
Workflow admin console doesn't work: Possible CSRF attack noted

Question asked by Aleksey Bykov on Feb 16, 2017
Latest reply on Feb 20, 2017 by Aleksey Bykov

What I have:

 

Alfresco Share v5.2.d (r134641-b15, Aikau 1.0.101.3, 
Spring Surf 5.2.d, Spring WebScripts 6.13,
Freemarker 2.3.20-alfresco-patched, Rhino 1.7R4-alfresco-patched,
Yui 2.9.0-alfresco-20141223)

Alfresco Community v5.2.0 (r134428-b13) schema 10005

I want to use the workflow admin console. The console is available at this link:

 

http://....:8080/alfresco/s/admin/admin-workflowconsole

 

I'd like to be able to view all process definitions, delete the definition of the process, etc. For example:

 

show definitions all
undeploy definition ...
use definition ...

etc...

 

After accessing the console I try to execute any command, but get this exception (copied from the screen):

 

HTTP Status 500 - Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole

type Exception report

message Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
    org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:845)
    org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
    org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)

 

What I was trying to do:

 

I created the file web-scripts-config-custom.xml, then added the missing rule to it and placed it under the path /opt/alfresco-community/tomcat/shared/classes/alfresco/extension:

 

<alfresco-config>
    <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
        <filter>
            <!-- Generate a token on GET requests to /service/admin/ -->
            <rule>
                <request>
                    <method>GET</method>
                    <path>/service/admin/.*</path>
                </request>
                <action name="generateToken">
                    <param name="session">{token}</param>
                    <param name="cookie">{token}</param>
                </action>
            </rule>
            <!-- Same rule for the short /s/admin/ path -->
            <rule>
                <request>
                    <method>GET</method>
                    <path>/s/admin/.*</path>
                </request>
                <action name="generateToken">
                    <param name="session">{token}</param>
                    <param name="cookie">{token}</param>
                </action>
            </rule>
        </filter>
    </config>
</alfresco-config>

It doesn't work...

I added this rule to the full configuration, but it doesn't work...

 

I added to the web.xml the following:

 

<filter-mapping>
    <filter-name>CSRF Token Filter</filter-name>
    <url-pattern>/service/admin/*</url-pattern>
</filter-mapping>

<filter-mapping>
    <filter-name>CSRF Token Filter</filter-name>
    <url-pattern>/s/admin/*</url-pattern>
</filter-mapping>

 

 

It doesn't work...

 

I tried to disable the CSRF filter in the following way:

 

<alfresco-config>
    <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
        <filter/>
    </config>
</alfresco-config>

 

It doesn't work...

 

How do I configure the workflow admin console?

 

I would be very grateful for the information. Thanks to all.
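
Added example (not part of the original post and not Alfresco code): a Python pre-deployment check for a CSRFPolicy override file that reports XML that will not parse, lists each rule, and flags overrides that leave no token check in place. The helper name `audit_csrf_override` and the sample strings are constructed for illustration; only the element and attribute names come from the snippets above.

```python
import xml.etree.ElementTree as ET

def audit_csrf_override(xml_text):
    """Return a list of findings for a CSRFPolicy override file (hypothetical helper)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A misspelled or mismatched tag makes the whole file unparseable.
        return [f"malformed XML: {exc}"]
    findings = []
    if root.tag != "alfresco-config":
        findings.append(f"unexpected root element <{root.tag}>")
    policies = [c for c in root.iter("config") if c.get("condition") == "CSRFPolicy"]
    if not policies:
        findings.append("no CSRFPolicy config section")
    for cfg in policies:
        replace = cfg.get("replace") == "true"
        rules = cfg.findall("./filter/rule")
        actions = set()
        for rule in rules:
            method = rule.findtext("./request/method", "*").strip()
            path = rule.findtext("./request/path", "*").strip()
            names = [a.get("name", "?") for a in rule.findall("action")]
            actions.update(names)
            findings.append(f"rule: {method} {path} -> {','.join(names)}")
        if replace and not rules:
            findings.append("empty filter with replace=true: no CSRF rules remain")
        elif replace and actions == {"generateToken"}:
            findings.append("replace=true with only generateToken: no rule checks a token")
    return findings

# Constructed samples using the element names from the post.
TYPO_ROOT = """<alfrescoco-config>
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <filter/>
  </config>
</alfresco-config>"""
EMPTY_FILTER = TYPO_ROOT.replace("<alfrescoco-config>", "<alfresco-config>")
GENERATE_ONLY = EMPTY_FILTER.replace("<filter/>", """<filter><rule>
      <request><method>GET</method><path>/s/admin/.*</path></request>
      <action name="generateToken">
        <param name="session">{token}</param>
        <param name="cookie">{token}</param>
      </action>
    </rule></filter>""")

if __name__ == "__main__":
    for label, text in [("typo", TYPO_ROOT), ("empty", EMPTY_FILTER), ("generate", GENERATE_ONLY)]:
        print(label, audit_csrf_override(text))
```
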
