Adobe Experience Manager Sites & More

BinaryAlchemy11 · 04/03/2025

Hi,

I am trying to implement CSRF token for the form servlet, however I am getting error of "The import com.adobe.granite.csrf cannot be resolvedJava(268435846)" in the servlet.

I have added the dependency to the main pom.xml file:

<groupId>com.adobe.granite</groupId>

<artifactId>com.adobe.granite.csrf</artifactId>

<scope>provided</scope>

</dependency>

As well as added in the pom.xml file for core:

<groupId>org.apache.felix</groupId>

<artifactId>maven-bundle-plugin</artifactId>

<Import-Package>

com.adobe.granite.csrf*;resolution:=optional,

org.apache.sling.xss*;version="[2.0,3)",

org.apache.sling.api*,

org.osgi.service.component.annotations*,

*

</Import-Package>

</instructions>

</configuration>

</plugin>

Upon checking on bundles the bundle for the com.adobe.granite.csrf also seems active.

konstantyn_diachenko · 04/03/2025

Hi @BinaryAlchemy11,

Unfortunately, this com.adobe.granite.csrf package is not exported by any OSGi bundle. You can check it in via /system/console/depfinder and package or class name.

In the provided screenshot you can see that this bundle doesn't export desired package. That's why you can't import it in your bundle.

I'd suggest to create own implementation of CSRF service.

Best regards,

Kostiantyn Diachenko.

BinaryAlchemy11 · 04/03/2025

This is what I have in depfinder:

Do you have a sample example on creating own implementation of CSRF service?

Or the best practice to validate forms post request in servlet for CSRF attacks?

konstantyn_diachenko · 04/03/2025

As far as I know CSRF protection is enabled for forms by default.

Read this documentation:

- https://experienceleague.adobe.com/en/docs/experience-manager-learn/cloud-service/developing/advance...

- https://experienceleague.adobe.com/en/docs/experience-manager-65/content/implementing/developing/int...

- https://experienceleague.adobe.com/en/docs/experience-manager-dispatcher/using/configuring/configuri...

In addition, you can check the following OSGi configurations that manage CSRF token:
- Adobe Granite CSRF Servlet

- Adobe Granite CSRF Filter

Best regards,

Kostiantyn Diachenko.

BinaryAlchemy11 · 10/03/2025

Thanks for the info. Do you have adobe documentation link where it mentions that AEM Forms uses CSRF Validation already?

Tethich · 05/03/2025

Hi @BinaryAlchemy11

If you go in your local AEM server folder, in the /luanchpad/felix folder, then lookup for bundleXYZ, where XYZ is the ID of the bundle, which in you case is 245, you will find a bundle.jar file. If you look inside the jar, you will see 3 classes:

If these are what you are looking for ? I don't see any com.adobe.granite.csrf.CSRFService.

BinaryAlchemy11 · 10/03/2025

Oh okay that makes sense. Do you have an example of how you might have used CSRF validation for the form servlet?

kautuk_sahni · 05/03/2025

@BinaryAlchemy11 Did you find the suggestion helpful? Please let us know if you need more information. If a response worked, kindly mark it as correct for posterity; alternatively, if you found a solution yourself, we’d appreciate it if you could share it with the community. Thank you!

Adobe Experience Manager Sites & More

CSRF Import Issue for AEM Maven Project

Kautuk Sahni

Aprender

Documentação

Comunidade

Suporte

Recursos

Conta de Adobe

Adobe