We're in the process of upgrading from CQ 5.5 to AEM 6.1 and we're working with existing code that we have.
We've recently run into an issue on some of our upgraded servers (can't duplicate this locally on a fresh AEM 6.1) where servlets that we have configured are accessible just fine via an anonymous connection, but when a user is authenticated (even on Publish, which we require), the same code acts as if the servlet doesn't exist when calling it.
I wasn't aware of any changes in AEM 6.1 that required additional changes to the code or at the OSGi Console level with regards to how a Servlet is accessed.
Here is an example of what our servlet code looks like with names removed.
@Service
@SlingServlet(paths = "/bin/abc/abc123", methods = { "POST" }, metatype = true, label = "Description of the Servlet")
public class ClassName extends SlingAllMethodsServlet {
Here is part of the jQuery Ajax request we've been using:
$.ajax({
    async: false,
    type: "POST",
    url: "/bin/abc/abc123",
    data: { query: q },
    dataType: "text"
});
You need to submit the CSRF token with your AJAX requests, either in the request body or in the header. The token is available here - http://localhost:4502/libs/granite/csrf/token.json. The token, once requested, times out after 10 minutes, so make sure to get the token just before submitting the request.
I cannot duplicate this - I can still use AJAX to hit servlets on 6.1.
As this is a POST request, see if you are seeing any CSRF-related errors in the log. If you are seeing any errors in the log, please post them.
bsloki wrote...
As this is a POST request, see if you are seeing any CSRF-related errors in the log. If you are seeing any errors in the log, please post them.
Thanks, I just got a similar response from another source as well; it seems this was added to AEM 6.x and our Adobe contract folks didn't bother to tell us :)
Do you have any experience with implementing this with existing AJAX calls?
You also have to make changes at the dispatcher level. For more details, go through the docs below.
Configure Dispatcher to prevent CSRF Attacks
AEM provides a framework aimed at preventing Cross-Site Request Forgery attacks. In order to properly make use of this framework, you need to whitelist CSRF token support in the dispatcher. You can do this by:
https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html
https://docs.adobe.com/docs/en/dispatcher/security-checklist.html
Jitendra
@Thomas_PNC @kunal123 How do you get the CSRF token and send it while making an AJAX call?
One of our AJAX POST calls is failing with "unable to read csrf meta information" and I'm trying to get the code working.
I'd appreciate any help. Some pseudocode here:
getFundData: function(resortId, requestData) {
    var fundPromise = $.Deferred();
    // serviceUrl is defined elsewhere in the component (not shown in this excerpt)
    $.ajax({
        type: 'POST',
        url: serviceUrl,
        data: JSON.stringify(requestData),
        dataType: 'json',
        contentType: 'application/json',
        success: function(response) {
            fundPromise.resolve(response);
        },
        error: function(errorMsg) {
            fundPromise.reject(errorMsg);
        }
    });
    return fundPromise;
}
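The approach the accepted answer describes (fetch /libs/granite/csrf/token.json just before the POST, then send the token in the CSRF-Token header), and the shape the getFundData question asks for, as an added example that is not code from this thread or from Adobe. It assumes the fetch API rather than jQuery; fetchFn is injected so the same logic runs against the constructed fake AEM below, and on a real AEM page you would pass window.fetch.

```javascript
// Added example (not from this thread or from Adobe). Fetches the Granite CSRF
// token and sends it in the CSRF-Token header of a POST. fetchFn is injected so
// the logic also runs outside a browser; on an AEM page pass window.fetch.
const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";
const TOKEN_HEADER = "CSRF-Token";

async function getCsrfToken(fetchFn) {
  const res = await fetchFn(TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!res.ok) throw new Error("token request failed: HTTP " + res.status);
  const body = await res.json();
  if (!body || typeof body.token !== "string" || body.token.length === 0) {
    throw new Error("token.json did not contain a token");
  }
  return body.token;
}

async function postWithCsrf(fetchFn, url, payload) {
  // Request the token right before the POST: the thread notes it expires after 10 minutes.
  const token = await getCsrfToken(fetchFn);
  const res = await fetchFn(url, {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/json", [TOKEN_HEADER]: token },
    body: JSON.stringify(payload),
  });
  if (!res.ok) throw new Error("POST to " + url + " failed: HTTP " + res.status);
  return res.json();
}

// Constructed stand-in for the two AEM endpoints so the example runs offline.
// It hands out one token and answers 403 to any POST that does not carry it,
// which reproduces the failing-POST situation the thread discusses.
function makeFakeAem() {
  const issued = "constructed-token-123";
  const jsonResponse = (status, obj) =>
    ({ ok: status >= 200 && status < 300, status, json: async () => obj });
  return async function fakeFetch(url, opts = {}) {
    if (url === TOKEN_ENDPOINT) return jsonResponse(200, { token: issued });
    if ((opts.method || "GET") === "POST") {
      const sent = (opts.headers || {})[TOKEN_HEADER];
      if (sent !== issued) return jsonResponse(403, { error: "CSRF token missing or invalid" });
      return jsonResponse(200, { received: JSON.parse(opts.body) });
    }
    return jsonResponse(404, {});
  };
}
```

Behind a dispatcher, the token endpoint must also be allowed through, as the dispatcher docs linked above describe; otherwise getCsrfToken fails before the POST is even attempted.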