Expand my Community achievements bar.

Learn about Edge Delivery Services in upcoming GEM session
SOLVED

ACS commons Publish Dispatcher Flush CSRF error

Avatar

Level 2

Hi ,

I have been trying to upgrade ACS commons version from 5.3.4 to 6.0.8. After successfully upgrading the version, the dispatcher flush in author is working fine and as expected.  But in Publisher flush Error 403 is thrown saying that CSRF token is not present and its invalid. This case is same for the ACS versions 6.0.0 to 6.0.8 where the new UI was introduced. But from version 5.7.0 (previous one of 6.0.0) is working fine without any error. I tried to look into bundle versions while updating, rules of dispatcher and everything looks fine. What can cause this CSRF error for new UI ? 

 

It will be helpful if any perspective is suggested by anyone.

 

 

Edit (31/05/2023):  I was able to see a null pointer exception while loading dispatcher flush page while is displayed.

 

[2023-05-31 11:26:13,724][INFO][qtp337051247-2268][log.request] 31/May/2023:11:26:13 +0530 [1262] -> GET /etc/acs-commons/dispatcher-flush/dispatcher-flush.html HTTP/1.1
[2023-05-31 11:26:13,735][ERROR][[0:0:0:0:0:0:0:1] [1685512573724] GET /etc/acs-commons/dispatcher-flush/dispatcher-flush.html HTTP/1.1][org.apache.sling.scripting.sightly.render.ObjectModel] Cannot access method results on object com.adobe.acs.commons.replication.dispatcher.impl.DispatcherFlushModelImpl@1f03504a
java.lang.reflect.InvocationTargetException: null
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)

 

Caused by: java.lang.NullPointerException: null
at java.base/java.util.Objects.requireNonNull(Objects.java:221)
at java.base/java.util.Arrays$ArrayList.<init>(Arrays.java:4323)
at java.base/java.util.Arrays.asList(Arrays.java:4310)
at com.adobe.acs.commons.replication.dispatcher.impl.DispatcherFlushModelImpl.getResults(DispatcherFlushModelImpl.java:82)

 

The getResults function is:

 

@Self
private SlingHttpServletRequest request;

 

@Override
public List<String> getResults() {
    return Arrays.asList(StringUtils.split(request.getRequestPathInfo().getSuffix(), "/"));
}

1 Accepted Solution

Avatar

Correct answer by
Level 2

Hi everyone,

 

After spending more time on analyzing this issue we found that the Null pointer exception caused the whole issue preventing the code from generating CSRF token which resulted in 403 Error (only in publish ). We have raised issue in official GitHub of ACS commons regarding this and not upgrading the 6.x.x as the issue is same in all 6.x.x versions.

View solution in original post

7 Replies

Avatar

Community Advisor

Hello @Kavin742 

 

If you have separate configs for author and publish, there might be a config thats missing. Please assure that clientheaders, filters and cache are configured for both the farms.

https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/configuring-...


Aanchal Sikka

Avatar

Level 2

Hello @aanchal-sikka ,

I was able to encountered following error in logs:.

 

 

 

[2023-05-30 14:43:47,327][INFO][qtp844391689-3752][log.request] 30/May/2023:14:43:47 +0530 [1874] -> POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1
[2023-05-30 14:43:47,329][INFO][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][com.adobe.granite.csrf.impl.CSRFFilter] isValidRequest: empty CSRF token - rejecting
[2023-05-30 14:43:47,329][INFO][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][com.adobe.granite.csrf.impl.CSRFFilter] doFilter: the provided CSRF token is invalid
[2023-05-30 14:43:47,332][ERROR][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][org.apache.sling.servlets.resolver.internal.SlingServletResolver] Calling the error handler resulted in an error

 

The request is failing in AEM itself and request is not reaching the dispatcher (in order to check with respect to farm files for config). 

 

But for ACS version 5.3.4 the POST request reaches dispatcher and flush is done as expected

 

Avatar

Community Advisor

Hello @Kavin742 

 

Can you please try configuring "Apache Sling Referrer Filter" to disable CSRF validation for " /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html"

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checkl... 


Aanchal Sikka

Avatar

Level 2

Hi @aanchal-sikka ,

I tried allowing "allow empty" for empty or missing referrer and added "/etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html" to Exclude Regexp User Agent. Still the error is logged as same.

Avatar

Community Advisor

Hi @Kavin742 ,

 

Can you verify if the "Adobe Granite CSRF Filter" configuration is accurate? Additionally, you can update the "Excluded Paths" section with the dispatcher flush path to skip the CSRF check altogether on the flush request.

 

Thanks,

Fani

Avatar

Level 2

Hi @Fanindra_Surat ,

 

Yes, the CSRF configuration is same as author. The dispatcher flush in author is working fine while in publish error is thrown. I tried to add the POST requested path to Excluded paths.Still the CSRF error is thrown.

Avatar

Correct answer by
Level 2

Hi everyone,

 

After spending more time on analyzing this issue we found that the Null pointer exception caused the whole issue preventing the code from generating CSRF token which resulted in 403 Error (only in publish ). We have raised issue in official GitHub of ACS commons regarding this and not upgrading the 6.x.x as the issue is same in all 6.x.x versions.