
CSRFFilter error: mod_proxy and alfresco 4.2.d: login to share fails (solved)

wurstgelee
Champ in-the-making
Hi everyone!

I've been digging around this for several hours now and I'm not sure whether this is a general problem or a problem of my mod_proxy configuration:

Steps to reproduce:

- install alfresco community 4.2.d (on centos x64) with default options, only using mysql instead of postgresql (latest nightly build)
- configure apache httpd as reverse proxy, relevant config:


<VirtualHost *:80>
Servername docsdev.mydomain.de
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>


<VirtualHost 172.27.25.4:443>
  ServerName docsdev.mydomain.de
  DocumentRoot /opt/alfresco-4.2.d/tomcat
  ProxyRequests Off
  #ProxyPreserveHost On

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf.d/docsdev.mydomain.de.crt
  SSLCertificateKeyFile /etc/httpd/conf.d/docsdev.mydomain.de.key
  #ProxyPass /share ajp://127.0.0.1:8009/share
  #ProxyPassReverse /share ajp://127.0.0.1:8009/share
  #ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
  #ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
  ProxyPass / ajp://127.0.0.1:8009/
  ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>


- trying to login into share (with admin user) results in (catalina.out):

2013-02-26 12:50:05,267  INFO  [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin
2013-02-26 12:50:05,270  ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin


What am I doing wrong?  Please enlighten me!

Edit: Login to Alfresco Explorer UI works fine.

wurstgelee
Champ in-the-making
Update: Shouldn't this part of "share-security-config.xml" prevent the referer check for /share/dologin?

<!-- Certain Share POST requests does NOT require a token -->
         <rule>
            <request>
               <method>POST</method>
               <path>^/page/dologin.*|^\/page/site\/[^\/]+\/start-workflow|^\/page/start-workflow</path>
            </request>
            <action name="assertReferer">
               <param name="always">false</param>
            </action>
            <action name="assertOrigin">
               <param name="always">false</param>
            </action>
         </rule>


Additional question: How can I turn on CSRF debug logging?

wurstgelee
Champ in-the-making

wurstgelee
Champ in-the-making
Seems to be a problem with SSL & mod_proxy. If I use the config below (http instead of https), it works:


<VirtualHost 172.27.25.4:80>
Servername docsdev.mydomain.de
DocumentRoot /opt/alfresco-4.2.d/tomcat
  ProxyRequests Off
  ProxyPreserveHost On

ProxyPass / ajp://docsdev.mydomain.de:8009/
ProxyPassReverse / ajp://docsdev.mydomain.de:8009/


</VirtualHost>


So the SSLEngine is responsible?! I'm clueless...
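Added illustration, not part of the thread and not Alfresco's CSRFFilter source: a simplified same-origin referer assertion, fed with the Referer value from the log above, showing how the comparison fails when a TLS-terminating proxy leaves the backend believing it serves plain HTTP on a different scheme, host or port. The `backend_view` helper and the sample values are constructed for this example.

```python
from urllib.parse import urlparse

# Constructed sample: the Referer the browser sent through the HTTPS proxy,
# taken from the catalina.out line quoted in the thread.
REFERER = "https://docsdev.mydomain.de/share/page/"


def origin_of(url):
    """Return (scheme, host, port) of a URL, filling in the default port."""
    p = urlparse(url)
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme, p.hostname, port)


def assert_referer(request_url, referer):
    """Simplified model of a referer assertion (not Alfresco's code): the
    origin of the Referer must equal the origin the backend believes it is
    serving. A missing Referer is rejected, as a strict check would do."""
    if not referer:
        return False
    return origin_of(request_url) == origin_of(referer)


def backend_view(scheme, host, port, path):
    """URL a servlet container reconstructs for a request. Behind a proxy that
    terminates TLS and does not pass the original scheme/host through (e.g.
    ProxyPreserveHost off), this is what the container sees, regardless of
    the URL the browser actually used."""
    return f"{scheme}://{host}:{port}{path}"


def diagnose(request_url, referer):
    """Return a short reason string so the mismatch is visible in logs."""
    req, ref = origin_of(request_url), origin_of(referer)
    if req == ref:
        return "ok"
    fields = ("scheme", "host", "port")
    diffs = [f"{n}: request={a} referer={b}" for n, a, b in zip(fields, req, ref) if a != b]
    return "origin mismatch (" + "; ".join(diffs) + ")"
```

With HTTPS terminated at the proxy, the backend sees scheme http and port 80 (or 8009/8080), so the check fails even though the Referer is the site's own page; the same code passes once the container is told the real external scheme, host and port.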

wurstgelee
Champ in-the-making
Trying stuff:

Using mod_jk produces exactly the same error - at least with ssl.

wurstgelee
Champ in-the-making
Issue resolved, see JIRA link posted earlier.