000035579 - In RSA Identity Governance & Lifecycle the warning 'No CSRF guard token was found in the submitted request' is encountered during login

Document created by RSA Customer Support Employee on Apr 4, 2018. Last modified by RSA Customer Support Employee on Aug 15, 2019.
Version 2

Article Content

Article Number: 000035579
Applies To: RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: All
Issue: In RSA Identity Governance & Lifecycle, the following warning is encountered during login:

No CSRF guard token was found in the submitted request


Observe the Admin Errors in the User Interface (Admin > Admin Errors > Summary tab):

(Screenshot: No CSRF guard token error)



The following warnings may be found in the aveksaServer.log:

09/21/2017 09:19:45.654 WARN (http-0.0.0.0-8443-5) [com.aveksa.UI] com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:520) - No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.:

Login ID: 20378
Request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit
Referrer: https://myaccess.server.com/aveksa/main?SSOLogin=false
com.aveksa.server.core.SecurityException: No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.
at com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:520)
at com.aveksa.gui.core.ACMFramework.handleSecurityError(ACMFramework.java:451)
at com.aveksa.gui.util.security.CSRFGuard.validateCRSFToken(CSRFGuard.java:63)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:277)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:254)
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:176)
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:125)
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:411)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:67)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:701)
09/21/2017 09:19:45.669 ERROR (http-0.0.0.0-8443-5) [com.aveksa.UI] com.aveksa.gui.core.MainManager.showRequestError(MainManager.java:356) - XXX.XX.XX.XXX invalid request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit

or,

06/11/2015 12:22:26.936 WARN (http-0.0.0.0-8443-127) [com.aveksa.UI] com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:494) - No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.:

Login ID: x111111
Request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit
Referrer: https://myaccess.server.com/aveksa/main?
com.aveksa.server.core.SecurityException: No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.
at com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:494)
at com.aveksa.gui.core.ACMFramework.handleSecurityError(ACMFramework.java:407)
-----
06/11/2015 12:57:08.534 INFO (http-0.0.0.0-8443-71) [com.aveksa.UI] com.aveksa.gui.core.LoginLogout.loginUser(LoginLogout.java:54) - User logged in: x111111::SessionCount=16::UserCount=16
06/11/2015 12:57:21.534 WARN (http-0.0.0.0-8443-71) [com.aveksa.server.help.HelpManager] Can't find Help mapping for pageID=ReviewReportDetailDashboard
06/11/2015 13:00:52.029 ERROR (http-0.0.0.0-8443-126) [com.aveksa.UI] com.aveksa.gui.components.table.core.DefaultTableModel.getObjects(DefaultTableModel.java:178)
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
 

Cause: Essentially, any time you POST data to RSA Identity Governance & Lifecycle while you have an active session, the posted data has to include a Cross-Site Request Forgery (CSRF) guard token that matches the one bound to your session.

The first time you log in, the POST for the login page does not perform this check, because you do not have a session yet. If you log in successfully, we generate a secure random token and associate it with the session. We also include the token as a hidden value on all forms the product generates. From that point forward, as long as that session is active, any request that comes from the browser will include the token (because we put it in all the forms before serving them to the client), and we can match it to the session. Any POST that comes from somewhere else, i.e. not from the same User Interface where the user logged in and had a CSRF token generated, will not carry the token and will fail.

If you are seeing this error on login, then it means the system thinks you already have an active session. You might be working in different tabs of the same browser or a previous session is still active.

This is the most common cause of a CSRF error, and it follows directly from how the tokens work: when a session is terminated, its token normally becomes invalid. In some cases the token remains valid for a while after the session is terminated, but this does no harm to the environment.
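The token lifecycle described above, as an added model in Python (not the product's own code): a session gets a secure random token at login, every served form carries it as a hidden field, and a POST is only exempt from the check when no session exists. The field name csrfToken and the in-memory session store are assumptions; the product's real parameter names are not on this page. login_with_stale_session reproduces the article's scenario of a login form submitted while an earlier session is still active.

```python
import hmac
import secrets

CSRF_FIELD = "csrfToken"  # assumed field name; the real parameter name is not on the page
NO_TOKEN_MSG = "No CSRF guard token was found in the submitted request"

class SecurityException(Exception):
    """Raised when a POST arrives for an active session without a valid token."""

class SessionStore:
    """Minimal model of server-side sessions keyed by the session cookie value."""
    def __init__(self):
        self.sessions = {}  # session_id -> {"user": ..., "csrf": ...}

    def login(self, user):
        # Successful login: new session plus a secure random token bound to it.
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def logout(self, sid):
        # Terminating the session invalidates its token.
        self.sessions.pop(sid, None)

    def hidden_field(self, sid):
        # The hidden value the server puts into every form it serves to this session.
        return {CSRF_FIELD: self.sessions[sid]["csrf"]}

    def validate_post(self, cookie_sid, form):
        session = self.sessions.get(cookie_sid)
        if session is None:
            return "no-session"  # first login: no session yet, so no token check
        submitted = form.get(CSRF_FIELD)  # active session: token is mandatory
        if submitted is None:
            raise SecurityException(NO_TOKEN_MSG)
        if not hmac.compare_digest(submitted, session["csrf"]):
            raise SecurityException("CSRF guard token does not match the session")
        return "ok"

def login_with_stale_session(store):
    # The article's scenario: the login form is submitted while an earlier session is
    # still active (another tab, or never logged out), so the browser sends the session
    # cookie but the login form carries no token. Returns the block message, or None.
    sid = store.login("x111111")  # constructed login ID, echoing the log excerpt
    login_form = {"ReqType": "GetPage", "PageID": "LoginPage", "Action": "Submit"}
    try:
        store.validate_post(sid, login_form)
    except SecurityException as exc:
        return str(exc)
    return None
```

Closing the browser (or logging out) removes the session, which is why the same login POST succeeds afterwards without a token.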
Resolution: If you are seeing this error on login, then it means the system thinks you already have an active session. Close out and restart your browser, then log in to RSA Identity Governance & Lifecycle.
