https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292005#M245135 <HTML><HEAD></HEAD><BODY><SPAN>I did a search for this in the forums and I came to this </SPAN><A href="http://forums.alfresco.com/forum/installation-upgrades-configuration-integration/installation-upgrades/csrffilter-error" rel="nofollow noopener noreferrer">THREAD</A><SPAN> in that thread there is a link to a JIRA issue that was raised on it. Supposedly this was to be fixed in 4.2.d.</SPAN><BR /><BR /><SPAN>I'm having an issue using 4.2.d when trying to log in. Here is the exception that comes up.</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header '<A href="https://FQDN/share/page/" rel="nofollow noopener noreferrer">https://FQDN/share/page/</A>'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: '<A href="https://FQDN/share/page/" rel="nofollow noopener noreferrer">https://FQDN/share/page/</A>' vs server &amp;amp; context: <A href="http://127.0.0.1:8080/" rel="nofollow noopener noreferrer">http://127.0.0.1:8080/</A> (string) or FQDN:443 (regexp)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:920)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:310)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)<BR />&nbsp;&nbsp;&nbsp;at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:378)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:222)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:123)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:171)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:99)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:953)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)<BR />&nbsp;&nbsp;&nbsp;at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)<BR />&nbsp;&nbsp;&nbsp;at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1023)<BR />&nbsp;&nbsp;&nbsp;at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:589)<BR />&nbsp;&nbsp;&nbsp;at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:1810)<BR />&nbsp;&nbsp;&nbsp;at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)<BR />&nbsp;&nbsp;&nbsp;at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)<BR />&nbsp;&nbsp;&nbsp;at java.lang.Thread.run(Thread.java:724)<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><SPAN>I'm on linux 6.4 CentOS using apache as my ssl authentication. According to the JIRA link in the above link I mentioned there is some code to insert into share-config-custom.xml. I did so and put the referer (4 places) as my FQDN:443</SPAN><BR /><SPAN>My apache config looks like this…</SPAN><BR /><BR /><PRE class="language-none line-numbers"><CODE><BR />&lt;VirtualHost *:443&gt;<BR />&nbsp; ServerName FQDN<BR /><BR />&nbsp; SSLEngine on<BR />&nbsp; SSLCertificateKeyFile <BR />&nbsp; SSLCertificateFile <BR />&nbsp; SSLCACertificateFile omitted these lines from your view<BR /><BR /><BR />&nbsp; ProxyPass /paste <A href="http://192.168.3.125/paste/" rel="nofollow noopener noreferrer">http://192.168.3.125/paste/</A><BR />&nbsp; ProxyPassReverse /paste <A href="http://192.168.3.125/paste/" rel="nofollow noopener noreferrer">http://192.168.3.125/paste/</A><BR /><BR /><BR />&nbsp; ProxyPass / <A href="http://127.0.0.1:8080/" rel="nofollow noopener noreferrer">http://127.0.0.1:8080/</A><BR />&nbsp; ProxyPassReverse / <A href="http://127.0.0.1:8080/" rel="nofollow noopener noreferrer">http://127.0.0.1:8080/</A><BR /><BR /><BR />&nbsp; ProxyTimeout 300<BR />&nbsp; SSLProxyEngine on<BR /><BR />&nbsp; &lt;Proxy *&gt;<BR />&nbsp;&nbsp;&nbsp; allow from all<BR />&nbsp; &lt;/Proxy&gt;<BR /><BR />&lt;/VirtualHost&gt;<BR /><SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><BR /><BR /><SPAN>I'm wondering if anyone else is having this issue AND/OR why this is still happening if it was to be fixed in 4.2.d.</SPAN><BR /><BR /><SPAN>Any input on the resolution of this would be great. I'm wanting to move to 4.2.d from 4.2.c.</SPAN></BODY></HTML> Wed, 25 Sep 2013 17:23:59 GMT eswbitto 2013-09-25T17:23:59Z https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292005#M245135 I did a search for this in the forums and I came to this THREAD in that thread there is a link to a JIRA issue that was raised on it. Supposedly this was to be fixed in 4.2.d.I'm having an issue using 4.2.d when trying to log in. Here is the exception that comes up.javax.servlet.ServletException: Po Wed, 25 Sep 2013 17:23:59 GMT https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292005#M245135 eswbitto 2013-09-25T17:23:59Z https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292006#M245136 <HTML><HEAD></HEAD><BODY><SPAN>What doesn't make sense to me is that….when I first downloaded 4.2.d to install on the server. I installed the software. Configured it and it all worked with no problems whatsoever. I had to reboot the server and since that time I can not get 4.2.d to work. </SPAN><BR /><BR /><SPAN>I followed the instructions from </SPAN><A href="http://blogs.alfresco.com/wp/ewinlof/2013/03/11/introducing-the-new-csrf-filter-in-alfresco-share/" rel="nofollow noopener noreferrer">HERE</A><SPAN> with no success. I'm scratching my head and running out of ideas to try.</SPAN><BR /><BR /></BODY></HTML> Thu, 26 Sep 2013 17:12:52 GMT https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292006#M245136 eswbitto 2013-09-26T17:12:52Z https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292007#M245137 <HTML><HEAD></HEAD><BODY><SPAN>Solved:</SPAN><BR /><SPAN>The referer I was using was slightly not correct. It is working perfectly now. See the attached txt file.</SPAN><BR /><BR /></BODY></HTML> Thu, 26 Sep 2013 20:24:06 GMT https://connect.hyland.com/t5/alfresco-archive/possible-csrf-attack-noted-when-asserting-referer-header/m-p/292007#M245137 eswbitto 2013-09-26T20:24:06Z