Adobe Experience Manager Sites & More

mohamed_harish · 4/23/18

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out.

mohamed_harish · 5/15/18

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

View solution in original post

Peter_Puzanovs · 4/23/18

Dear Mohamed,

Sounds like Dispatcher config issue.

Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.

Through your dispatcher and that you have following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Make sure you don't cache it also by setting following rule

/4321

{

/glob "/libs/granite/csrf/token.json"

/type "deny"

}

Regards,

Peter

VijayShankarV · 4/26/18

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *" }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

kautuk_sahni · 5/1/18

Jörg Hoh any help here?

Kautuk Sahni

Jörg_Hoh · 5/1/18

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

smacdonald2008 · 5/1/18

When ever it works on PUB and not when Dispatcher been setup - make sure you configure Dispatcher so that these requests are allowed to be used.

mohamed_harish · 5/15/18

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

lokesh426 · 9/15/21

How did you include it in the header? Curious to know the steps.

-Lokesh

Yonit · 8/25/22

does anyone have further info on this?

rk_pandian · 10/4/23

Hi @Yonit & @lokesh426

It should be the clientheaders file located under the projects dispatcher module

dispatcher/src/conf.dispatcher.d/clientheaders/default_clientheaders.any

Please check if this file has "CSRF-Token" included in the list. Hope this helps.

Adobe Experience Manager Sites & More

Getting CSRF token as invalid on POST servlet call.

Kautuk Sahni

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe