Hi All,
Facing CSRF token issue on accessing a Servlet from Dispatcher URL.
Version: AEM 6.3
The Servlet is working as expected in Publish Instance.
On accessing the same through Dispatcher, getting the below errors on Publish error logs:
18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting
18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid
18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths
Please note that below clientlibs are available in the page:
granite.csrf.standalone
cq.jquery
Could anyone please help me out.
Solved! Go to Solution.
Views
Replies
Total Likes
Thanks Jorg Hoh.
It worked after including the "CSRF-Token" under clientheaders.
Thanks everyone for your valuable time and suggestions.
Dear Mohamed,
Sounds like Dispatcher config issue.
Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.
Through your dispatcher and that you have following entry in your dispatcher:
/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }
Make sure you don't cache it also by setting following rule
/4321
{
/glob "/libs/granite/csrf/token.json"
/type "deny"
}
Regards,
Peter
Views
Replies
Total Likes
Thanks for the response, Peter.
I have verified the Dispatcher settings.
Below are the statements for reference:
Under >>filter
/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *" }
Under >>Cache >>rules
/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
However, the servlet works when excluding the servlet path from CSRF Filter.
Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").
Looking for a permanent solution in this regard.
Views
Replies
Total Likes
Jörg Hoh any help here?
Views
Replies
Total Likes
Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".
kind regards,
Jörg
Views
Replies
Total Likes
When ever it works on PUB and not when Dispatcher been setup - make sure you configure Dispatcher so that these requests are allowed to be used.
Views
Replies
Total Likes
Thanks Jorg Hoh.
It worked after including the "CSRF-Token" under clientheaders.
Thanks everyone for your valuable time and suggestions.
How did you include it in the header? Curious to know the steps.
-Lokesh
does anyone have further info on this?
Views
Replies
Total Likes
Hi @Yonit & @lokesh426
It should be the clientheaders file located under the projects dispatcher module
dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any
Please check if this file has "CSRF-Token" included in the list. Hope this helps.
Views
Replies
Total Likes
Views
Likes
Replies
Views
Likes
Replies