Comments (3)
Default Alfresco images' handling of CSRF is annoyingly trivial. One of many reasons I typically do not use Alfresco's images for anything other than community projects.
- For your sub-optimal solution you can also choose to include a share-config-custom-dev.xml file in the Docker image which only has to contain a CSRF config override with an effectively disabled state, and thus avoiding the override of all the other config.
- Using an empty value for origin / referer is not the same as effectively disabling CSRF. Without a configured value, there is an internal fallback using localhost / Tomcat server name for validation. In order to effectively disable CSRF guards, it would be best to set a wildcard pattern for the origin / referrer, e.g.
https?://[^:/]+(:\d+)?/.*
- The nginx config is extremely simplistic and would cause issues with AOS-based WebDAV connections to the Alfresco Repository.
- The /etc/hosts entries are only relevant for the client access and do not have any impact on the Docker-internal routing.
- Access to load-balanced Share relies on session state. Either nginx must be set to use session-sticky routing or aldica-provided session replication must be enabled for the Share web application.
from aldica.
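The referer/origin pattern from the comment above, exercised as an added example (this is not aldica's or Alfresco's code). It assumes that Share matches the configured pattern against the whole header value (Java String.matches semantics), approximated here with re.fullmatch; the hostnames, the header values and the helper names scoped_pattern, header_allowed and evaluate are constructed for the example.

```python
# Added example, not code from aldica or Alfresco: shows why the wildcard
# referer/origin pattern from the comment above amounts to disabling the
# check, and what a host-scoped pattern looks like instead.
# Assumptions: Share matches the configured pattern against the whole header
# value (Java String.matches semantics), approximated here with re.fullmatch;
# the hostnames and header values below are constructed sample data.
import re

# Pattern from the comment: any scheme, any host, optional port, some path.
WILDCARD = r"https?://[^:/]+(:\d+)?/.*"


def scoped_pattern(hosts):
    """Pattern that only accepts HTTPS requests from the given public hostnames.
    Dots are escaped so 'share.example.com' cannot be satisfied by a
    look-alike such as 'shareXexample.com'."""
    alternatives = "|".join(re.escape(h) for h in hosts)
    return rf"https://({alternatives})(:\d+)?/.*"


def header_allowed(pattern, header_value):
    """True when a Referer/Origin header value satisfies the pattern.
    A missing header is treated as a failed check in this example."""
    if header_value is None:
        return False
    return re.fullmatch(pattern, header_value) is not None


# Constructed sample header values: legitimate Share traffic, an attacker
# page, a look-alike domain, and an Origin-style value without a path.
SAMPLE_HEADERS = [
    "https://share.example.com/share/page/site/demo/dashboard",
    "http://share.example.com:8080/share/page/",
    "https://evil.example/phish.html",
    "https://share.example.com.evil.example/share/",
    "https://share.example.com",
]


def evaluate(pattern, headers=SAMPLE_HEADERS):
    """Map each sample header value to whether the pattern lets it through."""
    return {value: header_allowed(pattern, value) for value in headers}


if __name__ == "__main__":
    for label, pattern in (("wildcard", WILDCARD),
                           ("scoped", scoped_pattern(["share.example.com"]))):
        print(f"--- {label}: {pattern}")
        for value, ok in evaluate(pattern).items():
            print(f"{'ALLOW' if ok else 'DENY ':5} {value}")
```

Running it shows the wildcard letting the phishing page and the look-alike domain through, which is exactly why it is the way to switch the guard off for a community setup rather than a hardened value; the scoped pattern is what to substitute once the public hostname is fixed. Note that a value without a path fails even the wildcard under whole-string matching, so check which header values actually reach the filter behind your proxy before relying on either pattern.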
@AFaust Thanks for the feedback. A few comments to your bullets:
- Good idea - I have implemented this.
- I tried to do this with the CSRF environment variables discussed earlier, but with no success, so I will go with the solution in 1)
- Browsing the URLs below /alfresco/aos is working fine, but we can tweak the LB if this is needed for more advanced use cases.
- Yes, I agree. I find it convenient, however, to perform this configuration on my local host, since it makes it easier to "simulate" an environment with real DNS entries. E.g. I found that in some situations when working with Keycloak and Docker-compose everyone must agree on the names.
- That makes sense - this was the missing piece. I will go for the low-hanging fruit for now and have simply added this to the LB configuration. We can do some more sophisticated aldica/Share configurations later on.
I will make a PR with the changes soon.
Concerning bullet no. 3: I am referring to the need to support forwarding an OPTIONS request on /, and requests for vti_bin/vti_inf to the Repository container.