CSRF Filters not working in 8.0.4

Yellowfin FAQ shared this problem 2 years ago
Defect Fixed

CSRF Filters are currently not working in 8.0.4. This behavior will first present itself as an "HTTP Status 403 - Forbidden" error page upon attempting to log in.

The stacktrace in the logs will be as follows:

YF:2019-12-22 21:55:07: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====

Technically, you can work around this by adding to the Ignore parameters in your web.xml file a "*.i4" parameter for each "HTTP Status 403 - Forbidden" page error you receive. For example, to log in you can add "/BrowserCheck.i4, /MIEntry.i4". But of course, you'll likely run into this all over the application. As one additional example, if you attempt to navigate Browse > Browse All, you'll run into the same issue with MIDashboard.i4.

There is a defect logged for this with Highest priority, and it will be addressed by the dev team as soon as possible. We'll provide further updates as they come along.
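An added example, not part of the original post or Yellowfin's own code: a small Python script that tallies the paths rejected by the CSRF filter from log lines in the format quoted above, so a temporary Ignore list covers only the paths actually affected. The sample lines are constructed from the paths named in this thread, and the function names are hypothetical.

```python
import re
import sys
from collections import Counter

# Matches the CSRFFilter warning format shown in the log excerpts on this page.
# The prefix before the timestamp ("YF", "BMC:SR", ...) varies per deployment.
CSRF_WARN = re.compile(
    r"^(?P<prefix>.+?):(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\s*WARN\s+"
    r"\(CSRFFilter:internalDoFilter\) - =+ Nounce did not match! "
    r"Requested Path: (?P<path>\S+) =+\s*$"
)

# Constructed sample input, modelled on the log lines quoted in this thread.
SAMPLE_LOG = """\
YF:2019-12-22 21:55:07: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====
YF:2019-12-22 21:55:07: INFO (YFErroPage:processError) - Processing Error Page...
YF:2019-12-22 21:55:09: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /MIEntry.i4 =====
YF:2019-12-22 21:56:30: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /MIDashboard.i4 =====
YF:2019-12-22 21:57:02: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====
BMC:SR:2020-12-17 08:52:05: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /SmartReporting/onboarding/router.jsp =====
"""


def rejected_paths(lines):
    """Count CSRF-filter rejections per requested path, exactly as logged."""
    hits = Counter()
    for line in lines:
        m = CSRF_WARN.match(line.strip())
        if m:
            # Assumption: drop any query string so one page is counted once.
            hits[m.group("path").split("?", 1)[0]] += 1
    return hits


def ignore_candidates(hits):
    """Comma-separated paths, most frequent first, in the style quoted in the post."""
    ordered = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return ", ".join(path for path, _ in ordered)


if __name__ == "__main__":
    # Pass a log file path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            hits = rejected_paths(fh)
    else:
        hits = rejected_paths(SAMPLE_LOG.splitlines())
    for path, count in hits.most_common():
        print(f"{count:5d}  {path}")
    print("Ignore candidates:", ignore_candidates(hits))
```
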

Comments (4)

Updates regarding this will be posted here.

This Idea has been resolved and can be found in the latest build 8.0.5. You can download the latest builds of Yellowfin here.

Regards,

Mike

Hi Mike,

Getting a similar sort of error in 8.02:

BMC:SR:2020-12-17 08:52:05:DEBUG (AdministrationService:remoteAdministrationCall) - Authenticated User: 14180 for remote login (NTLM)

BMC:SR:2020-12-17 08:52:05:DEBUG (AdministrationService:remoteAdministrationCall) - remoteAdministrationCall() completed with status: SUCCESS

BMC:SR:2020-12-17 08:52:05:DEBUG (BrowserInfo:A) - Could not match user-agent string: Java/12.0.2

BMC:SR:2020-12-17 08:52:05: INFO (YFErroPage:processError) - Processing Error Page...

BMC:SR:2020-12-17 08:52:05: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /SmartReporting/onboarding/router.jsp =====

BMC:SR:2020-12-17 08:52:05: INFO (YFErroPage:processError) - Processing Error Page...

Any idea if it's related?

Thanks,

Nick

Hi Nick,

This looks to be related. This was fixed in 8.0.4, so it makes sense you may experience this issue in 8.0.2.

Regards,

Mike