Fix the Invalid or Missing CSRF Token in the Legacy UI

Description

This shows up all the time, mostly in valid settings.

Activity

Wikum Weerakutti November 25, 2024 at 7:46 AM

I am closing this for the platform 2.7.0 release.

Daniel Kayiwa November 1, 2024 at 3:17 PM

CSRF Guard appends a hidden input field with the CSRF token at the end of the form. For this particular form, the form data was so large that Tomcat just ignored the extra parameters, including the one that CSRF Guard had appended. This explains why you would not reproduce this error when the number of global properties was small. That is how I fixed it on dev3, by simply resetting it and hence reducing the number of global properties to the initial default. I was able to reproduce it locally by simply increasing my number of global properties to something like 450.

So the fix is to make CSRF Guard insert the CSRF token hidden input field as the first child, so that it does not get ignored by the server when the parameters are too many. The other alternative would be to configure Tomcat parameters like maxParameterCount to increase the size.
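
The truncation described in the comment above, as an added example that is not part of the original ticket nor code from OpenMRS, CSRF Guard or Tomcat: a simplified model of a server that keeps only the first N form parameters, run against a form with the token appended last and inserted first. The field names, token name and value, the three fields per global property and the limit of 1000 are constructed assumptions.

```javascript
// Constructed values for illustration; not taken from OpenMRS or CSRF Guard.
const TOKEN_FIELD = "EXAMPLE_CSRF_TOKEN";
const SESSION_TOKEN = "constructed-token-value";
const MAX_PARAMETER_COUNT = 1000; // assumed server-side limit

// Build the urlencoded body of a global-properties form (hypothetical layout:
// three fields per property) with the token placed "first" or "last".
function buildFormBody(propertyCount, tokenPosition) {
  const fields = [];
  for (let i = 0; i < propertyCount; i++) {
    fields.push([`property.${i}.name`, `gp.${i}`]);
    fields.push([`property.${i}.value`, `value ${i}`]);
    fields.push([`property.${i}.description`, `description ${i}`]);
  }
  const token = [TOKEN_FIELD, SESSION_TOKEN];
  if (tokenPosition === "first") fields.unshift(token);
  else fields.push(token);
  return new URLSearchParams(fields).toString();
}

// Simplified model of the server: parameters are read in body order and
// everything past the limit is silently ignored.
function parseWithLimit(body, maxParameterCount) {
  const kept = [];
  for (const [name, value] of new URLSearchParams(body)) {
    if (kept.length >= maxParameterCount) break;
    kept.push([name, value]);
  }
  return new Map(kept);
}

// The CSRF filter only sees what survived parsing.
function csrfCheckPasses(body, maxParameterCount) {
  const params = parseWithLimit(body, maxParameterCount);
  return params.get(TOKEN_FIELD) === SESSION_TOKEN;
}

// Small form passes either way; the large form passes only with the token first.
for (const count of [10, 450]) {
  for (const position of ["last", "first"]) {
    const body = buildFormBody(count, position);
    const total = [...new URLSearchParams(body)].length;
    const ok = csrfCheckPasses(body, MAX_PARAMETER_COUNT);
    console.log(`${count} properties, token ${position}: ${total} params, ` +
      (ok ? "accepted" : "invalid or missing CSRF token"));
  }
}
```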

Daniel Kayiwa November 1, 2024 at 3:10 PM

Daniel Kayiwa November 1, 2024 at 3:05 PM

Fixed

Details

Created October 30, 2024 at 6:44 PM
Updated November 25, 2024 at 7:46 AM
Resolved November 25, 2024 at 7:46 AM