Cross Site Request Forgery (CSRF) Filter now in Alfresco Share


Beginning with the Alfresco 4.1.4 release, Alfresco has introduced a Cross Site Request Forgery (CSRF) Filter into Alfresco Share.  Although this feature is not described in the current set of online documentation pages (as of 4.1.5), a good overview is provided by Alfresco Engineering here:

A basic overview of CSRF can be found here on Wikipedia:

The Alfresco blog provides a great introduction to the new functionality, and it is worth reviewing if you are using a proxy server in front of Alfresco or have custom Share code.

The filter itself is defined in:

  • share-security-config.xml

As is typical with Alfresco Share configuration, this configuration can be overridden in “share-config-custom.xml” if needed. The filter can be removed completely if required, or additional rules can be added to allow additional exceptions.
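As an added example (not from the original post or from Alfresco's shipped files), here is the shape such an override in `share-config-custom.xml` can take. It assumes the `CSRFPolicy` config section and the `rule`/`request`/`action` schema used by `share-security-config.xml` in 4.1.x, that rules are matched in order with the first match winning, and that a rule without an `action` allows the request; the path `/proxy/alfresco/acme/upload` is a hypothetical custom webscript, and the override should be checked against the `share-security-config.xml` shipped with your version.

```xml
<!-- share-config-custom.xml (added example; assumes the CSRFPolicy schema of share-security-config.xml) -->
<alfresco-config>

   <!-- Option 1: remove the filter entirely (mentioned in the post, but this drops all CSRF
        protection for Share). replace="true" swaps out the shipped CSRFPolicy section,
        and an empty <filter/> leaves no rules at all. Shown commented out. -->
   <!--
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter/>
   </config>
   -->

   <!-- Option 2: keep the shipped rules and add one narrow exception.
        Because replace="true" replaces the whole section, every rule from
        share-security-config.xml must be copied into this block first; the exception is
        then placed BEFORE the final catch-all rule that calls assertToken, since the first
        matching rule decides the outcome. -->
   <config evaluator="string-compare" condition="CSRFPolicy" replace="true">
      <filter>

         <!-- ... rules copied verbatim from share-security-config.xml go here ... -->

         <!-- Exception for a hypothetical custom webscript (/proxy/alfresco/acme/upload) that a
              non-browser client posts to without a token. A rule with no <action> lets the
              request through. Keep the <path> pattern as narrow as possible: every request that
              matches here is exempt from the token check, so a broad regex such as
              /proxy/alfresco/.* would silently disable the protection for the whole API. -->
         <rule>
            <request>
               <method>POST</method>
               <path>/proxy/alfresco/acme/upload</path>
            </request>
         </rule>

         <!-- ... the shipped catch-all rule (assertReferer / assertOrigin / assertToken) follows ... -->

      </filter>
   </config>

</alfresco-config>
```

With the debug logging described further down enabled, each request logs which rule it matched, which is the quickest way to confirm that the exception catches only the intended path.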

Alfresco 4.1.5 provides bug fixes around some issues that were found in Alfresco 4.1.4 with the CSRF Filter and SSL. For example, if you are using Apache in front of Tomcat, and it is handling SSL, it is possible that some requests may get blocked in Alfresco 4.1.4.

When troubleshooting the CSRF filter, it is extremely useful to turn up logging on the filter itself.  The following line can be added to the “log4j.properties” file for Alfresco Share, and debug logging can be obtained for the filter:

  • log4j.logger.org.alfresco.web.site.servlet.CSRFFilter=debug

The Alfresco Engineering blog provides additional details about modifying the filter. However, turning on debug logging can provide a huge benefit, as you can see what the incoming request is, and what rule it is being validated against.
