https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/184208#M137338 <HTML><HEAD></HEAD><BODY><P><SPAN style="font-size: 14px; font-family: arial, helvetica, 'helvetica neue', verdana, sans-serif; color: #727174;">Hello everyone,</SPAN></P><P></P><P><SPAN style="font-size: 14px; font-family: arial, helvetica, 'helvetica neue', verdana, sans-serif; color: #727174;">I have a problem after put my alfresco behind apache httpd:</SPAN></P><P><SPAN>ProxyPass&nbsp;&nbsp;&nbsp;&nbsp; /share&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><A class="jive-link-external-small" href="http://127.0.0.1:8081/share" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1:8081/share</A></P><P><SPAN>ProxyPassReverse /share&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><A class="jive-link-external-small" href="http://127.0.0.1:8081/share" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1:8081/share</A></P><P>&lt;Location “/share&gt;</P><P>Order allow,deny</P><P>Allow from All</P><P>&lt;/Location&gt;</P><P>Getting error...</P><P></P><P></P><P>Oct 19, 2016 12:35:42 PM org.apache.catalina.core.ApplicationContext log</P><P>INFO: No Spring WebApplicationInitializer types detected on classpath</P><P>Oct 19, 2016 12:36:41 PM org.apache.catalina.core.StandardWrapperValve invoke</P><P><SPAN>SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header '</SPAN><A class="jive-link-external-small" href="http://127.0.0.1/share/page" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1/share/page</A><SPAN>'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: '</SPAN><A class="jive-link-external-small" href="http://127.0.0.1/share/page" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1/share/page</A><SPAN>' vs server &amp; context: </SPAN><A class="jive-link-external-small" href="http://127.0.0.1:8081/" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1:8081/</A><SPAN> (string) or&nbsp; (regexp)] with root cause</SPAN></P><P><SPAN>javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header '</SPAN><A class="jive-link-external-small" href="http://127.0.0.1/share/page" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1/share/page</A><SPAN>'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: '</SPAN><A class="jive-link-external-small" href="http://127.0.0.1/share/page" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1/share/page</A><SPAN>' vs server &amp; context: </SPAN><A class="jive-link-external-small" href="http://127.0.0.1:8081/" rel="nofollow noopener noreferrer" target="_blank">http://127.0.0.1:8081/</A><SPAN> (string) or&nbsp; (regexp)</SPAN></P><P>&nbsp; at org.alfresco.web.site.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)</P><P>&nbsp; at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp; at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:450)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp; at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)</P><P>&nbsp; at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)</P><P>&nbsp; at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)</P><P>&nbsp; at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)</P><P>&nbsp; at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)</P><P>&nbsp; at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)</P><P>&nbsp; at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)</P><P>&nbsp; at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)</P><P>&nbsp; at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)</P><P>&nbsp; at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)</P><P>&nbsp; at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)</P><P>&nbsp; at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)</P><P>&nbsp; at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)</P><P>&nbsp; at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)</P><P>&nbsp; at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)</P><P>&nbsp; at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)</P><P>&nbsp; at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)</P><P>&nbsp; at java.lang.Thread.run(Unknown Source)</P></BODY></HTML> Wed, 19 Oct 2016 07:25:46 GMT ppg 2016-10-19T07:25:46Z https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/184208#M137338 Hello everyone,I have a problem after put my alfresco behind apache httpd<IMG id="smileytongue" class="emoticon emoticon-smileytongue" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-tongue.png" alt="Smiley Tongue" title="Smiley Tongue" />roxyPass&nbsp;&nbsp;&nbsp;&nbsp; /share&nbsp;&nbsp;&nbsp;&nbsp; http://127.0.0.1:8081/shareProxyPassReverse /share&nbsp;&nbsp;&nbsp;&nbsp; http://127.0.0.1:8081/share&lt;Location “/share&gt;Order allow,denyAllow from All&lt;/Location&gt;Getting error...Oct 19, 2016 12:35:42 PM org.apa Wed, 19 Oct 2016 07:25:46 GMT https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/184208#M137338 ppg 2016-10-19T07:25:46Z https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/184209#M137339 <HTML><HEAD></HEAD><BODY><P>Buenas:</P><P></P><P>Simplemente esta cantando una policy de seguridad que tiene Alfresco Share (CSRF - <SPAN style="color: #222222; font-family: arial, sans-serif; font-size: 16px;">Cross-site request forgery</SPAN>).</P><P>Estas policies se configuran en el archivo $ALF_HOME/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml&nbsp; </P><P>Si quieres deshabilitar las policies de CSRF puedes hacerlo descomentando esta sección en el archivo: </P><P></P><BLOCKQUOTE><TABLE border="1"><TBODY><TR><TD><P>&nbsp;&nbsp; &lt;!-- Disable the CSRF Token Filter --&gt;</P><P>&nbsp;&nbsp; &lt;!--</P><P>&nbsp;&nbsp; &lt;config evaluator="string-compare" condition="CSRFPolicy" replace="true"&gt;</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;filter/&gt;</P><P>&nbsp;&nbsp; &lt;/config&gt;</P><P>&nbsp;&nbsp; --&gt;</P></TD></TR></TBODY></TABLE></BLOCKQUOTE><P></P><P>Aunque lo más adecuado es decirle a Alfresco qué hosts pueden hacerle peticiones de proxy.</P><P>Puedes leer más sobre CSRF en el whitepaper de <B>toni.delafuente _</B>​&nbsp; "Alfresco Security White Paper":</P><P></P><P><A href="http://blyx.com/2014/10/08/my-talk-about-alfresco-security-best-practices-at-the-alfresco-summit-2014/" title="http://blyx.com/2014/10/08/my-talk-about-alfresco-security-best-practices-at-the-alfresco-summit-2014/" rel="nofollow noopener noreferrer">My talk about “Alfresco Security Best Practices” at the Alfresco Summit 2014 – : : blyx.com : : Blog : : Toni de la Fuen…</A> </P><P></P><P>Saludos.</P><P></P><P>--C.</P></BODY></HTML> Wed, 19 Oct 2016 09:08:39 GMT https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/184209#M137339 cesarista 2016-10-19T09:08:39Z