post - 500 XSRF token mismatch (null). Session may be expired


I am trying to call the REST API for creating a cart, /api/v1/cart, with the POST method. I tried with and without the customer ID and am still facing the error. Is there something that needs to be configured? That would be great. Below is the stack trace from the Jetty server.

HTTP ERROR 500

Problem accessing /api/v1/cart. Reason:

    XSRF token mismatch (null). Session may be expired.

Caused by:

    org.broadleafcommerce.common.exception.ServiceException: XSRF token mismatch (null). Session may be expired.
        at org.broadleafcommerce.common.security.service.ExploitProtectionServiceImpl.compareToken(ExploitProtectionServiceImpl.java:122)
        at org.broadleafcommerce.common.security.handler.CsrfFilter.doFilter(CsrfFilter.java:79)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:105)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.access.channel.ChannelProcessingFilter.doFilter(ChannelProcessingFilter.java:144)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
        at org.broadleafcommerce.common.web.filter.EstablishSessionFilter.doFilter(EstablishSessionFilter.java:43)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.orm.jpa.support.OpenEntityManagerInViewFilter.doFilterInternal(OpenEntityManagerInViewFilter.java:180)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:166)
        at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342)
        at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192)
        at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160)
        at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
        at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at com.anvayin.webapp.CustomCorsFilter.doFilter(CustomCorsFilter.java:38)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:88)
        at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1302)
        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:448)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
        at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524)
        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:231)
        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1067)
        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:377)
        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:192)
        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1001)
        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
        at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:250)
        at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:149)
        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:111)
        at org.eclipse.jetty.server.Server.handle(Server.java:360)
        at org.eclipse.jetty.server.AbstractHttpConnection.handleRequest(AbstractHttpConnection.java:454)
        at org.eclipse.jetty.server.AbstractHttpConnection.headerComplete(AbstractHttpConnection.java:890)
        at org.eclipse.jetty.server.AbstractHttpConnection$RequestHandler.headerComplete(AbstractHttpConnection.java:944)
        at org.eclipse.jetty.http.HttpParser.parseNext(HttpParser.java:630)
        at org.eclipse.jetty.http.HttpParser.parseAvailable(HttpParser.java:230)
        at org.eclipse.jetty.server.AsyncHttpConnection.handle(AsyncHttpConnection.java:77)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint.handle(SelectChannelEndPoint.java:622)
        at org.eclipse.jetty.io.nio.SelectChannelEndPoint$1.run(SelectChannelEndPoint.java:46)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:603)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:538)
        at java.lang.Thread.run(Thread.java:744)

--

Thanks, Sneha

Ensure that in your site's web.xml, applicationContext-rest-api.xml is included in the list of patchConfigLocations above applicationContext-security.xml. applicationContext-rest-api.xml excludes blCsrfFilter for paths that start with /api/:

    <!-- Set up Spring Security for the RESTful API -->
    <sec:http pattern="/api/**" create-session="stateless">
        <sec:http-basic />
        <sec:custom-filter ref="blRestPreSecurityFilterChain" before="CHANNEL_FILTER"/>
        <sec:custom-filter ref="blRestCustomerStateFilter" after="REMEMBER_ME_FILTER"/>
        <sec:custom-filter ref="blRestPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
    </sec:http>

If you do not have that piece, Spring Security throws in the blCsrfFilter from the security filter chain required for the site, which should be excluded for the REST APIs. From applicationContext-security.xml:

    <sec:http auto-config="false" authentication-manager-ref="blAuthenticationManager" disable-url-rewriting="true">
        <!-- We handle session fixation protection ourselves -->
        <sec:session-management session-fixation-protection="none" />
        <!-- .................................. -->
        <!-- other configuration excluded -->
        <!-- .................................. -->
        <!-- Specify our custom filters -->
        <sec:custom-filter ref="blPreSecurityFilterChain" before="CHANNEL_FILTER"/>
        <sec:custom-filter ref="blCsrfFilter" before="FORM_LOGIN_FILTER"/>
        <sec:custom-filter ref="blSessionFixationProtectionFilter" before="SESSION_MANAGEMENT_FILTER"/>
        <sec:custom-filter ref="blPostSecurityFilterChain" after="SWITCH_USER_FILTER"/>
    </sec:http>
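The ordering rule behind that answer is that Spring Security evaluates the `<sec:http>` elements in declaration order and hands the request to the first chain whose pattern matches, so the catch-all site chain (which carries blCsrfFilter) must come after the stateless `/api/**` chain. The following is an added example, not Broadleaf or Spring Security code, that models just that first-match dispatch and the token comparison the CSRF filter performs; the class and method names (`Chain`, `dispatch`, `tokensMatch`), the simplified ant-style matcher and the `csrfToken` parameter name are assumptions made for the illustration, and all requests and tokens are constructed sample data.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/**
 * Hypothetical model (not Broadleaf/Spring code) of how an ordered list of
 * <sec:http> chains dispatches a request: the first matching pattern wins,
 * and only a chain that carries the CSRF filter checks the token.
 */
public class ChainOrderDemo {

    /** Request as the CSRF filter sees it; session is null for a stateless API call. */
    record Request(String method, String path, Map<String, String> params, Map<String, String> session) {}

    /** One <sec:http pattern="..."> element; the site chain ("/**") has the CSRF filter, the REST chain does not. */
    record Chain(String name, String pattern, boolean hasCsrfFilter) {
        boolean matches(String path) {
            // Minimal ant-style matcher (assumption): "/api/**" matches everything under /api/, "/**" matches all.
            if (pattern.endsWith("/**")) {
                String prefix = pattern.substring(0, pattern.length() - 2); // "/api/" or "/"
                return path.startsWith(prefix);
            }
            return pattern.equals(path);
        }
    }

    /** Methods that change state and therefore need a CSRF token on a session-bound chain. */
    static boolean isStateChanging(String method) {
        return !(method.equals("GET") || method.equals("HEAD") || method.equals("OPTIONS"));
    }

    /** Compare the submitted token with the session token in constant time; a missing token never matches. */
    static boolean tokensMatch(String expected, String actual) {
        if (expected == null || actual == null) return false;
        return MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                     actual.getBytes(StandardCharsets.UTF_8));
    }

    /** Pick the FIRST chain whose pattern matches; later chains are never consulted. */
    static String dispatch(List<Chain> chains, Request req) {
        for (Chain chain : chains) {
            if (!chain.matches(req.path())) continue;
            if (chain.hasCsrfFilter() && isStateChanging(req.method())) {
                String submitted = req.params().get("csrfToken");
                String expected = req.session() == null ? null : req.session().get("csrfToken");
                if (!tokensMatch(expected, submitted)) {
                    return "REJECTED by " + chain.name() + ": XSRF token mismatch (" + submitted + ")";
                }
            }
            return "ACCEPTED by " + chain.name();
        }
        return "no chain matched";
    }

    public static void main(String[] args) {
        Chain rest = new Chain("applicationContext-rest-api.xml /api/**", "/api/**", false);
        Chain site = new Chain("applicationContext-security.xml /**", "/**", true);

        // Constructed request: the question's POST /api/v1/cart with no session and no token.
        Request apiPost = new Request("POST", "/api/v1/cart", Map.of(), null);

        // Wrong order: the catch-all site chain matches first and its CSRF filter sees a null token.
        System.out.println(dispatch(List.of(site, rest), apiPost));
        // Right order: the stateless REST chain matches first and carries no CSRF filter.
        System.out.println(dispatch(List.of(rest, site), apiPost));

        // A browser-style POST outside /api/ stays protected in the corrected order.
        Map<String, String> session = new HashMap<>();
        session.put("csrfToken", "constructed-session-token");
        Request siteNoToken = new Request("POST", "/checkout", Map.of(), session);
        Request siteWithToken = new Request("POST", "/checkout",
                Map.of("csrfToken", "constructed-session-token"), session);
        System.out.println(dispatch(List.of(rest, site), siteNoToken));
        System.out.println(dispatch(List.of(rest, site), siteWithToken));
    }
}
```

Compile and run with a Java 16 or newer JDK (the example uses records). The first line printed reproduces the "XSRF token mismatch (null)" outcome of a site-chain-first ordering; the second shows the same request accepted once the `/api/**` chain is declared first, while the last two lines show that the site's own form posts are still checked. Exempting `/api/**` is sound only because that chain is `create-session="stateless"`: no session cookie can be ridden by a cross-site page. If the same API is ever called from a browser that caches HTTP Basic credentials, the browser will resend them automatically, so such an endpoint needs another CSRF defence (for example, requiring a custom request header) rather than relying on the exemption.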
