0
露天分享v5.2.d(r134641-B15,Aikau 1.0.101.3,春衝浪 5.2.d,春天WebScripts 6.13,Freemarker的2.3.20-露天打補丁,犀牛1.7R4,露天打補丁,衣2.9.0-露天-20141223)
露天社區V5.2.0(r134428-B13)架構10005
我想使用工作流管理控制檯。控制檯可以通過鏈接:http://....:8080/alfresco/s/admin/admin-workflowconsole
我希望能夠看到所有的流程定義,刪除過程的定義等
例如:
show definitions all
undeploy definition ...
use definition ...
etc
訪問後控制檯我嘗試執行任何命令,但得到這個異常(從屏幕拷貝):
HTTP Status 500 - Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
type Exception report
message Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:845)
org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
如何配置工作流管理控制檯?
什麼,我試圖做的事:
至於寫Axel Faust,
的網絡客戶端的安全-config.xml中先後爲 CSRFPolicy段默認配置,並且可以通過重寫在露天/擴展路徑 網頁腳本 - 配置 - custom.xml文件。
因此,我創建的文件web-scripts-config-custom.xml,然後添加到它缺少規則,並把它放在路徑/opt/alfresco-community/tomcat/shared/classes/alfresco/extension下:
<alfrescoco-config>
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter>
<rule>
<request>
<method>GET</method>
<path>/service/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
</filter>
</config>
</alfresco-config>
它不工作...
我加滿配置:
<alfresco-config>
<!--
CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks
To disable the CSRF filter override the <filter> to not contain any values, for example:
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
@since 5.2
-->
<config evaluator="string-compare" condition="CSRFPolicy">
<!--
Force creation of a Session when the filter matches a path - this should only be used when you are
confident the filtered part of the web application is using an authentication mechanism that will avoid
protected pages being accessed until the user is authenticated. Otherwise this would be a route to
a Session fixation attack.
-->
<session>true</session>
<!--
Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
also making it possible to provide different values in different environments.
I.e. Different "Referer" & "Origin" properties for test & production etc.
Reference a property using "{propertyName}".
-->
<properties>
<!-- There is normally no need to override this property -->
<token>alf-csrftoken</token>
<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Referer header.
-->
<referer></referer>
<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Origin header.
-->
<origin></origin>
</properties>
<!--
Will be used and exposed to the client side code in Admin.CSRF
Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
to set the token in custom 3rd party code.
-->
<client>
<cookie>{token}</cookie>
<header>{token}</header>
<parameter>{token}</parameter>
</client>
<!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
<filter>
<!-- Refresh token on each new page visit -->
<rule>
<request>
<method>GET</method>
<path>/service/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/service/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!--
Verify multipart requests contain the token as a parameter
and also correct referer & origin header if available
-->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">multipart/.+</header>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="parameter">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!--
Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't
require a json request body otherwise would be successfully executed using i.e."text/plain".
-->
<rule>
<request>
<method>POST|PUT|DELETE</method>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="header">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
</filter>
</config>
</alfresco-config>
它不工作...
如上所述here,我加入到web.xml如下:
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/service/admin/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/s/admin/*</url-pattern>
</filter-mapping>
它不工作...
我試圖通過以下方法來禁用CSRF過濾:
<alfresco-config>
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
</alfresco-config>
它不工作...
如何配置工作流管理控制檯?
我將非常感激這些信息。謝謝大家。
請參閱該社區鏈接https://community.alfresco.com/thread/228162-hitting-csrf-when-trying-to-use-the-workflow -admin-console – vikash
非常感謝您的評論,Axel Faust已經在該帖子中指出。我已經閱讀過它,但我沒有在我的配置中找到文件「web-scripts-config-custom.xml」。相反,我使用了'web-client-security-config.xml'並在其中添加了缺少的規則。 –
我從'/ opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/classes/alfresco'中複製了這個文件,並將它(通過添加的規則)放到'/ opt/alfresco-community/tomcat/shared/classes/alfresco/extension',然後重新部署,但舊文件'web-client-security-config.xml'保留在'/ webapps /'中。然後,我將'web-client-security-config.xml'添加到'/ opt/alfresco-community/tomcat/shared/classes/alfresco /'中,但它沒有幫助。我應該使用什麼配置以及它放在哪裏?.. –