This is in Grouper 2.2 UI. btw, Ive heard this does not work with IE8.
Set this in log4j.properties for enhanced logging
log4j.logger.edu.internet2.middleware.grouper.grouperUi.csrf.CsrfGuardLogger = DEBUG |
If you are using nginx make sure to set this setting
underscores_in_headers on; |
If you have logic running (other than what is built in to Grouper) in the Grouper UI application (this is not common), you can add CSRF protection in the grouper-ui.properties
# If you have logic running from the Grouper webapp, put some comma-separated URL patterns, starting with slash # and after the context, e.g. /grouperExternal/public/UiV2Public.index # ${valueType: "string"} csrfguard.extraFilterPatterns = |
If a request is made that is protected and the CSRF token is not present, an error will occur
You can see a log in the UI of what the request was:
2021-05-16 10:34:09,309: [http-nio-8400-exec-10] ERROR CsrfGuardLogger.log(47) - - potential cross-site request forgery (CSRF) attack thwarted (user:GrouperSystem, ip:0:0:0:0:0:0:0:1, method:GET, uri:/grouper/grouperUi/app/UiV2Main.gif, error:required token is missing from the request) |
You can unprotect URLs from CSRF in the Owasp.CsrfGuard.overlay.properties file (append to this file in a container script hook)
org.owasp.csrfguard.unprotected.<someUniqueKey>=%servletContext%/someUrl/whatever |