Handle CSRF filter in Alfresco

Alfresco Share is a collaboration platform built with Spring Surf on top of the Alfresco repository. It communicates with the repository through data webscripts, so every repository artifact that Share consumes must be exposed as a webscript.

This creates a security concern: because all of your content and other information is exposed through webscripts, an intruder could manipulate data stored in the repository with a few tricks. Alfresco introduced a CSRF filter to prevent that.

What is CSRF?

As per the Wikipedia definition, Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. CSRF attacks specifically target state-changing requests, not theft of data, since the attacker has no way to see the response to the forged request.

How does Alfresco handle that?

To prevent CSRF attacks, Alfresco uses a token mechanism. Each valid user is issued a token when they log in through Alfresco Share. That token (Alfresco-CSRF-Token) must then be passed on all subsequent calls to repository webscripts. The token is renewed when the user navigates to a new page.

How to handle it in your code?

If you call repository webscripts from your Alfresco Share client-side script, you need to take care of the following points in order to pass the CSRF filter.

Prefer the standard Alfresco.util.Ajax, alfresco/core/CoreXhr or Alfresco.forms.Form helpers when sending requests; they take care of the token for you.

If you are not using any of the above, you need to add the following CSRF token handling yourself.

// Only add the header when the CSRF filter is enabled on this Share instance
if (Alfresco.util.CSRFPolicy && Alfresco.util.CSRFPolicy.isFilterEnabled())
   xhrHeadersObject[Alfresco.util.CSRFPolicy.getHeader()] = Alfresco.util.CSRFPolicy.getToken();

In the case of a YUI DataSource:

// Register the token header on the DataSource's connection manager for every request it sends
if (Alfresco.util.CSRFPolicy && Alfresco.util.CSRFPolicy.isFilterEnabled())
   yuiDataSource.connMgr.initHeader(Alfresco.util.CSRFPolicy.getHeader(), Alfresco.util.CSRFPolicy.getToken(), false);

By using the above methods you can get rid of CSRF-related errors in your code. I have tried to keep this post simple and brief; if you want more details on the CSRF policy in Alfresco, refer to the following blog post by Erik, which contains all you need to know about the CSRF filter in Alfresco.


Author Spotlight


I love opensource technologies working with those technologies from the time I have stepped in to the Software Industry. Alfresco CMS is my area of expertise. I have worked on various complex implementations which involved integration of Alfresco with other technologies, extensively worked with JBPM workflows and Webscripts.