AEM 6.1 Server Access Issue (Authenticated vs Anonymous) | Community
Level 3
February 8, 2016
Solved


  • February 8, 2016
  • 6 replies
  • 2598 views

We're in the process of upgrading from CQ 5.5 to AEM 6.1 and we're working with existing code that we have.

We've recently run into an issue on some of our upgraded servers (we can't duplicate this locally on a fresh AEM 6.1) where servlets that we have configured are accessible just fine via an anonymous connection, but when a user is authenticated (even on Publish, which we require), the same code acts as if the servlet doesn't exist when calling it.

I wasn't aware of any changes in AEM 6.1 that required additional changes to the code or at the OSGi Console level with regard to how a servlet is accessed.

Here is an example of what our servlet code looks like with names removed.

@Service
@SlingServlet(paths = "/bin/abc/abc123", methods = { "POST" }, metatype = true, label = "Description of the Servlet")
public class ClassName extends SlingAllMethodsServlet {
    // doPost handler omitted by the poster
}

Here is part of the jQuery Ajax request we've been using:

$.ajax({
    async: false,
    type: "POST",
    url: "/bin/abc/abc123",
    data: { query: q },
    dataType: "text"
})


6 replies

smacdonald2008
Level 10
February 8, 2016

I cannot duplicate this - I can still use AJAX to hit servlets on 6.1.

Lokesh_Shivalingaiah
Level 10
February 8, 2016

As this is a POST request, see if you are seeing any CSRF-related errors in the log. If you are seeing any errors in the log, please post the same.

Level 3
February 8, 2016

bsloki wrote...

As this is a POST request, see if you are seeing any CSRF-related errors in the log. If you are seeing any errors in the log, please post the same.

Thanks, just got a similar response from another source as well; seems this was added to AEM 6.x and our Adobe Contract folks didn't bother to tell us :)

Do you have any experience with implementing this with existing ajax calls?

Kunal_Gaba_
Kunal_Gaba_ (Accepted solution)
February 8, 2016

You need to submit the CSRF token with your AJAX requests, either in the request body or in the header. The token is available here - http://localhost:4502/libs/granite/csrf/token.json. The token, once requested, times out after 10 minutes, so make sure to get the token just before submitting the request.

    headers: {
        'CSRF-Token': token
    },

Jitendra_S_Toma
Level 10
February 9, 2016

You also have to make changes at the dispatcher level. For more details, go through the docs below.

Configure Dispatcher to prevent CSRF Attacks

AEM provides a framework aimed at preventing Cross-Site Request Forgery attacks. In order to properly make use of this framework, you need to whitelist CSRF token support in the dispatcher. You can do this by:

  1. Creating a filter to allow the /libs/granite/csrf/token.json path;
  2. Creating a filter to allow the CSRF-Token header.

https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

https://docs.adobe.com/docs/en/dispatcher/security-checklist.html

Jitendra

sreenu539
Level 7
December 3, 2017

@Thomas_PNC @kunal123 how do I get the CSRF token and send it while making an AJAX call?

One of my AJAX POST calls is failing with "unable to read csrf meta information" and I'm trying to get the code working.

Appreciate any help. Some pseudocode here:

getFundData: function(resortId, requestData) {
    var fundPromise = $.Deferred();
    // serviceUrl is defined elsewhere in the poster's code
    $.ajax({
        type: 'POST',
        url: serviceUrl,
        data: JSON.stringify(requestData),
        dataType: 'json',
        contentType: 'application/json',
        success: function(response) {
            fundPromise.resolve(response);
        },
        error: function(errorMsg) {
            fundPromise.reject(errorMsg);
        }
    });
    return fundPromise;
}
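As an added example answering the question above (not code from any poster in this thread): fetch the token from /libs/granite/csrf/token.json right before the POST and send it in the CSRF-Token header, as Kunal_Gaba_'s accepted answer describes. It uses fetch instead of jQuery and takes a fetch-compatible function as a parameter; makeFakeAem is a constructed stub standing in for a publish instance so the block runs offline.

```javascript
// Added example, not the thread's code. Assumes token.json replies {"token": "..."}
// and takes a fetch-compatible function: window.fetch in the browser, the stub below offline.
const TOKEN_PATH = '/libs/granite/csrf/token.json';
// Fetch the token right before each POST: AEM tokens time out after
// 10 minutes, so one cached at page load may already be stale.
async function getCsrfToken(fetchFn) {
  const res = await fetchFn(TOKEN_PATH);
  if (!res.ok) throw new Error('CSRF token request failed: HTTP ' + res.status);
  const body = await res.json();
  if (typeof body.token !== 'string' || body.token === '') {
    throw new Error('token.json did not contain a token');
  }
  return body.token;
}
// POST JSON to the servlet with the token in the header AEM's CSRF filter checks.
async function postWithCsrf(fetchFn, url, payload) {
  const token = await getCsrfToken(fetchFn);
  return fetchFn(url, {
    method: 'POST',
    headers: { 'Content-Type': 'application/json', 'CSRF-Token': token },
    body: JSON.stringify(payload),
  });
}

// Constructed stand-in for an AEM instance (simplified): issues tokens and answers
// 403 to any POST whose CSRF-Token header was never issued.
function makeFakeAem() {
  const issued = new Set();
  return async function fakeFetch(url, opts = {}) {
    const reply = (status, body) => ({ ok: status < 400, status, json: async () => body });
    if (url === TOKEN_PATH) {
      const token = 'tok-' + (issued.size + 1);
      issued.add(token);
      return reply(200, { token });
    }
    const sent = (opts.headers || {})['CSRF-Token'];
    if ((opts.method || 'GET') === 'POST' && !issued.has(sent)) {
      return reply(403, { error: 'missing or invalid CSRF token' });
    }
    return reply(200, { received: JSON.parse(opts.body || 'null') });
  };
}
// The thread's token-less POST next to the corrected one, for comparison.
async function demo(fetchFn = makeFakeAem()) {
  const bare = await fetchFn('/bin/abc/abc123', { method: 'POST', body: '{"query":"q"}' });
  const fixed = await postWithCsrf(fetchFn, '/bin/abc/abc123', { query: 'q' });
  return { withoutToken: bare.status, withToken: fixed.status };
}
```

In the browser, pass window.fetch as fetchFn; the dispatcher still needs the filters for the token path and the CSRF-Token header that Jitendra's reply lists.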