Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
Bedrock Mission!

Learn more

View all

Sign in to view all badges

Adobe Summit 2023 [19th to 23rd March, Las Vegas and Virtual] | Complete AEM Session & Lab list
SOLVED

Getting CSRF token as invalid on POST servlet call.

Avatar

Level 1

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out.

1 Accepted Solution

Avatar

Correct answer by
Level 1

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

View solution in original post

0 Replies

Avatar

Community Advisor

Dear Mohamed,

Sounds like Dispatcher config issue.

Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.

Through your dispatcher and that you have following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Make sure you don't cache it also by setting following rule

/4321

  {

  /glob "/libs/granite/csrf/token.json"

  /type "deny"

  }

Regards,

Peter

Avatar

Level 1

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

Avatar

Employee Advisor

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

Avatar

Level 10

When ever it works on PUB and not when Dispatcher been setup - make sure you configure Dispatcher so that these requests are allowed to be used.

Avatar

Correct answer by
Level 1

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

Avatar

Level 2

How did you include it in the header? Curious to know the steps.

 

-Lokesh

Avatar

Level 3

does anyone have further info on this?