Expand my Community achievements bar.

ajax service call not triggered while on dispatcher

Avatar

Level 7

Hi All,

I am seeing "unable to read csrf meta information" on IE edge (11) and chrome is working fine. Page keeps on loading and never completed loading.

If I access the publish urls without dispatcher IE11 pages loading fine. (all ajax calls triggered fine)

If I access the publish servers through dispatcher urls, IE11 pages not loading completely. ( some ajax service calls not triggered )

Why does the certain ajax calls are not triggered while on dispatcher ? ( every ajax request is going through same aem servlet ).

Thanks,

Sree

8 Replies

Avatar

Administrator

From AEM 6.1, it introduced crf and for any post request it should have valid token.   Verify your dispatcher.any & in filter allow for the same. Details at The Dispatcher Security Checklist

Just make sure, your http/https call is allowed at dispatcher level. As you know, most of the time, all JSON calls are denied at the dispatcher. So, let that filter be as it is and adds another filter to allow your call (token.json)

Source:- csrf url redirection



Kautuk Sahni

Avatar

Level 7

kautuksahni​ : thank you for the replyl.

Just to give the background, application is migrated from AEM 6.1 to AEM 6.3 ( Environment : Windows 7 OS, IE11 browser).

On AEM 6.1, application does not have any issues through dispatcher url.

On AEM 6.3, when application accessed through dispatcher url:

AEM 6.3 not sending some of the ajax POST webservice requests to the backend server. ( all webservice requests are channeled through an AEM Servlet)

In dispatcher.any file, I do have the /libs/ .../csrf/* as allow in the filter section.

if I access, publish url directly, all ajax service calls are going through and I see the pages loading properly.

Do I need to add "CSRF-TOKEN" in clientheaders section of dispatcher.any file?

Do I need to have "CSRF-TOKEN" defined in application as some meta tag?

Could you please shed some light on this behavior ?

Avatar

Level 7

Issue is happening with or without dispatcher. I am able to reproduce the issue on publisher instance.

how to get the csrf token and send while making an ajax call?

one of ajax post call is failing with "unable to read csrf meta information" and trying to get the code working.

appreciate any help. some pesudocode here:

getFundData: function(resortId, requestData) {

        var fundPromise = $.Deferred();

        $.ajax({

            type: 'POST',

            url: serviceUrl,

            data: JSON.stringify(requestData),

            dataType: 'json',

            contentType : 'application/json',

            success: function(response) {

                fundPromise.resolve(response);

            },

            error : function(errorMsg) {

                fundPromise.reject(errorMsg);

            }

        });

        return fundPromise;

    }

Avatar

Level 7

This issue is happening due to csrf.js located in libs/grantie/jquery/granite path

In the following code for POST requests "this._csrf" value set to true and the following code goes to fail function which results in aborting ajax post calls.

could anyone from adobe staff can help ?

XMLHttpRequest.prototype.send = function(method) {

        if (!this._csrf) {

            send.apply(this, arguments);

            return;

        }

        if (globalToken) {

            this.setRequestHeader(HEADER_NAME, globalToken);

            send.apply(this, arguments);

            return;

        }

        var self = this;

        var args = Array.prototype.slice.call(arguments);

        promise.then(function(token) {

self.setRequestHeader(HEADER_NAME, token);

send.apply(self, args);

        }, function() {

            if (window.console) {

                console.error('Unable to read CSRF meta information');

            }

send.apply(self, args);

        });

    };

Avatar

Administrator

You need to allow /libs/granite/csrf/token.json as well as the CSRF-Token header in the dispatcher (The Dispatcher Security Checklist ).

For the CSRF token, if you are dependant on the granite.jquery clientlib, then it should be available by default. Else, you need to add granite.csrf.standalone dependency in your client library so as to enable the CSRF framework. More about this can be found here.

See The CSRF Protection Framework



Kautuk Sahni

Avatar

Level 7

/csrf/token.json is allowed at dispatcher.any level

contexthub cart.json ajax post call is failing in the csrf.js.

For now , disabled contexthub, so there will bo no invalidstateerror and application ajax calls are executing.

Avatar

Level 9

sreenu539​,

Go to publish OSGI console and make sure you have referrer (Apache referrer) configuration domain. it should be added here. Basically it needs domain name where you are POST request is coming. Try without any protocol e.g google.com, your-hostname.com

Just try and let me know.

Regards,

Jitendra