CSRF Filters not working in 8.0.4

Yellowfin FAQ shared this problem 13 months ago
Defect Fixed

CSRF Filters are currently not working in 8.0.4. This behavior will first present itself as an "HTTP Status 403 - Forbidden" error page upon attempting to log in.

The stacktrace in the logs will be as follows:

YF:2019-12-22 21:55:07: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====

Technically, you can work around this by adding to the Ignore parameters in your web.xml file a "*.i4" parameter for each "HTTP Status 403 - Forbidden" page error you receive. For example, to log in you can add "/BrowserCheck.i4, /MIEntry.i4". But of course, you'll likely run into this all over the application. As one additional example, if you attempt to navigate Browse > Browse All, you'll run into the same issue with MIDashboard.i4.

There is a defect logged for this with Highest priority, and it will be addressed by the dev team as soon as possible. We'll provide further updates as they come along.

Comments (4)

Updates regarding this will be posted here.

This Idea has been resolved and can be found in the latest build, 8.0.5. You can download the latest builds of Yellowfin here.

Regards,

Mike

Hi Mike,

Getting a similar sort of error in 8.02:

BMC:SR:2020-12-17 08:52:05:DEBUG (AdministrationService:remoteAdministrationCall) - Authenticated User: 14180 for remote login (NTLM)

BMC:SR:2020-12-17 08:52:05:DEBUG (AdministrationService:remoteAdministrationCall) - remoteAdministrationCall() completed with status: SUCCESS

BMC:SR:2020-12-17 08:52:05:DEBUG (BrowserInfo:A) - Could not match user-agent string: Java/12.0.2

BMC:SR:2020-12-17 08:52:05: INFO (YFErroPage:processError) - Processing Error Page...

BMC:SR:2020-12-17 08:52:05: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /SmartReporting/onboarding/router.jsp =====

BMC:SR:2020-12-17 08:52:05: INFO (YFErroPage:processError) - Processing Error Page...

Any idea if it's related?

Thanks,

Nick

Hi Nick,

This looks to be related. This was fixed in 8.0.4, so it makes sense you may experience this issue in 8.0.2.

Regards,

Mike
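
Added example (not part of the thread and not Yellowfin code): a Python script that tallies the CSRFFilter rejections seen in the two log excerpts above by requested path, with first and last occurrence. The line layout is inferred from those excerpts; `SAMPLE_LOG`, `csrf_rejections` and the repeated `/BrowserCheck.i4` line are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: lines quoted in the thread, plus one constructed
# repeat of the /BrowserCheck.i4 rejection two seconds later.
SAMPLE_LOG = """\
YF:2019-12-22 21:55:07: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====
YF:2019-12-22 21:55:09: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /BrowserCheck.i4 =====
BMC:SR:2020-12-17 08:52:05:DEBUG (BrowserInfo:A) - Could not match user-agent string: Java/12.0.2
BMC:SR:2020-12-17 08:52:05: INFO (YFErroPage:processError) - Processing Error Page...
BMC:SR:2020-12-17 08:52:05: WARN (CSRFFilter:internalDoFilter) - ===== Nounce did not match! Requested Path: /SmartReporting/onboarding/router.jsp =====
"""

# Assumed layout: <prefix>:<timestamp>:<level> (<class>:<method>) - <message>
LINE_RE = re.compile(
    r"^(?P<prefix>.+?):(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}):\s*"
    r"(?P<level>[A-Z]+)\s+\((?P<source>[^)]+)\)\s+-\s+(?P<msg>.*)$"
)
# "Nounce" is the spelling the filter writes to the log.
REJECT_RE = re.compile(r"Nounce did not match! Requested Path:\s*(?P<path>\S+)")


def csrf_rejections(lines):
    """Return {path: {"count", "first", "last"}} for CSRFFilter rejections."""
    summary = {}
    for raw in lines:
        line = LINE_RE.match(raw.strip())
        # Skip unparseable lines and anything not logged by the CSRF filter.
        if not line or not line["source"].startswith("CSRFFilter:"):
            continue
        hit = REJECT_RE.search(line["msg"])
        if not hit:
            continue
        when = datetime.strptime(line["ts"], "%Y-%m-%d %H:%M:%S")
        entry = summary.setdefault(
            hit["path"], {"count": 0, "first": when, "last": when}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
    return summary


if __name__ == "__main__":
    for path, info in sorted(csrf_rejections(SAMPLE_LOG.splitlines()).items()):
        print(f"{info['count']:>4}  {info['first']}  {info['last']}  {path}")
```

Each path in the result is one that the workaround in the original post would have to list under the Ignore parameters.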