Article Number
000035579
Applies To
RSA Product Set: Identity Governance & Lifecycle
RSA Version/Condition: All
Issue
In RSA Identity Governance & Lifecycle, the following warning is encountered during login:
No CSRF guard token was found in the submitted request
Observe the Admin Errors in the User Interface (Admin > Admin Errors > Summary tab):
The following warnings may be found in the aveksaServer.log:
09/21/2017 09:19:45.654 WARN (http-0.0.0.0-8443-5) [com.aveksa.UI] com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:520) - No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.:
Login ID: 20378
Request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit
Referrer: https://myaccess.server.com/aveksa/main?SSOLogin=false
com.aveksa.server.core.SecurityException: No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.
at com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:520)
at com.aveksa.gui.core.ACMFramework.handleSecurityError(ACMFramework.java:451)
at com.aveksa.gui.util.security.CSRFGuard.validateCRSFToken(CSRFGuard.java:63)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:277)
at com.aveksa.gui.pages.PageManager.handleRequest(PageManager.java:254)
at com.aveksa.gui.core.MainManager.handleRequest(MainManager.java:176)
at com.aveksa.gui.core.MainManager.doGet(MainManager.java:125)
at com.aveksa.gui.core.MainManager.doPost(MainManager.java:411)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.aveksa.gui.core.filters.LoginFilter.doFilter(LoginFilter.java:67)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at com.aveksa.gui.util.security.XSSFilter.doFilter(XSSFilter.java:20)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:701)
09/21/2017 09:19:45.669 ERROR (http-0.0.0.0-8443-5) [com.aveksa.UI] com.aveksa.gui.core.MainManager.showRequestError(MainManager.java:356) - XXX.XX.XX.XXX invalid request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit
or,
06/11/2015 12:22:26.936 WARN (http-0.0.0.0-8443-127) [com.aveksa.UI] com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:494) - No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.:
Login ID: x111111
Request: https://myaccess.server.com/aveksa/main?ReqType=GetPage&PageID=LoginPage&Action=Submit
Referrer: https://myaccess.server.com/aveksa/main?
com.aveksa.server.core.SecurityException: No CSRF guard token was found in the submitted request. This may indicate an attack on the server. Request is blocked.
at com.aveksa.gui.core.GuiFramework.handleSecurityError(GuiFramework.java:494)
at com.aveksa.gui.core.ACMFramework.handleSecurityError(ACMFramework.java:407)
-----
06/11/2015 12:57:08.534 INFO (http-0.0.0.0-8443-71) [com.aveksa.UI] com.aveksa.gui.core.LoginLogout.loginUser(LoginLogout.java:54) - User logged in: x111111::SessionCount=16::UserCount=16
06/11/2015 12:57:21.534 WARN (http-0.0.0.0-8443-71) [com.aveksa.server.help.HelpManager] Can't find Help mapping for pageID=ReviewReportDetailDashboard
06/11/2015 13:00:52.029 ERROR (http-0.0.0.0-8443-126) [com.aveksa.UI] com.aveksa.gui.components.table.core.DefaultTableModel.getObjects(DefaultTableModel.java:178)
Please refer to RSA Knowledge Base Article 000030327 -- Artifacts to gather in RSA Identity Governance & Lifecycle to find the location of the log files for your specific deployment.
Cause
Any time you POST data to RSA Identity Governance & Lifecycle while you have an active session, the posted data must include a Cross-Site Request Forgery (CSRF) token that matches the one stored in your session.
The first login POST is exempt from this check because no session exists yet. On a successful login the product generates a secure random token, associates it with the session, and includes it as a hidden value on every form it generates. From then on, for as long as that session is active, every request the browser submits from those forms carries the token, and the server matches it against the session. A POST that comes from anywhere else, that is, not from a form served by the user interface in which the user logged in and received a token, does not carry the token and is rejected.
If you see this error on login, the system believes you already have an active session: you may be working in several tabs of the same browser, or a previous session is still active.
This is the most common cause of a CSRF error, and it follows directly from the token logic above. The token is bound to the session, so when the session is terminated the token normally becomes invalid. In some cases the token remains valid for a while after the session is terminated; this causes no harm to the environment.
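The following Python model of the synchronizer-token check walks through the logic described above and reproduces the login-time failure. It is an added example written for this article, not RSA Identity Governance & Lifecycle code; the class and function names, the hidden-field name csrfToken, and the page identifiers other than LoginPage are assumptions made for illustration.

```python
"""Synchronizer-token CSRF check modelled on the behaviour the article describes.

Added example, NOT RSA Identity Governance & Lifecycle code. The hidden-field name
CSRF_FIELD, the SessionStore/handle_post names and the "Dashboard" page ID are
assumptions; only the LoginPage exemption and the token-per-session rule come from
the article.
"""
import hmac
import re
import secrets
from dataclasses import dataclass
from html import escape
from typing import Dict, Optional, Tuple

CSRF_FIELD = "csrfToken"  # assumed hidden-field name; the article does not name it


class SecurityException(Exception):
    """Raised when a request is blocked (mirrors com.aveksa.server.core.SecurityException)."""


@dataclass
class Session:
    user: str
    csrf_token: str


class SessionStore:
    """Server-side sessions keyed by the session-cookie value."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def get(self, session_id: Optional[str]) -> Optional[Session]:
        return self._sessions.get(session_id) if session_id else None

    def login(self, user: str) -> str:
        """Create a session with a fresh, unguessable token and return the session ID."""
        session_id = secrets.token_urlsafe(32)
        self._sessions[session_id] = Session(user, secrets.token_urlsafe(32))
        return session_id

    def logout(self, session_id: Optional[str]) -> None:
        # Dropping the session invalidates its token: nothing is left to match against.
        if session_id:
            self._sessions.pop(session_id, None)


def render_form(session: Session, action: str) -> str:
    """Every form generated for a logged-in session carries the token as a hidden field."""
    return (f'<form method="POST" action="{escape(action)}">'
            f'<input type="hidden" name="{CSRF_FIELD}" value="{escape(session.csrf_token)}"></form>')


def submitted_fields(form_html: str) -> Dict[str, str]:
    """What a browser would POST back from a rendered form (hidden fields only, for this demo)."""
    return dict(re.findall(r'name="([^"]+)" value="([^"]+)"', form_html))


def validate_csrf_token(session: Session, form: Dict[str, str]) -> None:
    submitted = form.get(CSRF_FIELD)
    if submitted is None:
        raise SecurityException("No CSRF guard token was found in the submitted request")
    # Constant-time comparison so the check leaks nothing about the stored token.
    if not hmac.compare_digest(submitted, session.csrf_token):
        raise SecurityException("CSRF guard token does not match the session")


def handle_post(store: SessionStore, cookie: Optional[str], page_id: str,
                form: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Dispatch a POST; returns (status, session cookie to use from now on)."""
    session = store.get(cookie)
    if session is None:
        if page_id == "LoginPage":
            # First login: no session exists, so there is no token to check against.
            # Credential verification is out of scope for this example.
            return "logged-in", store.login(form.get("user", ""))
        raise SecurityException("No session for a non-login request")
    # A session exists, so every POST, including a second LoginPage submit from
    # another tab or a still-active earlier session, must carry the session's token.
    validate_csrf_token(session, form)
    return "ok", cookie


def reproduce_article_scenario() -> Dict[str, str]:
    """Walks through the login-time error and the article's resolution."""
    store, outcome = SessionStore(), {}
    # Tab 1: first login, no session yet, so no token is required.
    status, cookie = handle_post(store, None, "LoginPage", {"user": "x111111"})
    outcome["first login"] = status
    # Any later form the product renders carries the token, so the POST succeeds.
    form = submitted_fields(render_form(store.get(cookie), "/aveksa/main?PageID=Dashboard"))
    outcome["form post with token"] = handle_post(store, cookie, "Dashboard", form)[0]
    # Tab 2: a login page rendered before the session existed has no token, but the
    # browser still sends the session cookie, so the server sees an active session.
    try:
        handle_post(store, cookie, "LoginPage", {"user": "x111111"})
    except SecurityException as exc:
        outcome["second login, session active"] = f"blocked: {exc}"
    # Resolution: restart the browser. The session cookie is gone, so the next login
    # POST takes the no-session path again; the old server-side session lingers harmlessly.
    outcome["login after browser restart"] = handle_post(store, None, "LoginPage", {"user": "x111111"})[0]
    return outcome
```

The "second login, session active" step is exactly the situation in the log above: the LoginPage submit arrives with a live session cookie but no token, so the guard blocks it and records the warning. The real product differs in field names and session handling, but the decision order (no session and LoginPage: allow; session present: token required) is the one the article describes.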
Resolution
If you see this error on login, the system believes you already have an active session. Close all windows of the browser, restart it, and then log in to RSA Identity Governance & Lifecycle again.