Written by The Jahia Team
 
Developers
8.0.1.0

When I try to use my custom action I get an error and it seems the action is not available. What can I do? The error is:

[CsrfGuard] - potential cross-site request forgery (CSRF) attack thwarted ....  

 

Answer

Add the action to the allow list

The non-permanent way

By default, CsrfGuard blocks all actions, but you can allow your own actions through a configuration file. One way to do it is from Jahia Tools --> OSGi console, where you can edit the configuration (under OSGi - Configuration):


There, search for org.jahia.modules.jahiacsrfguard-default.cfg; when you click on it, the configuration pops up:


There you should see a whitelist property. By default, *.myAction.do will be there, and you can add other actions to this whitelist as a comma-separated list; for instance, in my example I added *.uploadTest.do.

After saving this configuration it is deployed, and the action should work as expected. Note that this edit lives in the server's configuration, not in your module, so it is lost if that file is replaced.

The permanent way

A configuration file can be packaged directly in your module. This is the best way to allow CsrfGuard to execute your actions, as these settings are applied when the module is deployed. Here is a quick way to do it:

  1. First create a new configuration folder src/main/resources/META-INF/configurations
  2. Create a new file org.jahia.modules.jahiacsrfguard-yourModule.cfg in this folder. This filename needs to be unique, because it is deployed into your digital-factory-data/karaf/etc, so we suggest replacing yourModule with the name of your module. For instance, if your module name is test-module, create the file src/main/resources/META-INF/configurations/org.jahia.modules.jahiacsrfguard-test-module.cfg
  3. Edit this new configuration file and whitelist all your action URLs with a line such as:
     
    whitelist = *.action1.do,*.action2.do

See example
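The following is an added example, not Jahia's own code: it parses a jahiacsrfguard-*.cfg file like the one above and reports which action URLs its whitelist covers, so you can check a module's configuration before deploying it. It assumes the whitelist entries are simple glob patterns where * matches any run of characters; the sample configuration and URLs are constructed.

```python
import fnmatch

# Constructed sample of a module configuration file (assumption: same
# key = value layout as the Karaf .cfg files deployed under karaf/etc).
SAMPLE_CFG = """\
# CSRF guard settings for test-module
whitelist = *.myAction.do, *.uploadTest.do
"""


def parse_cfg(text):
    """Return a dict of key -> value from a .cfg text, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def whitelist_patterns(props):
    """Split the comma-separated whitelist value into trimmed patterns."""
    return [p.strip() for p in props.get("whitelist", "").split(",") if p.strip()]


def is_whitelisted(url, patterns):
    """True if the URL path (query string ignored) matches any pattern."""
    path = url.split("?", 1)[0]
    return any(fnmatch.fnmatchcase(path, p) for p in patterns)


def check_actions(cfg_text, urls):
    """Map each action URL to whether the configuration whitelists it."""
    patterns = whitelist_patterns(parse_cfg(cfg_text))
    return {u: is_whitelisted(u, patterns) for u in urls}


if __name__ == "__main__":
    urls = [
        "/cms/render/default/en/sites/mysite/home.uploadTest.do",
        "/cms/render/default/en/sites/mysite/home.otherAction.do",
    ]
    for url, allowed in check_actions(SAMPLE_CFG, urls).items():
        print(("allowed " if allowed else "blocked ") + url)
```

An action reported as blocked is one CsrfGuard would reject with the error quoted in the question, so its URL pattern still needs to be added to the whitelist line.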

Allow GET method

By default, all actions are restricted to POST. You can explicitly declare that GET is also allowed for an action in your Spring file with requiredMethods="GET,POST". Keep in mind that an action reachable by GET can be triggered by a plain link or image request, so only allow GET for actions that do not change state.
