topic Re: Multi-tenancy with https in Alfresco Forum

Multi-tenancy with https

jbrasil — Tue, 07 Jul 2020 14:45:28 GMT

Hi,
The tenant, does not want to work with https.
Have you seen the error below?

HTTP Status 500 - Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

type Exception report

message Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)
org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)
org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50

With best regards,
José Roberto.

Re: Multi-tenancy with https

afaust — Thu, 09 Jul 2020 07:37:33 GMT

You have not correctly configured the CSRF filter parameters in alfresco-global.properties. It looks though since you have already modified the csrf.filter.referer and csrf.filter.origin values to use your domain name, but you have not accounted for the http vs https difference on your reverse proxy. Since those two properties technically hold regular expressions, you should be able to work with the following values

csrf.filter.referer=^https?://app\.processoverde\.com\.br(?:$|/.+$)
csrf.filter.origin=^https?://app\.processoverde\.com\.br(?:$|/.+$)

Re: Multi-tenancy with https

jbrasil — Thu, 09 Jul 2020 20:23:05 GMT

Hi afaust Master,
I added the parameters in the global properties.

The same error occurred:

type Exception report

description The server encountered an internal error that prevented it from fulfilling this request.

exception

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50

See the catalina.out log

2020-07-09 17:17:15,429 INFO [webscripts.servlet.CSRFFilter] [http-nio-8080-exec-34] Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole
jul 09, 2020 5:17:15 PM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: Servlet.service() for servlet [apiServlet] in context with path [/alfresco] threw exception [Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)] with root cause
javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)
at org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)
at org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Anything else that can be done?
Thanks a lot!
José Roberto

Re: Multi-tenancy with https

afaust — Tue, 14 Jul 2020 07:35:41 GMT

It does not look like your configuration took effect - at least the error messages do not show that the configuration values I provided are being used.

Re: Multi-tenancy with https

jbrasil — Mon, 27 Jul 2020 19:56:58 GMT

Hi afaust,
I left the alfresco service.
Anything else that needs to be done?
Thanks a lot!
José Roberto.