Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
Read More & Register today!
SOLVED

How to get CRSF Token value in AEM Publisher

Avatar

Level 4
Level 4
5/25/21 4:24:35 AM

Hi,

we are calling an API using servlet, Our AEM Instance in 6.5.5, we are successfully able to call the servlet and send the CRSF Token in the author instance. However, In the Publisher instance, we are getting an empty response from the /libs/granite/csrf/token.json, how can we validate or authenticate the POST request to get the CRSF token value in AEM Publisher.

 

Views

4.3K

Replies

10
Sign in to like this content

Total Likes

Translate
Translate
1 Accepted Solution

Avatar

Correct answer by
Community Advisor
Community Advisor
5/25/21 6:35:30 AM

Hi @kbitra1998 

 

CSRF protection is only available for authenticated user. So in author it will be passed while making any servlet call as you will be logged in.

But on Publish instance, if you are making any anonymous call, CSRF token will be empty as there will not be any authentication.

"The basic idea: Server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore/log it. Your CSRF token should ideally only be passed to the client upon authentication."

 

"There are no tokens on the publish instances for anonymous users."

 

Access http://localhost:4503/libs/granite/csrf/token.json while logged in as an user, you will get value.

Access http://localhost:4503/libs/granite/csrf/token.json as anonymous user, you will get empty {}.

 

Please refer the below link for more info:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protectio...

 

Thanks!

View solution in original post

Views

4.3K

Replies

8
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply
10 Replies

Avatar

Community Advisor
Community Advisor
5/25/21 5:22:32 AM

@kbitra1998,

It seems like the permission issue for the anonymous user publish, So handle it you should be having one system user and provide the permission to the node.

It should work as expected.

https://experiencemanaged.com/posts/send-a-csrf-token-to-an-aem-61-servlet-without-using-jquery-or-g...

 

Hope this will help

Umesh Thakur 

Views

4.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Correct answer by
Community Advisor
Community Advisor
5/25/21 6:35:30 AM

Hi @kbitra1998 

 

CSRF protection is only available for authenticated user. So in author it will be passed while making any servlet call as you will be logged in.

But on Publish instance, if you are making any anonymous call, CSRF token will be empty as there will not be any authentication.

"The basic idea: Server provides a CSRF token to the client for all authenticated sessions. The client should pass the same CSRF token to the server with each subsequent request. So if a request came without the token, the server should ignore/log it. Your CSRF token should ideally only be passed to the client upon authentication."

 

"There are no tokens on the publish instances for anonymous users."

 

Access http://localhost:4503/libs/granite/csrf/token.json while logged in as an user, you will get value.

Access http://localhost:4503/libs/granite/csrf/token.json as anonymous user, you will get empty {}.

 

Please refer the below link for more info:

https://experienceleague.adobe.com/docs/experience-manager-65/developing/introduction/csrf-protectio...

 

Thanks!

Views

4.3K

Replies

8
Sign in to like this content

Total Likes

Translate
Translate
Jump to reply

Avatar

Level 4
Level 4
5/25/21 7:00:36 AM
In response to Asutosh_Jena_

Thanks @Asutosh_Jena_ ,

Is there a way to get csrf token value for anonymous users on publish instance?

Like Whitelist the origin or site without authentication.

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/25/21 7:07:46 AM
In response to Asutosh_Jena_

Hi @kbitra1998 

CSRF token is not required for anonymous user. Why you need it on publish instance for anonymous user? What is the use case?

Views

4.3K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 1
Level 1
4/8/22 6:06:11 AM
In response to Asutosh_Jena_

Hi @Asutosh_Jena_ ,

 

But this seems like a fair ask to have CSRF token for anonymous user (end user of the website) for the case where they submit a form (POST request most probably). This will avoid non-authenticated request for form submissions like maybe from any postman app by any hacker.

Views

3.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
5/25/21 7:43:52 AM
In response to Asutosh_Jena_

Hi @Asutosh_Jena_ ,

 

The use case is to submit the POST request details to the API. In order to send securely, we have created a servlet '/bin/project_name/project_path' 

 CSRF Token in the author instance will be passed while making any servlet call as you will be logged in. 

I logged into Publish Instance with admin credentials and I successfully call the servlet and also get the CSRF token. However, using the domain, we do not authenticate the users, so we are making anonymous calls to the servlet. so it is getting a 301 status code.

so, is there a way to get a CSRF token value without authenticate?

Views

4.3K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Community Advisor
Community Advisor
5/25/21 9:17:12 AM
In response to Asutosh_Jena_

Hi @kbitra1998 

 

If you are getting 301 response, it will not be because of the CSRF token.

As you mentioned you are getting 301 only when you submit from the domain which I believe because of any redirect. To find the exact root cause, please submit the same request from publish directly without logging in as any user.

i.e. submit the same form from publish instance using anonymous user and see if you are able to submit.

If you are able to submit, the issue is with the dispatcher and there must be a 301 redirect in place which is causing the issue and you need to disable it.

If you are not able to submit, please look at the error log and request.log in publish instance and check what is the error you are noticing.

 

Also when you say you are getting 301 when you submit from website, do you see the request logged in request.log of publish instance?

Views

4.2K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
5/25/21 9:46:18 PM
In response to Asutosh_Jena_

Thanks @Asutosh_Jena_ ,

The issue got resolved. From the dispatcher filter, we are rejecting the servlet path so we are getting 301 status code and redirects to 404 pages.

Views

4.2K

Replies

1
Sign in to like this content

Total Likes

Translate
Translate

Avatar

Level 4
Level 4
10/6/23 9:04:26 AM
In response to kbitra1998

Hi @kbitra1998 were you able to get CSRF token in the publish instance? because I have the same scenario now and not sure if I can use CSRF in publish or go with any other approach.

 

Update: http://localhost:4503/libs/granite/csrf/token.json doesn't create a token when logged out, so this cannot be used in Publish.

Views

1.6K

Replies

0
Sign in to like this content

Total Likes

Translate
Translate
Related Conversations
I want to disable the delete copy move and all the other options for the child components Solved

Views

115

Likes

0

Replies

5
How to propagate template code changes to sites using that template

Views

9

Likes

0

Replies

0
how to implement nonce for Content-Security-Policy script-src directive in dispatcher

Views

52

Likes

0

Replies

1
Sharing common data to multiple features in Tab component

Views

110

Likes

0

Replies

9
Ability to preview or thumbnail to preview for XF

Views

64

Likes

0

Replies

2