topic Re: CSRFFilter error in catalina.out in Alfresco Archive

CSRFFilter error in catalina.out

aweber1nj — Fri, 15 Feb 2013 01:48:58 GMT

Running some tests with 4.2.d, and we have a web proxy in front of tomcat on linux. When we tried to use the default action to start a workflow, it threw this CSRFTokenFilter error: "Possible CSRF attack noted when comparing token in session and request header…"Is there a specific header that maybe

Re: CSRFFilter error in catalina.out

scouil — Fri, 22 Feb 2013 10:04:17 GMT

Hello,

Is it the same problem as described here?:
https://issues.alfresco.com/jira/browse/ALF-17872

Re: CSRFFilter error in catalina.out

aweber1nj — Fri, 22 Feb 2013 13:56:27 GMT

However, that issue indicates it's fixed in 4.1.4, and I'm reporting this issue against 4.2 (Community). So it may have re-appeared.

Either way, the JIRA article doesn't tell me WHY it is happening or give any information about how to fix it or pass any necessary headers that the servlet filter might be looking for. And I still can't find the source code for that filter, or I might be a little further along.

Thanks,
AJ

Re: CSRFFilter error in catalina.out

scouil — Fri, 22 Feb 2013 14:26:42 GMT

Hello aweber,

Actually I don't think it's a regression. It was fixed about 2 weeks ago and may not have been ported to the community version code yet.
And no, it doesn't directly tell you how to fix it.

However what it does tell you:
- It's the expected behavior that the POST request is sent without token. The bug is in Alfresco where the server shouldn't require it.
- It has been fixed in revision r46356 on HEAD

Starting from here, you can try to run a diff on r46356 and the previous version to see what have changed and see if you can produce a patch for your own version.

But all this is if it's actually the same problem.
If not you can still try to bypass your web proxy and directly reach your Alfresco server to see if your problem lies in your proxy configuration.

Good luck fixing your problem.

Re: CSRFFilter error in catalina.out

aweber1nj — Fri, 22 Feb 2013 16:19:39 GMT

I have reviewed all the tabs of that JIRA issue, and I can't find any identification of WHICH files were updated to fix this. I would've thought this would be documented somewhere in one of the "Work Log" or "Activity" tabs.

It references some kind of "list" that specifies POST requests not requiring this security. That would be interesting too (and might be the source code I'm looking for).

Thanks again for all the pointers.
-AJ

PS: I probably posted this in the "End Users" section of the forum erroneously. It's probably more apt for the Developers Discussions (in case any forum mods are looking and want to move this).

Re: CSRFFilter error in catalina.out

scouil — Mon, 25 Feb 2013 07:55:09 GMT

Hello,

Actually it is documented. He told you the revision it was fixed.
Now if you browse Alfresco svn log you'll see:
r46356 ewinlof 2013/02/07 2:42:39PM Fixed ALF-17872 "A user cannot start a workflow in Share UI." - Added start workflow to the list of POST requests that does NOT require a token (since it isn't a state changing request)

The only modified file is:
/alfresco/HEAD/root/projects/slingshot/config/alfresco/share-config.xml
This corresponds to:
<tomcat home>/webapps/share/WEB-INF/classes/alfresco/share-config.xml

I've attached the diff of what have been modified this version (renamed as txt of this forum wouldn't let me upload it)
The full file in its current version can be seen here: http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/slingshot/config/alfresco/share-config.xml

Good luck with your patching