Expand my Community achievements bar.

Don’t miss the AEM Skill Exchange in SF on Nov 14—hear from industry leaders, learn best practices, and enhance your AEM strategy with practical tips.
SOLVED

Needed Help on CSRF Functionality

Avatar

Community Advisor

Hi All,

can we get more info on how to use CSRF(Cross-Site Request Forgery) in AEM 6.1 as we are migrating to 6.1 we want use this new feature in all our post and get requests .

I verified the documentation but needed some example how can implement this ?

Thanks,

Mani Kumar K 

1 Accepted Solution

Avatar

Correct answer by
Employee Advisor

I am not sure why you want to protect the GET requests for CSRF. In AEM 6.1 CSRF framework has been introduced for protecting mainly the form submission requests. You need to include the following client library on the page wherever you have forms - granite.csrf.standalone. The javascript code once included will automatically detect the form on the page and will request a CSRF token from the backend servlet. The servlet returns the token in the JWT JSON format. The JS then will bind a submission handler of the form in which it adds a hidden field in the form which has the value of the same token returned by the servlet. 

When the form is submitted the CSRF request filter in the backend checks the request for the CSRF token. If the token is not found or is expired or invalid then it simply rejects the request with 403 error. You can configure the filter for the HTTP method names which you want to protect as well as the user agents [1]. Keep in mind that the token has default expiration time of 10 minutes which can be configured in the OSGI configuration of CSRF servlet [2]. Also, you will have to unblock the token servlet URL - /libs/granite/csrf/token.json in your dispatcher configuration. 

For more information see the following documentation - https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.htmlhttps://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

[1] - http://localhost:4502/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFFilter

[2] - http://localhost:4502/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFServlet

View solution in original post

2 Replies

Avatar

Correct answer by
Employee Advisor

I am not sure why you want to protect the GET requests for CSRF. In AEM 6.1 CSRF framework has been introduced for protecting mainly the form submission requests. You need to include the following client library on the page wherever you have forms - granite.csrf.standalone. The javascript code once included will automatically detect the form on the page and will request a CSRF token from the backend servlet. The servlet returns the token in the JWT JSON format. The JS then will bind a submission handler of the form in which it adds a hidden field in the form which has the value of the same token returned by the servlet. 

When the form is submitted the CSRF request filter in the backend checks the request for the CSRF token. If the token is not found or is expired or invalid then it simply rejects the request with 403 error. You can configure the filter for the HTTP method names which you want to protect as well as the user agents [1]. Keep in mind that the token has default expiration time of 10 minutes which can be configured in the OSGI configuration of CSRF servlet [2]. Also, you will have to unblock the token servlet URL - /libs/granite/csrf/token.json in your dispatcher configuration. 

For more information see the following documentation - https://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.htmlhttps://docs.adobe.com/docs/en/aem/6-1/develop/security/csrf-protection.html

[1] - http://localhost:4502/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFFilter

[2] - http://localhost:4502/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFServlet

Avatar

Community Advisor

Thanks for the reply kunal. so if we are using cq.jquery library in our application AEM by default look after the CSRF protection ??