Tuesday, 27 March 2018

CSRF Filter error on Share login with HTTPS/SSL

In Alfresco, a CSRF filter has been added to Share in order to prevent Cross-Site Request Forgery attacks. When you configure a web server in front of Share to serve virtual hosts over HTTPS, a CSRF error can occur, because the filter compares the browser's Referer and Origin headers against the URL that Share itself sees, which behind the proxy is the plain HTTP backend address. To run the CSRF Token Filter behind an Apache web server with mod_proxy and SSLEngine, you may need to set the expected Origin and Referer values in the CSRF Token Filter configuration. In this article I show two possible solutions.

Apache VirtualHost

<VirtualHost *:443>
       ServerName example.com
       ProxyPass / http://localhost:8080/
       ProxyPassReverse / http://localhost:8080/
       SSLEngine on
       SSLProtocol all
       SSLCertificateFile /SSL_PATH/mycert.crt
       SSLCertificateKeyFile /SSL_PATH/mycert.crt.key
       SSLCertificateChainFile /SSL_PATH/mycert.crt.intermediate
</VirtualHost>

Possible CSRF error when you log in to Share

INFO [site.servlet.CSRFFilter] [ajp-apr-8009-exec-4] Possible CSRF attack noted when asserting referer header 'https://example.com/share/page/'. Request: POST /share/page/dologin
ERROR [alfresco.web.site] [ajp-apr-8009-exec-4] javax.servlet.ServletException: Possible CSRF attack noted when asserting referer header 'https://example.com/share/page/'. Request: POST /share/page/dologin

SOLUTION

Set the Referer and Origin in the CSRF Token Filter
Edit the "CSRFPolicy" config in TOMCAT_HOME/shared/classes/alfresco/web-extension/share-config-custom.xml: uncomment the "CSRFPolicy" block and add the referer and origin properties. The referer value is a regular expression that must match the full Referer header; the origin value must match the Origin header, which carries no path.

<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
    <properties>
        <token>Alfresco-CSRFToken</token>
        <referer>https://example.com/.*</referer>
        <origin>https://example.com</origin>
    </properties>
</config>
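To make it clear why the default check fails behind the TLS-terminating proxy and why the configured patterns above fix it, here is a small model of the referer/origin assertion. This is an added example for this post, not Alfresco's CSRFFilter source: the request records are constructed from the log lines above, and the rules that a missing header passes and that the default expectation is derived from the backend URL Share sees are simplifying assumptions of the model.

```python
import re

# Constructed request as Share sees it behind Apache: the browser talked to
# https://example.com, mod_proxy forwarded it to http://localhost:8080, so the
# request's own scheme/host are the backend's while the headers are the browser's.
PROXIED_LOGIN = {
    "method": "POST", "uri": "/share/page/dologin",
    "scheme": "http", "host": "localhost:8080",
    "headers": {"Referer": "https://example.com/share/page/",
                "Origin": "https://example.com"},
}

# Constructed cross-site POST: same backend, headers naming an unrelated site.
FORGED_LOGIN = {
    "method": "POST", "uri": "/share/page/dologin",
    "scheme": "http", "host": "localhost:8080",
    "headers": {"Referer": "https://other-site.invalid/share/page/",
                "Origin": "https://other-site.invalid"},
}

# Constructed page view: a safe method that the filter does not assert on.
PAGE_VIEW = {
    "method": "GET", "uri": "/share/page/",
    "scheme": "http", "host": "localhost:8080",
    "headers": {"Referer": "https://example.com/share/page/"},
}

# No referer/origin configured (defaults) versus the share-config-custom.xml
# override from the post.
DEFAULT_POLICY = {"referer": None, "origin": None}
CUSTOM_POLICY = {"referer": r"https://example.com/.*",
                 "origin": r"https://example.com"}


def _request_base_url(request):
    """Assumption of this model: with nothing configured, the expected value is
    derived from the request as Share sees it, i.e. the proxy backend URL."""
    return f"{request['scheme']}://{request['host']}"


def assert_header(request, header, pattern, default_suffix):
    """Check one header. Present -> must fully match the configured regex (or
    the request-derived default); absent -> passes in this simplified model.
    Returns (ok, reason)."""
    value = request["headers"].get(header)
    if value is None:
        return True, f"no {header} header, nothing to assert"
    if pattern is None:
        expected = re.escape(_request_base_url(request)) + default_suffix
    else:
        expected = pattern
    if re.fullmatch(expected, value):
        return True, f"{header} '{value}' matches '{expected}'"
    return False, (f"Possible CSRF attack noted when asserting "
                   f"{header.lower()} header '{value}' (expected '{expected}')")


def csrf_filter(request, policy):
    """Run the referer assertion, then the origin assertion, on a
    state-changing request. Returns (allowed, reason)."""
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method, not asserted"
    checks = (("Referer", "referer", "/.*"), ("Origin", "origin", ""))
    for header, key, suffix in checks:
        ok, reason = assert_header(request, header, policy[key], suffix)
        if not ok:
            return False, reason
    return True, "referer and origin accepted"


if __name__ == "__main__":
    for label, req in (("proxied login", PROXIED_LOGIN),
                       ("forged login", FORGED_LOGIN),
                       ("page view", PAGE_VIEW)):
        for pname, policy in (("default", DEFAULT_POLICY),
                              ("custom", CUSTOM_POLICY)):
            allowed, why = csrf_filter(req, policy)
            print(f"{label:13} / {pname:7} policy -> "
                  f"{'allow' if allowed else 'BLOCK'}: {why}")
```

Running it shows the legitimate login being blocked under the default policy with the same "asserting referer header" message as the log above, and accepted under the custom policy, while the forged request stays blocked under both. One detail worth checking in your own pattern: the unescaped dot in `https://example.com/.*` matches any character, so `https://example\.com/.*` is the stricter form if you want the host matched literally.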
