BinaryAlchemy11
Level 3
March 4, 2025

CSRF Import Issue for AEM Maven Project


Hi,

 

I am trying to implement a CSRF token for the form servlet; however, I am getting the error "The import com.adobe.granite.csrf cannot be resolved Java(268435846)" in the servlet.

 

I have added the dependency to the main pom.xml file:

            <dependency>
                <groupId>com.adobe.granite</groupId>
                <artifactId>com.adobe.granite.csrf</artifactId>
                <version>1.0.20</version>
                <scope>provided</scope>
            </dependency>
 
I have also added this to the pom.xml file for core:
 
            <plugin>
                <groupId>org.apache.felix</groupId>
                <artifactId>maven-bundle-plugin</artifactId>
                <extensions>true</extensions>
                <configuration>
                    <instructions>
                        <Import-Package>
                            com.adobe.granite.csrf*;resolution:=optional,
                            org.apache.sling.xss*;version="[2.0,3)",
                            org.apache.sling.api*,
                            org.osgi.service.component.annotations*,
                            *
                        </Import-Package>
                    </instructions>
                </configuration>
            </plugin>
 
Upon checking the bundles, the bundle for com.adobe.granite.csrf also seems active.
 

 

3 replies

konstantyn_diachenko
Community Advisor
March 4, 2025

Hi @binaryalchemy11,

 

Unfortunately, this com.adobe.granite.csrf package is not exported by any OSGi bundle. You can check this via /system/console/depfinder by package or class name.

In the provided screenshot you can see that this bundle doesn't export the desired package. That's why you can't import it in your bundle.

I'd suggest creating your own implementation of a CSRF service.

 

Best regards,

Kostiantyn Diachenko.

Kostiantyn Diachenko, Community Advisor, Certified Senior AEM Developer, creator of free AEM VLT Tool, maintainer of AEM Tools plugin.
BinaryAlchemy11
Level 3
March 4, 2025

This is what I have in depfinder:

Do you have a sample example of creating your own implementation of a CSRF service?

Or the best practice for validating form POST requests in a servlet against CSRF attacks?

 

konstantyn_diachenko
Community Advisor
March 4, 2025

As far as I know, CSRF protection is enabled for forms by default.

 

Read this documentation:

https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/developing/advanced/csrf-protection

https://experienceleague.adobe.com/en/docs/experience-manager-65/content/implementing/developing/introduction/csrf-protection 

https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/configuring-dispatcher-to-prevent-csrf?lang=en

 

In addition, you can check the following OSGi configurations that manage the CSRF token:

  • Adobe Granite CSRF Servlet
  • Adobe Granite CSRF Filter

 

Best regards,

Kostiantyn Diachenko.

Kostiantyn Diachenko, Community Advisor, Certified Senior AEM Developer, creator of free AEM VLT Tool, maintainer of AEM Tools plugin.
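
An added example, not part of the thread and not Adobe's code: since the Granite CSRF Filter does the server-side check, the form's client has to fetch a token from AEM's /libs/granite/csrf/token.json endpoint and send it in the CSRF-Token header. The servlet path /bin/example/form, the function names, the single retry on 403 and the fakeAem stand-in are assumptions made for illustration.

```javascript
// Added example. The endpoint and header are AEM's; everything else is hypothetical.
const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json"; // served by the Granite CSRF Servlet
const TOKEN_HEADER = "CSRF-Token";                      // checked by the Granite CSRF Filter

// Ask AEM for a token; the endpoint answers with JSON of the form {"token": "..."}.
async function fetchCsrfToken(fetchImpl) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: "same-origin", cache: "no-store" });
  if (!res.ok) throw new Error("token request failed: " + res.status);
  return (await res.json()).token; // undefined when the response carries no token
}

// Build the POST: URL-encoded form body plus the token header when a token exists.
function buildPost(fields, token) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (token) headers[TOKEN_HEADER] = token;
  return { method: "POST", credentials: "same-origin", headers, body: new URLSearchParams(fields).toString() };
}

// Submit the form. Assumption: a rejected or stale token is answered with 403,
// so fetch a new token and retry exactly once before giving up.
async function postForm(fetchImpl, servletPath, fields) {
  let res;
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await fetchCsrfToken(fetchImpl);
    res = await fetchImpl(servletPath, buildPost(fields, token));
    if (res.status !== 403) break;
  }
  return res;
}

// Constructed stand-in for AEM: issues t1, t2, ... and treats t1 as already expired.
function fakeAem() {
  let issued = 0;
  const seen = []; // token header of every form POST, in order
  const fetchImpl = async (url, init = {}) => {
    if (url === TOKEN_ENDPOINT) {
      issued += 1;
      return { ok: true, status: 200, json: async () => ({ token: "t" + issued }) };
    }
    seen.push(init.headers[TOKEN_HEADER]);
    const valid = issued > 1 && init.headers[TOKEN_HEADER] === "t" + issued;
    return { ok: valid, status: valid ? 200 : 403 };
  };
  return { fetchImpl, seen };
}

// Demo against the stand-in; /bin/example/form is a placeholder servlet path.
const demo = fakeAem();
postForm(demo.fetchImpl, "/bin/example/form", { email: "a@example.com" })
  .then((res) => console.log(res.status, demo.seen));
```

In a browser, pass `window.fetch.bind(window)` as `fetchImpl`; the servlet itself needs no CSRF code when the filter is active for its path and method.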
Tethich
Community Advisor
March 5, 2025

Hi @binaryalchemy11 

 

If you go into your local AEM server folder, into the /launchpad/felix folder, and look for bundleXYZ, where XYZ is the ID of the bundle, which in your case is 245, you will find a bundle.jar file. If you look inside the jar, you will see 3 classes:

Are these what you are looking for? I don't see any com.adobe.granite.csrf.CSRFService.

BinaryAlchemy11
Level 3
March 10, 2025

Oh okay that makes sense. Do you have an example of how you might have used CSRF validation for the form servlet? 

kautuk_sahni
Community Manager
March 5, 2025

@binaryalchemy11 Did you find the suggestion helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!

Kautuk Sahni