Grouper / GRP-5032

OWASP_CSRFTOKEN header has underscore, not passed along by nginx


Details

    • Type: Improvement
    • Resolution: Unresolved
    • Priority: Minor
    • Component: UI

    Description

      Trying to debug a Grouper UI error going to any page besides the main page. Comparing the browser headers vs. the ones seen by the server, the OWASP_CSRFTOKEN header is missing. There is an nginx front end forwarding to Grouper, but possibly another hop too.

      Internet searches suggest that nginx by default doesn't pass headers containing an underscore. See https://stackoverflow.com/q/17920949. The fix is likely to configure nginx to allow underscores:

      server {
         ...
         underscores_in_headers on;
         ...
      }

      but I haven't tested this yet. Longer-term, if it's possible to change this header name to replace or remove the underscore, it means Grouper would work out of the box with nginx without customization. The header string is in the OWASP configuration, the JavaScript, and the Java code, so it may not be a trivial change that end users can do.
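      The browser-vs-upstream header comparison described in this issue, written out as a small diagnostic. This is an added example, not code from the issue reporter or from the Grouper project. It models nginx's header-name rule as the editor understands it from nginx's request parser: a header name may contain letters, digits and '-'; '_' is accepted only when underscores_in_headers is on; any other character makes the header invalid, and with the default ignore_invalid_headers on it is silently dropped before the request is proxied. The header dictionaries and the token value are constructed sample data, and underscores_in_headers is the only real nginx directive the script refers to.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: what the browser sends to the nginx front end.
# The token value is a placeholder, not a real CSRF token.
BROWSER_HEADERS: Dict[str, str] = {
    "Host": "grouper.example.org",
    "Cookie": "JSESSIONID=<constructed-session-id>",
    "OWASP_CSRFTOKEN": "<constructed-token>",
    "X-Requested-With": "XMLHttpRequest",
    "Content-Type": "application/x-www-form-urlencoded",
}


def nginx_forwards_header(name: str, underscores_in_headers: bool = False) -> bool:
    """Return True if nginx treats this header name as valid and forwards it.

    Assumption (editor's reading of nginx's parser): valid name characters are
    A-Z, a-z, 0-9 and '-'; '_' only with `underscores_in_headers on;`.
    Anything else is an invalid header and is dropped by ignore_invalid_headers.
    """
    allowed = "A-Za-z0-9\\-" + ("_" if underscores_in_headers else "")
    return re.fullmatch(f"[{allowed}]+", name) is not None


def simulate_proxy(browser_headers: Dict[str, str],
                   underscores_in_headers: bool = False) -> Dict[str, str]:
    """Headers the upstream application would receive through nginx."""
    return {
        name: value
        for name, value in browser_headers.items()
        if nginx_forwards_header(name, underscores_in_headers)
    }


def diagnose_missing(browser_headers: Dict[str, str],
                     upstream_headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Compare header names seen in the browser with those the upstream
    application actually received, and explain each missing one.

    Comparison is case-insensitive because header names are."""
    upstream_names = {name.lower() for name in upstream_headers}
    findings: List[Tuple[str, str]] = []
    for name in browser_headers:
        if name.lower() in upstream_names:
            continue
        if "_" in name and nginx_forwards_header(name, underscores_in_headers=True):
            reason = ("name contains '_': dropped by nginx unless "
                      "`underscores_in_headers on;` is set")
        elif not nginx_forwards_header(name, underscores_in_headers=True):
            reason = ("name has a character nginx never accepts: dropped by "
                      "ignore_invalid_headers")
        else:
            reason = "not an nginx header-name rule: look at the next hop"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    # Default nginx: the CSRF header vanishes before reaching Grouper.
    received = simulate_proxy(BROWSER_HEADERS)
    for name, reason in diagnose_missing(BROWSER_HEADERS, received):
        print(f"missing upstream: {name}: {reason}")
    # With underscores_in_headers on, every header gets through.
    print(sorted(simulate_proxy(BROWSER_HEADERS, underscores_in_headers=True)))
```

      Feed `diagnose_missing` the real header lists captured in the browser and at the application (for example from a request-dumping servlet filter or the upstream access log) to tell an nginx drop apart from a header lost at another hop; the directive belongs in the http or server context of the nginx configuration.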

      People: Chris Hyzer (upenn.edu), Chad Redman