How to make a simple HTTP POST request to AEM with a HTTP Rest Client, Postman

During development in the AEM author instance, you would like to test your servlet using an HTTP Rest Client such as Postman. When making a POST request on the Rest Client, you will experience 2 errors. An authentication error, and a 403 forbidden error.

What’s Happening?

Firstly, a typical development approach, you will be working on your author developers instance. Your Rest Client is making a POST request on the author instance, http://localhost:4502. You will get an authentication error.

Secondly, your POST request is being filtered and restricted by the “Apache Sling Referrer Filter” and “Adobe Granite CSRF Filter”. By default, the Apache Sling Referrer Filter blocks any incoming POST requests, and the Adobe Granite CSRF Filter blocks any incoming POST requests without the CSRF-Token token in the header.


How to solve this?

We can solve this issue by including basic auth type in Postman, then allowing incoming POST request in the Apache Sling Referrer Filter OSGI configurations, and remove the requirement of the CSRF-Token in the Adobe Granite CSRF Filter OSGI configurations.


Resource – Simple Servlet – https://gist.github.com/sourcedcode/bd1a2c150fabfc4b37857be0f389ac8a#file-simplepostservlet-java

Step 1 : Configure Basic Auth in Postman

Launch Postman, then navigate to the Authentication tab. Ensure type is set to “Basic Auth”, and username and password are set to “admin”; this is the default username and password for the administrator user while developing on the author instance.

Step 2 : Configure Apache Sling Referrer Filter

  1. Enable allow empty
  2. Remove the POST method from filters

In OSGI configurations (http://localhost:4502/system/console/configMgr), locate “Apache Sling Referrer Filter”. Enable the allow empty property, and remove the post method from filters property.


Step 3 : Configure Adobe Granite CSRF Filter

  1. Remove the POST method from filters

In OSGI configurations (http://localhost:4502/system/console/configMgr), locate “Adobe Granite CSRF Filter”. Remove the post method from filters property.



Final Notes

After making configurations to the two OSGI configurations, you should be able to make a POST request from your HTTP REST Client to your AEM instance.

For production, set Apache Sling Referrer Filter and Adobe Granite CSRF Filter settings back to default. Unless if you are giving access to other servers to make POST requests to your AEM application.

Read more about Apache Sling Referrer Filter.

Certified AEM Developer who has been working on AEM software developer for the past 5 years.

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top