ACS commons Publish Dispatcher Flush CSRF error | Community
Level 2
May 30, 2023
Solved

ACS commons Publish Dispatcher Flush CSRF error


Hi ,

I have been trying to upgrade ACS commons version from 5.3.4 to 6.0.8. After successfully upgrading the version, the dispatcher flush in author is working fine and as expected. But in Publisher flush, Error 403 is thrown saying that the CSRF token is not present and it's invalid. This case is the same for the ACS versions 6.0.0 to 6.0.8 where the new UI was introduced. But version 5.7.0 (the previous one to 6.0.0) is working fine without any error. I tried to look into bundle versions while updating and the rules of the dispatcher, and everything looks fine. What can cause this CSRF error for the new UI?

It will be helpful if any perspective is suggested by anyone.

Edit (31/05/2023): I was able to see a null pointer exception while loading the dispatcher flush page while it is displayed.

 

[2023-05-31 11:26:13,724][INFO][qtp337051247-2268][log.request] 31/May/2023:11:26:13 +0530 [1262] -> GET /etc/acs-commons/dispatcher-flush/dispatcher-flush.html HTTP/1.1
[2023-05-31 11:26:13,735][ERROR][[0:0:0:0:0:0:0:1] [1685512573724] GET /etc/acs-commons/dispatcher-flush/dispatcher-flush.html HTTP/1.1][org.apache.sling.scripting.sightly.render.ObjectModel] Cannot access method results on object com.adobe.acs.commons.replication.dispatcher.impl.DispatcherFlushModelImpl@1f03504a
java.lang.reflect.InvocationTargetException: null
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)

 

Caused by: java.lang.NullPointerException: null
at java.base/java.util.Objects.requireNonNull(Objects.java:221)
at java.base/java.util.Arrays$ArrayList.<init>(Arrays.java:4323)
at java.base/java.util.Arrays.asList(Arrays.java:4310)
at com.adobe.acs.commons.replication.dispatcher.impl.DispatcherFlushModelImpl.getResults(DispatcherFlushModelImpl.java:82)

 

The getResults function is:

@Self
private SlingHttpServletRequest request;

@Override
public List<String> getResults() {
    return Arrays.asList(StringUtils.split(request.getRequestPathInfo().getSuffix(), "/"));
}


aanchal-sikka
Community Advisor
May 30, 2023

Hello @kavin742

If you have separate configs for author and publish, there might be a config that's missing. Please ensure that clientheaders, filters and cache are configured for both the farms.

https://experienceleague.adobe.com/docs/experience-manager-dispatcher/using/configuring/configuring-dispatcher-to-prevent-csrf.html?lang=en

Aanchal Sikka
Kavin742 (Author)
Level 2
May 30, 2023

Hello @aanchal-sikka,

I encountered the following error in the logs:

[2023-05-30 14:43:47,327][INFO][qtp844391689-3752][log.request] 30/May/2023:14:43:47 +0530 [1874] -> POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1
[2023-05-30 14:43:47,329][INFO][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][com.adobe.granite.csrf.impl.CSRFFilter] isValidRequest: empty CSRF token - rejecting
[2023-05-30 14:43:47,329][INFO][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][com.adobe.granite.csrf.impl.CSRFFilter] doFilter: the provided CSRF token is invalid
[2023-05-30 14:43:47,332][ERROR][[0:0:0:0:0:0:0:1] [1685438027327] POST /etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html HTTP/1.1][org.apache.sling.servlets.resolver.internal.SlingServletResolver] Calling the error handler resulted in an error

 

The request is failing in AEM itself and the request is not reaching the dispatcher (in order to check with respect to farm files for config).

But for ACS version 5.3.4 the POST request reaches the dispatcher and the flush is done as expected.

 

aanchal-sikka
Community Advisor
May 30, 2023

Hello @kavin742

Can you please try configuring "Apache Sling Referrer Filter" to disable CSRF validation for "/etc/acs-commons/dispatcher-flush/dispatcher-flush/_jcr_content/configuration.flush.html"?

https://experienceleague.adobe.com/docs/experience-manager-65/administering/security/security-checklist.html?lang=en 

Aanchal Sikka
Fanindra_Surat
Community Advisor
May 30, 2023

Hi @kavin742,

Can you verify if the "Adobe Granite CSRF Filter" configuration is accurate? Additionally, you can update the "Excluded Paths" section with the dispatcher flush path to skip the CSRF check altogether on the flush request.

 

Thanks,

Fani

Kavin742 (Author)
Level 2
May 31, 2023

Hi @fanindra_surat,

Yes, the CSRF configuration is the same as author. The dispatcher flush in author is working fine while in publish the error is thrown. I tried to add the POST requested path to Excluded paths. Still the CSRF error is thrown.

Kavin742 (Author), Accepted solution
Level 2
June 1, 2023

Hi everyone,

After spending more time analyzing this issue, we found that the null pointer exception caused the whole issue, preventing the code from generating the CSRF token, which resulted in the 403 error (only in publish). We have raised an issue in the official GitHub of ACS commons regarding this and are not upgrading to 6.x.x, as the issue is the same in all 6.x.x versions.
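The null pointer exception named in the accepted answer, reproduced next to a null-safe form. This is an added example, not ACS Commons code and not the project's fix. It assumes the stack trace above: `getSuffix()` returns null when the page is requested without a suffix, `StringUtils.split(null, "/")` returns null, and `Arrays.asList` rejects a null array. `splitOnSlash`, `resultsAsPosted` and `resultsNullSafe` are hypothetical names, and the suffix values are constructed.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

public class FlushResultsDemo {

    // Stand-in for StringUtils.split(suffix, "/") from Apache Commons Lang,
    // so the demo runs without AEM: null in gives null out, empty tokens are dropped.
    static String[] splitOnSlash(String suffix) {
        if (suffix == null) {
            return null;
        }
        List<String> parts = new ArrayList<>();
        for (String part : suffix.split("/")) {
            if (!part.isEmpty()) {
                parts.add(part);
            }
        }
        return parts.toArray(new String[0]);
    }

    // Same expression shape as getResults() in the post: a null array reaches Arrays.asList.
    static List<String> resultsAsPosted(String suffix) {
        return Arrays.asList(splitOnSlash(suffix));
    }

    // Null-safe variant: a request without a suffix yields an empty result list.
    static List<String> resultsNullSafe(String suffix) {
        String[] parts = splitOnSlash(suffix);
        return parts == null ? Collections.<String>emptyList() : Arrays.asList(parts);
    }

    public static void main(String[] args) {
        // Constructed inputs: a made-up suffix, and null as returned by getSuffix()
        // for the bare GET of dispatcher-flush.html shown in the request log.
        String[] suffixes = {"/path-a/path-b", null};
        for (String suffix : suffixes) {
            System.out.println("suffix=" + suffix);
            System.out.println("  null-safe: " + resultsNullSafe(suffix));
            try {
                System.out.println("  as posted: " + resultsAsPosted(suffix));
            } catch (NullPointerException e) {
                System.out.println("  as posted: NullPointerException, rendering stops here");
            }
        }
    }
}
```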