Expand my Community achievements bar.

Enhance your AEM Assets & Boost Your Development: [AEM Gems | June 19, 2024] Improving the Developer Experience with New APIs and Events
SOLVED

Getting CSRF token as invalid on POST servlet call.

Avatar

Level 1

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out.

1 Accepted Solution

Avatar

Correct answer by
Level 1

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

View solution in original post

9 Replies

Avatar

Community Advisor

Dear Mohamed,

Sounds like Dispatcher config issue.

Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.

Through your dispatcher and that you have following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Make sure you don't cache it also by setting following rule

/4321

  {

  /glob "/libs/granite/csrf/token.json"

  /type "deny"

  }

Regards,

Peter

Avatar

Level 1

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

Avatar

Employee Advisor

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

Avatar

Level 10

When ever it works on PUB and not when Dispatcher been setup - make sure you configure Dispatcher so that these requests are allowed to be used.

Avatar

Correct answer by
Level 1

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

Avatar

Level 2

How did you include it in the header? Curious to know the steps.

 

-Lokesh

Avatar

Level 3

Hi @Yonit & @lokesh426 

 

It should be the clientheaders file located under the projects dispatcher module

 

dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any

 

Please check if this file has "CSRF-Token" included in the list. Hope this helps.