Details
- Type: Bug
- Resolution: Invalid
- Priority: Minor
Description
Importing configs by pasting contents and clicking submit. No change in the page. Grouper log shows:

```
grouper_1 | grouper;grouper_error.log;dev;nothing;2024-01-22T00:29:29,780: [http-nio-0.0.0.0-8080-exec-2] ERROR JavaScriptServlet.writeJavaScript(267) - [] - Referer domain 'http://localhost:8080/grouper/grouperUi/app/UiV2Main.index?operation=UiV2Main.indexMain' does not match request domain: 'https://localhost:8080/grouper/grouperExternal/public/OwaspJavaScriptServlet'
grouper_1 | grouper;grouper_error.log;dev;nothing;2024-01-22T00:29:52,281: [http-nio-0.0.0.0-8080-exec-10] ERROR Log.execute(73) - [] - potential cross-site request forgery (CSRF) attack thwarted (user:GrouperSystem, ip:192.168.144.1, method:POST, uri:/grouper/grouperUi/app/UiV2Configure.configurationFileImportSubmit, error:Required Token is missing from the Request)
```
Config import works in 4.10.1 and is broken in 4.10.2.
This is a demo container running on 8080, so the issue may be related to that. These are the startup environment vars:
```yaml
grouper:
  image: "i2incommon/grouper:4.10.2"
  restart: always
  ports:
    - "80:80"
    - "443:443"
    - "8080:8080"
    - "8443:8443"
    - "8000:5005"
  command:
    - quickstart
  environment:
    - GROUPERSYSTEM_QUICKSTART_PASS=pass
    - GROUPER_RUN_APACHE=false
    - GROUPER_RUN_TOMCAT_NOT_SUPERVISOR=true
    - GROUPER_RUN_SHIB_SP=false
    - GROUPER_MORPHSTRING_ENCRYPT_KEY=abcd1234
    - GROUPER_DATABASE_PASSWORD=pass
    - GROUPER_DATABASE_USERNAME=postgres
    - GROUPER_DATABASE_URL=jdbc:postgresql://postgres:5432/postgres
    - GROUPER_AUTO_DDL_UPTOVERSION=4.*.*
  volumes:
    - ./grouper-files-common/grouper-loader.properties:/opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
    - ./grouper-files-common/subject.properties:/opt/grouper/slashRoot/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
```
I do see that in 4.10.2 the GROUPER_HTTP_CONNECTOR env var sets a connector for 8080, but one which sets scheme="https". This may be the cause of the OWASP "does not match request domain" error.
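The failure chain the two log lines describe, reproduced as an added illustration (this is not Grouper's or OWASP CSRFGuard's own code). Tomcat builds the request URL that a servlet sees from the connector's `scheme` attribute, not from what the browser actually spoke, so a connector declared with `scheme="https"` on port 8080 yields an `https://localhost:8080/...` request URL for a plain-HTTP client while the browser's Referer still says `http://localhost:8080/...`. The comparison below treats scheme, host and port as the "domain", which is what the logged mismatch shows; the real CSRFGuard comparison may differ in detail and is an assumption here. The URLs and port are taken from the report; the `check_connector` helper and its return shape are mine.

```python
"""Model the CSRFGuard-style referer check that fails in the report above.

Added illustration, not CSRFGuard or Grouper code. The connector scheme is
assumed to drive the reconstructed request URL the way Tomcat's
HttpServletRequest.getRequestURL() does.
"""
from urllib.parse import urlsplit

# Values copied from the bug report's log lines.
SERVLET_PATH = "/grouper/grouperExternal/public/OwaspJavaScriptServlet"
BROWSER_REFERER = ("http://localhost:8080/grouper/grouperUi/app/"
                   "UiV2Main.index?operation=UiV2Main.indexMain")


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) for an absolute http(s) URL.

    A missing port is filled with the scheme default so that
    https://host and https://host:443 compare equal.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not an absolute http(s) URL: {url!r}")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def tomcat_request_url(connector_scheme: str, host: str, port: int, path: str) -> str:
    """Reconstruct the request URL as a servlet container does: the scheme
    comes from the connector definition, not from the wire."""
    return f"{connector_scheme}://{host}:{port}{path}"


def referer_matches_request(referer: str, request_url: str) -> bool:
    """The check modelled on the 'does not match request domain' log line."""
    return origin_of(referer) == origin_of(request_url)


def check_connector(connector_scheme: str, referer: str = BROWSER_REFERER) -> dict:
    """Simulate one load of the OWASP JavaScript servlet on port 8080.

    If the referer check fails, the servlet logs the mismatch and emits no
    token; the later form POST then lacks the token and is rejected, which is
    the second error in the report.
    """
    request_url = tomcat_request_url(connector_scheme, "localhost", 8080, SERVLET_PATH)
    token_issued = referer_matches_request(referer, request_url)
    return {
        "request_url": request_url,
        "token_issued": token_issued,
        "import_post_outcome": "accepted" if token_issued
        else "rejected: Required Token is missing from the Request",
    }


if __name__ == "__main__":
    # scheme="https" on the 8080 connector, browser on plain http: mismatch
    print(check_connector("https"))
    # scheme="http" on the same connector: referer and request line up
    print(check_connector("http"))
    # TLS terminated upstream and the browser really uses https: also fine
    print(check_connector("https", referer=BROWSER_REFERER.replace("http://", "https://", 1)))
```

The two passing cases show the two legitimate configurations: either the connector's declared scheme matches the scheme the browser actually used, or TLS is terminated in front of Tomcat and `scheme="https"` is then correct because the browser's Referer is also `https://`. Declaring `scheme="https"` on a connector that clients reach over plain HTTP, as in the demo setup here, is the combination that breaks the token handshake.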