During development in the AEM author instance, you would like to test your servlet using an HTTP Rest Client such as Postman. When making a POST request on the Rest Client, you will experience 2 errors. An authentication error, and a 403 forbidden error.
What’s Happening?
Firstly, a typical development approach, you will be working on your author developers instance. Your Rest Client is making a POST request on the author instance, http://localhost:4502. You will get an authentication error.
Secondly, your POST request is being filtered and restricted by the “Apache Sling Referrer Filter” and “Adobe Granite CSRF Filter”. By default, the Apache Sling Referrer Filter blocks any incoming POST requests, and the Adobe Granite CSRF Filter blocks any incoming POST requests without the CSRF-Token token in the header.
How to solve this?
We can solve this issue by including basic auth type in Postman, then allowing incoming POST request in the Apache Sling Referrer Filter OSGI configurations, and remove the requirement of the CSRF-Token in the Adobe Granite CSRF Filter OSGI configurations.
Resource – Simple Servlet – https://gist.github.com/sourcedcode/bd1a2c150fabfc4b37857be0f389ac8a#file-simplepostservlet-java
Step 1 : Configure Basic Auth in Postman
Launch Postman, then navigate to the Authentication tab. Ensure type is set to “Basic Auth”, and username and password are set to “admin”; this is the default username and password for the administrator user while developing on the author instance.
Step 2 : Configure Apache Sling Referrer Filter
- Enable allow empty
- Remove the POST method from filters
In OSGI configurations (http://localhost:4502/system/console/configMgr), locate “Apache Sling Referrer Filter”. Enable the allow empty property, and remove the post method from filters property.
Step 3 : Configure Adobe Granite CSRF Filter
- Remove the POST method from filters
In OSGI configurations (http://localhost:4502/system/console/configMgr), locate “Adobe Granite CSRF Filter”. Remove the post method from filters property.
Final Notes
After making configurations to the two OSGI configurations, you should be able to make a POST request from your HTTP REST Client to your AEM instance.
For production, set Apache Sling Referrer Filter and Adobe Granite CSRF Filter settings back to default. Unless if you are giving access to other servers to make POST requests to your AEM application.
Thank you, this article is great!
Just what I was looking for, thank you.
Hi Briankasingli,
I tried to resolve the authentication error by removing POST in the csrf configuration, however i have been told this is not the correct way, and some different solution should be proposed other than changing anything in the configuration file. If you have came across the same situation please help.
Yup that’s right, during development using POSTMAN on local, you would need to configure the Apache Sling Referrer Filter. But in production, your website would be calling itself, so no need for Apache Sling Referrer Filter.