SOLVED

Issue AEM-6.1 Sling POST Servlet- Upload an image to AEM DAM

Level 10

Hey Guys,

I am trying to use the OOTB POST servlet in 6.1, referring to the blog below. It works fine in 5.6.1, but in 6.1 I believe there is a bug that does not let me POST successfully; I keep getting a 403 Forbidden error. Can someone point out any necessary configuration missing here?

http://blogs.adobe.com/experiencedelivers/experience-management/how_to_upload_animageviaslingpostser...

1 Accepted Solution

Correct answer by
Administrator

Hi,

As mentioned by Opkar Gill, if the error is CSRF, then configure the referrer filter.

Issues with Cross-Site Request Forgery

This is a security issue from the CRX Security Checklist, that is also appropriate to CQ.

To address known security issues with Cross-Site Request Forgery (CSRF) in CRX WebDAV and Apache Sling you need to configure the Referrer filter.

The referrer filter service is an OSGi service that allows you to configure:

  • which HTTP methods should be filtered
  • whether an empty referrer header is allowed
  • and a white list of servers to be allowed in addition to the server host.

By default, all variations of localhost and the current host names the server is bound to are in the white list.

To configure the referrer filter service:

  • Open the Apache Felix console (Configurations) at:
       http://<server>:<port_number>/system/console/configMgr

  • Login as admin.

  • In the Configurations menu, select:

        Apache Sling Referrer Filter

  • In the Allow Hosts field, enter all hosts that are allowed as a referrer. Each entry needs to be of the form
       <protocol>://<server>:<port>
    For example:

    • http://allowed.server:80 allows all requests from this server with the given port.
    • If you also want to allow https requests, you have to enter a second line.
    • If you allow all ports from that server you can use 0 as the port number.

  • Check the Allow Empty field, if you want to allow empty/missing referrer headers.

  • Edit the methods this filter should use for checks with the Filter Methods field.

  • Click Save to save your changes.

Link: https://docs.adobe.com/docs/en/aem/6-1/administer/security/security-checklist.html#Protect against Cross-Site Request Forgery

I hope this would help you.

Thanks and Regards

Kautuk Sahni
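The same settings as a file-based OSGi configuration, added here as an example and not taken from the thread or from Adobe's documentation. It targets the Referrer Filter's actual PID, org.apache.sling.security.impl.ReferrerFilter, and its property names; the project path in the first comment and the hostname are placeholders. The comments record the decision a practitioner has to make at each field, in particular why Allow Empty should stay unchecked.

```properties
# Added example: Apache Sling Referrer Filter as an OSGi config file, e.g.
# /apps/myproject/config.author/org.apache.sling.security.impl.ReferrerFilter.config
# ("myproject" and "author.example.com" are placeholders; PID and keys are the filter's own)

# Filter Methods: only the listed methods are checked against the Referer header.
# Anything not listed (GET, HEAD, OPTIONS) passes regardless of referrer.
filter.methods=["POST","PUT","DELETE","COPY","MOVE"]

# Allow Empty: keep this false. A same-origin browser form submit always carries a
# Referer, so allowing empty referrers does not help a legitimate form; it only lets a
# request that deliberately omits the header (an attacker's page can do that) through.
allow.empty=B"false"

# Allow Hosts: referrers accepted in addition to localhost and the bound host names.
# Format is <protocol>://<server>:<port>; port 0 means any port on that host.
allow.hosts=["https://author.example.com:443","http://author.example.com:0"]
```

Deploying this file instead of clicking through /system/console/configMgr keeps the setting under version control and identical across environments; the value of filter.methods shown is the filter's own default, repeated here so that a reviewer can see which methods are covered.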

12 Replies

Level 10

See this blog that talks about uploading DAM assets using a custom Sling servlet and the Asset Manager API:

http://scottsdigitalcommunity.blogspot.ca/2013/07/uploading-files-to-adobe-experience.html

The benefit of a custom servlet is that you have more control over what happens when the image is posted to the server.

Employee

Hi,

Can you post the error? Is it a CSRF exception?

"com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting"

Regards,

Opkar

Level 10

Opkar Gill wrote...

Yes, I do see this, at INFO log level: empty CSRF token - rejecting

I have attached the error log in the txt file.

On form submit, in the Firebug console, I see a 403 Forbidden. According to me, it looks like it just does not create the non-existing path and thus does not upload an asset, which used to work just fine in 5.6.1.

I have also tried to add a path, /content/dam/, to the configuration "Apache Sling Servlet/Script Resolver and Error Handler", but in vain.

Level 10

smacdonald2008 wrote...

Hey Scott,

I totally agree, but this was the approach chosen over the servlet for the time being: a simple form POST with conditions using the Apache Sling POST servlet. But since this was working in 5.6.1, I am unsure what configuration might be missing to make this actually work.

Level 10

kautuksahni wrote...

I gave it a shot, but it looks like it did not help. Can you please try it from your end as well? I still see "com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting", which is not an error but an INFO log level.

On the page, on submit, I see the error attached.

Here is the link to the blog:

http://blogs.adobe.com/experiencedelivers/experience-management/how_to_upload_animageviaslingpostser...

Level 10

NitroHazeDev wrote...

Attaching the log

Level 10

Hey, did you try writing your own POST servlet instead of using the SlingPostServlet?

Level 10

For anyone facing similar issues, please find the workaround below if you do not want to write a servlet but would like to use the OOTB POST servlet.

Just dump the HTML into a component; an HTML component is what I have used. Do remember: to upload multiple assets at a path, just like the AEM DAM, you could have the form action similar to "/content/dam.createasset.html".

Level 3

I may already be late in responding.

We were facing the same issue with that nagging CSRF error. We included a dependency (granite.csrf.standalone) in our component's client lib to solve the issue.

It's documented here
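The "empty CSRF token - rejecting" line quoted in this thread is logged by com.adobe.granite.csrf.impl.CSRFFilter, which is a separate protection from the Sling Referrer Filter: instead of inspecting the Referer header it requires a token, issued by /libs/granite/csrf/token.json, to accompany every state-changing request, and it logs under its own class name while the Referrer Filter logs under org.apache.sling.security.impl.ReferrerFilter. The granite.csrf.standalone clientlib named above obtains that token and attaches it to form submits and XHR calls for you. What follows is an added example, not code from the thread or from the clientlib, that performs the same handshake by hand so the requirement is visible. The Granite endpoint and the CSRF-Token header name are real; the DAM target path, the form field names and the injectable fetch wrapper are assumptions of this example.

```javascript
// Added example (not from the thread or from granite.csrf.standalone): the token
// handshake that makes com.adobe.granite.csrf.impl.CSRFFilter accept a POST.
// Real: TOKEN_ENDPOINT and CSRF_HEADER. Assumed: target path, field names, fetchImpl.

const TOKEN_ENDPOINT = "/libs/granite/csrf/token.json"; // answers {"token":"<value>"}
const CSRF_HEADER = "CSRF-Token";                       // header the filter reads

// Step 1: parse the token endpoint's body and refuse to continue without a token.
// An anonymous session typically gets no usable token, so this is the first check.
function parseTokenResponse(jsonText) {
  let body;
  try {
    body = JSON.parse(jsonText);
  } catch (e) {
    throw new Error("token endpoint did not return JSON");
  }
  if (!body || typeof body.token !== "string" || body.token.length === 0) {
    throw new Error("token endpoint returned no token; is the user logged in?");
  }
  return body.token;
}

// Step 2: fetch a token for the current session. Cookies must travel with the
// request (credentials: "same-origin") so the token is issued for that session.
async function fetchCsrfToken(fetchImpl, origin) {
  const res = await fetchImpl(origin + TOKEN_ENDPOINT, { credentials: "same-origin" });
  if (!res.ok) throw new Error("token request failed with HTTP " + res.status);
  return parseTokenResponse(await res.text());
}

// Step 3: describe the multipart POST. The CSRF-Token header is the only thing that
// distinguishes it from the request the filter rejects; the rest is ordinary
// Sling POST servlet input ("_charset_" plus whatever properties you set).
function buildAssetPost(token, targetPath, fields) {
  if (typeof token !== "string" || token.length === 0) {
    throw new Error("refusing to build a POST without a CSRF token");
  }
  return {
    url: targetPath,
    method: "POST",
    credentials: "same-origin",
    headers: { [CSRF_HEADER]: token },
    fields: Object.assign({ _charset_: "utf-8" }, fields),
  };
}

// Step 4 (browser only): turn the description into the actual fetch() call.
// "file" is the assumed name of the upload field in this example.
async function submitAssetPost(fetchImpl, post, fileBlob, fileName) {
  const form = new FormData();
  for (const [name, value] of Object.entries(post.fields)) form.append(name, value);
  form.append("file", fileBlob, fileName);
  return fetchImpl(post.url, {
    method: post.method,
    credentials: post.credentials,
    headers: post.headers,
    body: form,
  });
}

// How a page script would string the steps together (assumed path and file input):
//   const token = await fetchCsrfToken(fetch, "");
//   const post = buildAssetPost(token, "/content/dam/myproject/uploads", {});
//   const res = await submitAssetPost(fetch, post, fileInput.files[0], "photo.jpg");
//   Drop the header and the same request comes back 403 with the INFO line above logged.
```

The clientlib does exactly these two things on your behalf: it adds the CSRF-Token header to XMLHttpRequest calls and injects the token into POST forms as a hidden :cq_csrf_token field. Without one or the other, a plain HTML form that worked on 5.6.1 is rejected with 403 on 6.x no matter how the Referrer Filter is configured, which is consistent with the report above that the Allow Hosts change alone did not clear the error and that moving the form into a component (where the clientlib dependency applies) did.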

Level 10

kautuksahni wrote...

Hello Kautuk,

This suggestion was implemented but did not help. An Adobe consultant recommended we make this a component, and that is how this issue got resolved.