
'X-Jazz-CSRF-Prevent' Header is required to create a work item via OSLC on version 4.0.0.1


Lionel Li (23111216) | asked Jan 04 '13, 4:48 p.m.
JAZZ DEVELOPER
When trying to create a work item via an OSLC call, as in the following sample:

Headers:
Content-Type application/rdf+xml
OSLC-Core-Version OSLC-Core-Version

Body:
<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rtc_cm="http://jazz.net/xmlns/prod/jazz/rtc/cm/1.0/">
  <rdf:Description rdf:nodeID="A0">
    <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
    <rtc_cm:type rdf:resource="https://<hostname>:9443/ccm/oslc/types/<Project Area UUID>/task"/>
  </rdf:Description>
</rdf:RDF>

-Result
Response Headers:

Status Code: 403 Forbidden
Content-Length: 1964
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1

Response body has the following info:
"The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicous website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent' and use the current JSESSIONID value as the value."

Accepted answer


Lionel Li (23111216) | answered Jan 04 '13, 4:49 p.m.
JAZZ DEVELOPER
Searched around and found https://jazz.net/wiki/bin/rdiff/Sandbox/RationalSSOWorkEstimates mentioning the new header.

In the Infocenter, https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.team.build.doc%2Ftopics%2Ft_ee_z_wi_REST_promotion.html, the new header only shows up once in the example, which is not clear enough to lead the user to use the OSLC function correctly.

A doc enhancement has been opened to have a clear answer about this new header:
https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=234984

Comment 7 from Martin in the RFE:
The check for the header X-Jazz-CSRF-Prevent only happens if the access is a POST access and is coming out of a browser environment (that means the 'user-agent' header indicates that the request was sent out of a browser).
Ralph Schoon selected this answer as the correct answer
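A client that satisfies this check, as an added example that is not code from the question or from Jazz: the JSESSIONID, host and creation-factory path are placeholders, the "Mozilla/" browser heuristic and the OSLC-Core-Version value are assumptions, and server_accepts models the rule from Martin's comment rather than RTC's actual implementation.

```python
import http.client
from http.cookies import SimpleCookie

# Request body from the question with the namespace URIs cleaned up; host and
# project-area UUID are filled in by the caller.
WORK_ITEM_BODY = """<rdf:RDF
    xmlns:dcterms="http://purl.org/dc/terms/"
    xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
    xmlns:rtc_cm="http://jazz.net/xmlns/prod/jazz/rtc/cm/1.0/">
  <rdf:Description rdf:nodeID="A0">
    <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
    <rtc_cm:type rdf:resource="https://{host}:9443/ccm/oslc/types/{pa}/task"/>
  </rdf:Description>
</rdf:RDF>"""

def build_oslc_post_headers(cookie_header, user_agent):
    """Headers for the POST: the anti-CSRF token is simply the current
    JSESSIONID, read from the Cookie header obtained at login."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    if "JSESSIONID" not in jar:
        raise ValueError("no JSESSIONID in cookie header; authenticate first")
    return {
        "Content-Type": "application/rdf+xml",
        "OSLC-Core-Version": "2.0",  # assumed value; the question leaves it blank
        "Cookie": cookie_header,
        "User-Agent": user_agent,
        "X-Jazz-CSRF-Prevent": jar["JSESSIONID"].value,
    }

def looks_like_browser(user_agent):
    """Assumption: a 'Mozilla/'-prefixed User-Agent counts as a browser."""
    return user_agent.startswith("Mozilla/")

def server_accepts(method, headers, session_id):
    """Rule from Martin's comment: only a POST from a browser-like user agent
    must carry X-Jazz-CSRF-Prevent equal to the current session id."""
    if method != "POST" or not looks_like_browser(headers.get("User-Agent", "")):
        return True
    return headers.get("X-Jazz-CSRF-Prevent") == session_id

def create_work_item(host, factory_path, project_area_uuid, cookie_header,
                     user_agent="Mozilla/5.0"):
    """POST the work item to the creation-factory path; returns (status, body)."""
    body = WORK_ITEM_BODY.format(host=host, pa=project_area_uuid)
    conn = http.client.HTTPSConnection(host, 9443)
    headers = build_oslc_post_headers(cookie_header, user_agent)
    conn.request("POST", factory_path, body, headers)
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")
```

Take the creation-factory path from the project's OSLC service document rather than hard-coding it.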

Comments
Stephane Leroy commented Apr 29 '13, 9:02 a.m.
JAZZ DEVELOPER

+1 on Lionel's answer.

This common pitfall is covered in this post as well: http://sleroyblog.wordpress.com/2013/04/09/querying-rqm-40-through-oslc-and-rest-api/#PutPostSection
