September 18, 2019

Alfresco tips and tricks – #13 CSRF Filter error on Share login with Apache mod_proxy and SSLEngine on

Starting from Alfresco 4.1, a CSRF filter has been added to Share in order to prevent Cross-Site Request Forgery attacks. When you configure a web server in front of Share to serve virtual hosts through HTTPS, a CSRF error could occur. To run the CSRF Token Filter behind a web server Apache with mod_proxy and SSLEngine you may need to update the Origin and Referer headers in the CSRF Token Filter. In this article I show two possible solutions.

Apache SSL VirtualHost

### Apache vhost config: /etc/httpd/conf.d/my_virtual_hosts.conf
###
<VirtualHost *:443>
        ServerName myalfresco.com
        ProxyPass /share http://host:8080/share
        ProxyPassReverse /share http://host:8080/share
        SSLEngine on
        SSLProtocol all
        SSLCertificateFile /secure_path_to_ssl_certs/mycert.crt
        SSLCertificateKeyFile /secure_path_to_ssl_certs/mycert.crt.key
        SSLCertificateChainFile /secure_path_to_ssl_certs/mycert.crt.intermediate
</VirtualHost>

CSRF possible error when you login to Share

INFO [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting
 referer header 'https://myalfresco.com/share/page/'. Request: POST /share/page/dologin
ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting
 referer header 'https://myalfresco.com/share/page/'. Request: POST /share/page/dologin

SOLUTION 1 – Set the Referer and Origin in the CSRF Token Filter

Step1. Copy the “CSRFPolicy” default config from:
TOMCAT_HOME/webapps/share/WEB-INF/classes/alfresco/share-security-config.xml
to:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml

Step 2. Add the attribute replace=”true” like below

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">

Step 3. Update the properties referer e origin with the FQDN (https) of the Apache VirtualHost

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<properties>
<token>Alfresco-CSRFToken</token>

<!-- Use the pipe | in the regex as OR operator: URL1|URL2|... -->
<referer>https://myalfresco.com/.*</referer>
<origin>https://myalfresco.com</origin>

</properties>
<!-- blablabla -->
</config>

SOLUTION 2 – Disable the CSRF Token Filter

Uncomment the “CSRFPolicy” config in:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter/>
</config>

4 Comments

  1. Sergio

    Hello Giuseppe,

    it works like a charm. I knew of the reasons for this issue to happen, but wasn’t sure of how to fix it.

    Thanks!

    Reply

Leave a Reply

Your email address will not be published.