topic Re: Alfresco 5 community edition CSRF error when using load balancer in AWS in Alfresco Forum

Alfresco 5 community edition CSRF error when using load balancer in AWS

samis — Wed, 11 Nov 2020 14:54:30 GMT

Hey!

We are having an issue with Alfresco 5 community edition and CSRF protection. We are trying to deploy Alfresco into AWS where a load balancer is forwarding the traffic to Alfresco.

As you can see from this error the issue seems to be that we are using https when connecting to the load balancer and alfresco is configured to use http.

javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://ourdomain/alfresco/s/admin/admin-nodebrowser'. Request: POST /alfresco/s/admin/admin-nodebrowser, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-nodebrowser :: referer: 'https://ourdomain/alfresco/s/admin/admin-nodebrowser' vs server & context: http://ourdomain/ (string) or  (regexp)

I found this file which contains some configurations related to CSRF (web-scripts-config-custom.xml)

<alfresco-config>
    <config evaluator="string-compare" condition="CSRFPolicy">
        <filter>
            <rule>
                <request>
                    <method>GET</method>
                    <path>/service/admin/.*</path>
                </request>
                <action name="generateToken">
                    <param name="session">{token}</param>
                    <param name="cookie">{token}</param>
                </action>
            </rule>
            <rule>
                <request>
                    <method>GET</method>
                    <path>/s/admin/.*</path>
                </request>
                <action name="generateToken">
                    <param name="session">{token}</param>
                    <param name="cookie">{token}</param>
                </action>
            </rule>
        </filter>
    </config>
</alfresco-config>

So my question is that can I configure Alfresco to ignore the difference between http and https or should I rather just try to configure Alfresco to use https? (I am not sure how to approach the https solution, should the load balancer and alfresco use the same certificate?)

If there is any more information I can give or if I didn't explain this well enought please let me know.

(also sorry if this is the wrong forum section, I wasn't able to find any description what should go where)

Re: Alfresco 5 community edition CSRF error when using load balancer in AWS

abhinavmishra14 — Fri, 13 Nov 2020 16:41:04 GMT

If loadbalancer is configured to use https, you should check and setup https configs. The error might be due to that.

here is a doc: https://docs.alfresco.com/5.2/tasks/configure-ssl-prod.html

You can also try disabling the CSRF, add the following in share config and try again:

 <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
        <filter/>
</config>

you can also disable CSRF via alfresco-global.properties by adding following property:

csrf.filter.enabled=false

You can find the documentation about CSRF here: https://docs.alfresco.com/5.2/concepts/csrf-policy.html

Re: Alfresco 5 community edition CSRF error when using load balancer in AWS

samis — Tue, 17 Nov 2020 13:37:56 GMT

Thanks for the reply!

I started by going throught the ssl article and configuring our aws load balancer according to this article https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

Unfortunately that didn't make any difference, we were still using Alfresco via https, and going to the node browser gave the same error.

Adding csrf.filter.enabled=false to our alfresco-global.properties didn't do anything, but adding the xml you suggested into the web-scripts-config-custom.xml file did disable the CSRF checks and our systems are now working.

I will leave it disabled for now as the aws version is not live yet, but I might need to return to this later after we evaluate if the CSRF protection is necessary.

Re: Alfresco 5 community edition CSRF error when using load balancer in AWS

abhinavmishra14 — Tue, 17 Nov 2020 14:33:33 GMT

@samis wrote:

Thanks for the reply!

I started by going throught the ssl article and configuring our aws load balancer according to this article https://aws.amazon.com/premiumsupport/knowledge-center/elb-redirect-http-to-https-using-alb/

Unfortunately that didn't make any difference, we were still using Alfresco via https, and going to the node browser gave the same error.

Adding csrf.filter.enabled=false to our alfresco-global.properties didn't do anything, but adding the xml you suggested into the web-scripts-config-custom.xml file did disable the CSRF checks and our systems are now working.

I will leave it disabled for now as the aws version is not live yet, but I might need to return to this later after we evaluate if the CSRF protection is necessary.

Did you configured the steps given in this documentation to configure SSL on alfresco/share hosts?

Check the step5 which has instructions about some properties that needs to be set.

Re: Alfresco 5 community edition CSRF error when using load balancer in AWS

samis — Wed, 18 Nov 2020 08:15:43 GMT

Yeah we have made those configurations in step 5, and I think they allow us to use Alfresco via https (it seems to work fine otherwise except for the CSRF error). We set these properties to alfresco via JAVA_OPTS.

alfresco.context=alfresco
alfresco.host=ourdomain.com
alfresco.port=443
alfresco.protocol=https
share.context=share
share.host=ourdomain.com
share.port=443
share.protocol=https
opencmis.context.override=false
opencmis.context.value=
opencmis.servletpath.override=false
opencmis.servletpath.value=
opencmis.server.override=true
opencmis.server.value=https://ourdomain.com
aos.baseUrlOverwrite=https://ourdomain.com/alfresco/aos

edit: fixed line breaks in code block