Expand my Community achievements bar.

SOLVED

Sling Post servlet forbidden error .

Avatar

Level 2

HI Team,

version : 6.4

service pack : 6.4.4.0 

In fact author and publisher post servlets are failing . 

Sling post servlet failing with 403 error. From logs this is the information  com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty csrf token - rejecting

  1. Request URL:
    https://diapctherurl :10500/services/content
  2. Request Method:
    POST
  3. Status Code:
    403 Forbidden

Followed the below steps : 

Step 1:

  • Navigated to /system/console/configMgr .
  • Search for 'Apache Sling Referrer Filter' .
  • Removed the  POST method from the filter.

Step 2:

  • Navigated to /system/console/configMgr .
  • Search for ‘Adobe Granite CSRF Filter’.
  • Removed the  POST method from the filters property.

After removed these 2 working fine. But client is  saying  since last week the post Servlet was worked fine, In fact no changes are  made in dispatcher, Thanks  in advacne. 

 

Thanks, 

Hari Chandana

1 Accepted Solution

Avatar

Correct answer by
Community Advisor

Hi @hari_krishnac22 

 

   Since you have mentioned that everything was working fine till last week and nothing has changed I am not sure what is going wrong. But normally this error happens when the AEM doesn't sent the CSRF token along wiht the request. Jorg has answered a similar question here . Check if this helps

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/getting-csrf-token-as-inva...

 

Thanks

Veena

 

 

View solution in original post

5 Replies

Avatar

Correct answer by
Community Advisor

Hi @hari_krishnac22 

 

   Since you have mentioned that everything was working fine till last week and nothing has changed I am not sure what is going wrong. But normally this error happens when the AEM doesn't sent the CSRF token along wiht the request. Jorg has answered a similar question here . Check if this helps

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/getting-csrf-token-as-inva...

 

Thanks

Veena

 

 

Avatar

Employee

Hi @hari_krishnac22,

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token". If it is not there, include the "CSRF-Token" under clientheaders in dispatcher config file.

 

Thanks!!

Avatar

Community Advisor

@hari_krishnac22 Can you also check if you are using any of the two clientlibs before but removed recently?

granite.jquery or granite.csrf.standalone.

 

https://docs.adobe.com/content/help/en/experience-manager-64/developing/introduction/csrf-protection...

 

Avatar

Employee

Step 2 is not recommended.

 

The CSRF Filter essentially has 5 bits of logic it will filter on
 
1 - request.getAuthType() != null <-- this one is super common for organizations that have their own custom servlets that omit setting the authType on the request 
2 - this.isFilteredMethod(request) <-- this one is based on the OSGI Config for the CSRF framework, eg what methods POST / GET / DELETE etc  (this is what you deleted in Step2 -- not recommended)
3 - doFilterBasedOnUserAgent(request) <-- checks the user agent whitelist
4 - !isExcludedPath(request)) <-- checks if this path is to be excluded from CSRF OSGI config.
5 - !this.isValidRequest(request)) <-- checks for the CSRF-Token header in the request.
 
Hope that helps.

Avatar

Level 2

Got the solution from community. Thanks folks.