Beginning with the Alfresco 4.1.4 release, Alfresco introduced a Cross-Site Request Forgery (CSRF) filter into Alfresco Share. Although this feature is not described in the current set of online documentation pages (as of 4.1.5), a good overview is provided by Alfresco Engineering here:
A basic overview of CSRF can be found here on Wikipedia:
The Alfresco blog provides a great introduction to the new functionality, and it is worth reviewing if you are using a proxy server in front of Alfresco or have custom Share code.
The filter itself is defined in:
- share-security-config.xml
As is typical for Alfresco Share, this configuration can be overridden in “share-config-custom.xml” if needed. The filter can be removed completely if required, or additional rules can be added to allow for additional exceptions.
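Two shapes the override in share-config-custom.xml can take, as an added example rather than configuration from the original post: the first removes the filter entirely (the weakest option), the second keeps the shipped policy and skips the token check for one extra path only. Assumed: the CSRFPolicy condition, the replace="true" merge behaviour and the rule/request/action element names follow the shipped share-security-config.xml, and the /proxy/alfresco/api/example-integration/.* path is a constructed placeholder; pick one of the two blocks, not both.

```xml
<alfresco-config>

  <!-- Option A: disable the CSRF filter completely. replace="true" discards the
       shipped policy and an empty <filter/> leaves no rules to enforce, so every
       POST/PUT/DELETE to Share is accepted without a token. Avoid in production. -->
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <filter/>
  </config>

  <!-- Option B: keep protection and add one narrow exception. Because
       replace="true" replaces the whole policy, copy every rule from the shipped
       share-security-config.xml into this block and then insert the exception.
       Rules are evaluated in order, so the exception must appear before the
       catch-all rule that asserts the token on modifying requests. -->
  <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <filter>

      <!-- Constructed placeholder path. A rule that matches but carries no
           <action> element lets the request through without a token check,
           so keep the regex as narrow as the integration allows. -->
      <rule>
        <request>
          <method>POST</method>
          <path>/proxy/alfresco/api/example-integration/.*</path>
        </request>
      </rule>

      <!-- The shipped rules from share-security-config.xml go here, unchanged:
           the rule that generates the session/cookie token on login and the
           rules that assert the token (and referer/origin) on POST/PUT/DELETE. -->

    </filter>
  </config>

</alfresco-config>
```

With debug logging on the filter enabled, a request that hits the placeholder rule is logged against that rule rather than the token-asserting one, which is the quickest way to confirm the exception is ordered correctly.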
Alfresco 4.1.5 fixes some issues found in Alfresco 4.1.4 with the CSRF filter and SSL. For example, if you are using Apache in front of Tomcat and it is terminating SSL, some requests may be blocked in Alfresco 4.1.4.
When troubleshooting the CSRF filter, it is extremely useful to turn up logging on the filter itself. Adding the following line to the “log4j.properties” file for Alfresco Share enables debug logging for the filter:
- log4j.logger.org.alfresco.web.site.servlet.CSRFFilter=debug
The Alfresco Engineering blog provides additional details about modifying the filter. Even so, turning on debug logging is a huge help, as you can see what the incoming request is and which rule it is being validated against.