It may not be possible to access the Web Player due to the following errors:
"Failed to load application"
"Could not load configuration"
"Could not load labels"
An example is shown in the screenshot below.
This could also manifest itself as a 403 Access Denied message in the browser.
Upon checking the server logs, an error similar to the one below will be seen.
WARN 2024-04-29T15:41:28,939+0100 [unknown, #B-2780, #7504] server.security.SecurityInterceptor:
Request for URL /rest/pub/headerConfig is denied because the request
does not contain the required CSRF token
Spotfire Server and session cookies
When accessing the Web Player via a browser, an HTTP persistent session is established via a JSESSIONID cookie. Another cookie called XSRF-TOKEN is also issued, which helps prevent CSRF (Cross-Site Request Forgery) attacks.
These can be observed using the Developer Tools / Network in the browser.
Since this is a persistent session, these same two cookies (and values) will be seen in each subsequent request/response to the Spotfire server URL. The server will respond with the same cookies/values and the client (browser) will include the same cookies/values in each request.
The error illustrated above means that a Spotfire server has not received the correct value for the XSRF-TOKEN cookie that it originally issued at the start of the session.
This issue can be resolved in the following ways:
Note: You may find other articles recommending disabling CSRF protection on the Spotfire server. This is inadvisable, especially if the Spotfire server is publicly accessible over the internet. The security of your Spotfire cluster may be compromised, and this should only be performed as a temporary or troubleshooting step.
Multiple Spotfire servers in a load balanced configuration
In a load balanced configuration where there are two or more Spotfire servers, it must be ensured that all requests belonging to a client session are routed to the same Spotfire server. Otherwise, the other Spotfire servers, which are not aware of the issued XSRF token, will generate this error.
This is achieved via session affinity (sticky sessions). Please check your load balancing documentation on how to implement this. The session affinity should be based on an application cookie; in this case it should be based on the application (Spotfire server) cookie JSESSIONID.
For example in AWS, this can be configured on the Target Group Attributes
Cookies are being issued with the SameSite=None attribute
The following applies with even a single Spotfire server.
Chrome and Edge will not accept a cookie if the cookie attribute SameSite is set to None and the Secure attribute is not set on the cookie, in other words when the connection is not via HTTPS.
At the time of writing this does not apply to the Firefox browser, so different behaviour might be observed.
A default installation of Spotfire server will not set the SameSite attribute on any cookies. However, if for some reason the SameSite=None attribute is being set on cookies via the set-config-prop command, then this issue will be encountered when accessing the Spotfire server URL via HTTP.
If there is a valid reason for this setting, then please contact Revvity support for assistance in resolving this issue. Otherwise, simply remove the cookie attribute declarations from the Spotfire configuration.
1) Export the server configuration (Linux users must run config.sh instead of config.bat). This will dump the current configuration to a file called configuration.xml:
config.bat export-config
2) Find the lines which declare the SameSite attribute and remove all three of them:
<cookies>
<same-site>None</same-site>
</cookies>
3) Import the configuration back into Spotfire:
config.bat import-config -c "Removed SameSite attribute from cookies"
4) Restart the Spotfire server.
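The two checks this article describes (session cookies being carried back unchanged, and SameSite=None being rejected without Secure or over plain HTTP) can be reproduced offline against Set-Cookie headers copied from the browser's Network tab. The script below is an added example and not Revvity or Spotfire tooling; the cookie values are constructed samples.

```python
"""Audit Spotfire session cookies (JSESSIONID, XSRF-TOKEN) copied from a response."""

SESSION_COOKIES = ("JSESSIONID", "XSRF-TOKEN")

# Constructed sample: Set-Cookie headers from a server configured with
# SameSite=None but reached over plain HTTP (values are made up).
SAMPLE_SET_COOKIE_HTTP = [
    "JSESSIONID=1A2B3C4D5E; Path=/spotfire; HttpOnly; SameSite=None",
    "XSRF-TOKEN=0f9e8d7c6b5a; Path=/spotfire; SameSite=None",
]


def parse_set_cookie(header):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag-style attrs get ""
    return name.strip(), value.strip(), attrs


def audit_set_cookie(headers, scheme):
    """Return (cookie, reason) pairs for session cookies Chrome/Edge would drop."""
    findings = []
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        same_site_none = attrs.get("samesite", "").lower() == "none"
        secure = "secure" in attrs
        if same_site_none and not secure:
            findings.append((name, "SameSite=None without Secure"))
        elif secure and scheme.lower() != "https":
            # A Secure cookie cannot be set from a plain-HTTP origin either.
            findings.append((name, f"Secure cookie over {scheme.lower()}"))
    return findings


def xsrf_token_matches(set_cookie_headers, request_cookie_header):
    """True if the XSRF-TOKEN the client sends back equals the one the server issued."""
    issued = {n: v for n, v, _ in map(parse_set_cookie, set_cookie_headers)}
    sent = {}
    for pair in request_cookie_header.split(";"):
        name, _, value = pair.strip().partition("=")
        sent[name.strip()] = value.strip()
    token = issued.get("XSRF-TOKEN")
    return token is not None and token == sent.get("XSRF-TOKEN")
```

A mismatch from xsrf_token_matches on a request that the browser sent unchanged points at the load balancer (a different server issued the token), while a non-empty audit result points at the cookie configuration.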
Disabling CSRF protection
As mentioned earlier, disabling CSRF protection is not the correct solution for this issue in most scenarios. It could be done as a temporary or diagnostic step while troubleshooting the issue.
To implement, export the server configuration as above. Then issue the command:
config.bat config-csrf-protection --enabled false
Finally, reimport the server configuration:
config.bat import-config -c "Disabled CSRF protection"
With this configuration the Spotfire server will still issue the XSRF-TOKEN cookie, but the check that validates the token on each request will be disabled.
If the issue persists, please contact Revvity support for further assistance.