Unable to log on to the RSA Access Manager Entitlements Manager (AdminGUI) after upgrade
The Entitlements Manager logon page is displayed and the administrator is able to log on, but is then redirected to the InvalidSession.jsp page and the browser displays "Session Expired".
The Tomcat access log shows a 302 redirect to InvalidSession.jsp.
The Tomcat standard output log shows the following:
org.owasp.csrfguard.CsrfGuardException: required token is missing from the request
at org.owasp.csrfguard.CsrfGuard.verifyAjaxToken(CsrfGuard.java:596)
at org.owasp.csrfguard.CsrfGuard.isValidRequest(CsrfGuard.java:381)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:70)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
at org.apache.jk.server.JkCoyoteHandler.invoke(JkCoyoteHandler.java:190)
at org.apache.jk.common.HandlerRequest.invoke(HandlerRequest.java:291)
at org.apache.jk.common.ChannelSocket.invoke(ChannelSocket.java:776)
at org.apache.jk.common.ChannelSocket.processConnection(ChannelSocket.java:705)
at org.apache.jk.common.ChannelSocket$SocketConnection.runIt(ChannelSocket.java:898)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:690)
at java.lang.Thread.run(Unknown Source)
[Tue Nov 06 01:17:37 PST 2012] [Error] potential cross-site request forgery (CSRF) attack thwarted (user:, ip:10.31.137.93, uri:/axm-admin-gui-6.1.4.02/JavaScriptServlet, error:required token is missing from the request)
org.owasp.csrfguard.CsrfGuardException: required token is missing from the request
In SP4 a new security feature called CsrfGuard was introduced. This servlet prevents cross-site request forgery (CSRF) by introducing session tracking: each request must carry the token issued for the current session, and a request without it is logged as a thwarted attack, as in the "required token is missing from the request" error above. If a new RSA Access Manager Entitlements Manager (AdminGUI) axm-admin-gui.war file is deployed and the previous installation was not completely removed, the application may incorrectly determine that an attack is being perpetrated.
Remove the temporary files from the previous installation of the axm-admin-gui.war file:
Stop Apache Tomcat
Delete the axm-admin-gui.war application
Delete the contents of the directory /Tomcat/work/catalina/Localhost/
Redeploy the axm-admin-gui.war file
Start Apache Tomcat
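The cleanup steps above as a script, added here as an example and not part of the RSA article. It assumes a stock Tomcat layout under CATALINA_HOME (webapps/ and work/Catalina/localhost/, which may differ in case from the path quoted above), the WAR name axm-admin-gui.war, and that the operator stops Tomcat before running it and starts Tomcat afterwards; the running-JVM check and the backup copy of the work directory are additions for safety, not steps from the article.

```shell
#!/bin/sh
# Added example (not from the RSA article): scripted cleanup of a stale
# Entitlements Manager deployment before redeploying axm-admin-gui.war.
# Assumptions: stock Tomcat directory layout, WAR name below, Tomcat stopped.
set -eu

WAR_NAME="axm-admin-gui.war"
APP_NAME="axm-admin-gui"

# Refuse to touch the work directory while a Tomcat JVM is running; its
# compiled JSPs and session state are in use then. Returns 0 if running.
tomcat_running() {
    command -v pgrep >/dev/null 2>&1 || return 1
    pgrep -f org.apache.catalina.startup.Bootstrap >/dev/null 2>&1
}

# $1 = CATALINA_HOME, $2 = path of the new axm-admin-gui.war to deploy
clean_admin_gui() {
    catalina_home="$1"
    new_war="$2"
    webapps="$catalina_home/webapps"
    work="$catalina_home/work/Catalina/localhost"

    [ -d "$webapps" ] || { echo "not a Tomcat home: $catalina_home" >&2; return 1; }
    [ -f "$new_war" ]  || { echo "new WAR not found: $new_war" >&2; return 1; }
    if tomcat_running; then
        echo "Tomcat is still running; stop it first" >&2
        return 1
    fi

    # Delete the old application: exploded directory and any WAR copy,
    # including versioned names such as axm-admin-gui-6.1.4.02.
    rm -rf "$webapps/$APP_NAME"*

    # Clear the work directory (compiled JSPs and other per-context state
    # left by the previous installation). Keep a copy for later inspection
    # rather than destroying the only evidence of what was there.
    if [ -d "$work" ]; then
        backup="$catalina_home/work/stale-$(date +%Y%m%d%H%M%S)"
        mkdir -p "$backup"
        cp -R "$work/." "$backup/"
        rm -rf "$work"
    fi
    mkdir -p "$work"

    # Redeploy: stage the new WAR so Tomcat expands it on the next start.
    cp "$new_war" "$webapps/$WAR_NAME"
}

# Returns 0 when no stale Entitlements Manager state remains under $1:
# no exploded app directory, the new WAR staged, and an empty work directory.
verify_clean() {
    catalina_home="$1"
    work="$catalina_home/work/Catalina/localhost"
    for d in "$catalina_home/webapps/$APP_NAME"*/; do
        [ -e "$d" ] && return 1
    done
    [ -f "$catalina_home/webapps/$WAR_NAME" ] || return 1
    [ -z "$(ls -A "$work" 2>/dev/null)" ]
}
```

Run it between the "Stop Apache Tomcat" and "Start Apache Tomcat" steps, for example `clean_admin_gui /opt/tomcat /tmp/axm-admin-gui.war && verify_clean /opt/tomcat` (paths are placeholders). If verify_clean fails, do not start Tomcat until the leftover under webapps/ or work/ has been identified, since that is exactly the state that trips CsrfGuard.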