Cannot configure CSRF origin server for Admin console post requests

Question asked by kevinoudot on Mar 19, 2019
Latest reply on Apr 9, 2019 by afaust

Hello,

I have difficulties setting the CSRF policy to work with the admin console (for example, the workflow console when typing "help"). I first encountered this problem with Share and found out in the documentation that I had to modify the share-config-custom.xml file. I did the change and it's working perfectly.
But now, when I try to use any of the "admin consoles" (/alfresco/s/admin/admin-workflowconsole), I get the same issue. I looked in the forum and found this topic, "Workflow admin console doesn't work: Possible CSRF attack noted", which seems too old to be relevant as things should have been patched since. I'm using Alfresco free Community Edition 6.6.

 Possible CSRF attack noted when asserting referer header 'https://XXXX/alfresco/s/admin/admin-workflowconsole'. Request: POST /alfresco/s/admin/admin-workflowconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-workflowconsole :: referer: 'https://XXXX/alfresco/s/admin/admin-workflowconsole' vs server & context: http://YYYY:8080/ (string) or (regexp)

The "YYYY" server & context is certainly based on the "hostname" value on CentOS, which I cannot change, but I'm using an Apache in front of the Tomcat to manage the requests and redirect from a specific DNS name "XXXX".

I tried to add some filters in the XML, such as:

<rule>
    <request>
        <method>POST</method>
        <path>/alfresco/s/admin/(\?.+)?</path>
    </request>
    <action name="assertReferer">
        <param name="referer">{referer}</param>
        <param name="referer">https://XXXX/.*</param>
    </action>
    <action name="assertOrigin">
        <param name="origin">{origin}</param>
        <param name="origin">https://XXXX</param>
    </action>
</rule>

But I don't think I got how it works... 

Could you give me some hints, please?
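The failing check in the log line above, modelled as an added Python example (this is not Alfresco's own code, and the repository-tier CSRF filter it imitates is configured separately from the Share rules in share-config-custom.xml): the referer test accepts either the "server & context" string the container computes from its own hostname and port, or an operator-configured regexp, so behind a reverse proxy the public name has to be allowlisted explicitly. The host names XXXX/YYYY are the post's placeholders, and treating a missing Origin header as a skipped check is an assumption of this model.

```python
import re
from urllib.parse import urlsplit

def server_context(scheme, host, port, context_path=""):
    """The 'server & context' string a servlet container builds from what it
    sees locally; behind a proxy that is the internal name, not the public one."""
    default_port = (scheme, port) in (("http", 80), ("https", 443))
    authority = host if default_port else f"{host}:{port}"
    return f"{scheme}://{authority}{context_path}/"

def assert_referer(referer, server_ctx, referer_regex=None):
    """Pass if the Referer starts with the server & context string or fully
    matches the operator-configured regexp; otherwise fail as in the log line."""
    if not referer:
        return False, "no Referer header"
    if referer.startswith(server_ctx):
        return True, "referer matches server & context (string)"
    if referer_regex and re.fullmatch(referer_regex, referer):
        return True, "referer matches configured regexp"
    return False, (f"FAILED TEST: referer: '{referer}' vs server & context: "
                   f"{server_ctx} (string) or {referer_regex or ''} (regexp)")

def assert_origin(origin, server_ctx, origin_regex=None):
    """Origin carries only scheme://host[:port]; compare it with the server's
    own origin or the configured regexp. A missing Origin header is treated as
    a skipped check here (modelling assumption; the Referer test still runs)."""
    if origin is None:
        return True, "no Origin header, check skipped"
    s = urlsplit(server_ctx)
    server_origin = f"{s.scheme}://{s.netloc}"
    if origin == server_origin or (origin_regex and re.fullmatch(origin_regex, origin)):
        return True, "origin matches server or configured regexp"
    return False, f"FAILED TEST: origin: '{origin}' vs {server_origin} or {origin_regex or ''}"

def check_post(headers, server_ctx, referer_regex=None, origin_regex=None):
    """Run both assertions for a state-changing request; returns (ok, messages)."""
    results = [assert_referer(headers.get("Referer"), server_ctx, referer_regex),
               assert_origin(headers.get("Origin"), server_ctx, origin_regex)]
    return all(ok for ok, _ in results), [msg for _, msg in results]

if __name__ == "__main__":
    # Constructed request: the browser talks to the public name XXXX over HTTPS,
    # while Tomcat only knows itself as YYYY:8080 (the post's placeholders).
    ctx = server_context("http", "YYYY", 8080)
    hdrs = {"Referer": "https://XXXX/alfresco/s/admin/admin-workflowconsole",
            "Origin": "https://XXXX"}
    print(check_post(hdrs, ctx))                                        # fails
    print(check_post(hdrs, ctx, r"https://XXXX/.*", r"https://XXXX"))  # passes
```

Without the regexp the request fails exactly as in the log, because the proxied public scheme and host never match what Tomcat sees locally; with an anchored allowlist for the public name it passes, while a referer from any other host is still rejected.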
