflow.security.WorkflowAuthenticationProvider - Authentication for user ruser (91.225.15.79) : true
INFO 06 Jun 2023 15:47:42 org.joget.apps.workflow.security.WorkflowHttpAuthProcessingFilter - Authentication for user ruser (91.225.15.79) : true
ERROR 06 Jun 2023 15:47:45 org.owasp.csrfguard.servlet.JavaScriptServlet - Referer domain 'https://ws5.ifcsn.org/jw/web/embed/userview/ifcsn/requesterDashboard/_/reqPro?var_rukey=wayneprinciplefoundationorg&j_username=ruser&j_password=passwordA1!&_lang=en' does not match request domain: 'http://ws5.ifcsn.org/jw/csrf'
INFO 06 Jun 2023 15:47:45 org.joget.apps.workflow.security.WorkflowAuthenticationProvider - Authentication for user ruser (91.225.15.79) : true
INFO 06 Jun 2023 15:47:45 org.joget.apps.workflow.security.WorkflowHttpAuthProcessingFilter - Authentication for user ruser (91.225.15.79) : true
ERROR 06 Jun 2023 15:47:45 org.owasp.csrfguard.action.Log - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:172.31.38.179, method:POST, uri:/jw/web/embed/userview/ifcsn/requesterDashboard/_/reqPro, error:Request Token does not match the Master Token)
From the error messages, it appears that Tomcat does not know that it is in an HTTPS environment. I believe this could just be a Tomcat configuration issue. Perhaps you can try creating a separate Tomcat connector with the appropriate scheme like in https://serverfault.com/questions/742922/configure-tomcat-behind-reverseproxy/743947#743947. Then point your load balancer to that connector instead.
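One way to apply that suggestion, as an added example that is not part of this thread, of Joget's shipped server.xml or of the linked Server Fault answer: a Tomcat server.xml fragment that tells Tomcat the requests it receives over plain HTTP from the load balancer were originally HTTPS. Port 8081 and the 172.31.0.0/16 proxy range are assumptions chosen for illustration (the log above shows the balancer's internal address as 172.31.38.179); scheme, secure, proxyPort and the RemoteIpValve attributes are standard Tomcat configuration.

```xml
<!-- Added example, not Joget's or this thread's own server.xml.
     Tomcat instance sitting behind a load balancer that terminates TLS
     and forwards plain HTTP. Assumed: the existing Joget connector listens
     on 8080, 8081 is the new example port, 443 is the public HTTPS port. -->
<Service name="Catalina">

  <!-- Existing plain-HTTP connector, left untouched for direct or local access. -->
  <Connector port="8080" protocol="HTTP/1.1"
             connectionTimeout="20000"
             redirectPort="8443" />

  <!-- Option 1: a dedicated connector for traffic from the load balancer.
       Tomcat still speaks plain HTTP on this port, but scheme, secure and
       proxyPort make request.getScheme() return "https", request.isSecure()
       return true, and generated absolute URLs use https://443.
       The ELB target group should point at this port only. -->
  <Connector port="8081" protocol="HTTP/1.1"
             connectionTimeout="20000"
             scheme="https"
             secure="true"
             proxyPort="443" />

  <Engine name="Catalina" defaultHost="localhost">
    <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">

      <!-- Option 2 (alternative to option 1): derive scheme and client IP from
           the X-Forwarded-Proto / X-Forwarded-For headers the balancer adds.
           internalProxies limits which upstream addresses are trusted to set
           them, so a client connecting directly cannot assert "https" itself.
           The 172.31.x.x pattern is an assumed VPC range for this example. -->
      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             remoteIpHeader="X-Forwarded-For"
             protocolHeader="X-Forwarded-Proto"
             internalProxies="172\.31\.\d{1,3}\.\d{1,3}" />
    </Host>
  </Engine>
</Service>
```

After restarting Tomcat, the check is that the CSRFGuard line "Referer domain 'https://...' does not match request domain: 'http://...'" no longer appears for requests that come through the balancer, because both sides of the comparison are now https. With option 1, restrict port 8081 at the security-group level to the load balancer, since that connector reports https for anything that reaches it; option 2 gets the same protection from internalProxies, and also restores the real client address in the log instead of the balancer's 172.31.x.x address.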
Hi, what is the error that you are getting? But why would you want to disable it in the first place? It is a security feature, and it should be kept enabled to protect against cross-site request forgery attacks.
Please see my update.
Like another questioner, I also was able to disable org.owasp.csrfguard.Enabled = true in JogetDX 7 but this yields an error in JogetDX 8. Also making DomainMatch=false as suggested by another member does not solve this for me.