inteligr8/alfresco-community-repo
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-community-repo.git synced 2025-08-07 17:49:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merged 5.2.N (5.2.1) to HEAD (5.2)

Browse Source 
131485 kroast: Merged 5.2-DEV (5.2.0) to 5.2.N (5.2.N)
      131352 kroast: ACE-4881 - [Pentest 121015] Multiple admin CSRF
         - Added CSRF filter config to protect the Alfresco Admin Console pages


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@132265 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
This commit is contained in:
Alan Davis
2016-11-03 13:52:23 +00:00
parent 47ae44e500
commit 01156b23b5
3 changed files with 159 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
config/alfresco/web-client-security-config.xml Normal file
View File

@@ -0,0 +1,118 @@
<alfresco-config>
<!--
CSRF filter config to mitigate CSRF/Seasurfing/XSRF attacks
To disable the CSRF filter override the <filter> to not contain any values, for example:
<config evaluator="string-compare" condition="CSRFPolicy" replace="true">
<filter/>
</config>
@since 5.2
-->
<config evaluator="string-compare" condition="CSRFPolicy">
<!--
Force creation of a Session when the filter matches a path - this should only be used when you are
confident the filtered part of the web application is using an authentication mechanism that will avoid
protected pages being accessed until the user is authenticated. Otherwise this would be a route to
a Session fixation attack.
-->
<session>true</session>
<!--
Properties that may be used inside the rest of the CSRFPolicy config to avoid repetition but
also making it possible to provide different values in different environments.
I.e. Different "Referer" & "Origin" properties for test & production etc.
Reference a property using "{propertyName}".
-->
<properties>
<!-- There is normally no need to override this property -->
<token>alf-csrftoken</token>
<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Referer header.
-->
<referer></referer>
<!--
Override and set this property with a regexp that if you have placed Alfresco behind a proxy that
does not rewrite the Origin header.
-->
<origin></origin>
</properties>
<!--
Will be used and exposed to the client side code in Admin.CSRF
Use the Admin.CSRF.getHeader() or Admin.CSRF.getParameter() with Admin.CSRF.getToken()
to set the token in custom 3rd party code.
-->
<client>
<cookie>{token}</cookie>
<header>{token}</header>
<parameter>{token}</parameter>
</client>
<!-- The first rule with a matching request will get its action invoked, the remaining rules will be ignored. -->
<filter>
<!-- Refresh token on each new page visit -->
<rule>
<request>
<method>GET</method>
<path>/service/enterprise/admin/.*</path>
</request>
<action name="generateToken">
<param name="session">{token}</param>
<param name="cookie">{token}</param>
</action>
</rule>
<!--
Verify multipart requests contain the token as a parameter
and also correct referer & origin header if available
-->
<rule>
<request>
<method>POST</method>
<header name="Content-Type">multipart/.+</header>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="parameter">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
<!--
Verify that all remaining state changing requests contain a token in the header and correct referer & origin headers
if available. We "catch" all content types since just setting it to "application/json.*" since a webscript that doesn't
require a json request body otherwise would be successfully executed using i.e."text/plain".
-->
<rule>
<request>
<method>POST|PUT|DELETE</method>
</request>
<action name="assertToken">
<param name="session">{token}</param>
<param name="header">{token}</param>
</action>
<action name="assertReferer">
<param name="referer">{referer}</param>
</action>
<action name="assertOrigin">
<param name="origin">{origin}</param>
</action>
</rule>
</filter>
</config>
</alfresco-config>

17
source/web/WEB-INF/web-application-context.xml
View File

@@ -10,4 +10,21 @@
last (note: custom-web-context.xml isn't part of the source tree itself).
-->
<import resource="classpath*:alfresco/extension/custom-web-context.xml" />
<!-- Apply web-client-security-config.xml to web/webscript config sources -->
<bean id="webscripts.configsource" class="org.springframework.extensions.config.source.UrlConfigSource">
<constructor-arg>
<list>
<value>classpath:alfresco/web-scripts-config.xml</value>
<value>classpath:alfresco/web-client-security-config.xml</value>
<value>classpath:alfresco/extension/web-scripts-config-custom.xml</value>
</list>
</constructor-arg>
</bean>
<bean id="web.config" class="org.springframework.extensions.config.xml.XMLConfigService" init-method="init">
<constructor-arg>
<ref bean="webscripts.configsource" />
</constructor-arg>
</bean>
</beans>

16
source/web/WEB-INF/web.xml
View File

@@ -98,6 +98,12 @@
-->
</filter>
<filter>
<description>CSRF Token filter. Checks for a session based CSRF token in request headers (or form parameters) based on config.</description>
<filter-name>CSRF Token Filter</filter-name>
<filter-class>org.springframework.extensions.webscripts.servlet.CSRFFilter</filter-class>
</filter>
<!-- AOSM filter placeholder -->
<!-- CORS Filter Begin -->
@@ -232,6 +238,16 @@
<url-pattern>/wcs/api/solr/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/service/enterprise/admin/*</url-pattern>
</filter-mapping>
<filter-mapping>
<filter-name>CSRF Token Filter</filter-name>
<url-pattern>/s/enterprise/admin/*</url-pattern>
</filter-mapping>
<!-- AOSM filter-mapping placeholder -->
<!-- Enterprise filter-mapping placeholder -->