cancel
Showing results for 
Search instead for 
Did you mean: 

Hitting CSRF when trying to use the workflow admin console

matteo_l_sc
Champ on-the-rise
Champ on-the-rise

Hi all,

I setup up Alfresco Community edition build 201701 (Platform 5.2.e, Share 5.2.d) on a Ubuntu 16.04 VM. I also have an Apache (2.4) proxy with the SSL and JK modules, configured according to the guide.

I can access the Workflow admin console (https://<my hostname>/alfresco/s/admin/admin-workflowconsole) but when I try to execute a command, i.e., show definitions all, I get the following in catalina.out

2017-02-10 17:48:16,270 INFO [webscripts.servlet.CSRFFilter] [ajp-apr-8009-exec-1] Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
Feb 10, 2017 5:48:16 PM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [apiServlet] in context with path [/alfresco] threw exception [Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole] with root cause
javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
at org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:845)
at org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:188)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
at org.apache.tomcat.util.net.AprEndpoint$SocketWithOptionsProcessor.run(AprEndpoint.java:2403)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)

I tried to look for that, but most of the results refer to a match on the header rather than the token and setting up / modifying filter rules in share-config-custom.xml didn't help. 

Does anyone have an advice?

Thanks in advance.

Matteo

1 ACCEPTED ANSWER

kevinr1
Star Contributor
Star Contributor

It appears some configuration is missing for the Community version of the repository admin console. See here for what to add:

[ALF-21809] The Community admin console isn't using the CSRF prevention token - Alfresco JIRA it will be resolved in next Nightly build, you can patch as per the suggested changes or disable the CSRF for now if preferred.

View answer in original post

10 REPLIES 10

jego
Star Contributor
Star Contributor

Matteo,

can you please check if the error message bumps up in the repository? If yes, this might be a bug introduced with the latest releases. 

Can somebody confirm that CSRF is now enabled on repository side, too? Maybe it was introduced with the new REST API...

cc:

thanks

Jens

matteo_l_sc
Champ on-the-rise
Champ on-the-rise

Hi Jens,

thanks for the answer. I'm quite a newbie with Alfresco. The error is

logged in /alfresco.log too. Is this what you

want to know?

The same error is given no matter which console I try to use (Model

Messages, Tenant, Workflow, Node Browser), while Alfresco share works

flawlessly.

As I mentioned, I'm running Ubuntu 16.04 LTS.

My /etc/hosts contains

127.0.0.1 localhost

127.0.1.1 alfresco alfresco.my.domain

I tried to replace 127.0.1.1 with the IP (it's a private, I'm in a LAN). No

success.

Currently the OS gets the IP from DHCP and there's no DNS record

associated. I added the mapping to the /etc/hosts of my machine.

Best,

Matteo

afaust
Legendary Innovator
Legendary Innovator

Since it sounds like you are using Alfresco behind a proxy you need to make the CSRF filter aware of that. Unfortunately that kind of documentation is hard to find... The following example reflects what I know needs to be adapted in that case (for CSRF only - proper proxy setup requires configuration for other aspects)

<config evaluator="string-compare" condition="CSRFPolicy">
    <properties>
        <!-- these can be regex expressions for matching valid referrers / origins if behind a proxy that does not rewrite referrer / origin before forwarding -->
        <referer>http://proxyHostName/.*</referer>
        <origin>http://proxyHostName/.*</origin>
    </properties>
</config>‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍

Hi Axel,

I think you're referring to this page. I noticed it last week, I tried to add a new rule to the filter, but it didn't work, so I didn't mention it in my original message. However, since you pointed it out, I went back and tried something more, unfortunately with no success:

  • in the folder <ALFRESCO INSTALLATION>/tomcat/webapps/share/WEB-INF/classes/alfresco I copied the CSRFPolicy section from share-security-config.xml into share-config-custom.xml and set replace="true"
  • according to this post the Alfresco-CSRFToken has no entries for the "referer" and the "origin", hence I set them to "https://my.domain/.*" and "https://my.domain", respectively
  • I also added a new rule for <method> POST and <path> /alfresco/s/admin/.*, using the same values as above for the referer and the origin
  • I found this request, very similar to my case. A link is suggested, but unfortunately it's broken
  • I modified the config of the Apache Proxy rewriting the X-Forwarded-For, X-Forwarded-by and Referer headers to "https://my.domain". Sorry, but I can't find the link to the page where I've read it anymore.

Are there any other suggestions?

Thanks,

Matteo