English
Italian
Starting from Alfresco 4.1, a CSRF filter has been added to Share in order to prevent Cross-Site Request Forgery attacks. When you configure a web server in front of Share to serve virtual hosts through HTTPS, a CSRF error could occur. To run the CSRF Token Filter behind a web server Apache with mod_proxy and SSLEngine you may need to update the Origin and Referer headers in the CSRF Token Filter. In this article I show two possible solutions.
Apache SSL VirtualHost
### Apache vhost config: /etc/httpd/conf.d/my_virtual_hosts.conf
###
<VirtualHost *:443>
ServerName myalfresco.com
ProxyPass /share http://host:8080/share
ProxyPassReverse /share http://host:8080/share
SSLEngine on
SSLProtocol all
SSLCertificateFile /secure_path_to_ssl_certs/mycert.crt
SSLCertificateKeyFile /secure_path_to_ssl_certs/mycert.crt.key
SSLCertificateChainFile /secure_path_to_ssl_certs/mycert.crt.intermediate
</VirtualHost>
CSRF Error when you login to Share
INFO [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting referer header 'https://myalfresco.com/share/page/'. Request: POST /share/page/dologin ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://myalfresco.com/share/page/'. Request: POST /share/page/dologin
SOLUTION 1 – Set the Referer and Origin in the CSRF Token Filter
Step1. Copy the “CSRFPolicy” default config from:
TOMCAT_HOME/webapps/share/WEB-INF/classes/alfresco/share-security-config.xml
to:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml
Step 2. Add the attribute replace=”true” like below
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
Step 3. Update the properties referer e origin with the FQDN (https) of the Apache VirtualHost
<config evaluator="string-compare" condition="CSRFPolicy" replace="true"> <properties> <token>Alfresco-CSRFToken</token> <!-- Use the pipe | in the regex as OR operator: URL1|URL2|... --> <referer>https://myalfresco.com/.*</referer> <origin>https://myalfresco.com</origin> </properties> <!-- blablabla --> </config>
SOLUTION 2 – Disable the CSRF Token Filter
Uncomment the “CSRFPolicy” config in:
TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
CSRF Error on Alfresco Admin Console (Node Browser)
The CSRF error could occur when you use the Alfresco Admin Console utilities (/alfresco/s/admin) for example the Node Browser tool.
SOLUTION 1 – Disabile the CSRF filter on requests like /alfresco/s/admin/admin-nodebrowser
Step 1. Update (or create) file: <ALFRESCO_HOME>/tomcat/shared/classes/alfresco/extension/web-scripts-config-custom.xml
Step 2. Configure the CSRFPolicy evaluator with replace=”true”
<!-- Disable CSRF filter. Config below overrides those include here: alfresco/WEB-INF/classes/alfresco/web-client-security-config.xml CSRF Filter disabled on URLs /alfresco/s/* --> <alfresco-config> <config evaluator="string-compare" condition="CSRFPolicy" replace="true"> <filter/> </config> </alfresco-config>
Hi Giuseppe,
This issue take a lot my time. (the beginner of Alfresco)
Thanks for your post.
I hope it was helpful for you
Thanks for comment.
Hello Giuseppe,
it works like a charm. I knew of the reasons for this issue to happen, but wasn’t sure of how to fix it.
Thanks!
Thank you very much Sergio,
the topic is well documented here:
http://docs.alfresco.com/5.0/concepts/share-policies.html