Solved: Possible CSRF attack noted when asserting referer ...

ppg · ‎19 Oct 2016

Hello everyone,

I have a problem after put my alfresco behind apache httpd:

ProxyPass /share http://127.0.0.1:8081/share

ProxyPassReverse /share http://127.0.0.1:8081/share

Order allow,deny

Allow from All

</Location>

Getting error...

Oct 19, 2016 12:35:42 PM org.apache.catalina.core.ApplicationContext log

INFO: No Spring WebApplicationInitializer types detected on classpath

Oct 19, 2016 12:36:41 PM org.apache.catalina.core.StandardWrapperValve invoke

SEVERE: Servlet.service() for servlet [Spring Surf Dispatcher Servlet] in context with path [/share] threw exception [Possible CSRF attack noted when asserting referer header 'http://127.0.0.1/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'http://127.0.0.1/share/page' vs server & context: http://127.0.0.1:8081/ (string) or (regexp)] with root cause

javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'http://127.0.0.1/share/page'. Request: POST /share/page/dologin, FAILED TEST: Assert referer POST /share/page/dologin :: referer: 'http://127.0.0.1/share/page' vs server & context: http://127.0.0.1:8081/ (string) or (regexp)

at org.alfresco.web.site.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)

at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

at org.alfresco.web.site.servlet.SSOAuthenticationFilter.doFilter(SSOAuthenticationFilter.java:450)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

at org.alfresco.web.site.servlet.MTAuthenticationFilter.doFilter(MTAuthenticationFilter.java:74)

at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)

at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)

at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)

at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)

at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)

at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)

at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)

at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)

at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)

at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)

at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)

at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)

at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)

at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)

at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)

at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)

at java.lang.Thread.run(Unknown Source)

cesarista · ‎19 Oct 2016

Buenas:

Simplemente esta cantando una policy de seguridad que tiene Alfresco Share (CSRF - Cross-site request forgery).

Estas policies se configuran en el archivo $ALF_HOME/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Si quieres deshabilitar las policies de CSRF puedes hacerlo descomentando esta sección en el archivo:

Aunque lo más adecuado es decirle a Alfresco qué hosts pueden hacerle peticiones de proxy.

Puedes leer más sobre CSRF en el whitepaper de toni.delafuente _ "Alfresco Security White Paper":

My talk about “Alfresco Security Best Practices” at the Alfresco Summit 2014 – : : blyx.com : : Blog...

Saludos.

--C.

View solution in original post

cesarista · ‎19 Oct 2016

Buenas:

Simplemente esta cantando una policy de seguridad que tiene Alfresco Share (CSRF - Cross-site request forgery).

Estas policies se configuran en el archivo $ALF_HOME/tomcat/shared/classes/alfresco/web-extension/share-config-custom.xml

Si quieres deshabilitar las policies de CSRF puedes hacerlo descomentando esta sección en el archivo:

Aunque lo más adecuado es decirle a Alfresco qué hosts pueden hacerle peticiones de proxy.

Puedes leer más sobre CSRF en el whitepaper de toni.delafuente _ "Alfresco Security White Paper":

My talk about “Alfresco Security Best Practices” at the Alfresco Summit 2014 – : : blyx.com : : Blog...

Saludos.

--C.

Possible CSRF attack noted when asserting referer header

Possible CSRF attack noted when asserting referer header

Re: Possible CSRF attack noted when asserting referer header

Re: Possible CSRF attack noted when asserting referer header

Possible CSRF attack noted when asserting referer header

Possible CSRF attack noted when asserting referer header

Re: Possible CSRF attack noted when asserting referer header

Re: Possible CSRF attack noted when asserting referer header

We use cookies on this site to enhance your user experience