CSRF login Issue

Issue:

CSRF token mismatch during login.

Trace:

[07:01:21:901]|[10-05-2021]|[com.adventnet.servicedesk.authentication.internal.LoginUtil]|[INFO]|[69]: Invalid login CSRF token provided ::: sessionToken : null; cookieToken : 79928721-48fc-4f84-9236-e78667e7a846; paramToken : c7d8f99c-b34a-4233-bcec-b0990e73700e;|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: java.lang.NullPointerException|
[07:01:21:901]|[10-05-2021]|[SYSERR]|[INFO]|[69]: at com.adventnet.servicedesk.authentication.internal.LoginUtil.isCaptchaAuthEnabled(LoginUtil.java:539)|

Fix:

  1. For versions above 14303 there is no CSRF issue.
  2. For versions above 13008, upgrade to the latest version or contact support for the partial workaround for SD-106516.
    1. If -Ddisable_login_page_csrf is present in run.sh, run.bat or wrapper.conf, remove the entire line (if it resembles the line given in the 'Older Workaround' below) from all of those files.
  3. For versions above 11308, upgrade to the latest version to get the fix for both SD-106516 and SD-102314.
    1. If upgrading is not possible, try the 'Older Workaround'.
  4. For older versions, kindly upgrade to get all fixes; if that is not possible, try the 'Older Workaround'.



Fix for certain versions:

Please don't apply these fixes if you are on a different version.
  1. Download the zip named csrf_<version>.zip from the attachments and unzip it.
  2. Place csrf_<version>.fjar in the '<sdp>/fixes' folder.
  3. If the zip contains a Login.js file, go to '<sdp>/webapps/ROOT/scripts':
    1. rename the existing Login.js to Login.js.old (or move the file to the desktop or any safe location outside SDP);
    2. place the downloaded Login.js there.
  4. Restart the SDP service for the changes to take effect.
  5. To revert, undo the changes and restart the SDP service.

Version | Jars/Scripts       | To apply
------- | ------------------ | -------------
14205   | csrf_14205_v2.fjar | fjar
14700   | csrf_v3_14700.zip  | fjar + script

Older Workaround:

This workaround is only for versions below 13008. Do not try this if your version is 13008 or above; in versions above 13008 the lines below should instead be removed.
  1. Add a new line in conf/wrapper.conf:
      For example, if 43 is the last added line in wrapper.conf,
            wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=
      add a new line with number 44, like below:
            wrapper.java.additional.44=-Ddisable_login_page_csrf=true
  2. For starting via run.bat, search for 'tunneling' and add the following line next to the matched line in run.bat:
            set JAVA_OPTS=%JAVA_OPTS% -Ddisable_login_page_csrf=true
  3. For starting via run.sh, search for 'tunneling' and add the following line next to the matched line in run.sh:
            JAVA_OPTS="$JAVA_OPTS -Ddisable_login_page_csrf=true"
  4. Restart the SDP service (or re-run the application from run.bat/run.sh) to apply the changes.
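An added audit helper, not part of this article or of ServiceDesk Plus itself: it reports which startup files still carry the -Ddisable_login_page_csrf flag (so it can be removed after an upgrade past 13008), strips those lines, and computes the next free wrapper.java.additional index so the workaround line does not clobber an existing property. The <sdp>/bin location of run.sh and run.bat and the sample files are assumptions.

```shell
#!/bin/sh
# Added audit helper (not from the KB article or the product); assumes the layout
# <sdp>/conf/wrapper.conf, <sdp>/bin/run.sh and <sdp>/bin/run.bat.

FLAG='-Ddisable_login_page_csrf'

# List the startup files under $1 that still carry the older workaround flag.
# Returns 0 if the flag is set anywhere (it should be gone on builds above 13008), 1 if clean.
csrf_flag_present() {
  rc=1
  for f in "$1/conf/wrapper.conf" "$1/bin/run.sh" "$1/bin/run.bat"; do
    [ -f "$f" ] || continue
    if grep -q -- "$FLAG" "$f"; then
      echo "workaround still present in $f"
      rc=0
    fi
  done
  return $rc
}

# Remove every line that sets the flag from the three startup files (fix list, step 2.1).
remove_csrf_flag() {
  for f in "$1/conf/wrapper.conf" "$1/bin/run.sh" "$1/bin/run.bat"; do
    [ -f "$f" ] || continue
    grep -v -- "$FLAG" "$f" > "$f.tmp" || true   # grep -v exits 1 when nothing remains
    mv "$f.tmp" "$f"
  done
}

# Next free wrapper.java.additional.N index in the given wrapper.conf.
next_wrapper_index() {
  n=$(sed -n 's/^wrapper\.java\.additional\.\([0-9][0-9]*\)=.*/\1/p' "$1" | sort -n | tail -n 1)
  echo $(( ${n:-0} + 1 ))
}

# Constructed sample SDP home for a dry run; not a real installation.
make_sample_home() {
  d=$(mktemp -d)
  mkdir -p "$d/conf" "$d/bin"
  printf '%s\n' 'wrapper.java.additional.43=-Djdk.http.auth.tunneling.disabledSchemes=' \
                'wrapper.java.additional.44=-Ddisable_login_page_csrf=true' > "$d/conf/wrapper.conf"
  printf '%s\n' 'JAVA_OPTS="$JAVA_OPTS -Ddisable_login_page_csrf=true"' > "$d/bin/run.sh"
  echo "$d"
}
```

Run `csrf_flag_present /path/to/sdp` on a real installation after upgrading; a clean result (exit status 1) means the older workaround has been fully removed.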
