
Anywhere 764 - CSRF token is required

  • 1.  Anywhere 764 - CSRF token is required

    Posted Tue April 21, 2020 04:19 PM
    Hi, we just installed Anywhere 764 and we kept having an error telling us that a valid CSRF token is required to perform this action (BMXAA9486E).

    We have this message every time we try to do a transaction within the app. We use Technician, CycleCounts and IssueReturns and it happens on all of them.

    Does anyone have this issue?

    Thank you

    ------------------------------
    Mathieu Guilmette
    ------------------------------



    #MaximoAnywhere
    #Maximo
    #AssetandFacilitiesManagement


  • 2.  RE: Anywhere 764 - CSRF token is required

    Posted Wed April 22, 2020 08:09 AM
    Can you check the system property application in Maximo to see if you have mxe.oslc.enforcecsrf enabled (set to 1 or true)? I assume the answer is yes. We didn't have it enabled in our demo environment and haven't moved any of our customers to this release yet so it could be a regression with the new Anywhere release. I would suggest opening a case with IBM since it's something not enabled by default (and honestly, not enabled that often). I could definitely see there being an issue with this release with that setting.

    ------------------------------
    Steven Shull
    Director of Development
    Projetech Inc
    Cincinnati OH
    ------------------------------



  • 3.  RE: Anywhere 764 - CSRF token is required

    Posted Wed April 22, 2020 09:26 AM
    mxe.oslc.enforcecsrf is set to 0.
    I opened a case too.

    Thank you

    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 4.  RE: Anywhere 764 - CSRF token is required

    Posted Thu April 23, 2020 10:29 AM
    Hello, we have the same issue. Enforcecsrf set to 0. Will you please let us know if you resolve the problem?

    Thank you, 
    Robi

    ------------------------------
    Robi Cavnik
    Troia d.o.o.
    ------------------------------



  • 5.  RE: Anywhere 764 - CSRF token is required

    Posted Thu April 23, 2020 10:51 AM
    Hi,

    Sure, I'll do it!


    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 6.  RE: Anywhere 764 - CSRF token is required

    Posted Thu April 23, 2020 11:49 AM
    Hi,

    IBM resolved my case. The answer to my problem was to set the property mxe.oslc.aclalloworigin to *

    Thank you,
    Mathieu


    ------------------------------
    Mathieu Guilmette
    ------------------------------



  • 7.  RE: Anywhere 764 - CSRF token is required

    Posted Fri April 24, 2020 01:44 AM
    Hello,

    Thank you for the solution!

    Kind Regards

    ------------------------------
    Robi Cavnik
    Troia d.o.o.
    ------------------------------



  • 8.  RE: Anywhere 764 - CSRF token is required

    Posted Mon June 08, 2020 04:13 PM
    Mathieu and Robi,

    We had the same issue. May I ask, are you running Android and, if so, are your devices running Android System WebView or Google Chrome as the WebView implementation?

    Thanks.

    ------------------------------
    Victor Chin
    ------------------------------



  • 9.  RE: Anywhere 764 - CSRF token is required

    Posted Mon June 08, 2020 04:23 PM
    Hello, 

    we are using Android devices with Google Chrome WebView.

    Best Regards

    Robi Cavnik

    Svetovalec za informacijske sisteme / IT consultant

    TROIA, informacijske storitve, d.o.o
    Ozare 19
    2380 Slovenj Gradec
    Slovenija

    M: +386 41 886 404
    T: +386 2 70 71 250
    E: robi.cavnik@troia.si
    W: www.troia.si

  • 10.  RE: Anywhere 764 - CSRF token is required

    Posted Tue June 09, 2020 10:13 AM
    So I am by no means a developer or web security expert, thus I am in the process of educating myself on CORS and CSRF. With that said, I am hoping someone is able to shed some light on exactly what making this setting change does. It seems to me that it is relaxing CORS policies. Is it then also bypassing CSRF validation and thus, why it fixes the original issue?

    So my concern is that this does indeed fix the issue at hand but the change to CORS and/or CSRF in turn opens up the application to not meet security standards when it goes through its security audits/assessments.

    ------------------------------
    Victor Chin
    ------------------------------
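The question in the last post is about two different controls: an origin allow-list (the CORS side) and a CSRF token check. The following is an added, simplified model written for this thread, not IBM Maximo's code; the functions, the `*` wildcard semantics and the header names are assumptions chosen to show that relaxing the allowed origin and enforcing a CSRF token are independent decisions. The thread does not show how mxe.oslc.aclalloworigin and mxe.oslc.enforcecsrf are actually implemented.

```python
"""Constructed model of an origin allow-list plus a CSRF token check.
Illustration only: NOT Maximo's implementation of mxe.oslc.aclalloworigin
or mxe.oslc.enforcecsrf (hypothetical semantics throughout)."""
import hmac
from typing import Dict, Optional


def origin_allowed(origin: Optional[str], allowed: str) -> bool:
    """Assumed allow-list semantics: '*' admits any origin; otherwise the
    request's Origin header must equal one of the comma-separated entries."""
    if allowed.strip() == "*":
        return True
    if origin is None:
        # Browsers send Origin on cross-origin requests; a missing header
        # cannot be matched against a specific allow-list entry.
        return False
    return origin in {o.strip() for o in allowed.split(",") if o.strip()}


def csrf_ok(session_token: str, request_token: Optional[str]) -> bool:
    """Constant-time comparison of the token bound to the session with the
    token the client echoed back in the request."""
    return request_token is not None and hmac.compare_digest(session_token, request_token)


def authorize(headers: Dict[str, str], allowed_origin: str,
              enforce_csrf: bool, session_token: str) -> str:
    """Return 'ok' or the name of the control that rejected the request.
    The two settings are evaluated independently: widening the origin
    allow-list never disables the CSRF token check, and vice versa."""
    if not origin_allowed(headers.get("Origin"), allowed_origin):
        return "rejected: origin"
    if enforce_csrf and not csrf_ok(session_token, headers.get("X-CSRF-Token")):
        return "rejected: csrf"
    return "ok"


def demo() -> Dict[str, str]:
    """Run the model over constructed requests (sample values, not real hosts)."""
    tok = "constructed-session-token"
    cross = {"Origin": "https://other-site.example"}
    cross_with_token = dict(cross, **{"X-CSRF-Token": tok})
    return {
        "strict_origin_cross_site": authorize(cross, "https://maximo.example", False, tok),
        "wildcard_origin_no_csrf": authorize(cross, "*", False, tok),
        "wildcard_origin_csrf_missing": authorize(cross, "*", True, tok),
        "wildcard_origin_csrf_present": authorize(cross_with_token, "*", True, tok),
    }
```

In this model a wildcard origin admits any site, while the CSRF check still rejects a request that lacks the session's token; whether Maximo behaves the same way is exactly what the thread leaves open.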