AEM Admin UI not working after URL or IP change
After migrating to a new server or updating the IP or FQDN (Fully Qualified Domain Name), the AEM Admin UI can become inaccessible. CSRF (Cross-Site Request Forgery)-related errors occur in the logs, and the UI fails to load. This happens because the new URL isn’t whitelisted in the referer settings. To fix this, temporarily disable the CSRF filter, update the allowed referer URLs, and restart the server.
Description description
Environment
Product: Adobe Experience Manager - Forms (AEM - Forms)
Version: 6.5
Issue/Symptoms
- The AEM Admin UI is inaccessible after migrating to a new server with a new FQDN and IP.
- Errors appear in the logs and Admin UI similar to these examples:
20:33:13,809 WARNING [ com.adobe.xxx.xx.auth.filter.CSRFFilter] (default task-4) Blocked request for resource:/adminui/login.faces due to invalid referer: http://NEW_FQDN:8080/adminui/. More information is available at http://www.adobe.com/go/learn_dep_hardening_10
20:52:38,284 WARNING [ com.adobe.xxx.xx.auth.filter.CSRFFilter] (default task-32) Blocked request for resource:/adminui/login.faces due to invalid referer
Resolution resolution
The issue occurs because the CSRF filter blocks requests from URLs that aren’t whitelisted. To restore access to the Admin UI, follow these steps:
-
Add the following Java argument to the server’s startup script to temporarily disable the CSRF filter:
code language-none -Dlc.um.csrffilter.disabled=trueThis argument must be added to the Java arguments section of your application server startup script (For example: in JBoss, WebLogic, or WebSphere).
-
Restart the server. The Admin UI should now be accessible.
-
Once the Admin UI is up, whitelist the new IP and FQDN:
- Go to Home
>Settings>User Management>Configure Allowed Referer URL’s.
- Go to Home
-
Perform a clean restart of the server to apply the changes.