topic Re: Cannot configure CSRF origin server for Admin console post requests in Alfresco Forum

Cannot configure CSRF origin server for Admin console post requests

kevinoudot — Tue, 19 Mar 2019 15:21:01 GMT

Hello,I have difficulties setting the CSRF policy to work with the admin console (for exemple, the workflow console when typing "help" for exemple"). I first encountered this problem with share and find out in the documentation to modify the share-config-custom.xml file. I did the change and it's wo

Re: Cannot configure CSRF origin server for Admin console post requests

afaust — Wed, 20 Mar 2019 20:38:40 GMT

Check Cross-Site Request Forgery (CSRF) filters for repository | Alfresco Documentation - the configuration for the Repository-tier CSRF has been simplified with Alfresco 6.0. You need to provide valid regex-patterns for referrer and origin which cover both the public address with which users access Alfresco via the frontend proxy, and the local address, if some admin may be accessing Tomcat directly. This also includes configuring the pattern for different protocols and ports, if there may be differences.

Re: Cannot configure CSRF origin server for Admin console post requests

kevinoudot — Wed, 27 Mar 2019 13:59:42 GMT

Hi,

thank you for your answer. I already tried something like that, but still it doesn't work.
I also tried to disable the CSRF filtering for testing. But setting "csrf.filter.enabled=false" in the alfresco-global.properties doesn't work. I still get "Possible CSRF attack" when sending the form from admin consoles.

In the error, the "vs server & context: http://hostname:8080/ (string) or (regexp)" remains the same no matter what I configure in the .properties file

Do you have any idea how to fix this please ?

Re: Cannot configure CSRF origin server for Admin console post requests

kevinoudot — Fri, 29 Mar 2019 10:40:46 GMT

Hi !

Okay, it's weird but only this configuration in alfresco-global.properties seems to work :

# CSRF filter overrides
csrf.filter.enabled=false

If I let it true, and add something like that :

# CSRF filter overrides
csrf.filter.enabled=true
csrf.filter.referer=https://mywensote.fr/*.
csrf.filter.referer.always=false
csrf.filter.origin=https://mywebsite.fr
csrf.filter.origin.always=false

It's not taken into account. The origin remains the machine name and not the DNS name ...

By the way, configuring this in the .properties file doesn't fix the CSRF policy with "alfresco share". To be able to use the forms (for login for example) in share, I still need to configure alfresco/web-extension/share-config-custom.xml

At this point, I don't understand the why it"s working with share with alfresco/web-extension/share-config-custom.xml and why it needs to be "disabled" for the admin console. Moreover, I don't think it's secure then considering it's for admin console...

Is this a bug ?

Re: Cannot configure CSRF origin server for Admin console post requests

afaust — Mon, 08 Apr 2019 21:43:44 GMT

Repository and Share are separate applications, and Share does not use alfresco-global.properties. That is the reason you have to separately configure CSRF in the share-config-custom.xml file.

I am not sure what is the problem in your case. Configuring Repository CSRF via alfresco-global.properties works perfectly in all Alfresco 6.x version I have worked with so far - Community and Enterprise, Docker-ified or plain Tomcat setups.

I don't know how you have set up your Alfresco installation, but I would first make sure that your alfresco-global.properties is actually being used / loaded. Change some other, non-CSRF configuration and see if that has any effect on a restart. Check catalina.properties in the Tomcat conf directory if it correctly includes the shared/classes folder in its shared.loader setting. Make sure that there are not environment variables or -D parameters passed to the Java application that could override your settings.

Re: Cannot configure CSRF origin server for Admin console post requests

kevinoudot — Tue, 09 Apr 2019 09:11:18 GMT

Hello,

Ok, now I understand clearly how share works with properties and why the xml "share-config-custom" is not applied to all alfresco forms.

Nevertheless, I can confirm my alfresco-global.properties file is used and loaded fine. For exemple, changing the database connection information for example give me this message at the index of alfresco :

Cannot find Alfresco Repository on this server. (Does this application have access to alfresco-global.properties? Does this application have cross-context permissions?)

Moreover, using this line allow me to fix the problem with the form :

csrf.filter.enabled=false

Confirming again that the alfresco-global.properties file is loaded.

The problem is, when this filter is enabled (set to true), this is not taking into account the other CSRF filters :

csrf.filter.referer=https://mywensote.fr/*.
csrf.filter.referer.always=false
csrf.filter.origin=https://mywebsite.fr
csrf.filter.origin.always=false

It's only working when csrf.filter.enabled is set to false.

There is no -D option in the java args nor environment variables to override this setting and the catalina shared.loader is well configured !

thanks for your help !

Re: Cannot configure CSRF origin server for Admin console post requests

afaust — Tue, 09 Apr 2019 12:03:20 GMT

Then the only other option to explain the problem is that the values for your configuration of referer and origin patterns are incorrect. The values are supposed to be regex patterns, so characters like . and * have special meaning. The values I typically use for these properties look like this:

^https?://my\.host\.tld(?:$|/.+$)

though quite often they are even more complex to deal with private / public access, e.g. access directly via Tomcat and access via a user-facing web server acting as a proxy. E.g. like this:

^https?://(my\.host\.tld|(196\.168\.0\.13|localhost):8080)(?:$|/.+$)