12-14-2020 07:50 AM
Hi Team,
The application security team wants to allow only the GET and POST methods on any page.
For that I have tried the options below:
1. Added CORS config in alfresco-global.properties file
# HTTP method names are case-sensitive, so list them in upper case
cors.enabled=true
cors.allowed.methods=GET,POST
2. Enabled CORS config in web.xml (tomcat/webapps/alfresco/WEB-INF)
<!-- CORS Filter Begin -->
<filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    <init-param>
        <param-name>cors.allowGenericHttpRequests</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowOrigin</param-name>
        <!-- <param-value>http://localhost:8081</param-value> -->
        <param-value>*</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowSubdomains</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedMethods</param-name>
        <param-value>GET, POST</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportedHeaders</param-name>
        <param-value>origin, authorization, x-file-size, x-file-name, content-type, accept, x-file-type</param-value>
    </init-param>
    <init-param>
        <param-name>cors.supportsCredentials</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>cors.maxAge</param-name>
        <param-value>3600</param-value>
    </init-param>
</filter>
<!-- CORS Filter End -->

<!-- CORS Filter Mappings Begin -->
<filter-mapping>
    <filter-name>CORS</filter-name>
    <url-pattern>/api/*</url-pattern>
    <url-pattern>/service/*</url-pattern>
    <url-pattern>/s/*</url-pattern>
    <url-pattern>/cmisbrowser/*</url-pattern>
</filter-mapping>
<!-- CORS Filter Mappings End -->
3. Added a security constraint in web.xml (tomcat/conf)
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>DELETE</http-method>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
        <http-method>PUT</http-method>
    </web-resource-collection>
    <auth-constraint />
</security-constraint>
None of the above-mentioned configurations helped to achieve the required result.
Has anyone configured the same?
Attached is a screenshot from the Burp Suite tool.
Thanks,
Hardik
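An added example, not code from the original post or from Alfresco: a Servlet 3.0+ security constraint that denies every HTTP method except GET and POST. Two points a practitioner would check first. The CORS filter and the `cors.allowed.methods` property only govern cross-origin requests made by a browser; a proxy such as Burp sends requests directly, so no CORS setting can stop a PUT or DELETE from it. And a constraint that lists `<http-method>` elements only covers the methods it names, so HEAD, PATCH, PROPFIND and any made-up verb still reach the application. Using `<http-method-omission>` inverts the list: the constraint applies to every method that is not listed, and the empty `<auth-constraint/>` means no role can satisfy it, so Tomcat answers 403 Forbidden. It assumes the web.xml this goes into declares Servlet version 3.0 or later (Tomcat 7 and newer); the path in the comment is the one from the post.

```xml
<!-- Added example (not from the original post). Place inside the existing
     <web-app ...> root of tomcat/webapps/alfresco/WEB-INF/web.xml; the
     root's version attribute must be 3.0 or later for http-method-omission. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>Only GET and POST are allowed</web-resource-name>
        <url-pattern>/*</url-pattern>
        <!-- Methods listed here are EXEMPT from the constraint. Everything else
             (HEAD, PUT, DELETE, OPTIONS, TRACE, PATCH, PROPFIND, unknown verbs)
             is covered by it. -->
        <http-method-omission>GET</http-method-omission>
        <http-method-omission>POST</http-method-omission>
    </web-resource-collection>
    <!-- Empty auth-constraint: no role satisfies it, so covered requests get 403. -->
    <auth-constraint />
</security-constraint>
```

After restarting Tomcat, verify from outside the browser, for example with `curl -i -X PUT http://host:8080/alfresco/` and `curl -i -X PROPFIND http://host:8080/alfresco/`, which should both return 403, while a plain GET still returns the normal response. Two caveats: denying OPTIONS also denies CORS preflight, so cross-origin browser clients of the repository API will stop working, which is consistent with the stated requirement but worth confirming with the team; and if any client relies on HEAD, add a third `<http-method-omission>HEAD</http-method-omission>` line rather than widening the list further.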