SOLVED

Getting CSRF token as invalid on POST servlet call.

mohamed_harish
Level 1

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out?


7 Replies
Peter_Puzanovs
Community Advisor

Dear Mohamed,

Sounds like a Dispatcher config issue.

Please ensure that you allow the path /libs/granite/csrf/token.json through your dispatcher and do not cache the value in Dispatcher, and that you have the following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Also make sure you don't cache it, by setting the following rule:

/4321
  {
  /glob "/libs/granite/csrf/token.json"
  /type "deny"
  }

Regards,

Peter

VijayShankarV
Level 1

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

Jörg_Hoh
Employee

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

smacdonald2008
Level 10

Whenever it works on PUB and not when Dispatcher has been set up, make sure you configure Dispatcher so that these requests are allowed to be used.

mohamed_harish
Correct answer by
Level 1

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.

lokesh426
Level 2

How did you include it in the header? Curious to know the steps.

-Lokesh
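
To show where the accepted fix lives in the farm configuration, here is an added example (not code from the thread or from Adobe): a small Python check over a constructed farm fragment that reports whether "CSRF-Token" is listed under /clientheaders, whether the token endpoint is allowed by /filter, and whether it is excluded under /cache /rules. The helper names are hypothetical and the rule evaluation is a simplified last-match-wins model.

```python
import re
from fnmatch import fnmatchcase
TOKEN = "/libs/granite/csrf/token.json"
# Constructed farm fragment (not from the thread); /clientheaders lacks CSRF-Token.
BROKEN = '''
/clientheaders { "referer" "user-agent" "content-type" "cookie" }
/filter {
  /0001 { /type "deny" /glob "*" }
  /0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *" }
}
/cache { /rules {
  /0000 { /glob "*" /type "allow" }
  /0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
} }
'''
FIXED = BROKEN.replace('"cookie"', '"cookie" "CSRF-Token"')

def section(text, name):
    """Body of the first `/name { ... }` block, with nested braces balanced."""
    m = re.search(r'/%s\s*\{' % re.escape(name), text)
    start = i = m.end() if m else len(text)
    depth = 1
    while i < len(text) and depth:
        depth += {'{': 1, '}': -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1] if depth == 0 else ""

def verdict(body, path, line=None):
    """Last matching rule wins; in /filter a /glob sees the whole request line."""
    result = None
    for rule in re.findall(r'/\w+\s*\{([^{}]*)\}', body):
        kind = re.search(r'/type\s+"(\w+)"', rule)
        pat = re.search(r'/(url|glob)\s+"([^"]*)"', rule)
        target = line if (line and pat and pat.group(1) == "glob") else path
        if kind and pat and fnmatchcase(target, pat.group(2)):
            result = kind.group(1)
    return result

def check(conf):
    """Findings for the three Dispatcher settings discussed in the thread."""
    found = []
    hdrs = {h.lower() for h in re.findall(r'"([^"]+)"', section(conf, "clientheaders"))}
    if not hdrs & {"csrf-token", "*"}:
        found.append("clientheaders: CSRF-Token is not forwarded to publish")
    if verdict(section(conf, "filter"), TOKEN, "GET %s HTTP/1.1" % TOKEN) != "allow":
        found.append("filter: token endpoint is not allowed")
    if verdict(section(section(conf, "cache"), "rules"), TOKEN) != "deny":
        found.append("cache: token endpoint may be served from cache")
    return found
```

Calling check(BROKEN) returns the single clientheaders finding, which matches the symptom in the publish log ("empty CSRF token - rejecting"); check(FIXED) returns an empty list.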