Cross Site Request Forgery (CSRF) Filter now in Alfresco Share

Share This Post

Beginning with the Alfresco 4.1.4 release, Alfresco has introduced a Cross Site Request Forgery (CSRF) Filter into Alfresco Share.  Although this feature is not described in the current set of online documentation pages (as of 4.1.5), a good overview is provided by Alfresco Engineering here:

A basic overview of CSRF can be found here on Wikipedia:

The Alfresco blog provides a great introduction to the new functionality, and worth reviewing if you are using a proxy server in front of Alfresco or have custom Share code.

The filter itself is defined in:

  • share-security-config.xml

As is typical with Alfresco Share configuration, the configuration can be overridden in “share-config-custom.xml” if needed.  The filter can be completely removed if required, or additional rules can be added to allow for additional exceptions.

Alfresco 4.1.5 provides bug fixes around some issues that were found in Alfresco 4.1.4 with the CSRF Filter and SSL. For example, if you are using Apache in front of Tomcat, and it is handling SSL, it is possible that some requests may get blocked in Alfresco 4.1.4.

When troubleshooting the CSRF filter, it is extremely useful to turn up logging on the filter itself.  The following line can be added to the “” file for Alfresco Share, and debug logging can be obtained for the filter:


The Alfresco Engineering blog provides additional details about modifying the filter. However, turning on debug logging can provide a huge benefit, as you can see what the incoming request is, and what rule it is being validated against.

More To Explore

great software requirements word cloud

The Value of Documenting Great Requirements

Why Great Requirements Matter When properly captured, requirements are the ground-level representation of core business goals. Defining good requirements can lead to fantastic products and