8

I'm trying out the WSO2 Identity Server.
I downloaded version 5.4.0 and started the server on my Windows machine with wso2server.bat --run.
If I try to log in to the console with the default credentials (admin / admin), I get an error 403 - Forbidden, and the console shows this message:

WARN {org.owasp.csrfguard.log.JavaLogger} - potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:0:0:0:0:0:0:0:1, method:POST, uri:/carbon/admin/login_action.jsp, error:required token is missing from the request)

Is there something else I need to configure before I can try out the console?

Paolo Tedesco

2 Answers

8

This is a known issue with JDK 8u151. You can use JDK 8u144.

Ref: https://docs.wso2.com/display/AM210/Installation+Prerequisites

Bee
  • Thanks for the link; instead of downgrading the JDK I turned off compression in /repository/conf/tomcat/catalina-server.xml and it worked. – Paolo Tedesco Dec 18 '17 at 15:11
  • On MacOS, staying at JDK 8u144 does *not* resolve the problem. As @Paolo Tedesco notes, the solution is to turn off compression -- compression=off; and make sure you set this for port 443 (it appears in two places in the xml config). – Jim Flood Jan 09 '18 at 21:40
  • Thank you, turning off compression works, but can you tell me what exactly happens when we turn off compression, and is it advisable if we do the same in a production environment? – amg_amit Aug 09 '18 at 07:47
  • When you enable compression, data flowing through the network will be compressed. That leads to low network bandwidth consumption. Disabling it in production has no other effects. However, with the latest JDK, this is working. – Bee Aug 09 '18 at 18:40
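The comments above give the workaround but not the exact edit. The script below is an added example, not WSO2's code: it switches compression="on" to "off" on every Tomcat Connector in a catalina-server.xml and reports which connectors it touched, so you can confirm that both the HTTP and the HTTPS connector were covered (the "two places" Jim Flood mentions). The XML it runs on is a constructed, cut-down sample with the two connectors a WSO2 product has at its default ports (9763 and 9443, no port offset); the real file carries many more attributes and comments.

```python
"""Turn off HTTP response compression on every Tomcat <Connector> in a
catalina-server.xml. Added example, not WSO2's code; the XML below is a
constructed sample reduced to the attributes that matter here."""
import xml.etree.ElementTree as ET

SAMPLE_CATALINA_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service className="org.apache.catalina.core.StandardService" name="Catalina">
    <!-- plain HTTP connector -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9763" redirectPort="9443"
               compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/javascript,application/x-javascript"/>
    <!-- HTTPS connector: the one the browser actually talks to for /carbon -->
    <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
               port="9443" SSLEnabled="true" scheme="https" secure="true"
               compression="on"
               compressionMinSize="2048"
               compressableMimeType="text/html,text/javascript,application/x-javascript"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""


def disable_compression(xml_text):
    """Return (new_xml_text, ports_changed).

    Every Connector whose compression attribute is "on" is set to "off";
    connectors that already have it off (or unset, Tomcat's default) are
    left alone, so running this twice changes nothing the second time."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    changed = []
    for conn in root.iter("Connector"):
        if conn.get("compression", "off").lower() == "on":
            conn.set("compression", "off")
            changed.append(int(conn.get("port")))
    return ET.tostring(root, encoding="unicode"), changed


def compression_settings(xml_text):
    """Map each Connector's port to its compression setting, for checking."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    return {int(c.get("port")): c.get("compression", "off")
            for c in root.iter("Connector")}


if __name__ == "__main__":
    print("before:", compression_settings(SAMPLE_CATALINA_SERVER_XML))
    new_xml, ports = disable_compression(SAMPLE_CATALINA_SERVER_XML)
    print("compression switched off on connectors:", ports)
    print("after: ", compression_settings(new_xml))
```

ElementTree drops the XML declaration and comments when it serialises, so on the real file use the script to find the connectors and then make the two-attribute edit by hand, or at least diff its output against the original before replacing anything. The change is behaviourally harmless for the console: it only stops Tomcat gzip-encoding responses, at the cost of bandwidth, which is what the comment from Bee says.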
2

Simple fix: go to the directory "wso2ei-6.2.0\conf\security" and open the "Owasp.CsrfGuard.Carbon.properties" file with any text editor (line number 49)

# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = true

change it to false

# If csrfguard filter is enabled
org.owasp.csrfguard.Enabled = false
Pierre.Vriens
Dinuka Wanasinghe
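The WARN line in the question is the CSRF filter doing its job on a request that arrived without a token: CSRFGuard adds the token to forms through a JavaScript include, so a login page whose script never loads intact is submitted without one, and the filter rejects it. Setting org.owasp.csrfguard.Enabled = false removes that check for every request, forged ones included. The code below is an added model of what the filter checks, not OWASP CSRFGuard's or WSO2's code; the token name OWASP_CSRFTOKEN is CSRFGuard's default (assumed here), the first error string is the one from the question's log and the second is assumed wording, and all requests are constructed samples.

```python
"""Added model of the per-session CSRF token check behind the WARN line in
the question. Not OWASP CSRFGuard's or WSO2's code. Requests are constructed
samples; TOKEN_NAME and MISMATCH are assumptions."""
import hmac
import secrets

TOKEN_NAME = "OWASP_CSRFTOKEN"             # CSRFGuard's default token name (assumed)
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # no state change, no token required
MISSING = "required token is missing from the request"    # wording from the question
MISMATCH = "request token does not match session token"   # assumed wording


def new_session_token():
    """Per-session token, issued server-side when the session starts."""
    return secrets.token_urlsafe(32)


def check_request(session_token, method, uri, params, headers,
                  user="<anonymous>", ip="127.0.0.1", enabled=True):
    """Return (allowed, log_line); log_line is None when the request passes.

    The token may arrive as a form parameter or a request header.
    enabled=False reproduces org.owasp.csrfguard.Enabled = false: every
    request passes and the token is never looked at."""
    if not enabled or method.upper() in SAFE_METHODS:
        return True, None
    presented = params.get(TOKEN_NAME) or headers.get(TOKEN_NAME)
    if presented is None:
        error = MISSING
    elif not hmac.compare_digest(presented.encode("utf-8"),
                                 session_token.encode("utf-8")):
        error = MISMATCH  # constant-time compare: no timing leak of the token
    else:
        return True, None
    line = ("potential cross-site request forgery (CSRF) attack thwarted "
            f"(user:{user}, ip:{ip}, method:{method}, uri:{uri}, error:{error})")
    return False, line


if __name__ == "__main__":
    token = new_session_token()
    login = "/carbon/admin/login_action.jsp"
    creds = {"username": "admin", "password": "admin"}

    # 1. The question's request: the login form posted without the token the
    #    CSRFGuard JavaScript would normally have added -> 403 and the WARN line.
    print(check_request(token, "POST", login, creds, {}, ip="0:0:0:0:0:0:0:1"))
    # 2. The same login with the session's token in the form -> allowed.
    print(check_request(token, "POST", login, {**creds, TOKEN_NAME: token}, {}))
    # 3. A forged cross-site POST: the attacker cannot read the victim's
    #    token, so whatever value they send is rejected.
    print(check_request(token, "POST", login, {**creds, TOKEN_NAME: "guess"}, {}))
    # 4. With the filter disabled, the forged request from (3) goes through.
    print(check_request(token, "POST", login, {**creds, TOKEN_NAME: "guess"}, {},
                        enabled=False))
```

Case 1 reproduces the question's log line exactly; cases 3 and 4 are the difference between the two answers on this page: turning compression off lets the token reach the browser so case 2 happens, while turning the filter off makes case 4 the behaviour for every state-changing request.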