Jazz Forum Welcome to the Jazz Community Forum Connect and collaborate with IBM Engineering experts and users

Getting 403 when attempting to access LDX incoming-links

I am attempting to POST https://jazz.net/sandbox02-ldx/ldx/incoming-links and getting error 403 with the following message:

CRLQE0629E The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicous website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent.

I have provided the X-Jazz-CSRF-Prevent header with the JSESSIONID and that made no difference. There were two JSESSIONID headers in a successful GET request to LDX; I tried them both, same result. One of these JSESSIONIDs was JSESSIONID00007476E30E27BCCA3082A2B86019A4:28e05f04-2609-42a5-b77e-d6fea32ebe5e. Is this the correct value to use? Does the : need to be escaped with %3A? The other JSESSIONID was DCCB7476E30E27BCCA3082A2B86019A4; this didn't work either.

What am I missing?




0 votes



3 answers


Hi Jim,


From the response when you are authenticating, get the cookie value for the cookie JSESSIONID. Pass the value unmodified as the value for the header X-Jazz-CSRF-Prevent. You do not have to URL-encode the value.

I recently noticed that this is sometimes not enough. I noticed, using different REST extensions, that requests did not get through where they should. I found that the value of the header User-Agent influenced whether the POST call was accepted or not. If I set User-Agent to an arbitrary value, other than the browser default, the request succeeded.

0 votes
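The advice in the answer above, as an added example (not part of the original posts and not IBM code): it picks the JSESSIONID cookie that applies to the request path and copies its value verbatim into X-Jazz-CSRF-Prevent. The host elm.example.com, the cookie values and the helper names are constructed, and choosing between two JSESSIONID cookies by standard cookie path-matching is an assumption.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed Set-Cookie lines (not captured from a real server): two
# JSESSIONID cookies scoped to different paths, one containing a ':'.
SAMPLE_SET_COOKIE = [
    "JSESSIONID=0000AAAABBBBCCCCDDDD:11111111-2222-3333-4444-555555555555;"
    " Path=/ldx; Secure; HttpOnly",
    "JSESSIONID=EEEEFFFF0000111122223333; Path=/jts; Secure; HttpOnly",
]

def path_matches(cookie_path, request_path):
    """Cookie path-match as defined in RFC 6265, section 5.1.4."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False

def session_id_for(url, set_cookie_lines, name="JSESSIONID"):
    """Return the raw value of the most specific `name` cookie a client
    would send to `url`, or None if no such cookie applies."""
    request_path = urlsplit(url).path or "/"
    best = None
    for line in set_cookie_lines:
        jar = SimpleCookie()
        jar.load(line)  # one jar per line: same-named cookies would overwrite
        if name not in jar:
            continue
        morsel = jar[name]
        cookie_path = morsel["path"] or "/"
        if path_matches(cookie_path, request_path):
            if best is None or len(cookie_path) > len(best[0]):
                best = (cookie_path, morsel.value)
    return best[1] if best else None

def csrf_headers(url, set_cookie_lines):
    """Headers for a state-changing request: the cookie value goes into
    X-Jazz-CSRF-Prevent unmodified, with no URL-encoding of ':'."""
    sid = session_id_for(url, set_cookie_lines)
    if sid is None:
        raise LookupError("no JSESSIONID cookie is scoped to " + url)
    return {"X-Jazz-CSRF-Prevent": sid, "Accept": "application/json"}
```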


Hi Jim.

As far as I know, there is only one TRS Consumer license available, which is usually assigned to an internal user. If you don't use this user to query LDX, it might be the answer for the 403 Forbidden response.

0 votes



I made some progress. Setting header X-Jazz-CSRF-Prevent=1 seemed to get past the 403 Forbidden error. Is it possible that for LQE/LDX this is now a boolean parameter? 


Accept=application/json
Configuration-Context=
X-Jazz-CSRF-Prevent=1
Content-Type=x-www-form-urlencoded

limit=10

Now gives 404 instead of 403 which might indicate LDX incoming-links isn't enabled for 7.2?

So I assumed that perhaps LQE is handling incoming links in 7.2 and tried:

Accept=application/json
Configuration-Context=
X-Jazz-CSRF-Prevent=1
Content-Type=x-www-form-urlencoded

limit=10

which now gives 401 Unauthorized (not 403 Forbidden), which would indicate that I need to use the functional ID to access, which I probably can't do on jazz.net. I probably need to set up a local server to do this. MID's ELM installation is still 7.0.2.

0 votes

Question details

Question asked: Mar 26, 11:49 a.m.

Question was seen: 731 times

Last updated: Mar 27, 8:30 a.m.
