'X-Jazz-CSRF-Prevent' Header is required to create a work item via OSLC on version 4.0.0.1


Lionel Li (21611216) | asked Jan 04 '13, 4:48 p.m.
JAZZ DEVELOPER
When trying to create a work item via an OSLC call like the following sample:

Headers:
Content-Type: application/rdf+xml
OSLC-Core-Version: 2.0

Body:
<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rtc_cm="http://jazz.net/xmlns/prod/jazz/rtc/cm/1.0/">
  <rdf:Description rdf:nodeID="A0">
    <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
    <rtc_cm:type rdf:resource="https://<hostname>:9443/ccm/oslc/types/<Project Area UUID>/task"/>
  </rdf:Description>
</rdf:RDF>

Result:

Response Headers:

Status Code: 403 Forbidden
Content-Length: 1964
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1

Response body has the following info:
"The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicous website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent' and use the current JSESSIONID value as the value."

One answer

Lionel Li (21611216) | answered Jan 04 '13, 4:49 p.m.
JAZZ DEVELOPER
Searched around and found https://jazz.net/wiki/bin/rdiff/Sandbox/RationalSSOWorkEstimates mentioning the new header.

In the Infocenter, https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.team.build.doc%2Ftopics%2Ft_ee_z_wi_REST_promotion.html, the new header only shows up once in the example, which is not clear enough to guide users in using the OSLC function correctly.

A doc enhancement has been opened to have a clear answer about this new header:
https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=234984

comment 7 from Martin in the RFE:
The check for the header X-Jazz-CSRF-Prevent only happens if the access is a POST access and is coming out of a browser environment (that means the 'user-agent' header indicates that the request was sent out of a browser).

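To make the answer concrete, here is an added example (not Lionel's code and not IBM's): it builds the same OSLC work-item POST with the X-Jazz-CSRF-Prevent header echoing the JSESSIONID cookie, and it models the server-side rule quoted from comment 7 (check only on POST from a browser-like User-Agent). The host name, project area UUID and session id are constructed placeholders, the "Mozilla" User-Agent heuristic is a simplification, and the /oslc/contexts/<uuid>/workitems factory URL is an assumption to confirm against your server's OSLC service document.

```python
"""Added example: OSLC work-item creation with the X-Jazz-CSRF-Prevent header,
plus a simplified model of the Jazz CSRF check. Not code from the page."""
import urllib.request
from http.cookies import SimpleCookie
from xml.sax.saxutils import escape

# Constructed placeholders; a real JSESSIONID is issued by the server's
# Set-Cookie after authentication, never chosen by the client.
EXAMPLE_CCM = "https://hostname.example:9443/ccm"
EXAMPLE_PROJECT_UUID = "_PROJECT-AREA-UUID-PLACEHOLDER"
EXAMPLE_SET_COOKIE = "JSESSIONID=CONSTRUCTED-SESSION-0001; Path=/ccm; Secure; HttpOnly"


def jsessionid_from_set_cookie(set_cookie_header):
    """Extract the JSESSIONID value from a Set-Cookie header string."""
    jar = SimpleCookie(set_cookie_header)
    morsel = jar.get("JSESSIONID")
    return morsel.value if morsel else None


def work_item_body(ccm_base, project_uuid, title, wi_type="task"):
    """RDF/XML body in the same shape as the question; the title is
    XML-escaped so caller-supplied text cannot break the document."""
    type_uri = f"{ccm_base}/oslc/types/{project_uuid}/{wi_type}"
    return (
        '<rdf:RDF xmlns:dcterms="http://purl.org/dc/terms/"\n'
        '         xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"\n'
        '         xmlns:rtc_cm="http://jazz.net/xmlns/prod/jazz/rtc/cm/1.0/">\n'
        '  <rdf:Description rdf:nodeID="A0">\n'
        f'    <dcterms:title rdf:parseType="Literal">{escape(title)}</dcterms:title>\n'
        f'    <rtc_cm:type rdf:resource="{type_uri}"/>\n'
        '  </rdf:Description>\n'
        '</rdf:RDF>\n'
    )


def oslc_post_headers(jsessionid):
    """Headers for the OSLC POST. X-Jazz-CSRF-Prevent must equal the current
    JSESSIONID cookie (a double-submit pattern); otherwise the server returns 403."""
    return {
        "Content-Type": "application/rdf+xml",
        "OSLC-Core-Version": "2.0",
        "X-Jazz-CSRF-Prevent": jsessionid,
    }


def csrf_check_passes(method, headers, cookies):
    """Simplified model (assumption, not Jazz's real implementation) of the
    rule in comment 7: only a POST whose User-Agent looks like a browser is
    checked, and then the header must match the JSESSIONID cookie."""
    if method.upper() != "POST":
        return True
    looks_like_browser = "Mozilla" in headers.get("User-Agent", "")
    if not looks_like_browser:
        return True
    return headers.get("X-Jazz-CSRF-Prevent") == cookies.get("JSESSIONID")


def build_request(ccm_base, project_uuid, jsessionid, title):
    """urllib Request for the work-item factory. The URL shape
    /oslc/contexts/<uuid>/workitems is an assumption to verify locally."""
    url = f"{ccm_base}/oslc/contexts/{project_uuid}/workitems"
    body = work_item_body(ccm_base, project_uuid, title).encode("utf-8")
    headers = oslc_post_headers(jsessionid)
    headers["Cookie"] = f"JSESSIONID={jsessionid}"
    return urllib.request.Request(url, data=body, headers=headers, method="POST")


if __name__ == "__main__":
    sid = jsessionid_from_set_cookie(EXAMPLE_SET_COOKIE)
    req = build_request(EXAMPLE_CCM, EXAMPLE_PROJECT_UUID, sid, "Sample Work Item")
    print(req.get_method(), req.full_url)
    for name, value in req.header_items():
        print(f"{name}: {value}")
    # urllib.request.urlopen(req) would send it to a real server.
```

The point of csrf_check_passes is the failure mode from the question: a request that sets Content-Type and OSLC-Core-Version but not X-Jazz-CSRF-Prevent is rejected only when the User-Agent looks like a browser, which is why the same body can succeed from one client and fail from another.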
Comments
Stephane Leroy commented Apr 29 '13, 9:02 a.m.
JAZZ DEVELOPER

+1 on Lionel's answer.

This common pitfall is covered in this post as well:  http://sleroyblog.wordpress.com/2013/04/09/querying-rqm-40-through-oslc-and-rest-api/#PutPostSection
