
CSRFFilter error: mod_proxy and alfresco 4.2.d: login to share fails (solved)

Question asked by wurstgelee on Feb 26, 2013
Latest reply on Feb 28, 2013 by wurstgelee
Hi everyone!

I've been digging around this for several hours now and I'm not sure whether this is a general problem or a problem of my mod_proxy configuration:

Steps to reproduce:

- install alfresco community 4.2.d (on centos x64) with default options, only using mysql instead of postgresql (latest nightly build)
- configure apache httpd as reverse proxy, relevant config:


<VirtualHost *:80>
Servername docsdev.mydomain.de
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule ^/(.*) https://%{SERVER_NAME}%{REQUEST_URI} [R]
</VirtualHost>


<VirtualHost 172.27.25.4:443>
  ServerName docsdev.mydomain.de
  DocumentRoot /opt/alfresco-4.2.d/tomcat
                                                       
  ProxyRequests Off
  #ProxyPreserveHost On

  SSLEngine on
  SSLCertificateFile /etc/httpd/conf.d/docsdev.mydomain.de.crt
  SSLCertificateKeyFile /etc/httpd/conf.d/docsdev.mydomain.de.key
   
  #ProxyPass /share ajp://127.0.0.1:8009/share
  #ProxyPassReverse /share ajp://127.0.0.1:8009/share
  #ProxyPass /alfresco ajp://127.0.0.1:8009/alfresco
  #ProxyPassReverse /alfresco ajp://127.0.0.1:8009/alfresco
  ProxyPass / ajp://127.0.0.1:8009/
  ProxyPassReverse / ajp://127.0.0.1:8009/
</VirtualHost>


- trying to log in to Share (with admin user) results in (catalina.out):

2013-02-26 12:50:05,267  INFO  [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin
2013-02-26 12:50:05,270  ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin


What am I doing wrong?  Please enlighten me!

Edit: Login to Alfresco Explorer UI works fine.
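
A triage helper for the CSRFFilter log lines quoted in the question, as an added example that is not part of the original post or Alfresco's own code: it parses that line format and labels each rejected request by whether its Referer points at the site's own public origin. The public URL passed to `triage`, the function names and the third sample line are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Line format taken from the catalina.out excerpt in the post above.
CSRF_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+INFO\s+"
    r"\[site\.servlet\.CSRFFilter\]\s+\[[^\]]+\]\s+"
    r"Possible CSRF attack noted when asserting referer header "
    r"'(?P<referer>[^']*)'\. Request: (?P<method>[A-Z]+) (?P<path>\S+)"
)
DEFAULT_PORTS = {"http": 80, "https": 443}

# The first two lines are from the post; the third is constructed for contrast.
SAMPLE_LOG = [
    "2013-02-26 12:50:05,267  INFO  [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin",
    "2013-02-26 12:50:05,270  ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://docsdev.mydomain.de/share/page/'. Request: POST /share/page/dologin",
    "2013-02-26 13:02:41,118  INFO  [site.servlet.CSRFFilter] [ajp-apr-8009-exec-7] Possible CSRF attack noted when asserting referer header 'http://other.example/form.html'. Request: POST /share/page/dologin",
]

def origin(url):
    """Return (scheme, host, port) with the default port filled in, or None."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:  # malformed port or bracketed host
        return None
    if parts.scheme not in DEFAULT_PORTS or not host:
        return None
    return (parts.scheme, host.lower(), port or DEFAULT_PORTS[parts.scheme])

def triage(lines, public_url):
    """Label each CSRFFilter rejection by where its Referer header points."""
    expected = origin(public_url)  # assumption: the URL users type in the browser
    results = []
    for line in lines:
        m = CSRF_LINE.match(line)
        if not m:
            continue  # e.g. the ERROR line that repeats the same event
        seen = origin(m["referer"])
        if seen is None:
            verdict = "no-usable-referer"
        elif seen == expected:
            verdict = "same-origin-referer"
        else:
            verdict = "foreign-referer"
        results.append((m["ts"], m["method"], m["path"], verdict))
    return results

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, "https://docsdev.mydomain.de"):
        print(*row)
```

A `same-origin-referer` verdict means the POST was submitted from the site's own page, so the rejection is better investigated as a mismatch between the filter and the proxied front end than as a cross-site request.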
