Getting CSRF token as invalid on POST servlet call. | Community
Skip to main content
A
AMHarish
April 23, 2018
Solved

Getting CSRF token as invalid on POST servlet call.

  • April 23, 2018
  • 6 replies
  • 14107 views

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out.

This post is no longer active and is closed to new replies. Need help? Start a new post to ask your question.
Best answer by AMHarish

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

6 replies

Peter_Puzanovs
Community Advisor
Peter_PuzanovsCommunity Advisor
Community Advisor
April 23, 2018

Dear Mohamed,

Sounds like Dispatcher config issue.

Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.

Through your dispatcher and that you have following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Make sure you don't cache it also by setting following rule

/4321

  {

  /glob "/libs/granite/csrf/token.json"

  /type "deny"

  }

Regards,

Peter

V
VijayShankarV
April 26, 2018

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

kautuk_sahni
Community Manager
kautuk_sahniCommunity Manager
Community Manager
May 1, 2018

Jörg Hoh​ any help here?

Kautuk Sahni
joerghoh
Adobe Employee
joerghohAdobe Employee
Adobe Employee
May 1, 2018

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

smacdonald2008
smacdonald2008
Level 10
May 1, 2018

When ever it works on PUB and not when Dispatcher been setup - make sure you configure Dispatcher so that these requests are allowed to be used.

A
AMHarishAuthorAccepted solution
May 15, 2018

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

    L
    lokesh426
    Level 2
    September 15, 2021

    How did you include it in the header? Curious to know the steps.

     

    -Lokesh

      Y
      yonit_david
      Level 3
      August 25, 2022

      does anyone have further info on this?

      Terms & ConditionsAccessibility statement

      Loading footer...