Hello,
I get the CSRF token error "Possible CSRF attack noted when comparing token in session and request parameter" when multipart/form-data is passed in a parameter to send a file.
Did you configure CSRF properly? Is the client you are using correctly setting the CSRF token in its POST requests?
Yes.
I had done the configuration on the Share side, and I also tried to send the token at the time of calling the webscript, but after getting the token it gives the same error.
Maybe some configuration is missing, so please guide me.
What is the request format you are using, what is the request URI, and what are all the params you are sending?
What is your current CSRF configuration in the share-config-custom.xml file? Can you also share the full log?
Please share all the details so we can look at it.
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
  <!--
    Force creation of a Session when the filter matches a path - this should only be used when you are
    confident the filtered part of the web application is using an authentication mechanism that will avoid
    protected pages being accessed until the user is authenticated. Otherwise this would be a route to
    a Session fixation attack.
  -->
  <session>true</session>
  <!--
    Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
    also making it possible to provide different values in different environments.
    I.e. Different "Referer" & "Origin" properties for test & production etc.
    Reference a property using "{propertyName}".
  -->
  <properties>
    <!-- There is normally no need to override this property -->
    <token>alf-csrftoken</token>
    <!--
      Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
      does not rewrite the Referer header.
    -->
    <referer></referer>
    <!--
      Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
      does not rewrite the Origin header.
    -->
    <origin></origin>
  </properties>
  <!--
    Will be used and exposed to the client side code in Admin.CSRF
    Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
    to set the token in custom 3rd party code.
  -->
  <client>
    <cookie>{token}</cookie>
    <header>{token}</header>
    <parameter>{token}</parameter>
  </client>
  <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
  <filter>
    <!-- Refresh token on each new page visit -->
    <rule>
      <request>
        <method>GET</method>
        <path>/service/enterprise/admin/.*</path>
      </request>
      <action name="generateToken">
        <param name="session">{token}</param>
        <param name="cookie">{token}</param>
      </action>
    </rule>
    <rule>
      <request>
        <method>GET</method>
        <path>/s/enterprise/admin/.*</path>
      </request>
      <action name="generateToken">
        <param name="session">{token}</param>
        <param name="cookie">{token}</param>
      </action>
    </rule>
    <rule>
      <request>
        <method>GET</method>
        <path>/service/admin/.*</path>
      </request>
      <action name="generateToken">
        <param name="session">{token}</param>
        <param name="cookie">{token}</param>
      </action>
    </rule>
    <rule>
      <request>
        <method>GET</method>
        <path>/s/admin/.*</path>
      </request>
      <action name="generateToken">
        <param name="session">{token}</param>
        <param name="cookie">{token}</param>
      </action>
    </rule>
    <!--
      Verify multipart requests contain the token as a parameter
      and also correct referer & origin header if available
    -->
    <rule>
      <request>
        <method>POST</method>
        <header name="Content-Type">multipart/.+</header>
      </request>
      <action name="assertToken">
        <param name="session">{token}</param>
        <param name="parameter">{token}</param>
      </action>
      <action name="assertReferer">
        <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
        <param name="origin">{origin}</param>
      </action>
    </rule>
    <!--
      Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
      if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't
      require a json request body otherwise would be successfully executed using i.e."text/plain".
    -->
    <!-- <rule>
      <request>
        <method>POST|PUT|DELETE</method>
      </request>
      <action name="assertToken">
        <param name="session">{token}</param>
        <param name="header">{token}</param>
      </action>
      <action name="assertReferer">
        <param name="referer">{referer}</param>
      </action>
      <action name="assertOrigin">
        <param name="origin">{origin}</param>
      </action>
    </rule> -->
  </filter>
</config>
This is my Share config. After this code, everywhere in the upload API the CSRF token is getting null, so I can't use the built-in upload functionality, and I also get the error in my custom upload API too.
Please guide me.
function postForm(htmlBody, formTitle) {
    var xmlhttp = new XMLHttpRequest(); // new HttpRequest instance
    // Name of the CSRF token cookie and request parameter. It must match the
    // <token> property of the CSRFPolicy config (the posted config uses "alf-csrftoken").
    var tokenName = 'Alfresco-CSRFToken';
    var value = null;
    // Get all the cookie pairs in an array
    var cookiearray = document.cookie.split(';');
    // Look the token cookie up by name rather than by a fixed index,
    // since the order of cookies is not guaranteed
    for (var i = 0; i < cookiearray.length; i++) {
        var pair = cookiearray[i].trim().split('=');
        if (pair[0] === tokenName) {
            // the cookie value is URL-encoded
            value = decodeURIComponent(pair.slice(1).join('='));
            break;
        }
    }
    alert(" and Value is : " + value);
    // Register the handler before the request is sent
    xmlhttp.onreadystatechange = function () {
        if (xmlhttp.readyState > 3 && xmlhttp.status == 200) {
            alert(xmlhttp.responseText.trim());
        }
    };
    xmlhttp.open("POST", 'share/proxy/alfresco/save-form/save-form?' + tokenName + '=' + encodeURIComponent(value));
    xmlhttp.setRequestHeader("Content-Type", "application/json");
    xmlhttp.setRequestHeader('X-Requested-With', 'XMLHttpRequest');
    xmlhttp.send(JSON.stringify({ "htmlBody": htmlBody, "formTitle": formTitle }));
}
Code for calling:
Which version of Alfresco are you using? And can you point out the customizations you have done in the CSRF token handling in your share-config-custom file for the URIs you are trying to pass?
Instead of using this type of code, use the Alfresco standard JavaScript for calling any APIs. You are using typical JavaScript Ajax, which is why you may be getting the CSRF error.
Use Ajax something like this from your Share-side component:
var payload = { "htmlBody": htmlBody, "formTitle": formTitle };
// Alfresco.util.Ajax adds the CSRF token header for you and serializes
// dataObj to JSON itself when requestContentType is JSON
Alfresco.util.Ajax.request({
    url: Alfresco.constants.PROXY_URI + "save-form/save-form",
    requestContentType: Alfresco.util.Ajax.JSON,
    responseContentType: Alfresco.util.Ajax.JSON,
    dataObj: payload,
    method: Alfresco.util.Ajax.POST,
    successCallback: {
        fn: function (res) {
            Alfresco.util.PopupManager.displayMessage({ text: "Processing the request" });
        },
        scope: this
    },
    failureCallback: {
        fn: function (res) {
            Alfresco.util.PopupManager.displayMessage({ text: "Unable to process the request" });
        },
        scope: this
    }
});
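Added example, not code from this thread or from Alfresco: a small JavaScript model of how the posted CSRFPolicy <filter> treats a request, to show why a multipart POST is rejected with the error quoted above. The rules mirror the posted config (Referer/Origin assertions are left out); `getCookie`, `evaluate` and the sample requests are assumptions constructed for the example.

```javascript
// Model of the posted CSRFPolicy <filter>: first matching rule wins; a multipart
// POST must carry the session token as a request parameter named by <token>.
// Referer/Origin assertions are omitted; sample requests below are constructed.
const TOKEN = 'alf-csrftoken'; // the <token> property of the posted config

// Read one cookie by name from a document.cookie-style string
// (the token cookie value is URL-encoded, so decode it).
function getCookie(cookieString, name) {
  const pairs = cookieString.split(';');
  for (let i = 0; i < pairs.length; i++) {
    const parts = pairs[i].trim().split('=');
    if (parts[0] === name) return decodeURIComponent(parts.slice(1).join('='));
  }
  return null;
}

// Rules in the order of the posted <filter>. The POST|PUT|DELETE header rule is
// commented out in the posted config, so a JSON POST matches nothing.
const RULES = [
  { method: /^GET$/, path: /^\/(service|s)\/(enterprise\/)?admin\/.*/, action: 'generateToken' },
  { method: /^POST$/, contentType: /^multipart\/.+/, action: 'assertToken', source: 'parameter' }
];

// req = { method, path, headers, session, parameter, header } (plain objects)
function evaluate(req) {
  for (const rule of RULES) {
    if (!rule.method.test(req.method)) continue;
    if (rule.path && !rule.path.test(req.path)) continue;
    if (rule.contentType && !rule.contentType.test(req.headers['Content-Type'] || '')) continue;
    if (rule.action === 'generateToken') {
      return { ok: true, action: 'generateToken' }; // issues a fresh session/cookie token
    }
    // assertToken: the value sent in the named source must equal the session token
    const expected = req.session[TOKEN];
    const sent = req[rule.source][TOKEN];
    if (!expected || sent !== expected) {
      return { ok: false, error: 'Possible CSRF attack noted when comparing token in session and request ' + rule.source };
    }
    return { ok: true, action: 'assertToken' };
  }
  return { ok: true, action: 'none' }; // no rule matched: the request is not token-checked
}

// Constructed sample: a multipart upload whose token is sent under a parameter name
// that differs from <token>, which is exactly what the rule does not accept.
const session = { [TOKEN]: 'abc123' };
const upload = { method: 'POST', path: '/service/api/upload',
                 headers: { 'Content-Type': 'multipart/form-data; boundary=x' },
                 session, parameter: { 'Alfresco-CSRFToken': 'abc123' }, header: {} };
console.log(evaluate(upload).error);
```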