500 XSRF token mismatch (null). Session may be expired.

[sneha@anvayin.com]

Hi,

I am trying to call the rest API for creating a cart with /api/v1/cart on POST method. I tried with and without customer id. But still facing the error. Is there to be configured?? Any help would be great.

Below is the stackrace

<title>Error 500 XSRF token mismatch (null). Session may be expired.</title>
</head>
<body><h2>HTTP ERROR 500</h2>
<p>Problem accessing /api/v1/cart. Reason:
<pre> XSRF token mismatch (null). Session may be expired.</pre></p><h3>Caused by:</h3><pre>org.broadleafcommerce.common.exception.ServiceException: XSRF token mismatch (null). Session may be expired.
at org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl.compareToken(ExploitProtectionServiceImpl.java:122)
at org.broadleafcommerce.common.security.handler.CsrfFilter.doFilter(CsrfFilter.java:79)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
at org.broadleafcommerce.common.web.filter.EstablishSessionFilter.doFilter(EstablishSessionFilter.java:43)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:180)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
at com.anvayin.webapp.CustomCORSFilter.doFilter(CustomCORSFilter.java:38)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:448)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1067)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:377)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1001)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
at org.eclipse.jetty.server.Server.handle(Server.java:360)
at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:890)
at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:944)
at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:630)
at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:622)
at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
at java.lang.Thread.run(Thread.java:744)
--
Thanks Sneha

[phillipuniverse]

What version of Broadleaf are you on?

[sneha@anvayin.com]

Sorry I am new to broadleaf. Am not sure abt the version. Can you tell me how to find the version?

[phillipuniverse]

And also, what does applicationContext-filter look like?

You should also ensure that in your site's web.xml, applicationContext-rest-api.xml is included in the list of patchConfigLocations above applicationContext-security.xml. That applicationContext-rest-api.xml excludes the blCsrfFilter for all paths that start with /api/:

Code: Select all

<!-- Set up Spring security for the RESTful API -->
<sec:http pattern="/api/**" create-session="stateless">
    <sec:http-basic />
    <sec:custom-filter ref="blRestPreSecurityFilterChain" before="CHANNEL_FILTER"/>
    <sec:custom-filter ref="blRestCustomerStateFilter" after="REMEMBER_ME_FILTER"/>
    <sec:custom-filter ref="blRestPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
</sec:http>


If you do not have that piece, then Spring Security will throw in the blCsrfFilter into the security filter chain which is required for the site but should be excluded in the Rest APIs. From applicationContext-security.xml:

Code: Select all

    <sec:http auto-config="false" authentication-manager-ref="blAuthenticationManager" disable-url-rewriting="true">
        <!-- We handle session fixation protection ourselves  -->
        <sec:session-management session-fixation-protection="none" />
       
       <!-- .................................. -->
       <!-- Other configuration excluded -->
       <!-- .................................. -->
       
        <!-- Specify our custom filters -->
        <sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/>
        <sec:custom-filter ref="blCsrfFilter" before="FORM_LOGIN_FILTER"/>
        <sec:custom-filter ref="blSessionFixationProtectionFilter" before="SESSION_MANAGEMENT_FILTER"/>
        <sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
    </sec:http>


[phillipuniverse]

The version of Broadleaf is in the root pom.xml of your application. If you downloaded the workspace, look for the broadleaf.version property in the root pom.xml.

[sneha@anvayin.com]

Hi,

Thank you so much. That worked. I have a doubt, the other api calls of catalog worked without this configuration. Why is it so?

[phillipuniverse]

Because the blCsrfFilter is only activated on POST requests: https://github.com/BroadleafCommerce/Br ... r.java#L76

[sneha@anvayin.com]

Thank you