Sling Post servlet forbidden error .

Avatar

Avatar

hari_krishnac22

Avatar

hari_krishnac22

hari_krishnac22

22-07-2020

HI Team,

version : 6.4

service pack : 6.4.4.0 

In fact author and publisher post servlets are failing . 

Sling post servlet failing with 403 error. From logs this is the information  com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty csrf token - rejecting

  1. Request URL:
    https://diapctherurl :10500/services/content
  2. Request Method:
    POST
  3. Status Code:
    403 Forbidden

Followed the below steps : 

Step 1:

  • Navigated to /system/console/configMgr .
  • Search for 'Apache Sling Referrer Filter' .
  • Removed the  POST method from the filter.

Step 2:

  • Navigated to /system/console/configMgr .
  • Search for ‘Adobe Granite CSRF Filter’.
  • Removed the  POST method from the filters property.

After removed these 2 working fine. But client is  saying  since last week the post Servlet was worked fine, In fact no changes are  made in dispatcher, Thanks  in advacne. 

 

Thanks, 

Hari Chandana

View Entire Topic

Avatar

Avatar

aemmarc

Employee

Avatar

aemmarc

Employee

aemmarc
Employee

23-07-2020

Step 2 is not recommended.

 

The CSRF Filter essentially has 5 bits of logic it will filter on
 
1 - request.getAuthType() != null <-- this one is super common for organizations that have their own custom servlets that omit setting the authType on the request 
2 - this.isFilteredMethod(request) <-- this one is based on the OSGI Config for the CSRF framework, eg what methods POST / GET / DELETE etc  (this is what you deleted in Step2 -- not recommended)
3 - doFilterBasedOnUserAgent(request) <-- checks the user agent whitelist
4 - !isExcludedPath(request)) <-- checks if this path is to be excluded from CSRF OSGI config.
5 - !this.isValidRequest(request)) <-- checks for the CSRF-Token header in the request.
 
Hope that helps.