Product: TIBCO Spotfire®
Accessing TIBCO Spotfire Server URL leads to error "Failed to load application" "Could not load configuration" "Could not load labels"
When you access the TIBCO Spotfire Server URL over the HTTP connector (for example: http://spotfireservername/), you might see the error "Failed to load application" "Could not load configuration" "Could not load localized labels".
This issue can happen if the TIBCO Spotfire Server (TSS) is configured to accept both HTTP and HTTPS connections or in certain setups with reverse proxies / load balancers. Below are some solutions that might apply here:
- If you have a load balancer or a proxy that redirects requests to the Spotfire Server, ensure that sticky sessions are configured. The browser needs to hit the same Spotfire Server for its whole session (as seen from the jsession cookie), which can be up to 24 hours long.
- Check whether you are using both the HTTPS and HTTP connectors on the Spotfire Server (see Configuring HTTPS for more details). With both in use, it has been seen that when the Spotfire Server is accessed over non-secure http://, it tries to set a non-secure cookie, but a cookie with the same name already exists marked as secure (set when the HTTPS URL was accessed first), and it cannot be overwritten. So if you access the TSS over HTTPS first and then over HTTP, you get an error message because the client refuses to accept the session cookies. The only resolution is to either use HTTPS only or write a redirect rule from HTTP to HTTPS. See KB: How to perform HTTP to HTTPS redirection in TIBCO Spotfire Server versions 7.5 and higher.
- Check if the clocks on the load balancer machine, TIBCO Spotfire Servers and TIBCO Node Managers are in sync.
- Try disabling the CSRF token on the Spotfire Server side, but only if you are using a load balancer that sets a CSRF token. For example, F5's Application Security Manager (ASM) is usually configured for CSRF protection. F5 ASM assigns another CSRF token to the request, resulting in access denied errors on the Spotfire side, so in that setup you can disable the token within the Spotfire configuration.
See KB: Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token
Note: Disabling CSRF protection on the TIBCO Spotfire Server has an impact if you are not using a load balancer: it opens the server up to CSRF attacks. See https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
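The HTTPS-then-HTTP cookie conflict described in the list above can be reproduced offline. The following is an added example, not part of the TIBCO article or product: it replays two constructed Set-Cookie headers through a simplified model of the browser rule that a response received over plain HTTP may not overwrite a cookie already stored as Secure. The cookie name JSESSIONID, its values, and the function names are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie

# Constructed sample: Set-Cookie headers from two visits to the same host,
# in the order the browser made them (HTTPS first, then plain HTTP).
VISITS = [
    ("https", "JSESSIONID=A1B2C3; Path=/; Secure; HttpOnly"),
    ("http", "JSESSIONID=D4E5F6; Path=/; HttpOnly"),
]

def apply_set_cookie(jar, scheme, header):
    """Store cookies from one Set-Cookie header; return names the browser rejects.

    Simplified model: a response received over http may neither set a Secure
    cookie nor overwrite a same-named cookie already stored as Secure.
    Domain and path matching are omitted (one host, one path assumed).
    """
    rejected = []
    parsed = SimpleCookie()
    parsed.load(header)
    for name, morsel in parsed.items():
        secure = bool(morsel["secure"])
        if scheme == "http" and secure:
            rejected.append(name)  # Secure cookies cannot be set over http
            continue
        existing = jar.get(name)
        if scheme == "http" and existing and existing["secure"]:
            rejected.append(name)  # would clobber the stored Secure cookie
            continue
        jar[name] = {"value": morsel.value, "secure": secure}
    return rejected

def replay(visits):
    """Replay visits in order; return (final jar, [(scheme, name)] rejections)."""
    jar, problems = {}, []
    for scheme, header in visits:
        for name in apply_set_cookie(jar, scheme, header):
            problems.append((scheme, name))
    return jar, problems

if __name__ == "__main__":
    jar, problems = replay(VISITS)
    for scheme, name in problems:
        print(f"{scheme}: Secure {name} already stored; new session cookie rejected")
    sendable = [n for n, c in jar.items() if not c["secure"]]
    print("cookies the browser will send over http:", sendable or "none")
```

Reversing the visit order (HTTP first, then HTTPS) produces no rejection, which is why the error depends on which URL the browser opened first.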
If the issue persists and you cannot determine a root cause, please contact TIBCO Spotfire support at https://support.tibco.com for further assistance.
KBA: Request for URL /wp/render/.../WebViewRead.ashx is denied because the request does not contain the required CSRF token
KBA: How to perform HTTP to HTTPS redirection in TIBCO Spotfire Server versions 7.5 and higher.