Adobe Experience Manager Sites & More

hari_krishnac22 · 7/22/20

HI Team,

version : 6.4

service pack : 6.4.4.0

In fact author and publisher post servlets are failing .

Sling post servlet failing with 403 error. From logs this is the information com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty csrf token - rejecting

Request URL:
https://diapctherurl :10500/services/content
Request Method:
POST
Status Code:
403 Forbidden

Followed the below steps :

Step 1:

Navigated to /system/console/configMgr .
Search for 'Apache Sling Referrer Filter' .
Removed the POST method from the filter.

Step 2:

Navigated to /system/console/configMgr .
Search for ‘Adobe Granite CSRF Filter’.
Removed the POST method from the filters property.

After removed these 2 working fine. But client is saying since last week the post Servlet was worked fine, In fact no changes are made in dispatcher, Thanks in advacne.

Thanks,

Hari Chandana

VeenaVikraman · 7/22/20

Hi @hari_krishnac22

Since you have mentioned that everything was working fine till last week and nothing has changed I am not sure what is going wrong. But normally this error happens when the AEM doesn't sent the CSRF token along wiht the request. Jorg has answered a similar question here . Check if this helps

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/getting-csrf-token-as-inva...

Thanks

Veena

View solution in original post

VeenaVikraman · 7/22/20

Hi @hari_krishnac22

Since you have mentioned that everything was working fine till last week and nothing has changed I am not sure what is going wrong. But normally this error happens when the AEM doesn't sent the CSRF token along wiht the request. Jorg has answered a similar question here . Check if this helps

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/getting-csrf-token-as-inva...

Thanks

Veena

vanegi · 7/22/20

Hi @hari_krishnac22,

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token". If it is not there, include the "CSRF-Token" under clientheaders in dispatcher config file.

Thanks!!

Shashi_Mulugu · 7/23/20

@hari_krishnac22 Can you also check if you are using any of the two clientlibs before but removed recently?

granite.jquery or granite.csrf.standalone.

https://docs.adobe.com/content/help/en/experience-manager-64/developing/introduction/csrf-protection...

aemmarc · 7/23/20

Step 2 is not recommended.

The CSRF Filter essentially has 5 bits of logic it will filter on

1 - request.getAuthType() != null <-- this one is super common for organizations that have their own custom servlets that omit setting the authType on the request

2 - this.isFilteredMethod(request) <-- this one is based on the OSGI Config for the CSRF framework, eg what methods POST / GET / DELETE etc (this is what you deleted in Step2 -- not recommended)

3 - doFilterBasedOnUserAgent(request) <-- checks the user agent whitelist

4 - !isExcludedPath(request)) <-- checks if this path is to be excluded from CSRF OSGI config.

5 - !this.isValidRequest(request)) <-- checks for the CSRF-Token header in the request.

Hope that helps.

hari_krishnac22 · 7/23/20

Got the solution from community. Thanks folks.

Adobe Experience Manager Sites & More

Sling Post servlet forbidden error .

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe