How to get CRSF Token value in AEM Publisher | Community
Skip to main content
K
kbitra1998
Level 4
May 25, 2021
Solved

How to get CRSF Token value in AEM Publisher

  • May 25, 2021
  • 2 replies
  • 5527 views

Hi,

we are calling an API using servlet, Our AEM Instance in 6.5.5, we are successfully able to call the servlet and send the CRSF Token in the author instance. However, In the Publisher instance, we are getting an empty response from the /libs/granite/csrf/token.json, how can we validate or authenticate the POST request to get the CRSF token value in AEM Publisher.

 

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by Asutosh_Jena_

Hi @kbitra1998 

 

CSRF protection is only available for authenticated user. So in author it will be passed while making any servlet call as you will be logged in.

But on Publish instance, if you are making any anonymous call, CSRF token will be empty as there will not be any authentication.

"The basic idea: Server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore/log it. Your CSRF token should ideally only be passed to the client upon authentication."

 

"There are no tokens on the publish instances for anonymous users."

 

Access http://localhost:4503/libs/granite/csrf/token.json while logged in as an user, you will get value.

Access http://localhost:4503/libs/granite/csrf/token.json as anonymous user, you will get empty {}.

 

Please refer the below link for more info:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protection.html?lang=en

 

Thanks!

2 replies

Umesh_Thakur
Community Advisor
Umesh_ThakurCommunity Advisor
Community Advisor
May 25, 2021

@kbitra1998,

It seems like the permission issue for the anonymous user publish, So handle it you should be having one system user and provide the permission to the node.

It should work as expected.

https://experiencemanaged.com/posts/send-a-csrf-token-to-an-aem-61-servlet-without-using-jquery-or-granitecsrfstandalone-clientlib.html

 

Hope this will help

Umesh Thakur 

    Asutosh_Jena_
    Community Advisor
    Asutosh_Jena_Community AdvisorAccepted solution
    Community Advisor
    May 25, 2021

    Hi @kbitra1998 

     

    CSRF protection is only available for authenticated user. So in author it will be passed while making any servlet call as you will be logged in.

    But on Publish instance, if you are making any anonymous call, CSRF token will be empty as there will not be any authentication.

    "The basic idea: Server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore/log it. Your CSRF token should ideally only be passed to the client upon authentication."

     

    "There are no tokens on the publish instances for anonymous users."

     

    Access http://localhost:4503/libs/granite/csrf/token.json while logged in as an user, you will get value.

    Access http://localhost:4503/libs/granite/csrf/token.json as anonymous user, you will get empty {}.

     

    Please refer the below link for more info:

    https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protection.html?lang=en

     

    Thanks!

      K
      kbitra1998Author
      Level 4
      May 26, 2021

      Thanks @asutosh_jena_ ,

      The issue got resolved. From the dispatcher filter, we are rejecting the servlet path so we are getting 301 status code and redirects to 404 pages.

      rk_pandian
      rk_pandian
      Level 4
      October 6, 2023

      Hi @kbitra1998 were you able to get CSRF token in the publish instance? because I have the same scenario now and not sure if I can use CSRF in publish or go with any other approach.

       

      Update: http://localhost:4503/libs/granite/csrf/token.json doesn't create a token when logged out, so this cannot be used in Publish.

      Terms & ConditionsAccessibility statement

      Loading footer...