JSON & CSRFToken using POST problems

Former Member
0 Kudos

Hi,

I have this action in my controller:

 @RequestMapping(value = "/returnRequest", method = RequestMethod.POST)
 public String createReturnRequest(@RequestBody final PuntRomaReturnRequestForm bodyParameterMap, final Model model,
         final BindingResult bindingErrors)
 {
     return null;
 }

And I had to use this ugly JavaScript code to make it possible to parse the JSON object into my data object:

 $.ajax({
     type : 'POST',
     url : "https://localhost:9002/ES/es/my-account/returnRequest?CSRFToken=" + ACC.config.CSRFToken,
     contentType : "application/json",
     data : JSON.stringify({
         code: "00018001"
     })
 });

Plus, automagically the CSRFToken is also added to my JSON object.

What is the standard way in hybris to POST JSON objects without having to add the CSRFToken as a parameter? Also, how can I prevent the CSRFToken from being inserted into the data object?

Thanks!

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

I understand that the "csrf.allowed.url.patterns" exclude the CSRF token verification. But what adds the token to Ajax POST requests originally? I would like to take the token out of certain Ajax POST requests with JSON, because the external server can't deserialize the JSON with the token.

legozajozsef
Explorer
0 Kudos

Just a note: if you would like to include the CSRF-Token in your request, you can do it the following way:

Define the URL used in the form:

 <spring:url value="/example" var="exampleURL">
     <spring:param name="CSRFToken" value="${CSRFToken}"/>
 </spring:url>

Define the form:

 <form:form method="post" commandName="..." action="${exampleURL}" >
 ...
 </form:form>

In your AJAX-request:

 // Look up the form first; a declaration cannot sit inside the options object.
 var form = ...
 $.ajax({
     type: form.attr('method'),
     url: form.attr('action'),
     data: ...
 });

Former Member
0 Kudos

You can set a property "csrf.allowed.url.patterns" in local.properties that excludes URL patterns from this mechanism.

https://wiki.hybris.com/display/accdoc/Spring+Security#SpringSecurity-Interceptor

If you want to exclude certain URLs from checking the CSRF token, there is a property in the Accelerator that can be modified: csrf.allowed.url.patterns. This property can contain a comma-separated list of regular expressions to match URLs that should not be checked for the CSRF token.
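
A check one might run before changing the property described above (an added example, not part of the original thread and not hybris code): it lists which routes a candidate `csrf.allowed.url.patterns` value would exempt from the token check. It assumes each pattern must match the whole request path; the route inventory and the pattern values are constructed, and JavaScript regex syntax stands in for Java's.

```javascript
// Added example: audit a proposed csrf.allowed.url.patterns value before deploying it.
// Assumption: each regex must match the whole request path (emulated with ^(?:...)$).

// Split the comma-separated property value into anchored regular expressions.
function parseAllowedPatterns(propertyValue) {
  return propertyValue
    .split(',')
    .map((p) => p.trim())
    .filter((p) => p.length > 0)
    .map((p) => ({ source: p, regex: new RegExp('^(?:' + p + ')$') }));
}

// Return the routes that would skip the CSRF check, with the pattern responsible.
function findExemptRoutes(propertyValue, routes) {
  const patterns = parseAllowedPatterns(propertyValue);
  const exempt = [];
  for (const route of routes) {
    const hit = patterns.find((p) => p.regex.test(route.path));
    if (hit) {
      exempt.push({ path: route.path, method: route.method, pattern: hit.source });
    }
  }
  return exempt;
}

// Exempt POST routes outside the reviewed list are unintended CSRF exposure.
function unintendedExemptions(propertyValue, routes, intendedPaths) {
  return findExemptRoutes(propertyValue, routes)
    .filter((r) => r.method === 'POST' && !intendedPaths.includes(r.path));
}

// Constructed route inventory; only /my-account/returnRequest appears on this page.
const ROUTES = [
  { method: 'POST', path: '/my-account/returnRequest' },
  { method: 'POST', path: '/my-account/update-password' },
  { method: 'POST', path: '/cart/add' },
  { method: 'GET', path: '/my-account/orders' },
];

// Constructed property values: a broad pattern and a narrow one.
const BROAD = '/my-account/.*';
const NARROW = '/my-account/returnRequest, /integration/[^/]+/callback';
const INTENDED = ['/my-account/returnRequest'];

console.log(unintendedExemptions(BROAD, ROUTES, INTENDED));
console.log(unintendedExemptions(NARROW, ROUTES, INTENDED));
```

With the broad value the password-update route also loses its CSRF check, while the narrow value exempts only the reviewed endpoint.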