000011606 - Unable to log on to the RSA Access Manager Entitlements Manger (AdminGUI) after upgrade

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Apr 22, 2017
Version 2Show Document
  • View in full screen mode

Article Content

Article Number000011606
Applies ToRSA Access Manager 6.1.4 (SP4)
RSA Access Manager Entitlements Manager (AdminGUI)
IssueUnable to log on to the RSA Access Manager Entitlements Manger (AdminGUI) after upgrade
The Entitlements Manger logon page is displayed and the administrator is able to log on, but then is directed to the InvalidSession.jsp page and the browser displays "Session Expired"
The tomcat access log file shows a 302 redirect to InvalidSession.jsp
The tomcat standard output log shows the following:
org.owasp.csrfguard.CsrfGuardException: required token is missing from the request
at org.owasp.csrfguard.CsrfGuard.verifyAjaxToken(CsrfGuard.java:596)
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:381)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:70)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.j
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Unknown Source)
[Tue Nov 06 01:17:37 PST 2012] [Error] potential cross-site request forgery (CSRF) attack thwarted (
user:, ip:, uri:/axm-admin-gui-, error:required tok
en is missing from the request)
org.owasp.csrfguard.CsrfGuardException: required token is missing from the request
CauseIn SP4 a new security feature called CsrfGuard was introduced.  This servlet prevents cross site scripting (Cross Site Request Forgery) by introducing session tracking.  If  an new RSA Access Manger Entitlements Manager (AdminGUI) war file axm-admin-gui.war file is deployed and the previous installation was not completely removed then the application may incorrectly determine that an attack is being perpetrated.
ResolutionRemove the temporary files from the previous installation of the axm-admin-gui.war file 
Stop Apache Tomcat
Delete the axm-asmin-gui.war application
Delete the contents of the directory /Tomcat/work/catalina/Localhost/
Redeploy the axm-admin-gui.war file
Start Apache Tomcat
WorkaroundUpgraded to RSA Access Manger SP4 6.1.4
Legacy Article IDa61338