
Authentication woes on share REST API

Question asked by jocylincouch on Sep 22, 2014
Latest reply on Oct 21, 2014 by jocylincouch
I'm trying to ultimately get a CSRF token to post to create-site. I start with the share login to get the JSESSIONID.

On executing the below, I have the following:

curl --junk-session-cookies -L -H "Content-Type: application/x-www-form-urlencoded" --cookie-jar cookies.txt --cookie cookies.txt -H "Origin: http://localhost:8080" -D headers.txt -e "http://localhost:8080/;auto" -X POST -d "username=username&password=password" http://localhost:8080/share/page/dologin

(u/n and p/w disguised for obvious reasons)

This gives an error:

javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard

Now I've been informed this is natural, and the JSESSIONID is usable.


I then do (to get a CSRF token) a get to create-site:

curl --cookie cookies.txt --cookie-jar cookies.txt -H "Origin: http://localhost:8080" -D headers.txt -e "http://localhost:8080/;auto" "http://localhost:8080/share/service/modules/create-site?htmlid=alfresco-createSite-instance"

yields:

Alfresco.util.addMessages({"error.loggedOut": "Your user session has timed out, please login and try again", "label.type": "Type", "title.collaborationSite": "Collaboration Site", "label.isPrivate": "Private", "message.creating": "Site is being created…", "label.moderatedHelp": "Site managers can control who joins the site", "error.noPermissions": "Could not create site. You do not have permissions to perform this operation.", "error.duplicateShortName": "Could not create site since the URL is already used", "label.isPublic": "Public", "label.shortNameHelp": "This is used to access the site URL in your browser<br\/>and also when accessing the site through other protocols<br\/>such as WebDav.<br>Do not use spaces or special characters.", "header.createSite": "Create Site", "error.create": "Could not create the site at this time. Please try again later.", "label.isModerated": "Moderated site membership", "message.failure": "Could not create site", "label.access": "Visibility", "label.shortName": "URL Name"}, "Alfresco.module.CreateSite")

I get the same result with a correct or incorrect password at the initial step.

Then finally I get negative results posting to create-site:
curl --cookie cookies.txt -X POST --data @site.json -H "Content-Type:application/json;charset=UTF-8" -H "Origin: http://localhost:8080" -H 'Alfresco-CSRFToken: zL91jbFfxMNVIL8+svbXPx4a3vakN4pQ6VMIEU0Djzo=' -D headers.txt -e "http://localhost:8080/;auto" http://localhost:8080/share/service/modules/create-site
{
    "status" :
  {
    "code" : 400,
    "name" : "Bad Request",
    "description" : "Request sent by the client was syntactically incorrect."
  },

  "message" : "error.duplicateShortName",
  "exception" : "",

  "callstack" :
  [
         
  ],

  "server" : "Spring WebScripts - v1.2.0 (Release 1549) schema 1,000",
  "time" : "18-Sep-2014 16:11:59"
}

Now, the very first time I did this, it worked and a site was created. Note the obvious – the shortname does not exist; I have checked and confirmed this against existing repo sites and generated new random shortnames, and I still get the same results. Note these results are the same whether I use a correct or incorrect password at step 1.

My initial indication is that there is a cookie lying around somewhere that Alfresco is looking at which I need to unset (although unlikely as I'm junking the session cookies (see curl command)), or I need to unset some state within Alfresco that it's holding on to.
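As an added example (not from the original question and not Alfresco's own code), a Python stand-in for the cookie-jar part of the curl flow above: it parses the cookies.txt that --cookie-jar writes after the dologin step, pulls the per-session Alfresco-CSRFToken cookie out of it, and builds the headers for the create-site POST, so that the token in the header is the one issued alongside the JSESSIONID in the jar. It assumes the stock Share CSRF policy (token cookie and request header both named Alfresco-CSRFToken, cookie value URL-encoded); the jar contents are constructed.

```python
from urllib.parse import unquote

# Cookie and header name of Share's CSRF token under the stock CSRF policy
# (assumption: share-security-config.xml has not been customised).
CSRF_TOKEN_NAME = "Alfresco-CSRFToken"

# Constructed stand-in for the cookies.txt curl writes after dologin; the
# token is the value from the question, stored as the cookie carries it.
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_localhost\tFALSE\t/share\tFALSE\t0\tJSESSIONID\tCONSTRUCTED-SESSION-ID\n"
    "localhost\tFALSE\t/share\tFALSE\t0\t" + CSRF_TOKEN_NAME
    + "\tzL91jbFfxMNVIL8%2BsvbXPx4a3vakN4pQ6VMIEU0Djzo%3D\n"
)


def parse_cookie_jar(text):
    """Parse Netscape cookie-jar text (curl's format) into {name: value}.
    curl marks HttpOnly cookies such as Tomcat's JSESSIONID with a
    '#HttpOnly_' prefix; treating every '#' line as a comment would
    silently drop the session cookie, so the prefix is stripped here."""
    cookies = {}
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]
        elif not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) == 7:  # domain, flag, path, secure, expires, name, value
            cookies[fields[5]] = fields[6]
    return cookies


def csrf_token_from_jar(cookies):
    """Token for the CSRF header: the cookie value, URL-decoded ('+' and '='
    of the base64 token are stored as %2B and %3D in the cookie)."""
    raw = cookies.get(CSRF_TOKEN_NAME)
    if raw is None:
        raise KeyError("no %s cookie in jar: log in first" % CSRF_TOKEN_NAME)
    return unquote(raw)


def create_site_headers(cookies, origin="http://localhost:8080"):
    """Headers for POST /share/service/modules/create-site with this session."""
    return {
        "Content-Type": "application/json;charset=UTF-8",
        "Origin": origin,
        "Referer": origin + "/share/",
        CSRF_TOKEN_NAME: csrf_token_from_jar(cookies),
        "Cookie": "; ".join("%s=%s" % item for item in cookies.items()),
    }
```

To use it against a real jar, read cookies.txt into a string and pass it to parse_cookie_jar; the returned headers go on the create-site POST in place of the hand-copied Alfresco-CSRFToken header.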
