It's all about the answers!

Ask a question

Programmatically create a project area on RTC with curl


Kivanc Ahat (1122) | asked Sep 22 '11, 4:09 a.m.
Hi,
I am using rtc 2.0.0.2 and i want to create a project area with curl commands but i get HTTP/1.1 403 Forbidden error.
On the other hand i succeed to add members to a rtc project area with curl.

My user has got "JazzAdmins" role.

Project area creation commands:(fail)
@echo off
curl -k -c cookies.txt https://<server>:<port>/jazz/authenticated/identity
curl -k -L -b cookies.txt -c cookies.txt -d j_username=user -d j_password=pass https://<server>:<port>/jazz/authenticated/j_security_check
curl -D - -k -b cookies.txt -H "Content-Type: application/xml" -X POST --data-binary @pa.xml https://<server>:<port>/jazz/process/project-areas

pa.xml:
Specified from "https://jazz.net/wiki/bin/view/Main/DraftTeamProcessRestApi#POST_project_areas_collection"

adding members to project area commands are: (succeed)

curl -k -c cookies.txt https://<server>:<port>/jazz/authenticated/identity
curl -k -L -b cookies.txt -c cookies.txt -d j_username=user -d j_password=pass https://<server>:<port>/jazz/authenticated/j_security_check
curl -D - -k -b cookies.txt -H "Content-Type: application/xml" -X POST --data-binary @member.xml https://<server>:<port>/jazz/process/project-areas/_Ssh3sCr5EeCeN45TDlZ_OA/members



and i got error message when creating project area is:

HTTP/1.1 403 Forbidden
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Length: 964
Date: Thu, 22 Sep 2011 07:51:35 GMT

&lt;html&gt;&lt;head&gt;&lt;title&gt;Apache Tomcat/5.5.28 - Error report&lt;/title&gt;&lt;style&gt;&lt;H1&gt;&lt;/style&gt; &lt;/head&gt;&lt;body&gt;&lt;h1&gt;HTTP Status 403 - &lt;/h1&gt;&lt;HR&gt;&lt;p&gt;<b>type</b> Status report&lt;/p&gt;&lt;p&gt;<b>message</b> <u></u>&lt;/p&gt;&lt;p&gt;<b>description</b> <u>Access to the specified resource () has been forbidde
n.</u>&lt;/p&gt;&lt;HR&gt;&lt;h3&gt;Apache Tomcat/5.5.28&lt;/h3&gt;&lt;/body&gt;&lt;/h&gt;



Also i read and tried &quot;https://jazz.net/forums/viewtopic.php?p=59796&amp;sid=bd0f0fe85a4950a4be1aa869e176d6b2&quot; topic but it didn't help.


I really don't undstand the problem.
Please help..

5 answers



permanent link
Kivanc Ahat (1122) | answered Sep 28 '11, 4:08 a.m.
Hi,
We are using rtc 2.0.0.2 Standard Edition.
Mentioned difference between standard edition and enterprise edition is High Availability. What is the details of High Availability ?
Is that may be reason of 403 error message while posting project area collection ?

please help.

permanent link
Kevin Gu (17131) | answered Sep 28 '11, 11:16 p.m.
JAZZ DEVELOPER
Hi,
We are using rtc 2.0.0.2 Standard Edition.
Mentioned difference between standard edition and enterprise edition is High Availability. What is the details of High Availability ?
Is that may be reason of 403 error message while posting project area collection ?

please help.


Hi kivancahat,

Have you tried to add specific headers in the post request, e.g.

Referer: https://&lt;server&gt;:&lt;port&gt;/jazz/admin
Host: &lt;server&gt;:&lt;port&gt;
Content-Length: &lt;data_size&gt;
Content-Type: application/xml;charset=UTF-8

Kevin
Jazz Foundation Process Team

permanent link
Kivanc Ahat (1122) | answered Sep 29 '11, 8:32 a.m.
Hi mincer,
Unfortunatelly, that failed again.

I think, this problem is about the tomcat security constraint. I am not sure but i guess.

I have got security constraint like below: (jazz/web.xml)
&lt;security&gt;
&lt;web&gt;
&lt;web&gt;adminsecurepost&lt;/web&gt;
&lt;url&gt;/_theming/*&lt;/url&gt;
&lt;http&gt;POST&lt;/http&gt;
&lt;/web&gt;
&lt;auth&gt;
&lt;role&gt;JazzAdmins&lt;/role&gt;
&lt;/auth&gt;
&lt;user&gt;
&lt;transport&gt;CONFIDENTIAL&lt;/transport&gt;
&lt;/user&gt;
&lt;/security&gt;


Should i add this ??

&lt;web&gt;
&lt;web&gt;adminsecurepost&lt;/web&gt;
&lt;url&gt;/process/*&lt;/url&gt;
&lt;http&gt;POST&lt;/http&gt;
&lt;/web&gt;

permanent link
Dancy Xia (11632) | answered Oct 10 '11, 5:38 a.m.
Hi mincer,
Should i add this ??

&lt;web&gt;
&lt;web&gt;adminsecurepost&lt;/web&gt;
&lt;url&gt;/process/*&lt;/url&gt;
&lt;http&gt;POST&lt;/http&gt;
&lt;/web&gt;


I don't think it is about the security configuration on Tomcat. You've succeeded in adding members. I feel it maybe about the problem of the cookie data.

How about you try request like this?
set headers:
Referer=https://&lt;host&gt;:9443/jazz/admin
Cookie=JSESSIONID=1oviuaxpzdvsgq215vl23qfpf; JazzFormAuth=Form; net-jazz-ajax-cookie-rememberUserId=
Content-Type=application/xml; charset=utf-8

set body like this:

&amp;lt;?xml version=&quot;1.0&quot; encoding=&quot;UTF-8&quot;?&amp;gt;
&amp;lt;jp06:project-area xmlns:jp06=&quot;http://jazz.net/xmlns/prod/jazz/process/0.6/&quot; jp06:name=&quot;PA8&quot; jp06:templateId=&quot;com.ibm.team.process.example.process&quot;&amp;gt;
&amp;lt;/jp06:project-area&amp;gt;

I tried with REST client with above data and get the correct 201 response(please make sure to replace &amp;lt; and &amp;gt; with the correct tag, and use the correct templateId)

Dancy

Jazz Foundation Process Team

permanent link
Martha (Ruby) Andrews (3.0k44251) | answered May 19 '15, 8:57 p.m.
JAZZ DEVELOPER
The key here is to pass in a header that tells Jazz (CLM) that the request is not a CSRF attack. The name of the header is "X-Jazz-CSRF-Prevent" and the value is the JSESSIONID for the current session. You can get the JSESSIONID from the cookies.txt file, if you are willing to do some text manipulation.

Here is the snippet that worked for me:
curl -k -c %COOKIES% -sslv3 "%HOST%/authenticated/identity"
rem log in and save the JSESSIONID to use as X-Jazz-CSRF-Prevent header 
curl  -k -L -b %COOKIES% -c %COOKIES% -d j_username=%USER% -d j_password=%PASSWORD% -sslv3 "%HOST%/authenticated/j_security_check" 
grep "JSESSION" %COOKIES% > %TEMP_JSESSION%
for /F "tokens=7" %%G in (%TEMP_JSESSION%) do set JSESSIONID=%%G
curl -k -b %COOKIES% -H "Content-Type: application/xml" -H "X-Jazz-CSRF-Prevent: %JSESSIONID%" -X POST -d @project_area_xml_jazz.txt -sslv3 "%PROJECT_AREAS_URL%

Hope that helps,
Ruby
Martha (Ruby) Andrews
Jazz Foundation L3 Development Team Lead

Your answer


Register or to post your answer.


Dashboards and work items are no longer publicly available, so some links may be invalid. We now provide similar information through other means. Learn more here.