Weird CSRF Error on /libs/granite/csrf/token.json
Level 2
December 2, 2017


I have the following scenario (Author Instance):

  • Install a clean AEM 6.2 or 6.3 instance (error happens on both versions)
  • Upload/install a custom (and simple) ui.app package
  • All works fine, no errors, I can create/delete pages and also access /system/console/bundles
  • Stop AEM, then restart AEM
  • Now I constantly get the error (can't create/delete pages, can't access /system/console/bundles):

02.12.2017 10:32:37.131 *ERROR* [0:0:0:0:0:0:0:1 [1512239557128] GET /libs/granite/csrf/token.json HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Uncaught Throwable

java.lang.NoSuchMethodError: org.json.JSONWriter.<init>(Ljava/io/Writer;)V

.....

If I uninstall the package, all works fine again.

This is happening in AEM 6.2 (with or without AEM updates) AND AEM 6.3.

I am indeed using a GET servlet to retrieve content in the JSON format. And I am using jQuery for content tables on the Web pages.

A couple of interesting findings:

  • This error happens all over the place. E.g. when I load the Felix console (/system/console) the list of bundles doesn't show. Instead I get the same error message.
  • There is no cross-reference access in the whole custom package. And my servlet is a GET servlet.
  • If I enter http://localhost:4502/libs/granite/csrf/token.json I get the same error...

org.json.JSONWriter.<init>(Ljava/io/Writer;)V

Cannot serve request to /libs/granite/csrf/token.json in com.adobe.granite.csrf.impl.CSRFServlet

Exception:

java.lang.NoSuchMethodError: org.json.JSONWriter.<init>(Ljava/io/Writer;)V
    at com.adobe.granite.csrf.impl.CSRFServlet.doGet(CSRFServlet.java:119)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)

To summarize:

  • After installing a custom package all works fine. But after restarting AEM, things go bologna.
  • If I uninstall the custom package (even with no restart) all works fine again and I don't get the error.
  • It's a CSRF error (cross-site...), but there are no cross site requests in the custom package.
  • If I repeat http://localhost:4502/libs/granite/csrf/token.json after removing the custom package I get the following response.

{
  token: "eyJleHAiOjE1MTIyNDE4MzUsImlhdCI6MTUxMjI0MTIzNX0.FRUNuXsR51Od_Xnhsxu7APGBKptUmJ9bha5o58-gZUA"
}

Is it possible that

  • I am missing a configuration setting somewhere? This is happening in AEM 6.2 and AEM 6.3 and I can't assume it's an "undetected bug".
  • Can't the token be generated? Or is it generated but can't be returned?

Since this is happening in both versions of AEM, 6.2 and 6.3 and since I assume I am not the only one using a GET servlet to generate a JSON response, I am quite sure I am missing some sort of configuration or setting.

Any idea what this could be?

Thanks!

The error as it appears in the error.log

02.12.2017 10:32:37.131 *ERROR* [0:0:0:0:0:0:0:1 [1512239557128] GET /libs/granite/csrf/token.json HTTP/1.1] org.apache.sling.engine.impl.SlingRequestProcessorImpl service: Uncaught Throwable
java.lang.NoSuchMethodError: org.json.JSONWriter.<init>(Ljava/io/Writer;)V
    at com.adobe.granite.csrf.impl.CSRFServlet.doGet(CSRFServlet.java:119)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.mayService(SlingSafeMethodsServlet.java:270)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:346)
    at org.apache.sling.api.servlets.SlingSafeMethodsServlet.service(SlingSafeMethodsServlet.java:378)
    at org.apache.sling.engine.impl.request.RequestData.service(RequestData.java:552)
    at org.apache.sling.engine.impl.filter.SlingComponentFilterChain.render(SlingComponentFilterChain.java:44)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:77)
    at com.day.cq.wcm.core.impl.WCMDebugFilter.doFilter(WCMDebugFilter.java:156)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:68)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.filterRootInclude(WCMComponentFilter.java:375)
    at com.day.cq.wcm.core.impl.WCMComponentFilter.doFilter(WCMComponentFilter.java:190)
    at org.apache.sling.engine.impl.filter.AbstractSlingFilterChain.doFilter(AbstractSlingFilterChain.java:68)
    at com.day.cq.personalization.impl.TargetComponentFilter.doFilter(TargetComponentFilter.java:96)
    .....


smacdonald2008
Level 10
December 2, 2017

What code are you using in the custom package?

Also - how did you create the custom package? Are you using a Maven Archetype project?

Can you do a test? Remove the app logic that encodes data as JSON and return as text - then see if the same error occurs. This will narrow down causes.

Level 2
December 3, 2017

I tested with another simple task, an OSGi bundle. I can upload the bundle plus a content and a dam-content package. All is fine. Then I stop AEM and restart. Now I get the same error.

What's interesting: I just uploaded an OSGi bundle. It was not used, except for the activate part. But after restarting AEM the token.json error is back.

Level 2
December 3, 2017

In the OSGi bundle I replaced org.json with GSON. After removing JSON and replacing it by GSON, and then restarting AEM 6.3, the error did not appear anymore!

In the POM I removed this dependency:

<dependency>
  <groupId>org.json</groupId>
  <artifactId>json</artifactId>
  <version>20170516</version>
</dependency>

What surprises me is that a JSON dependency can break the issuing of authentication tokens and with that the behavior of AEM. If I put the dependency back, http://localhost:4502/libs/granite/csrf/token.json will throw an error, which is appearing also when loading /system/console. If I remove that dependency and reload the OSGi bundle, http://localhost:4502/libs/granite/csrf/token.json will return a token correctly.

IMHO Adobe will want to take a closer look at the CSRF servlet and encapsulate the classes, making them independent of libraries used by custom implementations.

I will do more testing and add more findings.
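A pre-deployment check for the situation this post describes, as an added example that is not part of the original posts or of Adobe's code: it reads a built bundle jar and reports whether it exports, imports or embeds the org.json package. That the breakage comes from the custom bundle supplying its own org.json classes to the OSGi container is an assumption the thread does not confirm; the sample jar and the name com.example.custom are constructed.

```python
import io
import re
import zipfile
WATCHED = "org.json"  # package named in the thread's stack trace

def build_sample_jar():
    """Constructed sample: a bundle that exports and embeds org.json."""
    manifest = (
        "Manifest-Version: 1.0\r\nBundle-SymbolicName: com.example.custom\r\n"
        'Export-Package: com.example.api;version="1.0";uses:="a,b",org.js\r\n'
        ' on;version="20170516"\r\n\r\n'  # wrapped header, continued on this line
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
        jar.writestr("org/json/JSONWriter.class", b"")
    return buf.getvalue()

def parse_manifest(text):
    """Parse the main manifest section; continuation lines start with one space."""
    headers, last = {}, None
    for line in text.replace("\r\n", "\n").split("\n"):
        if not line:
            break  # a blank line ends the main section
        if line.startswith(" ") and last:
            headers[last] += line[1:]
        elif ": " in line:
            last, value = line.split(": ", 1)
            headers[last] = value
    return headers

def package_names(header):
    """Package names in an OSGi header; commas inside quotes do not split clauses."""
    names = []
    for clause in re.findall(r'(?:[^,"]|"[^"]*")+', header):
        # a clause is pkg[;pkg...][;attr=value][;directive:=value]
        names += [p.strip() for p in clause.split(";") if "=" not in p]
    return names

def audit_bundle(jar_bytes, watched=WATCHED):
    """Report how a bundle jar carries the watched package."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        manifest = parse_manifest(jar.read("META-INF/MANIFEST.MF").decode("utf-8"))
        entries = jar.namelist()
    prefix = watched.replace(".", "/") + "/"
    return {
        "exports": watched in package_names(manifest.get("Export-Package", "")),
        "imports": watched in package_names(manifest.get("Import-Package", "")),
        "embeds_classes": any(e.startswith(prefix) and e.endswith(".class") for e in entries),
    }
```

A bundle that reports `exports` as true is offering its copy of the package to every other bundle in the container, which is the case to review before installing it on an instance.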

smacdonald2008
Level 10
December 3, 2017

I will check this with the support team to see if this is a known issue.

Level 2
December 3, 2017

Thanks, Scott, and once I have their answer, we can either recommend not to use org.json or do a write-up on how to use org.json properly.

smacdonald2008
Level 10
December 3, 2017

This is a good action plan - I will check with them tomorrow.