"CSRF Security Error" with Glassfish

PostPosted: Fri Nov 04, 2011 9:25 pm
by linuxforever
Hi folks,

I have a problem with Subsonic when I try to add elements to the playlist and start listening to music. Each time I get a popup with "CSRF Security Error".
I pass through a reverse proxy to get access to the Glassfish server containing Subsonic. I can listen to music with my smartphone, but I can't use the web interface.

Can anyone help me?

Tim.

Re: "CSRF Security Error" with Glassfish

PostPosted: Tue Dec 25, 2012 8:09 pm
by Fieryhail
I am also having the same issue. I am running Glassfish 3.1.1 with Subsonic 4.7 deployed on it. No issues with third-party players, whether iSub for iOS, the Android player, or even SubAir on the desktop. However, any time I use the web interface I continuously get "CSRF Security Error" popups. I have run a much earlier version of Subsonic (somewhere in early 3.x) on a Glassfish 2.x server, but this was some time ago. I remember I had some difficulties getting everything working, but eventually all was good. From what I'm seeing, this issue is related to the web server side of Glassfish? Has anyone else found a resolution to this? Having a similar issue?

Re: "CSRF Security Error" with Glassfish

PostPosted: Tue Dec 25, 2012 8:26 pm
by hakko
When I ran into it, I followed the first post from Google on how to solve it and it worked. I can't tell exactly what the security implications are, though.

http://pwu-developer.blogspot.se/2011/0 ... error.html

Re: "CSRF Security Error" with Glassfish

PostPosted: Tue Dec 25, 2012 11:42 pm
by Fieryhail
Thanks,

After doing some research into HttpOnly itself, and specifically in the Glassfish realm, I discovered that it is enabled by default in GF 3.1. I used the information at this site:

http://java.net/jira/browse/GLASSFISH-15730

Specifically:

--------
HttpOnly is set to true by default for security reasons.

If the app does not have a cookie-config in the web.xml, then it can be overridden by a default value in default-web.xml by
adding the following:
<session-config>
    <cookie-config>
        <http-only>false</http-only>
    </cookie-config>
</session-config>
-----

This seems to work, no more issues with CSRF Security. However, maybe a better option would be to extract the .war file, create the setting in the Subsonic app itself and then re-package it, so as not to enable that for the entire GF domain.
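Why HttpOnly triggers this error: the AJAX layer Subsonic uses (DWR) protects against cross-site request forgery with a double-submit check. The page script reads the JSESSIONID from document.cookie and echoes it in each request body; the server compares that echoed value with the cookie the browser sent and rejects the request on mismatch. A cross-site page cannot read the cookie, so it cannot produce a matching echo. With HttpOnly set, the legitimate page script cannot read it either, so every request fails the same check. The following JavaScript is an added simulation of that check, not code from this thread, from Subsonic or from DWR; the cookie values and function names are constructed for illustration.

```javascript
// Simulation of a double-submit session-cookie CSRF check (hypothetical
// names; not Subsonic or DWR code). Shows why an HttpOnly session cookie
// makes the legitimate client fail the same test that blocks cross-site pages.

// Parse a Cookie header or document.cookie string into a name -> value map.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) out[name] = rest.join("=");
  }
  return out;
}

// Server side: the browser always attaches the session cookie to same-origin
// requests. Accept only if the script-supplied copy matches that cookie.
function serverCheck(cookieHeader, echoedSessionId) {
  const sessionId = parseCookies(cookieHeader)["JSESSIONID"];
  if (!sessionId || sessionId !== echoedSessionId) {
    return { ok: false, error: "CSRF Security Error" };
  }
  return { ok: true };
}

// Browser side: build the cookie string a given party can see. HttpOnly
// cookies are still sent in the Cookie header but are hidden from script.
function visibleToScript(cookies, httpOnlyNames) {
  return Object.entries(cookies)
    .filter(([name]) => !httpOnlyNames.has(name))
    .map(([name, value]) => `${name}=${value}`)
    .join("; ");
}

// Legitimate page script: echo whatever session id document.cookie exposes.
function clientEcho(documentCookie) {
  return parseCookies(documentCookie)["JSESSIONID"] || "";
}

// Constructed scenario: the browser holds a session cookie for the app origin.
const browserCookies = { JSESSIONID: "constructed-session-id-1234", theme: "dark" };
// The Cookie header the browser sends contains everything, HttpOnly or not.
const cookieHeader = visibleToScript(browserCookies, new Set());

// Same-origin request with the session cookie flagged HttpOnly or not.
function sameOriginRequest(httpOnly) {
  const hidden = httpOnly ? new Set(["JSESSIONID"]) : new Set();
  const documentCookie = visibleToScript(browserCookies, hidden);
  return serverCheck(cookieHeader, clientEcho(documentCookie));
}

// Cross-site request: the browser still attaches the cookie, but a foreign
// page cannot read it, so nothing valid is echoed and the check rejects it.
function crossSiteRequest() {
  return serverCheck(cookieHeader, "");
}

console.log(sameOriginRequest(false)); // { ok: true }
console.log(sameOriginRequest(true));  // { ok: false, error: 'CSRF Security Error' }
console.log(crossSiteRequest());       // { ok: false, error: 'CSRF Security Error' }
```

The simulation makes the trade-off in the fix above visible: setting http-only to false restores the echo for the legitimate page, while the cross-site case stays rejected because the forging page still cannot read the cookie. What is given up is HttpOnly's protection of the session cookie against script injected into the page, which is why scoping the change to the Subsonic web.xml rather than the domain-wide default-web.xml is the narrower choice.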

Re: "CSRF Security Error" with Glassfish

PostPosted: Wed Dec 26, 2012 7:34 am
by hakko
Thanks for reading up on it and posting that link! That's some useful information.