Help

CSRF Token

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
rekhaahir
Active Member
‎23 Oct 2019 1:23 PM

CSRF Token

hello,

 I get CSRF Token "Possible CSRF attack noted when comparing token in session and request parameter" Error  when Multipart/formdata is passed in parameter to send file .

0 Kudos
Reply
7 Replies
afaust
Master
‎23 Oct 2019 9:21 PM

Re: CSRF Token

Did you configure CSRF properly? Is the client you are using correctly setting the CSRF token in its POST requests?

Reply
rekhaahir
Active Member
‎24 Oct 2019 6:04 AM

Re: CSRF Token

yes

i had done  configuration on share side and also i tried to send token at the time of calling webscript.but after getting  token it gives same error. 

may be some configuration will be  missing so please guide me.

0 Kudos
Reply
abhinavmishra14
Advanced
‎28 Oct 2019 3:04 PM

Re: CSRF Token

What is the rquest format you are using, what is request URI and what all params you are sending. 

What is your current CSRF configuration is share-config-custom.xml file ? Can you also share the full log?

Please share all the details so we can look at it. 

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
Reply
rekhaahir
Active Member
‎5 Nov 2019 4:54 AM

Re: CSRF Token

 

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">

<!--
Force creation of a Session when the filter matches a path - this should only be used when you are
confident the filtered part of the web application is using an authentication mechanism that will avoid
protected pages being accessed until the user is authenticated. Otherwise this would be a route to
a Session fixation attack.
-->
<session>true</session>

<!--
Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
also making it possible to provide different values in different environments.
I.e. Different "Referer" & "Origin" properties for test & production etc.
Reference a property using "{propertyName}".
-->
<properties>

<!-- There is normally no need to override this property -->
<token>alf-csrftoken</token>

<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Referer header.
-->
<referer></referer>

<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Origin header.
-->
<origin></origin>
</properties>

<!--
Will be used and exposed to the client side code in Admin.CSRF
Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
to set the token in custom 3rd party code.
-->
<client>
<cookie>{token}</cookie>
<header>{token}</header>
<parameter>{token}</parameter>
</client>

<!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
<filter>

<!-- Refresh token on each new page visit -->
<rule>
<request>
<method>GET</method>
<path>/service/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/service/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>

<!--
Verify multipart requests contain the token as a parameter
and also correct referer & origin header if available
-->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">multipart/.+</header>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="parameter">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>

<!--
Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't
require a json request body otherwise would be successfully executed using i.e."text/plain".
-->
<!-- <rule>
<request>
<method>POST|PUT|DELETE</method>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="header">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule> -->
</filter>

</config>

 

 

this is my share config.after this code  every where in upload api csrf token is getting null.so i cant use inbuilt upload functionality and also get error in my  custom upload api too.

please guide me..

0 Kudos
Reply
rekhaahir
Active Member
‎5 Nov 2019 11:45 AM

Re: CSRF Token

function postForm(htmlBody,formTitle) {
var xmlhttp = new XMLHttpRequest(); // new HttpRequest instance
var allcookies = document.cookie;

// Get all the cookies pairs in an array
cookiearray = allcookies.split(';');

// Now take key value pair out of this array
value = cookiearray[2].split('=')[1];
alert( " and Value is : " + value);

// var url="share/proxy/alfresco/save-form/save-form?Alfresco-CSRFToken="+value;
xmlhttp.open("POST", 'share/proxy/alfresco/save-form/save-form?Alfresco-CSRFToken='+value);
xmlhttp.setRequestHeader("Content-Type", "application/json");
xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
xmlhttp.send(JSON.stringify({"htmlBody":htmlBody,"formTitle":formTitle}));
xmlhttp.onreadystatechange = function() {
if (xmlhttp.readyState>3 && xmlhttp.status==200) {
alert( xmlhttp.responseText.trim());
}
};
}

 

code for calling...

0 Kudos
Reply
abhinavmishra14
Advanced
‎6 Nov 2019 2:30 PM

Re: CSRF Token

Which version of alfresco you are using ? and can you point out the customizations you have done in the CSRF Token handling in your share-config-custom file for the URIs you are trying to pass?

~Abhinav
(ACSCE, AWS SAA, Azure Admin)
0 Kudos
Reply
abhinavmishra14
Advanced
‎6 Nov 2019 2:41 PM

Re: CSRF Token

Instead of using this type of code, use alfresco standard java script for calling any apis. you are using typical java script ajax which is why you may be getting csrf error. 

Use ajax something like this from your share side component:

 

var payload = {
	    		"htmlBody":htmlBody,
	    		"formTitle":formTitle
	    };

Alfresco.util.Ajax.request({
			url :Alfresco.constants.PROXY_URI + "save-form/save-form",
			requestContentType:Alfresco.util.Ajax.JSON,
			responseContentType: Alfresco.util.Ajax.JSON,
			dataObj:JSON.stringify(payload),
			method: Alfresco.util.Ajax.POST,
			successCallback : {
				fn : function (res) {
					Alfresco.util.PopupManager.displayMessage({
						text : "Processing the request"
					});
				},
				
				scope : this
			},
			failureCallback : {
				fn : function (res) {
					Alfresco.util.PopupManager.displayMessage({
						text : "Unable to process the request"
					});
			},
			scope : this
		}
	});
~Abhinav
(ACSCE, AWS SAA, Azure Admin)
0 Kudos
Reply
Alfresco Content Services Forum

Ask for and offer help to other Alfresco Content Services Users and members of the Alfresco team.

Related links:

We use cookies on this site to enhance your user experience

By using this site, you are agreeing to allow us to collect and use cookies as outlined in Alfresco’s Cookie Statement and Terms of Use (and you have a legitimate interest in Alfresco and our products, authorizing us to contact you in such methods).   If you are not ok with these terms, please do not use this website.