1

I'm following this blog post, but I'm getting a 403 error in AEM 6.1. I do not want to make changes in the 'Apache Sling Referrer Filter'. I think this error is coming because of the CSRF token, which I can get by calling /libs/granite/csrf/token.json

But how can I add this CSRF token to this form header? Or is there any other way to make it work?

  • Check out https://stackoverflow.com/questions/39201101/aem-403-forbidden-occurs-when-call-a-post-servlet/39490339#39490339 – Raghavendra N Jan 11 '18 at 07:12

2 Answers

1

You can add the CSRF token with the standalone tag:

<cq:includeClientLib categories="granite.csrf.standalone" />

You can add this on every page where you use a form, or maybe you have a master page which is inherited by every page.

The CSRF token is a hidden field, added before the form is sent. It looks like:

<input type="hidden" name=":cq_csrf_token" value="4a6sd4f6as4df6as.a5s4df6a4sdf674asd96f"></input>
Try it
  • clientLibs I cannot use, because this HTML file is outside of AEM, it's just a something.html file. – Sumanta Pakira Apr 12 '16 at 10:00
  • I even added the hidden type in the HTML form but the result is the same. – Sumanta Pakira Apr 12 '16 at 10:01
  • If you are outside of AEM I don't know how to do it. I just know that you can get a token from "/libs/granite/csrf/token.json". And then you have to add it to the request header, maybe you have to add it as ":cq_csrf_token", but I'm not sure. – Try it Apr 12 '16 at 11:36
0

As your page is outside AEM, one way to handle this globally would be to include the Granite CSRF JS in your application and modify it to point to your AEM token.json URL. This script takes care of form posts and AJAX calls at a global level.

Secondly, this script does some checks related to server URL hosts and context paths, so you will have to disable those as well. It's a fairly simple JS to modify. I know this is not an ethical approach, but using AEM in this manner is also not a normal use case :)

Abhishek
  • Sling has the functionality to use the POST servlet in this way, so it is an ethical way :) and I resolved this by calling HTTP POST through Java code with the proper header. – Sumanta Pakira Apr 18 '16 at 03:20
  • Can you please elaborate on your solution and add it as an answer to help others? Originally I thought you were trying to post from an HTML page. – Abhishek Apr 18 '16 at 04:54
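
The flow discussed in this thread (get a token from /libs/granite/csrf/token.json, then send it with the POST), sketched as an added example that is not code from any participant. Assumptions not stated on the page: the token endpoint answers with a JSON object holding a `token` string, and AEM accepts the token in a `CSRF-Token` request header; the origin and servlet path passed in are placeholders.

```javascript
// Added example, not code from the thread. Assumed (not stated on this page):
// token.json answers {"token": "..."} and AEM reads the "CSRF-Token" header.
const TOKEN_PATH = "/libs/granite/csrf/token.json"; // endpoint named in the question
const CSRF_HEADER = "CSRF-Token";                   // assumption, see above
const CSRF_FIELD = ":cq_csrf_token";                // hidden field from the first answer

// Pull the token out of the token.json body; fail closed if it is missing.
function extractToken(body) {
  const parsed = typeof body === "string" ? JSON.parse(body) : body;
  if (!parsed || typeof parsed.token !== "string" || parsed.token === "") {
    throw new Error("token.json returned no CSRF token");
  }
  return parsed.token;
}

// Build fetch() options for a form-encoded POST carrying the token, either as
// a request header (default) or as the hidden form field.
function buildPost(token, fields, asFormField = false) {
  const body = new URLSearchParams(fields);
  const headers = { "Content-Type": "application/x-www-form-urlencoded" };
  if (asFormField) body.set(CSRF_FIELD, token);
  else headers[CSRF_HEADER] = token;
  // credentials: "include" sends the AEM session cookie with the request.
  return { method: "POST", credentials: "include", headers, body: body.toString() };
}

// Fetch a token immediately before the POST instead of reusing an old one.
// fetchImpl is injectable so the flow can be exercised without a server.
async function postWithCsrf(aemOrigin, servletPath, fields, fetchImpl = globalThis.fetch) {
  const tokenRes = await fetchImpl(new URL(TOKEN_PATH, aemOrigin), { credentials: "include" });
  if (!tokenRes.ok) throw new Error("token request failed: HTTP " + tokenRes.status);
  const token = extractToken(await tokenRes.json());
  return fetchImpl(new URL(servletPath, aemOrigin), buildPost(token, fields));
}
```

The token request and the POST both send the session cookie, so both must be made as the same logged-in user.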