CSRF token mismatch during login.
Trace:
[07:01:21:901]|[10-05-2021]|[com.adventnet.servicedesk.authentication.internal.LoginUtil]|[INFO]|[69]: Invalid login CSRF token provided ::: sessionToken : null; cookieToken : 79928721-48fc-4f84-9236-e78667e7a846; paramToken : c7d8f99c-b34a-4233-bcec-b0990e73700e;|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: java.lang.NullPointerException|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: at com.adventnet.servicedesk.authentication.internal.LoginUtil.isCaptchaAuthEnabled(LoginUtil.java:539)|
Fix:
- For versions above 14303 there is no CSRF issue.
- For versions above 13008, upgrade to the latest version or contact support for the partial workaround for SD-106516.
- If -Ddisable_login_page_csrf is present in run.sh, run.bat or wrapper.conf, remove the entire line (if it resembles the line given in the 'Older Workaround') from all of those files.
- For versions above 11308, upgrade to the latest version to get the fixes for both SD-106516 and SD-102314.
- If that is not possible, try the 'Older Workaround'.
- For older versions, kindly upgrade to get all fixes; if that is not possible, try the 'Older Workaround'.
Older Workaround (not recommended):
This workaround is only for versions below 13008. Do not try this if your version is 13008 or above. Conversely, in versions above 13008 the lines below should be removed if present.
- Add a new line to conf/wrapper.conf:
For example, if 43 is the last added line in wrapper.conf,
wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=
add a new line numbered 44 like the one below:
wrapper.java.additional.44=-Ddisable_login_page_csrf=true
- For starting via run.bat, search for 'tunneling' and add the following line immediately after the matching line in run.bat.
set JAVA_OPTS=%JAVA_OPTS% -Ddisable_login_page_csrf=true
- For starting via run.sh, search for 'tunneling' and add the following line immediately after the matching line in run.sh.
JAVA_OPTS="$JAVA_OPTS -Ddisable_login_page_csrf=true"
- Restart the SDP service (or re-run the application from run.bat/run.sh) to apply the changes.
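The following POSIX shell functions are an added example (not ManageEngine's own tooling) covering both maintenance tasks described above: computing the next wrapper.java.additional.N index and appending the workaround line for builds below 13008, and, for builds where the workaround must come out again, deleting only lines that exactly match the three workaround forms shown while listing any other line that still mentions the flag (for instance one merged into a longer JAVA_OPTS line) for manual review. The file layout under <sdp> (conf/wrapper.conf, bin/run.sh, bin/run.bat), the .bak backup and the CSRF_DEMO/SDP_HOME variables are assumptions of this example; version gating is left to the operator.

```shell
CSRF_FLAG='-Ddisable_login_page_csrf=true'

# Exact shapes of the three 'Older Workaround' lines (wrapper.conf, run.sh, run.bat).
# Trailing whitespace or CR is tolerated so a CRLF run.bat still matches.
WORKAROUND_LINE_RE='^(wrapper\.java\.additional\.[0-9]+=-Ddisable_login_page_csrf=true|JAVA_OPTS="\$JAVA_OPTS -Ddisable_login_page_csrf=true"|set JAVA_OPTS=%JAVA_OPTS% -Ddisable_login_page_csrf=true)[[:space:]]*$'

# Next free wrapper.java.additional.N index: highest existing N plus one (1 if none)
next_wrapper_index() {
    last=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
    echo $(( ${last:-0} + 1 ))
}

# Append the wrapper.conf workaround line (only appropriate for builds below 13008).
# Prints the index used; fails without touching the file if the flag is already there.
add_wrapper_workaround() {
    f=$1
    if grep -q -- "$CSRF_FLAG" "$f"; then
        echo "flag already present in $f" >&2
        return 1
    fi
    n=$(next_wrapper_index "$f")
    printf 'wrapper.java.additional.%s=%s\n' "$n" "$CSRF_FLAG" >> "$f"
    echo "$n"
}

# Remove lines that exactly match a workaround form, keeping a .bak copy.
# Prints how many lines were removed.
remove_workaround_lines() {
    f=$1
    cp "$f" "$f.bak"
    removed=$(grep -c -E "$WORKAROUND_LINE_RE" "$f.bak" || true)
    grep -v -E "$WORKAROUND_LINE_RE" "$f.bak" > "$f" || true
    echo "$removed"
}

# Lines that still mention the flag (e.g. merged into a longer JAVA_OPTS line)
# need a manual edit; list them with line numbers.
leftover_flag_lines() {
    grep -n -- '-Ddisable_login_page_csrf' "$1" || true
}

# Audit an install for the flag. Assumed layout: <sdp>/conf/wrapper.conf,
# <sdp>/bin/run.sh, <sdp>/bin/run.bat (adjust to your installation).
audit_install() {
    for f in "$1/conf/wrapper.conf" "$1/bin/run.sh" "$1/bin/run.bat"; do
        [ -f "$f" ] || continue
        lines=$(leftover_flag_lines "$f")
        if [ -n "$lines" ]; then
            printf '%s:\n%s\n' "$f" "$lines"
        fi
    done
    return 0
}

# Demo: set CSRF_DEMO=1 and SDP_HOME to the install root to list flagged lines
if [ "${CSRF_DEMO:-0}" = 1 ]; then
    audit_install "${SDP_HOME:-/opt/ManageEngine/ServiceDesk}"
fi
```

Run `audit_install <sdp>` first on any upgraded instance; if it prints nothing, no workaround line is present and there is nothing to remove. Restart the SDP service after any change, as the steps above require.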
Fix for certain versions:
Please don't apply these fixes if you are on a different version.
- Download the zip named csrf_<version>.zip from the attachments and unzip it.
- Place csrf_<version>.fjar in the '<sdp>/fixes' folder.
- If the zip contains a Login.js file, go to '<sdp>/webapps/ROOT/scripts'
- rename Login.js to Login.js.old (or move the file to a safe location outside SDP)
- place the downloaded Login.js there.
- Restart SDP service for the changes to take effect.
- To revert, undo the changes and restart SDP service.