Disable CSRF on AEM 6.3

mehmetsezgin

20-08-2019

Hi Community,

Our customer's web site doesn't have any authenticated users. All users are anonymous.

Components have a granite.jquery dependency, so CSRF protection is enabled automatically.

The dispatcher and publisher instance are receiving too many unnecessary CSRF token requests.

Is there any way to disable CSRF protection on AEM 6.3?

Thanks in advance.

Mehmet

Replies

Arun_Patidar

20-08-2019

mehmetsezgin

20-08-2019

Thanks Arun.

The publisher responds with an empty token to CSRF requests, since users are not authenticated.

I think the excluded path is used to bypass the CSRF token check for certain destinations.

https://taylor.callsen.me/security-and-java-servlets-in-aem-6-1/

Our goal is to stop the browser's CSRF token requests so the dispatcher will not have to handle them.

jbrar (Employee)

20-08-2019

It is not recommended to remove the token.json call, as this call is used to prevent CSRF attacks and removing it would lead to a major security risk. Please refer to the documentation at [1].

If you still want to remove the call, you need to remove all dependencies on "granite.jquery" in the code.

[1] https://helpx.adobe.com/ca/experience-manager/6-3/sites/developing/using/csrf-protection.html

[2] https://helpx.adobe.com/experience-manager/6-5/forms/using/admin-help/preventing-csrf-attacks.html

[3] https://docs.adobe.com/content/help/en/experience-manager-dispatcher/using/configuring/configuring-d...

mehmetsezgin

20-08-2019

Thanks JaideepBrar.

As I mentioned, the CSRF framework is sending an empty token to the browser. In our case, should we still keep the token.json calls?

jbrar (Employee)

20-08-2019

The CSRF filter/token mechanism only supports authenticated users. So, if you are hosting a static site without any login functionality, you can remove the token call.

Note that the Sling Referrer Filter offers a second layer of CSRF protection which works in all cases, authenticated or not. See the Sling Referrer Filter section of the security checklist [0] for reference.

[0] https://helpx.adobe.com/experience-manager/6-3/sites/administering/using/security-checklist.html

himanshuj749478

16-09-2019

Hi arunpatidar26, JaideepBrar,

How do I "remove the token call" for a static publish environment? As mentioned above, "excluding" it via the filter is not the same as removing the call.

Thanks

Himanshu

Arun_Patidar

16-09-2019

You can write a redirect on the Apache server to return the response of an empty file when token.json is requested.

e.g.

RewriteEngine on
RewriteRule "^/libs/granite/csrf/token\.json$" "/emptyfile.json" [PT]

Mayukh007

11-02-2021

Hi Arun and Team,

@Arun_Patidar

We have a similar situation with token.json. Our sites are mostly public and we don't need calls for token.json to hit the publisher. So we used your above solution to redirect the call to a dummy JSON.

But now we have CUG pages in the site and we were validating whether we need to bring back token.json for the CUG pages.

Questions:

1. Even though token.json now returns a dummy value, AEM still works on CUG pages. Shouldn't AEM stop access to a CUG page when my token.json value is wrong and does not match the value in the publisher? (I assume the token.json value gets checked on the server side for CSRF prevention.)

2. Can we completely get rid of token.json by removing the Granite dependency for our CUG pages? Does it really have any impact in terms of security?

3. Also, we are seeing granite.js getting loaded in the publisher, which we should not need there. Can we stop granite.js from being loaded in the publisher but still use token.json?

Arun_Patidar

12-02-2021

Hi,

We are using CUG and stick with token.json for 2 reasons:

1. CSRF prevention

2. Checking login status and, based on the token.json response, handling login/logout redirections.

You can update your condition so that, when the login-token cookie is present in the request header, you allow token.json.

e.g.

# When the AEM login cookie is present, stop rewriting and let the
# real token.json request through to the publisher
RewriteCond %{HTTP:Cookie} (^|;\ *)login-token=([^;\ ]+)
RewriteRule "^/libs/granite/csrf/token\.json$" - [L]
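As an added example that is not from the thread, the following combines the two Apache snippets above into one rule set: token.json is answered from a static file for anonymous visitors, but when the AEM login cookie is present the request is passed through so CUG users still receive a real token from the publisher. The cookie name login-token is taken from the reply above; the path /emptyfile.json and its content are assumptions.

```apache
# Added example for the Apache httpd in front of the dispatcher, not code from
# the thread. Written for server or <VirtualHost> context, hence the leading
# "/" in the patterns (per-directory context would need the slash dropped).
RewriteEngine on

# Logged-in users (CUG pages): the AEM login cookie is present, so stop
# rewriting and let the publisher answer token.json with a real token.
# Assumption: the cookie is named "login-token", as the reply above states.
RewriteCond %{HTTP:Cookie} (^|;\ *)login-token=([^;\ ]+)
RewriteRule "^/libs/granite/csrf/token\.json$" - [L]

# Anonymous visitors: serve a static file instead, so neither the dispatcher
# nor the publisher has to handle the request. Assumption: /emptyfile.json
# exists in the document root and contains just "{}", which gives the
# granite.jquery client no token value to attach to its requests.
RewriteRule "^/libs/granite/csrf/token\.json$" "/emptyfile.json" [PT,L]
```

To check the split, request /libs/granite/csrf/token.json once without cookies and once with a login-token cookie and compare the bodies: the first should be the static file, the second the publisher's response. Ordering matters, because the cookie rule must come first and end with [L] so the static-file rule never fires for logged-in users. The Sling Referrer Filter on the publisher is not touched by either rule, so the second layer jbrar mentions still applies regardless of which branch a request takes.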