Hi folks,
I have a problem with Subsonic when I try to add elements in the playlist and to start listening music. Each times I have a popup with "CSRF Security Error".
I pass through a reverse proxy to have an access to the Glassfish server containing Subsonic. I can listen music with my smartphone, but I can't use the web interface.
Anyone can help me ?
Tim.
"CSRF Security Error" with Glassfish
Moderator: moderators
5 posts
• Page 1 of 1
"CSRF Security Error" with Glassfish
by linuxforever » Fri Nov 04, 2011 9:25 pm
- linuxforever
- Posts: 1
- Joined: Fri Nov 04, 2011 9:19 pm
Re: "CSRF Security Error" with Glassfish
by Fieryhail » Tue Dec 25, 2012 8:09 pm
I also am having the same issue. I am running Glassfish 3.1.1 and subsonic 4.7 deployed on it. No issues with third party players whether iSub for IOS, the Android player, or even SubAir on the desktop. However, any time I use the web interface I continuously get "CSRF Security Error" popups. I have run a much earlier version of Subsonic (Somewhere in early 3.x) on Glassfish 2.x server but this was some time ago. I remember I had some difficulties in getting everything working but eventually all was good. From what I'm seeing this issue is related to the web server side of Glassfish? Has anyone else found a resolution to this? Having a similar issue?
- Fieryhail
- Posts: 6
- Joined: Wed Mar 09, 2011 9:10 pm
Re: "CSRF Security Error" with Glassfish
by hakko » Tue Dec 25, 2012 8:26 pm
When I ran into it, I followed the first post from Google on how to solve it and it worked. I can't tell exactly what the security implications are, though.
http://pwu-developer.blogspot.se/2011/0 ... error.html
http://pwu-developer.blogspot.se/2011/0 ... error.html
MusicCabinet developer
- hakko
- Posts: 1416
- Joined: Tue Apr 17, 2012 7:05 pm
- Location: Sweden
Re: "CSRF Security Error" with Glassfish
by Fieryhail » Tue Dec 25, 2012 11:42 pm
Thanks,
After doing some research into HTTPOnly itself and specifically in the Glassfish realm I discovered that it is enabled as a default in GF 3.1. I used the information at this site:
http://java.net/jira/browse/GLASSFISH-15730
Specifically:
--------
HttpOnly is set to true by default for security reason.
If the the app does not have a cookie-config in the web.xml, then it can overridden by a default value in default-web.xml by
adding the following:
<session-config>
<cookie-config>
<http-only>false</http-only>
</cookie-config>
</session-config>
-----
This seems to work, no more issues with CSRF Security, however, maybe better option would be to extract the .war file and create the setting in the subsonic app itself and then re-packaging it so as not to enable that for the entire GF domain.
After doing some research into HTTPOnly itself and specifically in the Glassfish realm I discovered that it is enabled as a default in GF 3.1. I used the information at this site:
http://java.net/jira/browse/GLASSFISH-15730
Specifically:
--------
HttpOnly is set to true by default for security reason.
If the the app does not have a cookie-config in the web.xml, then it can overridden by a default value in default-web.xml by
adding the following:
<session-config>
<cookie-config>
<http-only>false</http-only>
</cookie-config>
</session-config>
-----
This seems to work, no more issues with CSRF Security, however, maybe better option would be to extract the .war file and create the setting in the subsonic app itself and then re-packaging it so as not to enable that for the entire GF domain.
- Fieryhail
- Posts: 6
- Joined: Wed Mar 09, 2011 9:10 pm
Re: "CSRF Security Error" with Glassfish
by hakko » Wed Dec 26, 2012 7:34 am
Thanks for reading up on in and posting that link! That's some useful information.
MusicCabinet developer
- hakko
- Posts: 1416
- Joined: Tue Apr 17, 2012 7:05 pm
- Location: Sweden
5 posts
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 59 guests