diff --git a/config/alfresco/web-client-security-config.xml b/config/alfresco/web-client-security-config.xml
new file mode 100644
index 0000000000..bb620d3668
--- /dev/null
+++ b/config/alfresco/web-client-security-config.xml
@@ -0,0 +1,118 @@
+ + + + + + + true + + + + + + alf-csrftoken + + + + + + + + + + + {token} +
{token}
+ {token} +
+ + + + + + + + GET + /service/enterprise/admin/.* + + + {token} + {token} + + + + + + + POST +
multipart/.+
+
+ + {token} + {token} + + + {referer} + + + {origin} + +
+ + + + + POST|PUT|DELETE + + + {token} + {token} + + + {referer} + + + {origin} + + +
+ +
+ +
\ No newline at end of file
diff --git a/source/web/WEB-INF/web-application-context.xml b/source/web/WEB-INF/web-application-context.xml
index b5d44df9bc..4928a19dee 100644
--- a/source/web/WEB-INF/web-application-context.xml
+++ b/source/web/WEB-INF/web-application-context.xml
@@ -2,12 +2,29 @@ - - - - - + + + + + + + + + + + classpath:alfresco/web-scripts-config.xml + classpath:alfresco/web-client-security-config.xml + classpath:alfresco/extension/web-scripts-config-custom.xml + + + + + + + + +
\ No newline at end of file
diff --git a/source/web/WEB-INF/web.xml b/source/web/WEB-INF/web.xml
index 6b84d1f14e..3c89e4fa47 100644
--- a/source/web/WEB-INF/web.xml
+++ b/source/web/WEB-INF/web.xml
@@ -98,6 +98,12 @@ --> + + CSRF Token filter. Checks for a session based CSRF token in request headers (or form parameters) based on config. + CSRF Token Filter + org.springframework.extensions.webscripts.servlet.CSRFFilter + +
@@ -232,6 +238,16 @@ /wcs/api/solr/* + + CSRF Token Filter + /service/enterprise/admin/* + + + + CSRF Token Filter + /s/enterprise/admin/* + +
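Review bot: The method pattern of the last rule in web-client-security-config.xml, `POST|PUT|DELETE`, leaves PATCH (and any other state-changing verb the admin web scripts might accept) outside the token, referer and origin checks; `POST|PUT|DELETE|PATCH` would close that gap at no cost. The XML markup is stripped in this view, so the rule structure (a GET rule that assigns the token, a multipart POST rule, and a rule for the remaining mutating methods, each checking `{token}`, `{referer}` and `{origin}`) is inferred from the element text and should be confirmed against the file. No comments are visible in the new file; a one-line XML comment above each rule stating what it enforces, e.g. `<!-- Mutating requests to enterprise admin scripts must carry the session CSRF token and a matching Referer/Origin -->`, would make the policy readable without knowing the filter's rule syntax.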
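Review bot: The new config-location list in web-application-context.xml loads `classpath:alfresco/extension/web-scripts-config-custom.xml` after `classpath:alfresco/web-client-security-config.xml`, so a deployment-time override in the extension file can presumably relax or disable the CSRF rules this commit introduces; that is the usual override order, but nothing in the hunk says so. Suggest a comment on the list, `<!-- Later entries override earlier ones: the extension file may override the CSRF defaults from web-client-security-config.xml -->`, with "may" kept until the merge semantics of the config service are confirmed.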
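Review bot: The filter `<description>` added to web.xml mentions only the session token in headers or form parameters, while the rules shipped with this commit also check `{referer}` and `{origin}`, and the description does not say where the rules are configured. `CSRF Token filter. Checks for a session based CSRF token in request headers (or form parameters), plus Referer/Origin where configured, per alfresco/web-client-security-config.xml.` would document the actual contract at the place operators read it.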
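Review bot: The two new filter-mappings send `/service/enterprise/admin/*` and `/s/enterprise/admin/*` through the CSRF filter, but the only path pattern visible in web-client-security-config.xml is `/service/enterprise/admin/.*`; if the filter matches that pattern against the request URI rather than a normalised servlet path, requests arriving via the `/s/...` alias would pass through the filter without any rule firing, so neither token assignment nor the checks would apply to them. Either widen the config pattern to `/(service|s)/enterprise/admin/.*` or confirm from the filter implementation that both prefixes resolve to the same matched path. The context line `/wcs/api/solr/*` suggests at least one further web-script prefix is mapped in this file; if enterprise admin scripts are reachable under any prefix other than `/service` and `/s`, those requests bypass the filter entirely and need a mapping too.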