Getting CSRF token as invalid on POST servlet call. | Community
New Participant
April 23, 2018
Solved

Hi All,

Facing CSRF token issue on accessing a Servlet from Dispatcher URL.

Version: AEM 6.3

The Servlet is working as expected in Publish Instance.

On accessing the same through Dispatcher, getting the below errors on Publish error logs:

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter isValidRequest: empty CSRF token - rejecting

18.04.2018 04:02:44.014 *INFO* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.adobe.granite.csrf.impl.CSRFFilter doFilter: the provided CSRF token is invalid

18.04.2018 04:02:44.015 *WARN* [10.226.233.136 [1524038564013] POST /bin/project-name/favoriteservlet HTTP/1.1] com.day.cq.wcm.core.impl.components.ComponentCacheImpl Requested Path /bin/project-name/favoriteservlet.servlet is not in available search paths

Please note that below clientlibs are available in the page:

granite.csrf.standalone

cq.jquery

Could anyone please help me out?

6 replies

AMHarish (Author, Accepted solution)
New Participant
May 15, 2018

Thanks Jorg Hoh.

It worked after including the "CSRF-Token" under clientheaders.

Thanks everyone for your valuable time and suggestions.
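A way to check a Dispatcher farm for the three settings this thread discusses (the "CSRF-Token" entry under /clientheaders, the allow filter for token.json, and the deny cache rule for it), as an added example that is not part of the original posts. The sample farm is constructed, the function names are hypothetical, and the check assumes `$include` files are already expanded and only looks at rules that name token.json explicitly.

```python
import re

TOKEN = "/libs/granite/csrf/token.json"

# Constructed sample farm (hypothetical, includes already expanded).
SAMPLE_FARM = '''
/farms { /publish {
  /clientheaders { "Host" "Cookie" "Content-Type" "CSRF-Token" }
  /filter {
    /0001 { /type "deny" /glob "*" }
    /0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *" }
  }
  /cache { /rules {
    /0000 { /glob "*" /type "allow" }
    /0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }
  } }
} }
'''

def section(config, name):
    """Text inside the first '/name { ... }' block (assumes no braces in quoted strings)."""
    m = re.search(r'/%s\s*\{' % re.escape(name), config)
    if not m:
        return ''
    depth = 1
    for i in range(m.end(), len(config)):
        depth += {'{': 1, '}': -1}.get(config[i], 0)
        if depth == 0:
            return config[m.end():i]
    return ''  # unbalanced braces: treat the section as missing

def explicit_rule_type(block, path):
    """/type of the last rule whose /glob or /url names path; the last matching rule applies."""
    verdict = None
    for body in re.findall(r'/\w+\s*\{([^{}]*)\}', block):
        pat = re.search(r'/(?:glob|url)\s+"([^"]*)"', body)
        typ = re.search(r'/type\s+"(\w+)"', body)
        if pat and typ and path in pat.group(1):
            verdict = typ.group(1)
    return verdict

def check_csrf(config):
    headers = re.findall(r'"([^"]+)"', section(config, 'clientheaders'))
    return {
        # HTTP header names are case-insensitive; "*" forwards every header.
        'header_forwarded': any(h == '*' or h.lower() == 'csrf-token' for h in headers),
        'token_allowed': explicit_rule_type(section(config, 'filter'), TOKEN) == 'allow',
        'token_not_cached': explicit_rule_type(section(config, 'rules'), TOKEN) == 'deny',
    }

if __name__ == '__main__':
    print(check_csrf(SAMPLE_FARM))
```

A farm that reports `header_forwarded` as false reproduces the "empty CSRF token - rejecting" log line on publish, because the header is dropped before the request reaches the CSRF filter.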

New Participant
September 15, 2021

How did you include it in the header? Curious to know the steps.

-Lokesh

New Participant
August 25, 2022

Does anyone have further info on this?

smacdonald2008
New Participant
May 1, 2018

Whenever it works on PUB and not when Dispatcher has been set up, make sure you configure Dispatcher so that these requests are allowed to be used.

joerghoh
Employee
May 1, 2018

Can you check that a CSRF token is actually sent to the dispatcher? Can you enable debug logging on dispatcher and see if that header is transferred to the publish? The header name is "CSRF-Token".

kind regards,

Jörg

kautuk_sahni
Employee
May 1, 2018

Jörg Hoh, any help here?

Kautuk Sahni
New Participant
April 26, 2018

Thanks for the response, Peter.

I have verified the Dispatcher settings.

Below are the statements for reference:

Under >>filter

/0032 { /type "allow" /glob "* /libs/granite/csrf/token.json *"   }

Under >>Cache >>rules

/0999 { /glob "/libs/granite/csrf/token.json" /type "deny" }

However, the servlet works when excluding the servlet path from CSRF Filter.

Under System Config >> Adobe Granite CSRF Filter >> Added the servlets to the Excluded Paths ("filter.excluded.paths").

Looking for a permanent solution in this regard.

Peter_Puzanovs
New Participant
April 23, 2018

Dear Mohamed,

Sounds like Dispatcher config issue.

Please ensure that you allow path /libs/granite/csrf/token.json and do not cache the value in Dispatcher.

Ensure that it is allowed through your dispatcher and that you have the following entry in your dispatcher:

/1234 { /type "allow" /url "/libs/granite/csrf/token.json" }

Also make sure you don't cache it, by setting the following rule:

/4321
  {
  /glob "/libs/granite/csrf/token.json"
  /type "deny"
  }

Regards,

Peter