SOLVED

Getting CSRF token as invalid on POST servlet call.


Level 1

Hi All,

Facing a CSRF token issue when accessing a Servlet through the Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, I get the errors below in the Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that the clientlibs below are available on the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out?


9 Replies


Community Advisor

Dear Mohamed,

Sounds like a Dispatcher config issue.

Please ensure that you allow the path /libs/granite/csrf/token.json through your Dispatcher and do not cache its value, and that you have the following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Also make sure you don't cache it, by setting the following rule:

/4321
  {
  /glob "/libs/granite/csrf/token.json"
  /type "deny"
  }

Regards,

Peter


Level 1

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.


Employee Advisor

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

Kind regards,

Jörg


Level 10

Whenever it works on PUB and not once Dispatcher has been set up, make sure you configure Dispatcher so that these requests are allowed.


Correct answer by
Level 1

Thanks Jörg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.


Level 2

How did you include it in the header? Curious to know the steps.

-Lokesh


Level 4

Hi @Yonit & @lokesh426

It should be the clientheaders file located under the project's dispatcher module:

dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any

Please check if this file has "CSRF-Token" included in the list. Hope this helps.
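Pulling Peter's filter and cache rules together with the accepted clientheaders fix, here is an added example of the three Dispatcher settings this thread touches, written for this thread rather than taken from any poster's configuration. The farm name "publish", the rule numbers and the deny-all/cache-all defaults are assumptions; the servlet path is the one from the publish error log above.

```text
# Added example (not from this thread): dispatcher.any excerpt covering the three
# settings involved. Farm name, rule numbers and the deny-all / cache-all defaults
# are assumptions; the servlet path is the one from the publish error log.
/farms
  {
  /publish
    {
    # 1. Only headers listed here are forwarded to the publish instance. A
    #    restrictive list without "CSRF-Token" is what produces
    #    "empty CSRF token - rejecting": the browser sends the header, but
    #    Dispatcher drops it before the request reaches the CSRFFilter.
    #    (A list containing only "*" forwards every header and does not need this.)
    /clientheaders
      {
      "CSRF-Token"
      "Cookie"
      "Referer"
      "User-Agent"
      "X-Forwarded-For"
      }
    # 2. The token endpoint that the granite.csrf.standalone clientlib calls,
    #    and the servlet being posted to, must both be allowed by the filter.
    /filter
      {
      /0001 { /type "deny"  /glob "*" }
      /0032 { /type "allow" /url "/libs/granite/csrf/token.json" }
      /0033 { /type "allow" /method "POST" /url "/bin/project-name/favoriteservlet" }
      }
    # 3. Never cache token.json: a cached copy would hand one visitor's token to
    #    every other visitor, and a stale token is rejected as invalid anyway.
    /cache
      {
      /rules
        {
        /0000 { /glob "*" /type "allow" }
        /0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
        }
      }
    }
  }
```

After changing clientheaders, restart the web server and re-check the publish error log for the "empty CSRF token" line; once the header is forwarded, the servlet path no longer needs to be listed under the CSRF filter's excluded paths.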