Sling Post servlet forbidden error

hari_krishnac22
Level 1

22-07-2020

Hi Team,

Version: 6.4

Service pack: 6.4.4.0

In fact, author and publisher post servlets are failing.

The Sling post servlet is failing with a 403 error. From the logs, this is the information: com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty csrf token - rejecting

  1. Request URL:
    https://diapctherurl :10500/services/content
  2. Request Method:
    POST
  3. Status Code:
    403 Forbidden

Followed the steps below:

Step 1:

  • Navigated to /system/console/configMgr.
  • Searched for 'Apache Sling Referrer Filter'.
  • Removed the POST method from the filter.

Step 2:

  • Navigated to /system/console/configMgr.
  • Searched for ‘Adobe Granite CSRF Filter’.
  • Removed the POST method from the filters property.

After removing these 2, it is working fine. But the client is saying since last week the post servlet was working fine; in fact no changes were made in the dispatcher. Thanks in advance.

 

Thanks, 

Hari Chandana

Accepted Solutions (1)

Veena_Vikram
MVP

22-07-2020

Hi @hari_krishnac22 

 

Since you have mentioned that everything was working fine till last week and nothing has changed, I am not sure what is going wrong. But normally this error happens when AEM doesn't send the CSRF token along with the request. Jorg has answered a similar question here. Check if this helps.

 

https://experienceleaguecommunities.adobe.com/t5/adobe-experience-manager/getting-csrf-token-as-inva...

 

Thanks

Veena

 

 

Answers (4)

hari_krishnac22
Level 1

23-07-2020

Got the solution from community. Thanks folks.

aemmarc
Employee

23-07-2020

Step 2 is not recommended.

 

The CSRF Filter essentially has 5 bits of logic it will filter on:

1 - request.getAuthType() != null <-- this one is super common for organizations that have their own custom servlets that omit setting the authType on the request
2 - this.isFilteredMethod(request) <-- this one is based on the OSGI Config for the CSRF framework, e.g. what methods POST / GET / DELETE etc. (this is what you deleted in Step 2 -- not recommended)
3 - doFilterBasedOnUserAgent(request) <-- checks the user agent whitelist
4 - !isExcludedPath(request) <-- checks if this path is to be excluded from CSRF OSGI config.
5 - !this.isValidRequest(request) <-- checks for the CSRF-Token header in the request.
 
Hope that helps.

Shashi_Mulugu
MVP

23-07-2020

@hari_krishnac22 Can you also check if you were using either of these two clientlibs before but removed them recently?

granite.jquery or granite.csrf.standalone.

 

https://docs.adobe.com/content/help/en/experience-manager-64/developing/introduction/csrf-protection...

 

vanegi
Employee

22-07-2020

Hi @hari_krishnac22,

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on the dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token". If it is not there, include the "CSRF-Token" under clientheaders in the dispatcher config file.

 

Thanks!!
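
The clientheaders check suggested in the reply above can be run against the dispatcher config file itself. This is an added example, not code from the thread or from Adobe: a Python sketch that reads the /clientheaders block of a dispatcher.any file and reports whether "CSRF-Token" is listed. The function name, result strings and sample configs are hypothetical and constructed for illustration.

```python
import re

# Constructed sample configs (not from the thread).
BLOCKED = '''
/clientheaders
  {
  "referer"
  "user-agent"
  # "CSRF-Token"   <- commented out, so not forwarded
  }
'''
ALLOWED = '/clientheaders { "referer" "csrf-token" }'
WILDCARD = '/clientheaders { "*" }'
INCLUDED = '/clientheaders { $include "clientheaders.any" }'


def csrf_header_status(dispatcher_any: str, header: str = "CSRF-Token") -> str:
    """Classify whether `header` is listed in the /clientheaders block."""
    # Strip '#' comments first so a commented-out entry is not counted.
    text = re.sub(r"#[^\n]*", "", dispatcher_any)
    block = re.search(r"/clientheaders\s*\{([^{}]*)\}", text)
    if block is None:
        return "no-clientheaders-section"
    body = block.group(1)
    # $include pulls entries from another file that this function cannot see.
    includes = re.findall(r'\$include\s+"[^"]+"', body)
    for inc in includes:
        body = body.replace(inc, "")
    # Header names are case-insensitive in HTTP; compare lower-cased
    # (assumption: the dispatcher matches names the same way).
    listed = {name.lower() for name in re.findall(r'"([^"]+)"', body)}
    if "*" in listed or header.lower() in listed:
        return "forwarded"
    return "check-included-files" if includes else "not-forwarded"


if __name__ == "__main__":
    for label, cfg in [("blocked", BLOCKED), ("allowed", ALLOWED),
                       ("wildcard", WILDCARD), ("included", INCLUDED)]:
        print(label, "->", csrf_header_status(cfg))
```

A "not-forwarded" result matches the symptom in the question: the browser sends the token, the dispatcher drops the header, and the CSRF filter on publish logs "empty csrf token - rejecting".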