
'X-Jazz-CSRF-Prevent' Header is required to create a work item via OSLC on version

Lionel Li (21611216) | asked Jan 04 '13, 4:48 p.m.
When trying to create a work item via an OSLC call as in the following sample:

Content-Type: application/rdf+xml
OSLC-Core-Version: OSLC-Core-Version

<rdf:RDF
    xmlns:dcterms=" "
    xmlns:rdf=" #"
    xmlns:rtc_cm=" ">
  <rdf:Description rdf:nodeID="A0">
    <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
    <rtc_cm:type rdf:resource="https://<hostname>:9443/ccm/oslc/types/<Project Area UUID>/task"/>
  </rdf:Description>
</rdf:RDF>

Response Headers:

Status Code: 403 Forbidden
Content-Length: 1964
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1

Response body has the following info:
"The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicious website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent' and use the current JSESSIONID value as the value."

One answer

Lionel Li (21611216) | answered Jan 04 '13, 4:49 p.m.
 Searched around and found  mentioning the new header.  

In Infocenter,   , the new header only shows once in the example, which is not clear enough to lead the user to use the OSLC function correctly.

A doc enhancement has been opened to have a clear answer about this new header:

comment 7 from Martin in the RFE:
The check for the header X-Jazz-CSRF-Prevent only happens if the access is a POST access and is coming out of a browser environment (that means the 'user-agent' header indicates that the request was sent out of a browser).

Stephane Leroy commented Apr 29 '13, 9:02 a.m.

+1 on Lionel's answer.

This common pitfall is covered in this post as well:
