
while I am submitting a form with post i am getting error of CSRF.

vikash_patel
Star Contributor

Hi,

I have created a dashlet which contains a form.


<!-- Dashlet form: posts straight back to the user's dashboard page -->
<form id="${el}-form" action="${url.context}/page/user/${context.user.id}/dashboard" method="post">

<b><label>${msg("label.name")}</label></b><input type="text" name="leadName" required="required"/>
<b><label>${msg("label.contactNo")}</label></b><input type="text" name="leadContactNo" pattern=".{10,10}" title="Please Enter Valid Number" maxlength="10" required="required"/>
<b><label>${msg("label.address")}</label></b><textarea rows="3" cols="10" name="leadAddress" required="required"></textarea>

<input type="reset" id="${el}-resetButton" value="${msg('resetButton.buttonLabel')}" tabindex="0"/>

<input type="submit" id="${el}-submitButton" value="${msg('submitButton.buttonLabel')}" tabindex="0"/>

</form>


Everything works fine with the GET method, but when I change it to POST and submit the form, the browser shows this error:

Something's wrong with this page...
We may have hit an error or something might have been removed or deleted, so check that the URL is correct.


I am getting this error in the console:

2016-12-13 13:15:38,894 INFO [site.servlet.CSRFFilter] [http-apr-8080-exec-5] Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard
Dec 13, 2016 1:15:38 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard] with root cause
javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard
at org.alfresco.web.site.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:827)
at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:450)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
2016-12-13 13:15:38,902 ERROR [alfresco.web.site] [http-apr-8080-exec-5] javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard


How do I solve this? Please help.

Thanks.

1 ACCEPTED ANSWER

afaust
Legendary Innovator

Or even better: Add a client-side UI component (YUI or Aikau) and do a regular JSON Ajax call via the proxy servlet (/share/proxy/alfresco/) without putting a custom web script in the middle. The proxy servlet already does a very fine job of properly forwarding any request to the Repository-tier, and both YUI / Aikau Ajax services already take care of required CSRF tokens in the request headers.

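The check named in the log line ("comparing token in session and request header"), as an added example that is not part of this thread and not Alfresco's own code: a small model of the double-submit comparison that Share's CSRFFilter performs, run against the three requests the thread discusses (the form submitted with GET, the same form submitted with POST, and a JSON Ajax call through /share/proxy/alfresco/ that carries the token header). It assumes Share's default CSRFPolicy token name, "Alfresco-CSRFToken", for the session attribute, cookie and header; the session, cookie string, token value and request objects are all constructed for the example.

```javascript
// Added example: model of Share's CSRF token check (not Alfresco's code).
// Assumption: the token lives in a session attribute, is mirrored in a cookie
// and must be echoed back in a request header, all named "Alfresco-CSRFToken"
// (Share's default CSRFPolicy). Everything else here is constructed.

const TOKEN_NAME = "Alfresco-CSRFToken";

// Parse a document.cookie-style string ("a=1; b=2") into a map.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of cookieHeader.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// What the YUI/Aikau Ajax services do before sending: copy the token cookie
// into a request header so the server can compare it with its session copy.
function buildAjaxRequest(method, url, cookieHeader, body) {
  const cookies = parseCookies(cookieHeader);
  const headers = { "Content-Type": "application/json" };
  if (cookies[TOKEN_NAME]) headers[TOKEN_NAME] = cookies[TOKEN_NAME];
  return { method, url, headers, cookies, body: JSON.stringify(body) };
}

// What a bare <form method="post"> sends: cookies travel automatically,
// but a form submission cannot attach custom headers, so no token header.
function buildFormPost(url, cookieHeader, fields) {
  return {
    method: "POST",
    url,
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    cookies: parseCookies(cookieHeader),
    body: new URLSearchParams(fields).toString(),
  };
}

// Constant-time string comparison so the check does not leak the token.
function timingSafeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Model of the filter: safe (non-state-changing) methods pass; everything
// else must present a header token equal to the session token.
function assertCsrfToken(session, request) {
  const safeMethods = new Set(["GET", "HEAD", "OPTIONS"]);
  if (safeMethods.has(request.method)) return { allowed: true };
  const expected = session[TOKEN_NAME];
  const presented = request.headers[TOKEN_NAME];
  if (!expected || !presented || !timingSafeEqual(expected, presented)) {
    return {
      allowed: false,
      reason: "Possible CSRF attack noted when comparing token in session and request header. Request: "
        + request.method + " " + request.url,
    };
  }
  return { allowed: true };
}

// Constructed scenario: one logged-in Share session whose token is "t0k3n".
const session = { [TOKEN_NAME]: "t0k3n" };
const browserCookies = "JSESSIONID=abc123; " + TOKEN_NAME + "=t0k3n";

function scenario() {
  const lead = { leadName: "Jane", leadContactNo: "0123456789", leadAddress: "1 High St" };
  const formGet = {
    method: "GET", url: "/share/page/user/admin/dashboard",
    headers: {}, cookies: parseCookies(browserCookies),
  };
  const formPost = buildFormPost("/share/page/user/admin/dashboard", browserCookies, lead);
  const ajaxPost = buildAjaxRequest("POST", "/share/proxy/alfresco/test/myCustomRepoWebscript",
    browserCookies, lead);
  return {
    formGet: assertCsrfToken(session, formGet),   // allowed: GET is treated as safe
    formPost: assertCsrfToken(session, formPost), // rejected: no token header
    ajaxPost: assertCsrfToken(session, ajaxPost), // allowed: header matches session
  };
}

console.log(JSON.stringify(scenario(), null, 2));
```

The model checks only the header, which is the comparison the stack trace names; it reproduces the thread's symptom exactly: the GET submission passes because the filter skips safe methods, the POST form submission fails because a browser form cannot set the token header, and the Ajax call passes because the cookie value was copied into the header before sending, which is what the YUI and Aikau Ajax services the answer refers to do on your behalf.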

8 REPLIES

ddraper
World-Class Innovator

Could you explain what it is you're trying to do exactly? It looks like you're trying to POST to a dashboard page? I'm not sure if that's going to work - what are you expecting to happen to the data that is being sent (i.e. what do you have that is going to handle it?)

A CSRF error usually means that you're trying to POST to a different location from the host page - but that doesn't look to be the case from the code sample that you've shared.

Thanks for your reply, Dave.
This is the code of my dashlet's JavaScript file:

// Surf web script controller for the dashlet (runs server-side in Share)
function main() {
  // With method="get" the form fields arrive as URL arguments of the page request
  var leadName = page.url.args["leadName"];
  var leadContactNo = page.url.args["leadContactNo"];
  var leadAddress = page.url.args["leadAddress"];
  // Guard against missing as well as empty values
  if (leadName && leadContactNo && leadAddress) {
    var mylink = encodeURI("/test/myCustomRepoWebscript?leadName=" + leadName
      + "&leadContactNo=" + leadContactNo + "&leadAddress=" + leadAddress);
    // Call the Repository-tier web script through the "alfresco" endpoint
    var connector = remote.connect("alfresco");
    var userDetail = connector.get(mylink);
    if (userDetail.status == 200) {
      // Parse the JSON body of the response
      var peopleObject = jsonUtils.toObject(userDetail.response);
    } else {
      model.bodytext = "some error";
    }
  }
}
main();

I want to submit data to the repository by using a web script with the required parameters; while submitting the form, this code calls a repo web script.
When I submit the form with method "get" it works fine, but when I try to submit the form with "post" I get the above error.

ddraper
World-Class Innovator

It looks like you're trying to post to a different server which would be a violation of CSRF policy. You should read up on CSRF on Wikipedia - in particular the section on "HTTP verbs and CSRF" which explains why GET requests are allowed (essentially because they should be "safe" and not change state).

It is possible to disable the CSRF filters in Share but I would strongly recommend against that as it will introduce potential security vulnerabilities into your application. It is also possible to configure allowed URLs which you may have a valid case for if you are controlling both locations (where you're posting from and where you're posting to)

Vikash Patel, if I understand correctly, from your Share presentation-tier web script's controller you are trying to make a call to the repository's POST web script. Try using Connector.post instead of Connector.get and see if it works for you.


Thanks, Axel.
I will try to do a regular JSON Ajax call.

Hi Axel,
I have tried calling a repo web script using AJAX and it is working now.

Thanks.

Thanks, Ramesh sir.
I have tried it using connector.post, but I am still getting the same error.