
'X-Jazz-CSRF-Prevent' Header is required to create a work item via OSLC on version

Lionel Li (23111216) | asked Jan 04 '13, 4:48 p.m.
When trying to create a workitem via OSLC call as following sample:

Content-Type application/rdf+xml
OSLC-Core-Version OSLC-Core-Version

  <rdf:RDF
    xmlns:dcterms=" "
    xmlns:rdf=" #"
    xmlns:rtc_cm=" " >
    <rdf:Description rdf:nodeID="A0">
      <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
      <rtc_cm:type rdf:resource="https://<hostname>:9443/ccm/oslc/types/<Project Area UUID>/task"/>
    </rdf:Description>
  </rdf:RDF>

Response Headers:

Status Code: 403 Forbidden
Content-Length: 1964
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1

Response body has the following info:
"The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicous website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent' and use the current JSESSIONID value as the value."

Accepted answer

Lionel Li (23111216) | answered Jan 04 '13, 4:49 p.m.
Searched around and found mentioning the new header.

In Infocenter, , the new header only shows once in the example, which is not clear enough to lead the user to use the OSLC function correctly.

A doc enhancement has been opened to have a clear answer about this new header:

comment 7 from Martin in the RFE:
The check for the header X-Jazz-CSRF-Prevent only happens if the access is a POST access and is coming out of a browser environment (that means the 'user-agent' header indicates that the request was sent out of a browser).
Ralph Schoon selected this answer as the correct answer
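As an added illustration (not code from the question, the answer, or the Jazz product), the following Python models the rule quoted above: the client captures the JSESSIONID issued at login, sends it both as the session cookie and as the X-Jazz-CSRF-Prevent header, and the server only enforces the comparison for POST requests whose User-Agent looks like a browser. The cookie value, the user-agent strings and the "Mozilla" heuristic are constructed assumptions for the example.

```python
import hmac
from http.cookies import SimpleCookie

# Constructed sample values; nothing here is copied from a real server.
SET_COOKIE = "JSESSIONID=0000AbCdEf1234567890; Path=/ccm; Secure; HttpOnly"
BROWSER_UA = "Mozilla/5.0 (Windows NT 6.1) Firefox/18.0"
SCRIPT_UA = "python-requests/1.0"


def session_id_from_set_cookie(set_cookie):
    """Pull the JSESSIONID value out of the Set-Cookie header returned at login."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = jar.get("JSESSIONID")
    return morsel.value if morsel else None


def oslc_post_headers(session_id):
    """Headers for an OSLC work-item POST: the session cookie plus the same id
    echoed in X-Jazz-CSRF-Prevent (a double-submit token)."""
    return {
        "Content-Type": "application/rdf+xml",
        "OSLC-Core-Version": "2.0",
        "Cookie": "JSESSIONID=" + session_id,
        "X-Jazz-CSRF-Prevent": session_id,
    }


def looks_like_browser(user_agent):
    # Assumption: a hypothetical heuristic; the server's real test is not shown on the page.
    return "Mozilla" in (user_agent or "")


def csrf_check(method, headers):
    """Model of the server-side rule quoted in the answer: a POST whose User-Agent
    looks like a browser must carry X-Jazz-CSRF-Prevent equal to the JSESSIONID
    cookie; otherwise the request is refused as possibly forged (403)."""
    if method.upper() != "POST" or not looks_like_browser(headers.get("User-Agent")):
        return True
    jar = SimpleCookie()
    jar.load(headers.get("Cookie", ""))
    cookie_sid = jar["JSESSIONID"].value if "JSESSIONID" in jar else ""
    header_sid = headers.get("X-Jazz-CSRF-Prevent", "")
    # A cross-site form post carries the cookie automatically but cannot set this
    # custom header, so requiring the echoed value distinguishes the two cases.
    return bool(header_sid) and hmac.compare_digest(header_sid, cookie_sid)
```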

Stephane Leroy commented Apr 29 '13, 9:02 a.m.

+1 on Lionel's answer.

This common pitfall is covered in this post as well:
