What I have:
Alfresco Share v5.2.d (r134641-b15, Aikau 1.0.101.3, Spring Surf 5.2.d, Spring WebScripts 6.13, Freemarker 2.3.20-alfresco-patched, Rhino 1.7R4-alfresco-patched, Yui 2.9.0-alfresco-20141223)
Alfresco Community v5.2.0 (r134428-b13) schema 10005
I want to use the workflow admin console. The console is available at this link: http://....:8080/alfresco/s/admin/admin-workflowconsole
I'd like to be able to view all process definitions, delete the definition of the process, etc.
For example:
show definitions all
undeploy definition ...
use definition ...
etc
After accessing the console I try to execute any command, but get this exception (copied from the screen):
HTTP Status 500 - Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
type Exception report
message Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
description The server encountered an internal error that prevented it from fulfilling this request.
exception
javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole
org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:845)
org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68)
How to configure workflow admin console?
What I was trying to do:
As written by Axel Faust,
The web-client-security-config.xml has a default configuration for the CSRFPolicy segment and can be overridden via the web-scripts-config-custom.xml file in the alfresco/extension path.
Thus, I created the file web-scripts-config-custom.xml, added the missing rules to it and placed it under the path /opt/alfresco-community/tomcat/shared/classes/alfresco/extension:
<alfresco-config>
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter>
<rule>
<request>
<method>GET</method>
<path>/service/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
</filter>
</config>
</alfresco-config>
It doesn't work...
I added full configuration:
<alfresco-config>
<!--
CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks
To disable the CSRF filter override the <filter> to not contain any values, for example:
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
#since 5.2
-->
<config evaluator="string-compare" condition="CSRFPolicy">
<!--
Force creation of a Session when the filter matches a path - this should only be used when you are
confident the filtered part of the web application is using an authentication mechanism that will avoid
protected pages being accessed until the user is authenticated. Otherwise this would be a route to
a Session fixation attack.
-->
<session>true</session>
<!--
Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
also making it possible to provide different values in different environments.
I.e. Different "Referer" & "Origin" properties for test & production etc.
Reference a property using "{propertyName}".
-->
<properties>
<!-- There is normally no need to override this property -->
<token>alf-csrftoken</token>
<!--
Override and set this property with a regexp if you have placed Alfresco behind a proxy that
does not rewrite the Referer header.
-->
<referer></referer>
<!--
Override and set this property with a regexp if you have placed Alfresco behind a proxy that
does not rewrite the Origin header.
-->
<origin></origin>
</properties>
<!--
Will be used and exposed to the client side code in Admin.CSRF
Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
to set the token in custom 3rd party code.
-->
<client>
<cookie>{token}</cookie>
<header>{token}</header>
<parameter>{token}</parameter>
</client>
<!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
<filter>
<!-- Refresh token on each new page visit -->
<rule>
<request>
<method>GET</method>
<path>/service/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/service/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<rule>
<request>
<method>GET</method>
<path>/s/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!--
Verify multipart requests contain the token as a parameter
and also correct referer & origin header if available
-->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">multipart/.+</header>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="parameter">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!--
Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
if available. We "catch" all content types rather than just "application/json.*", since a webscript that doesn't
require a json request body could otherwise be executed successfully using e.g. "text/plain".
-->
<rule>
<request>
<method>POST|PUT|DELETE</method>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="header">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
</filter>
</config>
</alfresco-config>
It doesn't work...
As described here, I added to the web.xml the following:
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/service/admin/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/s/admin/*</url-pattern>
</filter-mapping>
It doesn't work...
I tried to disable CSRF filter by the following way:
<alfresco-config>
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
</alfresco-config>
It doesn't work...
How to configure workflow admin console?
Finally, I found my mistake!
Instead of web-scripts-config-custom.xml I had created web-script-config-custom.xml. I missed the letter 's'.
Now everything is OK.
Thank you very much, Axel Faust!
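Added example, not part of the thread above and not Alfresco's or Spring Surf's code: a small model of how the CSRFPolicy rules in the posted config are evaluated. It parses a cut-down copy of that config (the Community /s/admin/ rules only), applies the first matching rule to a request, and walks through the workflow console flow: the GET of the console page runs generateToken, and the form POST then passes only when it carries the session token in the alf-csrftoken header (or as a parameter for multipart posts). The Request shape, the token format, the constructed requests and the same-origin fallback used when the referer/origin properties are empty are assumptions made here; the real filter's semantics are simplified.

```python
# Added example, not Alfresco's or Spring Surf's code: a model of the CSRFPolicy rule engine,
# driven by a cut-down copy of the config above (constructed here: Community /s/admin/ rules
# only). The Request shape, the token format and the same-origin fallback used when
# <referer>/<origin> are empty are assumptions; the real filter's semantics are simplified.
import hmac
import re
import secrets
import xml.etree.ElementTree as ET

CSRF_POLICY_XML = """<config evaluator="string-compare" condition="CSRFPolicy">
  <properties><token>alf-csrftoken</token><referer></referer><origin></origin></properties>
  <filter>
    <rule><request><method>GET</method><path>/s/admin/.*</path></request>
      <action name="generateToken"><param name="session">{token}</param><param name="cookie">{token}</param></action>
    </rule>
    <rule><request><method>POST</method><header name="Content-Type">multipart/.+</header></request>
      <action name="assertToken"><param name="session">{token}</param><param name="parameter">{token}</param></action>
      <action name="assertOrigin"><param name="origin">{origin}</param></action>
    </rule>
    <rule><request><method>POST|PUT|DELETE</method></request>
      <action name="assertToken"><param name="session">{token}</param><param name="header">{token}</param></action>
      <action name="assertReferer"><param name="referer">{referer}</param></action>
      <action name="assertOrigin"><param name="origin">{origin}</param></action>
    </rule>
  </filter>
</config>"""

class CSRFViolation(Exception):
    """Stands in for the javax.servlet.ServletException shown in the question."""

class Request:
    def __init__(self, method, path, headers=None, params=None, origin="http://localhost:8080"):
        self.method, self.path, self.origin = method, path, origin
        self.headers, self.params = headers or {}, params or {}

def load_policy(xml_text):
    """Parse <properties> and the <filter> rules; {prop} references in params are expanded."""
    root = ET.fromstring(xml_text)
    props = {p.tag: (p.text or "") for p in root.find("properties")}
    rules = []
    for rule in root.find("filter").findall("rule"):
        req = rule.find("request")
        match = (req.findtext("method"), req.findtext("path"),
                 {h.get("name"): h.text for h in req.findall("header")})
        actions = [(a.get("name"), {p.get("name"): (p.text or "").format_map(props) for p in a.findall("param")})
                   for a in rule.findall("action")]
        rules.append((match, actions))
    return rules

def matches(match, req):
    """A rule matches when its method, path and header patterns all fully match the request."""
    method, path, headers = match
    if (method and not re.fullmatch(method, req.method)) or (path and not re.fullmatch(path, req.path)):
        return False
    return all(re.fullmatch(pat, req.headers.get(name, "")) for name, pat in headers.items())

def apply_filter(rules, req, session):
    """Run the first matching rule's actions; CSRFViolation is the HTTP 500 from the question."""
    cookies = {}
    for match, actions in rules:
        if not matches(match, req):
            continue
        for name, p in actions:
            if name == "generateToken":
                session[p["session"]] = cookies[p["cookie"]] = secrets.token_urlsafe(24)
            elif name == "assertToken":
                where = "header" if "header" in p else "parameter"
                got = (req.headers if where == "header" else req.params).get(p[where], "")
                want = session.get(p["session"], "")
                if not want or not hmac.compare_digest(got, want):
                    raise CSRFViolation("Possible CSRF attack noted when comparing token in "
                                        f"session and request {where}. Request: {req.method} {req.path}")
            else:  # assertReferer / assertOrigin: only enforced when the header is present
                hdr = "Referer" if name == "assertReferer" else "Origin"
                value, allowed = req.headers.get(hdr), p.get("referer") or p.get("origin")
                ok = value is None or bool(re.fullmatch(allowed, value) if allowed else value.startswith(req.origin))
                if not ok:
                    raise CSRFViolation(f"{hdr} {value!r} rejected for {req.method} {req.path}")
        break  # first matching rule wins; the remaining rules are ignored
    return cookies

def workflow_console_flow(policy_xml=CSRF_POLICY_XML):
    """Loading the console page seeds the token; the form POST passes only when it carries it."""
    rules, session = load_policy(policy_xml), {}
    token = apply_filter(rules, Request("GET", "/s/admin/admin-workflowconsole"), session)["alf-csrftoken"]

    def post(headers=None, params=None):  # True when the filter lets the command through
        req = Request("POST", "/s/admin/admin-workflowconsole", headers, {"cmd": "show definitions all", **(params or {})})
        try:
            apply_filter(rules, req, session)
            return True
        except CSRFViolation:
            return False
    return {
        "no_token": post(),
        "header_token": post({"alf-csrftoken": token, "Origin": "http://localhost:8080"}),
        "multipart_param": post({"Content-Type": "multipart/form-data; boundary=x"}, {"alf-csrftoken": token}),
        "cross_site_origin": post({"alf-csrftoken": token, "Origin": "http://evil.example"}),
    }
```

Running `workflow_console_flow()` reproduces the behaviour in the thread: without a generateToken rule for the console's GET there is nothing in the session to compare against, so every subsequent POST fails the assertToken action; once the page load seeds the token, a POST that echoes it in the header or multipart parameter passes, and a POST from a foreign Origin is still refused by assertOrigin even with a valid token.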
Related
How to access IIS-configured response headers from a Web API 2 service?
In my IIS configuration there is a pre-configured response header Environment=DEV, which I need to check to figure out which environment settings to use.
When I check headers in my current response via HttpContext.Current.Response.Headers, I'm only seeing Server, and nothing else.
I don't think you should depend on response headers, as they are added to the response by IIS at a very late stage in the pipeline, when control is already out of Web API.
If you have to do this you can go with URL Rewrite + Server Variables. Install URL Rewrite and add a rule in your web.config under system.webServer as below:
<rewrite>
<rules>
<rule name="GetEnvironmentInfo">
<match url=".*" />
<serverVariables>
<set name="Environment" value="Dev" />
</serverVariables>
<action type="Rewrite" url="{R:0}" />
</rule>
</rules>
</rewrite>
You can also add this rule from the IIS UI. Now, depending on the Web API configuration, you can fetch server variables using the code below:
string output = string.Empty;
if (Request.Properties.ContainsKey("MS_HttpContext"))
{
output = ((System.Web.HttpContextWrapper)Request.Properties["MS_HttpContext"]).Request.ServerVariables["Environment"];
}
else if (Request.Properties.ContainsKey("MS_OwinContext"))
{
var httpContextWrapper = ((OwinContext)Request.Properties["MS_OwinContext"]).Environment["System.Web.HttpContextBase"] as HttpContextWrapper;
output = httpContextWrapper.Request.ServerVariables["Environment"];
}
The above XML can be generated from the IIS GUI at server level:
1. Install URL Rewrite.
2. Open IIS Manager (Windows Run -> inetmgr)
3. Select the server in the left menu
4. In the central pane double-click URL Rewrite. In the Actions pane on the right-hand side click Add Rule
5. Set values as below
and then save.
This will add the same XML, but now at the server level, i.e. in the C:\Windows\System32\inetsrv\Config\applicationHost.config file:
<globalRules>
<rule name="GetEnInfo">
<match url=".*" />
<action type="Rewrite" url="{R:0}" />
<serverVariables>
<set name="Environment" value="dev" />
</serverVariables>
</rule>
</globalRules>
Regarding fetching response headers from IIS, there could be a way, but I wouldn't recommend it for the reason mentioned at the beginning of the answer.
Hope this helps.
My application can have the URLs below:
/siteadmin/homepage/
/siteusers/customer/createCustomer
Below is my spring-security.xml:
<beans:beans>
<http auto-config="true">
<intercept-url pattern="/siteusers***" access="isAuthenticated()" />
<!-- <intercept-url pattern="siteusers/home/*" access="hasRole('USER') OR hasRole('ADMIN')" /> -->
<intercept-url pattern="/siteadmin***" access="hasRole('ROLE_ADMIN')" />
<form-login login-page="/siteusers/loginprocess/login" default-target-url="/siteusers/home/homepage"
login-processing-url="/siteusers/loginprocess/login"
authentication-failure-url="/siteusers/loginprocess/login?error" username-parameter="username"
password-parameter="password" />
<logout logout-success-url="/siteusers/loginprocess/login?logout" logout-url="/siteusers/loginprocess/logout" />
<!-- enable csrf protection -->
<csrf />
</http>
<authentication-manager>
<authentication-provider>
<user-service>
<user name="b" password="123456" authorities="ROLE_ADMIN" />
<user name="a" password="a" authorities="ROLE_USER" /><!-- This user can not access /admin url -->
</user-service>
</authentication-provider>
</authentication-manager>
</beans:beans>
If I log in with user 'a' and hit the URL http://localhost:8080/siteadmin/homepage/ it allows user 'a' to view the page although his role is not admin. But when I hit http://localhost:8080/siteadmin Spring Security works fine, i.e. it shows the access denied page.
I want to restrict /admin/* URLs for users who don't have the Admin role.
See AntPathMatcher:
The mapping matches URLs using the following rules:
? matches one character
* matches zero or more characters
** matches zero or more directories in a path
Some examples:
com/t?st.jsp - matches com/test.jsp but also com/tast.jsp or com/txst.jsp
com/*.jsp - matches all .jsp files in the com directory
com/**/test.jsp - matches all test.jsp files underneath the com path
org/springframework/**/*.jsp - matches all .jsp files underneath the org/springframework path
org/**/servlet/bla.jsp - matches org/springframework/servlet/bla.jsp but also org/springframework/testing/servlet/bla.jsp and org/servlet/bla.jsp
Your pattern /siteadmin*** is missing a slash. Use /siteadmin/**.
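Added example, not part of the answer above and not Spring's code: a small implementation of the AntPathMatcher rules the answer quotes, enough to show why `/siteadmin***` matches `/siteadmin` but not `/siteadmin/homepage/`, while `/siteadmin/**` matches both. The `*` wildcard never crosses a `/`, so `/siteadmin***` is a single-segment pattern; a request that matches no `<intercept-url>` at all is let through, which is what the question observed. The intercept-url evaluation, the user/role data and the sample paths are constructed from the question; the matcher drops empty path segments and simplifies Spring's trailing-slash handling, as noted in the code.

```python
# Added example, not Spring's code: a subset of the AntPathMatcher rules quoted in the answer,
# used to show why "/siteadmin***" leaves /siteadmin/homepage/ unprotected while "/siteadmin/**"
# does not. The intercept-url evaluation (first matching pattern decides; no match means no
# restriction, as the question observed) and the user/role data are constructed from the question.
import re


def _segment_regex(segment):
    """'?' matches one character, '*' zero or more; neither crosses a '/' boundary."""
    return "".join("[^/]" if c == "?" else "[^/]*" if c == "*" else re.escape(c) for c in segment)


def _match_segments(pattern_segs, path_segs):
    if not pattern_segs:
        return not path_segs
    if pattern_segs[0] == "**":  # zero or more directories: try every split point
        return any(_match_segments(pattern_segs[1:], path_segs[i:]) for i in range(len(path_segs) + 1))
    return bool(path_segs and re.fullmatch(_segment_regex(pattern_segs[0]), path_segs[0])
                and _match_segments(pattern_segs[1:], path_segs[1:]))


def ant_match(pattern, path):
    """Ant-style match of a whole path. Simplification: empty segments are dropped and a trailing
    '/' only has to agree between pattern and path when the pattern does not end in '**'."""
    if pattern.startswith("/") != path.startswith("/"):
        return False
    pattern_segs = [s for s in pattern.split("/") if s]
    path_segs = [s for s in path.split("/") if s]
    if not _match_segments(pattern_segs, path_segs):
        return False
    return pattern.endswith("**") or pattern.endswith("/") == path.endswith("/")


# The two <intercept-url> lists: the question's patterns and the answer's fix.
# None stands for isAuthenticated(); a set means one of those roles is required.
BROKEN_RULES = [("/siteusers***", None), ("/siteadmin***", {"ROLE_ADMIN"})]
FIXED_RULES = [("/siteusers/**", None), ("/siteadmin/**", {"ROLE_ADMIN"})]
USERS = {"a": {"ROLE_USER"}, "b": {"ROLE_ADMIN"}}  # from the <user-service> in the question


def decide(rules, path, roles):
    """The first <intercept-url> whose pattern matches decides access."""
    for pattern, required in rules:
        if ant_match(pattern, path):
            if required is None:
                return "allow" if roles else "deny"
            return "allow" if roles & required else "deny"
    return "allow (no rule matched)"


def access_matrix(rules, paths=("/siteadmin", "/siteadmin/homepage/", "/siteusers/customer/createCustomer")):
    """Decision per (user, path); the user '' stands for an anonymous request with no roles."""
    principals = {**USERS, "": set()}
    return {(user, path): decide(rules, path, roles) for user, roles in principals.items() for path in paths}
```

Comparing `access_matrix(BROKEN_RULES)` with `access_matrix(FIXED_RULES)` also shows a second consequence of the missing slash that the question does not mention: with `/siteusers***`, `/siteusers/customer/createCustomer` matches no rule either, so even an anonymous request is let through, whereas `/siteusers/**` denies it.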
I have an MVC project that I deploy on Azure Web Apps. I'm trying to remove the excessive header information. The reason I'm trying to remove this information is that it's a standard security practice. (Reference)
I'm trying to remove the below information from response headers:
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-POWERED-BY: PHP/5.4.38
X-POWERED-BY: ASP.NET
I have the following code in my Global.asax.cs file:
protected void Application_PreSendRequestHeaders()
{
Response.Headers.Remove("Server");
Response.Headers.Remove("X-AspNet-Version");
Response.Headers.Remove("X-AspNetMvc-Version");
}
But it's not affecting the result.
Try this instead:
protected void Application_PreSendRequestHeaders(object sender, EventArgs e)
{
HttpContext.Current.Response.Headers.Remove("Server");
HttpContext.Current.Response.Headers.Remove("X-AspNet-Version");
HttpContext.Current.Response.Headers.Remove("X-AspNetMvc-Version");
}
Additionally, in Application_Start, register it with the following instruction:
PreSendRequestHeaders += Application_PreSendRequestHeaders;
To remove X-AspNet-Version, in the web.config find/create and add:
<system.web>
<httpRuntime enableVersionHeader="false" />
...
</system.web>
To remove X-AspNetMvc-Version, go to Global.asax, find/create the Application_Start event and add a line as follows:
protected void Application_Start() {
MvcHandler.DisableMvcResponseHeader = true;
}
To remove X-Powered-By, in the web.config find/create and add:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
</customHeaders>
</httpProtocol>
...
</system.webServer>
You should be able to force all requests to go through your managed code by adding this to your web.config:
<modules runAllManagedModulesForAllRequests="true">
Even static files and not-found resources should then obey your header rules.
References:
http://www.troyhunt.com/2012/02/shhh-dont-let-your-response-headers.html
http://consultingblogs.emc.com/howardvanrooijen/archive/2009/08/25/cloaking-your-asp-net-mvc-web-application-on-iis-7.aspx
Don't use code to remove response headers. It is unstable according to Microsoft.
Use the Web.config customHeaders section instead, as defined here:
<system.webServer>
<httpProtocol>
<!-- Security Hardening of HTTP response headers -->
<customHeaders>
<!--Sending the new X-Content-Type-Options response header with the value 'nosniff' will prevent
Internet Explorer from MIME-sniffing a response away from the declared content-type. -->
<add name="X-Content-Type-Options" value="nosniff" />
<!-- X-Frame-Options tells the browser whether you want to allow your site to be framed or not.
By preventing a browser from framing your site you can defend against attacks like clickjacking.
Recommended value "x-frame-options: SAMEORIGIN" -->
<add name="X-Frame-Options" value="SAMEORIGIN" />
<!-- Setting X-Permitted-Cross-Domain-Policies header to "master-only" will instruct Flash and PDF files that
they should only read the master crossdomain.xml file from the root of the website.
https://www.adobe.com/devnet/articles/crossdomain_policy_file_spec.html -->
<add name="X-Permitted-Cross-Domain-Policies" value="master-only" />
<!-- X-XSS-Protection sets the configuration for the cross-site scripting filter built into most browsers.
Recommended value "X-XSS-Protection: 1; mode=block". -->
<add name="X-Xss-Protection" value="1; mode=block" />
<!-- Referrer-Policy allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
If you have sensitive information in your URLs, you don't want to forward to other domains
https://scotthelme.co.uk/a-new-security-header-referrer-policy/ -->
<add name="Referrer-Policy" value="no-referrer-when-downgrade" />
<!-- Remove x-powered-by in the response header, required by OWASP A5:2017 - Do not disclose web server configuration -->
<remove name="X-Powered-By" />
<!-- Set the cache-control per your Security settings (will affect performance) -->
<add name="Cache-Control" value="No-cache" />
</customHeaders>
</httpProtocol>
<!-- Prerequisite for the <rewrite> section
Install the URL Rewrite Module on the Web Server https://www.iis.net/downloads/microsoft/url-rewrite -->
<rewrite>
<!-- Remove Server response headers (OWASP Security Measure) -->
<outboundRules rewriteBeforeCache="true">
<rule name="Remove Server header">
<match serverVariable="RESPONSE_Server" pattern=".+" />
<!-- Use custom value for the Server info -->
<action type="Rewrite" value="Your Custom Value Here." />
</rule>
</outboundRules>
</rewrite>
</system.webServer>
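Added example, not part of either answer above: an offline check that verifies what those answers set out to achieve, i.e. that the stack-disclosing headers from the question are gone and the hardening headers from the customHeaders section are present with the expected values. The two raw responses are constructed here (the X-AspNetMvc-Version value and the body are invented), and the policy table mirrors the web.config above rather than any official baseline; point the same function at a real `HTTP/1.1` response head captured with curl or Fiddler to audit a deployed site.

```python
# Added example, not from the answers above: an offline audit of the headers this thread wants
# removed and the hardening headers the web.config adds. Both raw responses are constructed here
# (the X-AspNetMvc-Version value and the body are invented), and the policy table encodes what
# the customHeaders/outboundRules sections above set, not an official baseline.
import re

# Headers that reveal the stack; Server is only a finding when it names a product or version.
DISCLOSURE_HEADERS = ("X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
SERVER_PRODUCT = re.compile(r"(?i)microsoft-iis|asp\.net|php/|nginx|apache")

# Header -> accepted values (None: any explicit value is fine), mirroring the web.config above.
HARDENING_HEADERS = {
    "X-Content-Type-Options": ("nosniff",),
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Permitted-Cross-Domain-Policies": ("master-only", "none"),
    "X-Xss-Protection": ("1; mode=block",),
    "Referrer-Policy": None,
    "Cache-Control": None,
}

# Constructed responses: what the question shows, and what the web.config in the answer produces.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "Server: Microsoft-IIS/8.0\r\n"
          "X-AspNet-Version: 4.0.30319\r\n"
          "X-AspNetMvc-Version: 5.2\r\n"
          "X-Powered-By: PHP/5.4.38\r\n"
          "X-Powered-By: ASP.NET\r\n"
          "Content-Type: text/html; charset=utf-8\r\n"
          "\r\n<html></html>")
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Server: Your Custom Value Here.\r\n"
         "X-Content-Type-Options: nosniff\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n"
         "X-Permitted-Cross-Domain-Policies: master-only\r\n"
         "X-Xss-Protection: 1; mode=block\r\n"
         "Referrer-Policy: no-referrer-when-downgrade\r\n"
         "Cache-Control: No-cache\r\n"
         "Content-Type: text/html; charset=utf-8\r\n"
         "\r\n<html></html>")


def parse_head(raw):
    """Split a raw HTTP response into (status line, {lower-cased name: [values]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # repeated headers (X-Powered-By appears twice in the question) are all kept
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def audit(raw):
    """Return findings: disclosed stack details and missing or weak hardening headers."""
    _, headers = parse_head(raw)
    findings = []
    for value in headers.get("server", []):
        if SERVER_PRODUCT.search(value):
            findings.append(f"discloses Server: {value}")
    for name in DISCLOSURE_HEADERS:
        findings += [f"discloses {name}: {v}" for v in headers.get(name.lower(), [])]
    for name, accepted in HARDENING_HEADERS.items():
        values = headers.get(name.lower())
        if not values:
            findings.append(f"missing {name}")
        elif accepted and not any(v.lower() in (a.lower() for a in accepted) for v in values):
            findings.append(f"weak {name}: {values[0]}")
    return findings
```

`audit(BEFORE)` lists the five disclosure headers from the question plus the six missing hardening headers; `audit(AFTER)` is empty. The check compares header values case-insensitively because directive names such as `no-cache` are case-insensitive, and it keeps every occurrence of a repeated header so that removing only one of the two X-Powered-By values is still reported.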
In our system (a closed system: a Java web application in Tomcat 6 as the server, Java fat clients) our clients occasionally show "400 - Bad Request" responses. I would like to debug this on the server side, but since the requests seem to be invalid, I don't see them anywhere. I configured the AccessLogValve for the complete Tomcat host, but the requests don't appear there. I don't even see anything in catalina.out.
I would love to get these requests logged, and even better would be to dump requests based on certain criteria.
Any ideas?
My server.xml looks like this:
<Server port="8005" shutdown="SHUTDOWN">
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
<Listener className="org.apache.catalina.core.JasperListener" />
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
rmiServerPortPlatform="9098"
rmiRegistryPortPlatform="9099"
useLocalPorts="true" />
<Service name="Catalina">
<Connector port="8020" protocol="HTTP/1.1" redirectPort="8010" connectionTimeout="20000" />
<Engine name="Catalina" defaultHost="localhost" jvmRoute="cc1">
<Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false"
deployOnStartup="true" xmlValidation="false" xmlNamespaceAware="false">
<Valve className="org.apache.catalina.valves.AccessLogValve"
directory="logs" prefix="access_log."
suffix=".txt" pattern="combined" resolveHosts="false" />
</Host>
</Engine>
</Service>
</Server>
Long time ago, but anyway: Tomcat has different Valves that may help to achieve that: http://tomcat.apache.org/tomcat-6.0-doc/config/valve.html#Request_Dumper_Valve
Another option would be tcpdump: since it is HTTP and a response code, it seems possible to filter the raw requests that cause this.
I have a very simple outbound UrlRewriter rule that rewrites URLs it finds in the body of the HTTP response stream:
<rewrite>
<outboundRules>
<rule name="Scripted"
preCondition="IsHtml"
patternSyntax="ECMAScript"
stopProcessing="false">
<match filterByTags="None" pattern="http://someurl.com" />
<action type="Rewrite" value="http://anotherurl.com" />
</rule>
<preConditions>
<preCondition name="IsHtml" patternSyntax="Wildcard">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
</rewrite>
The problem is that as soon as I turn on the preCondition no rewriting takes place.
I need to be able to use a pre-condition because the page is an ASP.NET page and uses ASP.NET script resources e.g. <script src="ScriptResource.axd?d=...." type="text/javascript" />.
By default script resources are gzip compressed and I want to keep them that way. Without the content type precondition the URL rewriter RewriteModule throws a 500.52 error - "Outbound rewrite rules cannot be applied when the content of the HTTP response is encoded ("gzip")."
Using Fiddler I can see that Content-Type: text/html; charset=utf-8 is being sent in the response header, but UrlRewriter seems unable to match this.
Why is this happening?
This is because the server variable HTTP_ACCEPT_ENCODING is not added to the allowed server variables list. Add it there (you can google how to do this in IIS).