AEM Forms - CSRF Token Verification

James_R_Green - 24-10-2018

Hi,

I am interested in how the CSRF protection works in AEM Forms when submitting to a REST endpoint (custom sling servlet deployed to AEM).

I see that there is a ":cq_csrf_token" inserted when my form is submitted and I can see it is passed in the request.

1) Is this token automatically verified by AEM when POSTing to a rest endpoint - if so, how does it achieve this?

2) If this is not automatically verified what code would be needed within my rest endpoint in order to validate the csrf token is legitimate?

I have searched for this information but cannot find all of the details, can someone point me in the right direction?

Thanks,

Jim

Replies

James_R_Green - 25-10-2018

Hi,

If I tamper with the CSRF token in the browser inspector, I get an error which suggests the token is verified automatically (option 1 in my original post). I can see from the error this happens here:

guideContainer.af.internalsubmit.jsp HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

guideContainer.af.internalsubmit.jsp HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: not well formed CSRF token - rejecting

Where is the code for internalsubmit.jsp? I cannot find it anywhere!

Thanks,

Jim

smacdonald2008 - 26-10-2018

James - we asked the Forms team to respond to this question.

I know in Sites AEM - when you want to invoke a Sling Servlet - you use the AEM JQuery version. It includes a CSRF token.

James_R_Green - 27-10-2018

James_R_Green - 07-11-2018

Hey smacdonald2008 - did the forms team get back to you on this?

sudhanshu_singh - 19-11-2018

Hi James,

The CSRF handling for Forms is quite similar, and the CSRF clientLib part of the forms runtime is responsible for passing the required token on submission. This token is validated as part of the CSRFFilter which you are seeing in the logs you shared.

Thanks & Regards,

-Sudhanshu
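The two answers above (use the AEM clientlib that carries the token; let the CSRFFilter validate it) describe the client side of the flow without showing it. The following is an added example, not code from this thread or from Adobe: it shows what the Granite CSRF clientlib does for you when a page POSTs to a custom Sling servlet, namely fetch a token from the Granite token endpoint `/libs/granite/csrf/token.json` (which returns `{"token": "..."}`) and send it as the `CSRF-Token` request header and/or the `:cq_csrf_token` form field named in the question. The servlet path `/bin/myproject/submit`, the `fakeFetch` stand-in and the token value it hands out are constructed so the code runs offline; the filter's real checks are on the AEM side and are not reproduced here beyond "token present and matches".

```javascript
// Added example (not from the thread): obtaining and sending the Granite CSRF
// token when POSTing to a custom Sling servlet on AEM.
// Assumptions: AEM's standard token endpoint /libs/granite/csrf/token.json
// returning {"token": "..."}, and the CSRFFilter accepting the token either as
// the "CSRF-Token" header or as the ":cq_csrf_token" form field.

const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";
const TOKEN_HEADER = "CSRF-Token";
const TOKEN_FIELD = ":cq_csrf_token";

// Fetch a fresh token for the current session. `fetchImpl` is injected so the
// flow can be exercised offline with the constructed `fakeFetch` below.
async function getCsrfToken(fetchImpl, origin = "") {
  const res = await fetchImpl(origin + TOKEN_ENDPOINT, {
    method: "GET",
    credentials: "same-origin", // the token is bound to the logged-in session
  });
  if (!res.ok) throw new Error(`token request failed: HTTP ${res.status}`);
  const body = await res.json();
  if (typeof body.token !== "string" || body.token.length === 0) {
    throw new Error("token.json did not return a token");
  }
  return body.token;
}

// Build the POST to the custom servlet. The token goes in the header and,
// for a form-encoded submission, also in the :cq_csrf_token field, so either
// place the filter looks is satisfied.
function buildServletRequest(servletPath, fields, token) {
  const params = new URLSearchParams(fields);
  params.set(TOKEN_FIELD, token);
  return {
    url: servletPath,
    options: {
      method: "POST",
      credentials: "same-origin",
      headers: {
        [TOKEN_HEADER]: token,
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
      },
      body: params.toString(),
    },
  };
}

// Full flow: get a token, then submit with it.
async function submitToServlet(fetchImpl, servletPath, fields) {
  const token = await getCsrfToken(fetchImpl);
  const req = buildServletRequest(servletPath, fields, token);
  return fetchImpl(req.url, req.options);
}

// Constructed stand-in for fetch so the example runs without an AEM instance.
// It hands out a fixed token and, like the CSRFFilter, answers 403 to a POST
// that does not carry that token and 200 to one that does.
const FAKE_TOKEN = "constructed-token-value";
async function fakeFetch(url, options = {}) {
  if (url.endsWith(TOKEN_ENDPOINT)) {
    return { ok: true, status: 200, json: async () => ({ token: FAKE_TOKEN }) };
  }
  const sent = (options.headers || {})[TOKEN_HEADER];
  const ok = options.method === "POST" && sent === FAKE_TOKEN;
  return { ok, status: ok ? 200 : 403, json: async () => ({}) };
}

// Stand-alone run against the constructed fetch: prints "status 200".
submitToServlet(fakeFetch, "/bin/myproject/submit", { name: "Jim" })
  .then((r) => console.log("status", r.status));
```

In a browser the same functions work with the real `fetch` passed as `fetchImpl`; the `granite.csrf.standard` clientlib performs this token fetch and header injection automatically for XHR and form submissions, which is why the thread's form already carried `:cq_csrf_token` without any custom code. A request without the token (or with a tampered one) is what produced the "provided CSRF token is invalid" log line quoted earlier.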