Former Member

JSON & CSRFToken using POST problems

Hi,

I have this action in my controller:

 @RequestMapping(value = "/returnRequest", method = RequestMethod.POST)
     public String createReturnRequest(@RequestBody final PuntRomaReturnRequestForm bodyParameterMap, final Model model,
             final BindingResult bindingErrors)
     {
         return null;
     }

And I had to use this ugly JavaScript code to make it possible to parse the JSON object into my data object:

 $.ajax({
   type : 'POST',
   url : "https://localhost:9002/ES/es/my-account/returnRequest?CSRFToken=" + ACC.config.CSRFToken,
   contentType : "application/json",
   data : JSON.stringify({
     code: "00018001"
   })
 });

Plus, automagically the CSRFToken is also added to my JSON object.

What is the standard way in hybris to POST JSON objects without having to add the CSRFToken as a parameter? Also, how can I prevent the CSRFToken from being inserted into the data object?

Thanks!


3 Answers

  • Former Member
    Posted on Jul 22, 2015 at 02:15 PM

    You can set the property "csrf.allowed.url.patterns" in local.properties to exclude URL patterns from this mechanism.

    https://wiki.hybris.com/display/accdoc/Spring+Security#SpringSecurity-Interceptor

    If you want to exclude certain URLs from checking the CSRF token, there is a property in the Accelerator that can be modified: csrf.allowed.url.patterns. This property can contain a comma-separated list of regular expressions to match URLs that should not be checked for the CSRF token.

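An added example, not part of the answer above and not hybris code: a small audit of a `csrf.allowed.url.patterns` value that lists which state-changing POST paths lose their CSRF check, so a broad pattern is caught before it ships. The endpoint list, the property values and all function names are constructed for illustration, and the sketch assumes each pattern must match the whole request path (as Java's `String.matches()` would).

```javascript
// Added example. Assumption: the CSRF interceptor requires a pattern to match
// the entire request path (Java String.matches() semantics).
function parsePatterns(propertyValue) {
  // Comma-separated list of regular expressions. A pattern that itself
  // contains a comma (e.g. "a{1,3}") would be split apart here.
  return propertyValue.split(",").map(s => s.trim()).filter(s => s.length > 0);
}

function isExempt(path, patterns) {
  // Wrap each pattern in ^(?:...)$ to emulate a full-string match.
  return patterns.some(p => new RegExp("^(?:" + p + ")$").test(path));
}

// For every exempt POST path, record which patterns exempt it and whether
// it is outside the set the team meant to exclude.
function auditExemptions(propertyValue, postPaths, intended) {
  const patterns = parsePatterns(propertyValue);
  const findings = [];
  for (const path of postPaths) {
    const matched = patterns.filter(p => isExempt(path, [p]));
    if (matched.length > 0) {
      findings.push({ path, matched, unintended: !intended.includes(path) });
    }
  }
  return findings;
}

// Constructed sample data: state-changing POST endpoints of a storefront.
const POST_PATHS = [
  "/my-account/returnRequest",
  "/my-account/update-password",
  "/cart/add",
  "/checkout/placeOrder",
];
const INTENDED = ["/my-account/returnRequest"];

// Constructed property values: a broad exclusion and a narrow one.
const BROAD = "/my-account/.*, /cart/add";
const NARROW = "/my-account/returnRequest";

function unintendedPaths(propertyValue) {
  return auditExemptions(propertyValue, POST_PATHS, INTENDED)
    .filter(f => f.unintended)
    .map(f => f.path);
}

console.log("broad :", unintendedPaths(BROAD));
console.log("narrow:", unintendedPaths(NARROW));
```

Every path the audit reports as unintended is a POST endpoint that would accept cross-site requests without a token, so the narrow, literal pattern is the one to keep.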

  • Posted on Jul 13, 2016 at 10:32 AM

    Just a note: if you would like to include the CSRF-Token in your request, you can do it the following way:

    Define the URL used in the form:

     <spring:url value="/example" var="exampleURL">
         <spring:param name="CSRFToken" value="${CSRFToken}"/>
     </spring:url>
    

    Define the form:

     <form:form method="post" commandName="..." action="${exampleURL}" >
     ...
     </form:form>
    
    

    In your AJAX-request:

     var form = ...
     $.ajax({
         type: form.attr('method'),
         url: form.attr('action'),
         data: ...
     });
    
    

  • Former Member
    Posted on Oct 07, 2016 at 07:48 PM

    I understand that "csrf.allowed.url.patterns" excludes the CSRF token verification. But what adds the token to Ajax POST requests originally? I would like to take the token out of certain Ajax POST requests with JSON, because the external server can't deserialize the JSON with the token.
