How do I correctly implement a POST webscript in Alfresco 5 without causing a CSRF exception?


I created a module extension for Alfresco 5 Community. Everything is fine: I have my .get methods taken care of and they display correctly.

On the page I have a button that posts back to the server to display the result (which is empty right now while testing). When the button is clicked I get a server error:

javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/service/components/console/reset-dashboards
    at org.alfresco.web.site.servlet.CSRFFilter$AssertTokenAction.run(CSRFFilter.java:827)
    at org.alfresco.web.site.servlet.CSRFFilter.doFilter(CSRFFilter.java:312)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
    at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
    at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.doRun(AprEndpoint.java:2466)
    at org.apache.tomcat.util.net.AprEndpoint$SocketProcessor.run(AprEndpoint.java:2455)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Unknown Source)
At http://localhost:8080/share/page/index/uri/components/console/reset-dashboards I can see that everything is registered correctly:

Reset Dashboards
GET /share/page/components/console/reset-dashboards
Description:    Dashboard Tools - Reset All Dashboards To Default
Authentication: none
Transaction:    none
Format Style:   any
Default Format: html
Id: com/company/components/console/dashboard-tools/reset-dashboards.get
Description:    classpath:alfresco/site-webscripts/com/company/components/console/dashboard-tools/reset-dashboards.get.desc.xml

Reset Dashboards POST
POST /share/page/components/console/reset-dashboards
Description:    Dashboard Tools - Reset All Dashboards To Default POST
Authentication: user
Transaction:    required
Format Style:   any
Default Format: json
Id: com/company/components/console/dashboard-tools/reset-dashboards.post
Description:    classpath:alfresco/site-webscripts/com/company/components/console/dashboard-tools/reset-dashboards.post.desc.xml

Here is the information for the GET webscript:

Script Properties
Id: com/company/components/console/dashboard-tools/reset-dashboards.get
Short Name: Reset Dashboards
Description:    Dashboard Tools - Reset All Dashboards To Default
Authentication: none
Transaction:    none
Method: GET
URL Template:   /components/console/reset-dashboards
Format Style:   any
Default Format: html
Negotiated Formats: [undefined]
Implementation: class org.springframework.extensions.webscripts.DeclarativeWebScript
Extensions: [undefined]

Store: classpath:alfresco/site-webscripts

File: com/company/components/console/dashboard-tools/reset-dashboards.get.desc.xml

<webscript>
    <shortname>Reset Dashboards</shortname>
    <description>Dashboard Tools - Reset All Dashboards To Default</description>
    <url>/components/console/reset-dashboards</url>
    <family>admin-console</family>
</webscript>

File: com/company/components/console/dashboard-tools/reset-dashboards.get.html.ftl

<@markup id="css" >
<#-- CSS Dependencies -->
    <@link href="${url.context}/res/components/console/application.css" group="console"/>
</@>

<@markup id="js">
<#-- JavaScript Dependencies -->
    <@script src="${url.context}/res/components/console/consoletool.js" group="console"/>
    <#--<@script src="${url.context}/res/components/console/application.js" group="console"/>-->
</@>

<@markup id="widgets">
    <@createWidgets group="console"/>
</@>

<@markup id="html">
    <#assign el=args.htmlid?html>
    <form id="${el}-options-form" action="${url.context}/service/components/console/reset-dashboards" method="post">
        <div class="buttons">
            <button id="${el}-apply-button" name="apply">${msg("button.reset")}</button>
        </div>
    </form>
</@>

File: com/company/components/console/dashboard-tools/reset-dashboards.get.js

function main()
{
}

main();

Store: classpath:surf/webscripts

[No implementation files]

Store: classpath:webscripts

[No implementation files]

Here is the information for the POST webscript:

Script Properties
Id: com/company/components/console/dashboard-tools/reset-dashboards.post
Short Name: Reset Dashboards POST
Description:    Dashboard Tools - Reset All Dashboards To Default POST
Authentication: user
Transaction:    required
Method: POST
URL Template:   /components/console/reset-dashboards
Format Style:   any
Default Format: json
Negotiated Formats: [undefined]
Implementation: class org.springframework.extensions.webscripts.DeclarativeWebScript
Extensions: [undefined]

Store: classpath:alfresco/site-webscripts

File: com/company/components/console/dashboard-tools/reset-dashboards.post.desc.xml

<webscript>
    <shortname>Reset Dashboards POST</shortname>
    <description>Dashboard Tools - Reset All Dashboards To Default POST</description>
    <format default="json" />
    <url>/components/console/reset-dashboards</url>
    <authentication>user</authentication>
</webscript>

File: com/company/components/console/dashboard-tools/reset-dashboards.post.json.ftl

{
    "success": ${success?string},
    "message": "<#if errormsg??>${errormsg}</#if>"
}

File: com/company/components/console/dashboard-tools/reset-dashboards.post.json.js

function main()
{
    model.success = true;
}

main();

Store: classpath:surf/webscripts

[No implementation files]

Store: classpath:webscripts

[No implementation files]

Again, when I click the button on the page to post to the webscript, it gives me a "Possible CSRF attack" exception. How do I correct this? Is it possible to do this inside the module extension jar file?

Update


I did notice that all the other scripts shipped as part of Alfresco include an Alfresco-CSRFToken header and a cookie of the same name. My script only includes Alfresco-CSRFToken as a cookie; it is missing as a header. But I don't know how to make sure it is present as a header.

If you are calling repository webscripts from Alfresco Share client-side script, you need to take care of the following to get past the CSRF filter:

Try to use the standard Alfresco.util.Ajax, Alfresco/core/CoreXhr or Alfresco.forms.Form when sending the request.

If you are not using any of the above, then you need to do the extra CSRF-token-related check, like this:

// xhrHeadersObject is the headers object you pass to your XHR call;
// only add the token header when the CSRF filter is switched on in share-config
if (Alfresco.util.CSRFPolicy && Alfresco.util.CSRFPolicy.isFilterEnabled())
{
    xhrHeadersObject[Alfresco.util.CSRFPolicy.getHeader()] = Alfresco.util.CSRFPolicy.getToken();
}

For a YUI DataSource:

// yuiDataSource is your YAHOO.util.DataSource instance; set the header on its connection manager
if (Alfresco.util.CSRFPolicy && Alfresco.util.CSRFPolicy.isFilterEnabled())
{
    yuiDataSource.connMgr.initHeader(Alfresco.util.CSRFPolicy.getHeader(), Alfresco.util.CSRFPolicy.getToken(), false);
}

By using the above you can get rid of the CSRF-attack-related errors in your code.

I have seen this, and everyone says "it's easy, just add this javascript snippet"... so where do you add the javascript snippet? I figured this out myself and had to dig into the Alfresco code to determine what was going on; it requires creating a client-side widget javascript file that, on load, wires up the form so that it submits correctly. Yes, you need to create client-side javascript from where the webscript is called, so this code goes in there.