Axios request to AEM servlet redirecting to login.html

Time:10-06

I have a working servlet that tests properly with Postman, but I can't get the request to execute from the front end. The fact that Postman can execute the servlet with either a Get or a Post tells me the problem is likely with the front-end code. Does anyone see where the misconfiguration is in this block? The Basic key and cookie are copied from Postman; there is no CORS problem.

const response = await axios.get(url, null, {
    headers: {
        'Access-Control-Allow-Origin': '*',
        'Accept': '*/*',
        'Content-type': 'application/json',
        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS, PUT, PATCH, DELETE',
        'Access-Control-Allow-Headers': 'Origin, Content-Type, X-Auth-Token',
        'Authorization': 'Basic YWRtaW46YWRtaW4='
    },
    withCredentials: true,
    Cookie: "cq-authoring-mode=TOUCH;",
    params: {
        path: rootPath,
        maxCount: sourceMax
    }
}).catch(err => {
    console.log(err)
}, () => {
    console.log(response)
}).then(res => {
    console.log(res)
})

CodePudding user response:

This is most likely the CSRF filter which rejects some requests that don’t contain a CSRF token. By default it checks only POST, PUT and DELETE requests.

It’s weird that it also checks your request, which seems to be a GET. Either your filter is configured differently, or your sending a Content-type header, which describes the request body content type, makes axios switch the request from GET to POST (because GETs don’t have a request body and, thus, don’t need to declare their content type).

The CSRF filter can be configured in various ways and can exclude certain requests from filtering by path or user-agent:

CORS filter exclusion

You could also request a token from the /libs/granite/csrf/token.json endpoint and then send it along in your request. One way to do this is via the query, as the :cq_csrf_token param.
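
The token flow described in the answer above, as an added example that is not part of the original post: it reads the token from /libs/granite/csrf/token.json and appends it as the :cq_csrf_token query parameter. The `{ "token": "..." }` response shape and all function names are assumptions made for this sketch.

```javascript
// Added example. Endpoint path and parameter name come from the answer above;
// the { "token": "..." } response shape is an assumption about the endpoint.
const TOKEN_ENDPOINT = '/libs/granite/csrf/token.json';
const TOKEN_PARAM = ':cq_csrf_token';

// Extract the token from the token endpoint's response, failing loudly when
// the response is an HTML login page (no authenticated session), not JSON.
function parseCsrfToken(status, contentType, bodyText) {
  if (status !== 200) {
    throw new Error(`token endpoint returned HTTP ${status}`);
  }
  if (!/json/i.test(contentType || '')) {
    throw new Error('token endpoint did not return JSON (login redirect?)');
  }
  const token = JSON.parse(bodyText).token;
  if (typeof token !== 'string' || token.length === 0) {
    throw new Error('no token in response (anonymous session?)');
  }
  return token;
}

// Build the servlet URL with the caller's parameters plus the CSRF token.
// URLSearchParams percent-encodes the leading ':' of the parameter name.
function buildServletUrl(servletPath, params, token) {
  const query = new URLSearchParams(params);
  query.set(TOKEN_PARAM, token);
  return `${servletPath}?${query.toString()}`;
}

// Browser-side flow: same-origin requests carry the session cookie on their
// own, so no Cookie or Authorization header is set by hand.
async function callServlet(servletPath, params, fetchImpl = fetch) {
  const res = await fetchImpl(TOKEN_ENDPOINT, { credentials: 'same-origin' });
  const token = parseCsrfToken(
    res.status, res.headers.get('content-type'), await res.text());
  return fetchImpl(buildServletUrl(servletPath, params, token), {
    credentials: 'same-origin',
    redirect: 'manual', // expose a redirect to login.html instead of following it
  });
}
```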
