Cannot configure CSRF origin server for Admin console post requests

kevinoudot
Champ in-the-making

Hello,

I have difficulties setting the CSRF policy to work with the admin console (for example, the workflow console when typing "help"). I first encountered this problem with Share and found in the documentation that I had to modify the share-config-custom.xml file. I made the change and it's working perfectly.
But now, I tried to use any of the "admin console" pages (/alfresco/s/admin/admin-workflowconsole), and I get the same issue. I looked in the forum and found this topic, Workflow admin console doesn't work: Possible CSRF attack noted, which seems too old to be relevant, as things should have been patched. I'm using Alfresco free Community Edition 6.6.

 Possible CSRF attack noted when asserting referer header 'https://XXXX/alfresco/s/admin/admin-workflowconsole'. Request: POST /alfresco/s/admin/admin-workflowconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-workflowconsole :: referer: 'https://XXXX/alfresco/s/admin/admin-workflowconsole' vs server & context: http://YYYY:8080/ (string) or (regexp)

The "YYYY" server & context is certainly based on the "hostname" value on CentOS, which I cannot change, but I'm using an Apache in front of the Tomcat to manage the requests and redirect from a specific DNS name "XXXX".

I tried to add some filters in the XML such as

<rule>
    <request>
        <method>POST</method>
        <path>/alfresco/s/admin/(\?.+)?</path>
    </request>
    <action name="assertReferer">
        <param name="referer">{referer}</param>
        <param name="referer">https://XXXX/.*</param>
    </action>
    <action name="assertOrigin">
        <param name="origin">{origin}</param>
        <param name="origin">https://XXXX</param>
    </action>
</rule>



But I don't think I got how it works... 

Could you give me some hints, please?

6 REPLIES

afaust
Legendary Innovator

Check Cross-Site Request Forgery (CSRF) filters for repository | Alfresco Documentation  - the configuration for the Repository-tier CSRF has been simplified with Alfresco 6.0. You need to provide valid regex-patterns for referrer and origin which cover both the public address with which users access Alfresco via the frontend proxy, and the local address, if some admin may be accessing Tomcat directly. This also includes configuring the pattern for different protocols and ports, if there may be differences.

kevinoudot
Champ in-the-making

Hi,

Thank you for your answer. I already tried something like that, but it still doesn't work.
I also tried to disable the CSRF filtering for testing. But setting "csrf.filter.enabled=false" in the alfresco-global.properties doesn't work. I still get "Possible CSRF attack" when sending the form from admin consoles.

In the error, the "vs server & context: http://hostname:8080/ (string) or (regexp)" remains the same no matter what I configure in the .properties file

Do you have any idea how to fix this please ?

kevinoudot
Champ in-the-making

Hi !

Okay, it's weird, but only this configuration in alfresco-global.properties seems to work:

# CSRF filter overrides
csrf.filter.enabled=false

If I leave it true and add something like this:

# CSRF filter overrides
csrf.filter.enabled=true
csrf.filter.referer=https://mywensote.fr/*.
csrf.filter.referer.always=false
csrf.filter.origin=https://mywebsite.fr
csrf.filter.origin.always=false

It's not taken into account. The origin remains the machine name and not the DNS name...

By the way, configuring this in the .properties file doesn't fix the CSRF policy for Alfresco Share. To be able to use the forms (for login, for example) in Share, I still need to configure alfresco/web-extension/share-config-custom.xml.

At this point, I don't understand why it's working with Share via alfresco/web-extension/share-config-custom.xml and why it needs to be "disabled" for the admin console. Moreover, I don't think it's secure then, considering it's for the admin console...

Is this a bug ?

afaust
Legendary Innovator

Repository and Share are separate applications, and Share does not use alfresco-global.properties. That is the reason you have to separately configure CSRF in the share-config-custom.xml file.

I am not sure what the problem is in your case. Configuring Repository CSRF via alfresco-global.properties works perfectly in all Alfresco 6.x versions I have worked with so far - Community and Enterprise, Docker-ified or plain Tomcat setups.

I don't know how you have set up your Alfresco installation, but I would first make sure that your alfresco-global.properties is actually being used / loaded. Change some other, non-CSRF configuration and see if that has any effect after a restart. Check catalina.properties in the Tomcat conf directory to see if it correctly includes the shared/classes folder in its shared.loader setting. Make sure that there are no environment variables or -D parameters passed to the Java application that could override your settings.

kevinoudot
Champ in-the-making

Hello,

Ok, now I understand clearly how Share works with properties and why the XML "share-config-custom" is not applied to all Alfresco forms.

Nevertheless, I can confirm my alfresco-global.properties file is used and loaded fine. For example, changing the database connection information gives me this message at the index of Alfresco:

Cannot find Alfresco Repository on this server. (Does this application have access to alfresco-global.properties? Does this application have cross-context permissions?)

Moreover, using this line allows me to fix the problem with the form:

csrf.filter.enabled=false

Confirming again that the alfresco-global.properties file is loaded.

The problem is, when this filter is enabled (set to true), the other CSRF filters are not taken into account:

csrf.filter.referer=https://mywensote.fr/*.
csrf.filter.referer.always=false
csrf.filter.origin=https://mywebsite.fr
csrf.filter.origin.always=false

It's only working when csrf.filter.enabled is set to false.

There is no -D option in the java args nor environment variables to override this setting and the catalina shared.loader is well configured !

Thanks for your help!

afaust
Legendary Innovator

Then the only other option to explain the problem is that the values for your configuration of referer and origin patterns are incorrect. The values are supposed to be regex patterns, so characters like . and * have special meaning. The values I typically use for these properties look like this:

^https?://my\.host\.tld(?:$|/.+$)

though quite often they are even more complex to deal with private / public access, e.g. access directly via Tomcat and access via a user-facing web server acting as a proxy. E.g. like this:

^https?://(my\.host\.tld|(196\.168\.0\.13|localhost):8080)(?:$|/.+$)
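The following is an added checker, not code from the thread or from Alfresco: it runs the two regexes from the reply above, plus a glob-style value of the shape the original poster used (host name substituted with an assumed one), against constructed Referer/Origin header values and reports which a CSRF filter would accept. It assumes whole-value matching, i.e. the semantics of java.util.regex Matcher.matches(); Python's re.fullmatch gives the same answers for these patterns. The host names, the local Tomcat address and the look-alike attacker host are assumptions for illustration.

```python
import re

# Constructed sample header values (not from the original thread) for a
# deployment reached publicly as https://my.host.tld through a reverse proxy
# and directly on Tomcat as http://localhost:8080. Origin headers carry no path.
SAMPLES = {
    "referer via proxy": "https://my.host.tld/alfresco/s/admin/admin-workflowconsole",
    "origin via proxy":  "https://my.host.tld",
    "referer direct":    "http://localhost:8080/alfresco/s/admin/admin-workflowconsole",
    "origin direct":     "http://localhost:8080",
    "lookalike host":    "https://my.host.tld.evil.example/alfresco/s/admin/admin-workflowconsole",
    "other site":        "https://evil.example/attack.html",
}

# Candidate values for csrf.filter.referer / csrf.filter.origin.
# "glob-style" has the shape the poster used (a glob, not a regex), applied to the
# assumed host; the other two are the regexes from the reply above.
PATTERNS = {
    "glob-style":     r"https://my.host.tld/*.",
    "public only":    r"^https?://my\.host\.tld(?:$|/.+$)",
    "public + local": r"^https?://(my\.host\.tld|(196\.168\.0\.13|localhost):8080)(?:$|/.+$)",
}


def header_matches(pattern: str, value: str) -> bool:
    """Whole-value match, assumed to mirror java.util.regex Matcher.matches().

    re.fullmatch is used rather than re.search so that a pattern without
    anchors cannot be satisfied by a substring of an attacker-chosen host.
    """
    return re.fullmatch(pattern, value) is not None


def evaluate(pattern: str) -> dict:
    """Return {sample name: accepted?} for one candidate pattern."""
    return {name: header_matches(pattern, value) for name, value in SAMPLES.items()}


def print_report() -> None:
    for pname, pattern in PATTERNS.items():
        print(f"\n{pname}: {pattern}")
        for sname, accepted in evaluate(pattern).items():
            print(f"  {'ALLOW' if accepted else 'reject':6}  {sname}")


if __name__ == "__main__":
    print_report()
```

Running it shows why a glob-style value cannot work: in a regex `/*.` means "any number of slashes followed by exactly one character", so it rejects every Origin value (no character after the host) and every real Referer path, which matches the "nothing is taken into account" symptom. The "public only" regex accepts the proxied Referer and Origin but rejects direct Tomcat access, and "public + local" accepts both; neither accepts `my.host.tld.evil.example`, because after the host only end-of-string or a `/` is allowed, which is the reason for the `(?:$|/.+$)` suffix rather than a bare `.*`.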