Multi-tenancy with https

cancel
Showing results for 
Search instead for 
Did you mean: 
jbrasil
Active Member II

Multi-tenancy with https

Hi,
The tenant, does not want to work with https.
Have you seen the error below?

HTTP Status 500 - Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

type Exception report

message Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)
org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)
org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50

With best regards,
José Roberto.

4 Replies
afaust
Master

Re: Multi-tenancy with https

You have not correctly configured the CSRF filter parameters in alfresco-global.properties. It looks though since you have already modified the csrf.filter.referer and csrf.filter.origin values to use your domain name, but you have not accounted for the http vs https difference on your reverse proxy. Since those two properties technically hold regular expressions, you should be able to work with the following values

csrf.filter.referer=^https?://app\.processoverde\.com\.br(?:$|/.+$)
csrf.filter.origin=^https?://app\.processoverde\.com\.br(?:$|/.+$)
jbrasil
Active Member II

Re: Multi-tenancy with https

Hi afaust Master,
I added the parameters in the global properties.

The same error occurred:

HTTP Status 500 - Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

type Exception report

message Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)

description The server encountered an internal error that prevented it from fulfilling this request.

exception

javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)
org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)
org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)

note The full stack trace of the root cause is available in the Apache Tomcat/8.0.50 logs.
Apache Tomcat/8.0.50


See the catalina.out log

2020-07-09 17:17:15,429 INFO [webscripts.servlet.CSRFFilter] [http-nio-8080-exec-34] Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole
jul 09, 2020 5:17:15 PM org.apache.catalina.core.StandardWrapperValve invoke
GRAVE: Servlet.service() for servlet [apiServlet] in context with path [/alfresco] threw exception [Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)] with root cause
javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole'. Request: POST /alfresco/s/admin/admin-tenantconsole, FAILED TEST: Assert referer POST /alfresco/s/admin/admin-tenantconsole :: referer: 'https://app.processoverde.com.br/alfresco/s/admin/admin-tenantconsole' vs server & context: http://app.processoverde.com.br/ (string) or (regexp)
at org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertRefererAction.run(CSRFFilter.java:1017)
at org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:240)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:207)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:212)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:94)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:141)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:502)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1132)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:684)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1539)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1495)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

Anything else that can be done?
Thanks a lot!
José Roberto

 

 

afaust
Master

Re: Multi-tenancy with https

It does not look like your configuration took effect - at least the error messages do not show that the configuration values I provided are being used.

jbrasil
Active Member II

Re: Multi-tenancy with https

Hi afaust,
I left the alfresco service.
Anything else that needs to be done?

Thanks a lot!
José Roberto.