September 22, 2017

Alfresco tips and tricks – #13 CSRF Filter error on Share login with Apache mod_proxy and SSLEngine on

Starting from Alfresco 4.1, a CSRF filter has been added to Share in order to prevent Cross-Site Request Forgery attacks. When you configure a web server in front of Share to serve virtual hosts through HTTPS, a CSRF error can occur. To run the CSRF Token Filter behind an Apache web server with mod_proxy and SSLEngine on, you may need to update the Origin and Referer headers in the CSRF Token Filter. In this article I show two possible solutions.

Apache SSL VirtualHost

Possible CSRF error when you log in to Share

SOLUTION 1 – Set the Referer and Origin in the CSRF Token Filter

Step 1. Copy the “CSRFPolicy” default config from:
TOMCAT_HOME/webapps/share/WEB-INF/classes/alfresco/share-security-config.xml
to:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml

Step 2. Add the attribute replace="true" to the copied “CSRFPolicy” config

Step 3. Update the properties referer and origin with the FQDN (https) of the Apache VirtualHost
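
The check below is an added example, not code from the original post or from Alfresco: it parses a CSRFPolicy override such as the one Steps 1 to 3 produce and verifies that the referer and origin patterns accept the headers a browser sends for the HTTPS VirtualHost. The host share.example.com, the sample XML and the function name are constructed for illustration; whole-string regex matching and the meaning of an empty filter are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the override in share-config-custom.xml. share.example.com is a
# placeholder host; the <client> and <filter> bodies copied in Step 1 are abbreviated.
SAMPLE_CONFIG = """
<alfresco-config>
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <properties>
      <token>Alfresco-CSRFToken</token>
      <referer>https://share.example.com/.*</referer>
      <origin>https://share.example.com</origin>
    </properties>
    <filter>
      <rule><!-- rules copied unchanged from share-security-config.xml --></rule>
    </filter>
  </config>
</alfresco-config>
"""

def check_csrf_policy(config_xml, public_url):
    """Return the problems found in a CSRFPolicy override (empty list means OK)."""
    root = ET.fromstring(config_xml)
    policy = next((c for c in root.iter("config")
                   if c.get("condition") == "CSRFPolicy"), None)
    if policy is None:
        return ["no CSRFPolicy config found"]
    problems = []
    if policy.get("replace") != "true":
        problems.append('replace="true" is missing (Step 2)')
    # Headers a browser sends for a page served from the HTTPS VirtualHost.
    sent = {"origin": public_url, "referer": public_url + "/share/page/"}
    for name, header in sent.items():
        pattern = (policy.findtext("properties/" + name) or "").strip()
        if not pattern:
            problems.append(name + " property is empty (Step 3)")
        # Assumption: the filter requires the pattern to match the whole header value.
        elif not re.fullmatch(pattern, header):
            problems.append(name + " pattern does not match " + header)
    # Assumption: an override without any filter rule leaves nothing enforced.
    if policy.find("filter/rule") is None:
        problems.append("no filter rules: CSRF checks are not enforced")
    return problems

if __name__ == "__main__":
    print(check_csrf_policy(SAMPLE_CONFIG, "https://share.example.com") or "OK")
```

Pass it the contents of the real share-config-custom.xml and the public https URL of the VirtualHost before restarting Tomcat.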

SOLUTION 2 – Disable the CSRF Token Filter

Uncomment the “CSRFPolicy” config in:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml

4 Comments

  1. Sergio

    Hello Giuseppe,

    it works like a charm. I knew of the reasons for this issue to happen, but wasn’t sure of how to fix it.

    Thanks!
