2017-02-16 65 views
0

What I have: Workflow management console not working: Possible CSRF attack noted

Alfresco Share v5.2.d (r134641-b15, Aikau 1.0.101.3, Spring Surf 5.2.d, Spring WebScripts 6.13, Freemarker 2.3.20-alfresco-patched, Rhino 1.7R4-alfresco-patched, Yui 2.9.0-alfresco-20141223)

Alfresco Community v5.2.0 (r134428-b13) schema 10005

I want to use the workflow management console. The console is reachable via the link: http://....:8080/alfresco/s/admin/admin-workflowconsole

I would like to be able to see all process definitions, delete process definitions, etc.

For example:

show definitions all 
undeploy definition ... 
use definition ... 

etc 

After opening the console I tried to execute any command, but got this exception (copied from the screen):

HTTP Status 500 - Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole 

type Exception report 

message Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole 

description The server encountered an internal error that prevented it from fulfilling this request. 

exception 

javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request parameter. Request: POST /alfresco/s/admin/admin-workflowconsole 
    org.springframework.extensions.webscripts.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:845) 
    org.springframework.extensions.webscripts.servlet.CSRFFilter.doFilter(CSRFFilter.java:312) 
    org.alfresco.web.app.servlet.GlobalLocalizationFilter.doFilter(GlobalLocalizationFilter.java:68) 

How do I configure the workflow management console?

What I tried to do:

As written by Axel Faust:

The web-client-security-config.xml contains the default configuration for the CSRFPolicy section, and it can be overridden via a web-scripts-config-custom.xml file in the alfresco/extension path.

So I created the file web-scripts-config-custom.xml, added the missing rules to it, and put it under the path /opt/alfresco-community/tomcat/shared/classes/alfresco/extension:

<alfresco-config> 
    <config evaluator="string-compare" condition="CSRFPolicy" replace="true"> 
     <filter> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/service/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/s/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 
     </filter> 
    </config> 
</alfresco-config> 

It doesn't work...

I added the full configuration:

<alfresco-config> 

    <!-- 
     CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks 

     To disable the CSRF filter override the <filter> to not contain any values, for example: 
     <config evaluator="string-compare" condition="CSRFPolicy" replace="true"> 
      <filter/> 
     </config> 

     @since 5.2 
    --> 
    <config evaluator="string-compare" condition="CSRFPolicy"> 

     <!-- 
     Force creation of a Session when the filter matches a path - this should only be used when you are 
     confident the filtered part of the web application is using an authentication mechanism that will avoid 
     protected pages being accessed until the user is authenticated. Otherwise this would be a route to 
     a Session fixation attack. 
     --> 
     <session>true</session> 

     <!-- 
     Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but 
     also making it possible to provide different values in different environments. 
     I.e. Different "Referer" & "Origin" properties for test & production etc. 
     Reference a property using "{propertyName}". 
     --> 
     <properties> 

     <!-- There is normally no need to override this property --> 
     <token>alf-csrftoken</token> 

     <!-- 
      Override and set this property with a regexp that if you have placed Alfresco behind a proxy that 
      does not rewrite the Referer header. 
     --> 
     <referer></referer> 

     <!-- 
      Override and set this property with a regexp that if you have placed Alfresco behind a proxy that 
      does not rewrite the Origin header. 
     --> 
     <origin></origin> 
     </properties> 

     <!-- 
     Will be used and exposed to the client side code in Admin.CSRF 
     Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken() 
     to set the token in custom 3rd party code. 
     --> 
     <client> 
     <cookie>{token}</cookie> 
     <header>{token}</header> 
     <parameter>{token}</parameter> 
     </client> 

     <!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. --> 
     <filter> 

     <!-- Refresh token on each new page visit --> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/service/enterprise/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/s/enterprise/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/service/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 
     <rule> 
      <request> 
       <method>GET</method> 
       <path>/s/admin/.*</path> 
      </request> 
      <action name="generateToken"> 
       <param name="session">{token}</param> 
       <param name="cookie">{token}</param> 
      </action> 
     </rule> 

     <!-- 
      Verify multipart requests contain the token as a parameter 
      and also correct referer & origin header if available 
     --> 
     <rule> 
      <request> 
       <method>POST</method> 
       <header name="Content-Type">multipart/.+</header> 
      </request> 
      <action name="assertToken"> 
       <param name="session">{token}</param> 
       <param name="parameter">{token}</param> 
      </action> 
      <action name="assertReferer"> 
       <param name="referer">{referer}</param> 
      </action> 
      <action name="assertOrigin"> 
       <param name="origin">{origin}</param> 
      </action> 
     </rule> 

     <!-- 
      Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers 
      if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't 
      require a json request body otherwise would be successfully executed using i.e."text/plain". 
     --> 
     <rule> 
      <request> 
       <method>POST|PUT|DELETE</method> 
      </request> 
      <action name="assertToken"> 
       <param name="session">{token}</param> 
       <param name="header">{token}</param> 
      </action> 
      <action name="assertReferer"> 
       <param name="referer">{referer}</param> 
      </action> 
      <action name="assertOrigin"> 
       <param name="origin">{origin}</param> 
      </action> 
     </rule> 
     </filter> 

    </config> 

</alfresco-config> 

It doesn't work...

As described here, I added the following to web.xml:

<filter-mapping> 
    <filter-name>CSRF Token Filter</filter-name> 
    <url-pattern>/service/admin/*</url-pattern> 
</filter-mapping> 

<filter-mapping> 
    <filter-name>CSRF Token Filter</filter-name> 
    <url-pattern>/s/admin/*</url-pattern> 
</filter-mapping> 

It doesn't work...

I tried to disable the CSRF filter with the following:

<alfresco-config> 
    <config evaluator="string-compare" condition="CSRFPolicy" replace="true"> 
     <filter/> 
    </config> 
</alfresco-config> 

It doesn't work...

How do I configure the workflow management console?

I would be very grateful for this information. Thank you all.
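The rule matching behind the error above, as an added example that is not part of the original post or of Alfresco's code: a small Python model of the CSRFPolicy filter in which the first matching rule wins, generateToken seeds the session and cookie, and assertToken compares the session token with the request parameter. It assumes the browser echoes the cookie token back as a form parameter, omits the referer/origin actions, and the names POLICY, load_rules, run_filter and console_scenario are chosen here.

```python
import re
import secrets
import xml.etree.ElementTree as ET

# Constructed <filter> in the page's format; the /s/admin/.* rule is the one the custom file adds.
POLICY = """<filter>
 <rule><request><method>GET</method><path>/s/enterprise/admin/.*</path></request>
  <action name="generateToken"><param name="session">{token}</param><param name="cookie">{token}</param></action></rule>
 <rule><request><method>GET</method><path>/s/admin/.*</path></request>
  <action name="generateToken"><param name="session">{token}</param><param name="cookie">{token}</param></action></rule>
 <rule><request><method>POST|PUT|DELETE</method></request>
  <action name="assertToken"><param name="session">{token}</param><param name="parameter">{token}</param></action></rule>
</filter>"""
TOKEN = "alf-csrftoken"  # the <properties><token> value shown in the page's config

def load_rules(xml, drop_path=None):
    """Parse the rules; drop_path simulates a config in which that rule is missing."""
    rules = []
    for rule in ET.fromstring(xml).findall("rule"):
        req = rule.find("request")
        if drop_path and req.findtext("path") == drop_path:
            continue
        actions = [(a.get("name"), {p.get("name"): p.text.replace("{token}", TOKEN)
                                    for p in a.findall("param")}) for a in rule.findall("action")]
        rules.append((req.findtext("method"), req.findtext("path"), actions))
    return rules

def run_filter(rules, session, cookies, method, path, params):
    """First rule whose method/path match is applied (per the page's comment); returns a verdict."""
    for methods, rule_path, actions in rules:
        if not re.fullmatch(methods, method) or (rule_path and not re.fullmatch(rule_path, path)):
            continue
        for name, p in actions:
            if name == "generateToken":  # seed session and cookie with a fresh random token
                session[p["session"]] = cookies[p["cookie"]] = secrets.token_urlsafe(16)
            elif name == "assertToken":  # no session token, or a mismatch, is the page's 500
                expected = session.get(p["session"])
                if expected is None or expected != params.get(p["parameter"]):
                    return "500 Possible CSRF attack noted when comparing token in session and request parameter"
        return "200 OK"
    return "200 OK (no rule matched)"

def console_scenario(with_admin_rule=True, send_token=True):
    """GET the console page, then POST a command; the client echoes the cookie token as a form parameter."""
    rules, session, cookies = load_rules(POLICY, None if with_admin_rule else "/s/admin/.*"), {}, {}
    run_filter(rules, session, cookies, "GET", "/s/admin/admin-workflowconsole", {})
    form = {"cmd": "show definitions all"}
    if send_token:  # a cross-site form post cannot read the cookie, so it cannot send the token
        form[TOKEN] = cookies.get(TOKEN)
    return run_filter(rules, session, cookies, "POST", "/s/admin/admin-workflowconsole", form)
```

Without the /s/admin/.* generateToken rule the GET seeds no session token, so the console's own POST fails exactly like a forged one; with it, the legitimate POST passes and a post lacking the token is still rejected.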

+0

Please see this community link https://community.alfresco.com/thread/228162-hitting-csrf-when-trying-to-use-the-workflow-admin-console – vikash

+0

Thank you very much for your comment; Axel Faust already pointed this out in that post. I had read it, but I did not find the file "web-scripts-config-custom.xml" in my configuration. Instead I used 'web-client-security-config.xml' and added the missing rules to it. –

+0

I copied this file from '/opt/alfresco-community/tomcat/webapps/alfresco/WEB-INF/classes/alfresco' and put it (with the added rules) into '/opt/alfresco-community/tomcat/shared/classes/alfresco/extension', then redeployed, but the old file 'web-client-security-config.xml' remained in '/webapps/'. Then I added 'web-client-security-config.xml' to '/opt/alfresco-community/tomcat/shared/classes/alfresco/', but it did not help. What configuration should I use, and where should I put it?.. –

Answer

2

Finally, I found my mistake!..

Instead of web-scripts-config-custom.xml I had created web-script-config-custom.xml. I missed the letter 's'.

Now everything works.

Thank you very much, Axel Faust!..