
CSRFFilter error in catalina.out

aweber1nj
Champ in-the-making
Running some tests with 4.2.d, and we have a web proxy in front of tomcat on linux. When we tried to use the default action to start a workflow, it threw this CSRFTokenFilter error: "Possible CSRF attack noted when comparing token in session and request header…"

Is there a specific header that maybe I need to explicitly tell my proxy to pass back and forth between tomcat and the client? I haven't been able to locate the java source code thus far, and thought maybe someone would have seen this already and know what it takes to get it working.

Thanks,
AJ

scouil
Star Contributor
Hello,

Is it the same problem as described here?
https://issues.alfresco.com/jira/browse/ALF-17872

aweber1nj
Champ in-the-making
However, that issue indicates it's fixed in 4.1.4, and I'm reporting this issue against 4.2 (Community). So it may have re-appeared.

Either way, the JIRA article doesn't tell me WHY it is happening or give any information about how to fix it or pass any necessary headers that the servlet filter might be looking for. And I still can't find the source code for that filter, or I might be a little further along.

Thanks,
AJ

scouil
Star Contributor
Hello aweber,

Actually I don't think it's a regression. It was fixed about 2 weeks ago and may not have been ported to the community version code yet.
And no, it doesn't directly tell you how to fix it.

However what it does tell you:
- It's the expected behavior that the POST request is sent without a token. The bug is in Alfresco, where the server shouldn't require it.
- It has been fixed in revision r46356 on HEAD.

Starting from here, you can try to run a diff between r46356 and the previous revision to see what has changed and see if you can produce a patch for your own version.

But all this is if it's actually the same problem.
If not, you can still try to bypass your web proxy and reach your Alfresco server directly to see if your problem lies in your proxy configuration.

Good luck fixing your problem.

aweber1nj
Champ in-the-making
I have reviewed all the tabs of that JIRA issue, and I can't find any identification of WHICH files were updated to fix this. I would've thought this would be documented somewhere in one of the "Work Log" or "Activity" tabs.

It references some kind of "list" that specifies POST requests not requiring this security.  That would be interesting too (and might be the source code I'm looking for).

Thanks again for all the pointers.
-AJ

PS: I probably posted this in the "End Users" section of the forum erroneously. It's probably more apt for the Developers Discussions (in case any forum mods are looking and want to move this).

scouil
Star Contributor
Hello,

Actually, it is documented. He told you the revision in which it was fixed.
Now if you browse the Alfresco svn log you'll see:
r46356    ewinlof    2013/02/07 2:42:39PM    Fixed ALF-17872 "A user cannot start a workflow in Share UI." - Added start workflow to the list of POST requests that does NOT require a token (since it isn't a state changing request)

The only modified file is:
/alfresco/HEAD/root/projects/slingshot/config/alfresco/share-config.xml
This corresponds to:
<tomcat home>/webapps/share/WEB-INF/classes/alfresco/share-config.xml

I've attached the diff of what has been modified in this revision (renamed as txt, as this forum wouldn't let me upload it).
The full file in its current version can be seen here: http://svn.alfresco.com/repos/alfresco-open-mirror/alfresco/HEAD/root/projects/slingshot/config/alfr...

Good luck with your patching.
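As an added illustration that is not Alfresco's code and not part of this thread, the following Python models the decision the filter makes as the thread describes it: the session/header token comparison, an allow-list of non-state-changing POST paths that skip the check (as the ALF-17872 fix did for start-workflow), and a reverse proxy that strips the header. The header name and the start-workflow path are assumptions.

```python
"""Constructed model of the CSRF token check this thread describes; it is
not Alfresco's CSRFFilter, and the header name and path are assumptions."""
from dataclasses import dataclass, field
import hmac

TOKEN_HEADER = "Alfresco-CSRFToken"          # assumed header name
# Stand-in for the share-config.xml list of POST requests that do not need
# a token; the fix for ALF-17872 added "start workflow" to that list.
TOKEN_EXEMPT_POSTS = {"/share/page/start-workflow"}  # assumed path


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)


def csrf_check(session_token, req, exempt=TOKEN_EXEMPT_POSTS):
    """Return (allowed, reason) in the filter's decision order: safe methods
    pass, allow-listed POST paths pass, anything else needs a header token
    equal to the session token (constant-time compare)."""
    method = req.method.upper()
    if method not in ("POST", "PUT", "DELETE"):
        return True, "safe method"
    if method == "POST" and req.path in exempt:
        return True, "exempt non-state-changing POST"
    header = req.headers.get(TOKEN_HEADER)
    if header is None:
        return False, "token header missing: check the proxy forwards it"
    if session_token is None or not hmac.compare_digest(header, session_token):
        return False, "Possible CSRF attack: session/header token mismatch"
    return True, "token matched"


def through_proxy(req, dropped=(TOKEN_HEADER,)):
    """Model a reverse proxy that strips custom headers, the failure mode
    the original poster suspected."""
    kept = {k: v for k, v in req.headers.items() if k not in dropped}
    return Request(req.method, req.path, kept)


if __name__ == "__main__":
    tok = "s3ss10n-t0k3n"                       # constructed session token
    print(csrf_check(tok, Request("POST", "/share/page/start-workflow")))
    upload = Request("POST", "/share/proxy/alfresco/api/upload",
                     {TOKEN_HEADER: tok})
    print(csrf_check(tok, upload))
    print(csrf_check(tok, through_proxy(upload)))
```

The third call reproduces the symptom from the first post: a proxy that drops the token header turns an otherwise valid state-changing POST into a rejection, while the exempt start-workflow POST passes without any token.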