Hi masters!
I'm trying to use the 'Form Container', from core components (core/wcm/components/form/container/v2/container), to send emails, configuring the 'Action Type' to 'Mail'.
But when the form is sent to the thank you page, a 403 message is shown, and I can see this in the error.log:
17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting
17.06.2019 10:30:23.629 *INFO* [0:0:0:0:0:0:0:1 [1560760223623] POST /content/hesperiaweb/language-masters/es/contacto.html HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid
I've done this in previous versions of AEM with the former 'foundation/components/form/start' component, and this component added the :cq_csrf_token field to the request. But it seems the new core component doesn't, or I'm missing something...
Could you help me?
Kind regards,
You need to check that the CSRF-Token is passed in the /clientheaders section in Dispatcher.
Hi aem_marc.
I'm using only an AEM 6.5 author instance (no publish instance, no dispatcher). With admin user!
Thank you anyway!
Kind regards,
Hi Julio, have you solved this problem? I face a similar problem after trying to configure an external URL as a thank you page.
Hi @Julio_Baixauli,
I'm coming in very late to this question, but since this post comes up in searches for ":cq_csrf_token" it may help someone.
It appears that in AEM versions before 6.1, :cq_csrf_token was used, passed in request headers.
After that, as @aemmarc says, CSRF-Token is passed in the request headers.
For example, I'm working on legacy code which checks for :cq_csrf_token.
    String csrf = request.getParameter(":cq_csrf_token");
    if (StringUtils.isBlank(csrf)) { ...
Since we're switching to use AEM's CSRF Protection Framework, this doesn't work for us.
Changing to
    String csrf = request.getParameter("CSRF-Token");
    if (StringUtils.isBlank(csrf)) { ...
works.
Hello @Julio_Baixauli. The post is an old one, and I'm not sure whether the problem is still current or not, but below you can find the solution for your case. Hope it will help others too.
The reason behind this is that AEM will decline every POST, PUT and DELETE request if the CSRF token is missing on the author instance (authentication exists). For the publish instance or an anonymous user, the CSRF token is empty, and that's fine, because there is no authentication. The com.adobe.granite.csrf.impl.CSRFFilter checks and validates the scenarios described above.
For Core form container you can do the following: (Applicable for author instance)
You can also send the token from Front-End using HTTP header - CSRF-Token.
Hope this helps!
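
The last reply mentions sending the token from the front end in the CSRF-Token HTTP header. A sketch of that in JavaScript, added here as an example and not part of any post in this thread: it assumes the token is served as JSON with a `token` field at /libs/granite/csrf/token.json, and the function names and the form selector are hypothetical.

```javascript
// Added example, not code from the thread. TOKEN_ENDPOINT is an assumption
// about where the instance serves the token; function names are hypothetical.
const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json";

// Ask the server for the current session's token.
// Anonymous sessions get an empty token, which is returned as "".
async function getCsrfToken(fetchImpl = globalThis.fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: "same-origin", cache: "no-store" });
  if (!res.ok) throw new Error("CSRF token request failed: " + res.status);
  const data = await res.json();
  return typeof data.token === "string" ? data.token : "";
}

// Build the fetch() options for a form POST.
// The CSRF-Token header is added only when a token exists.
function buildPost(fields, token) {
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (token) headers["CSRF-Token"] = token;
  return {
    method: "POST",
    credentials: "same-origin",
    headers,
    body: new URLSearchParams(fields).toString(),
  };
}

// POST the form. If the filter answers 403 (for example because the token
// went stale), fetch a fresh token and retry once.
async function submitWithCsrf(url, fields, fetchImpl = globalThis.fetch) {
  let res;
  for (let attempt = 0; attempt < 2; attempt++) {
    const token = await getCsrfToken(fetchImpl);
    res = await fetchImpl(url, buildPost(fields, token));
    if (res.status !== 403) break;
  }
  return res;
}

// Browser usage (the selector is hypothetical):
// const form = document.querySelector("form.cmp-form");
// form.addEventListener("submit", async (e) => {
//   e.preventDefault();
//   const res = await submitWithCsrf(form.action, new FormData(form));
//   if (!res.ok) console.error("Form POST rejected:", res.status);
// });
```

If a POST sent this way still produces "empty CSRF token - rejecting" in error.log, the header did not reach the filter, so inspect the outgoing request in the browser's network panel first.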