'X-Jazz-CSRF-Prevent' Header is required to create a work item via OSLC on version 4.0.0.1
When trying to create a work item via an OSLC call as in the following sample:

Headers:

Content-Type application/rdf+xml
OSLC-Core-Version OSLC-Core-Version

Body:

<rdf:RDF
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns:rtc_cm="http://jazz.net/xmlns/prod/jazz/rtc/cm/1.0/">
  <rdf:Description rdf:nodeID="A0">
    <dcterms:title rdf:parseType="Literal">Sample Work Item</dcterms:title>
    <rtc_cm:type rdf:resource="https://<hostname>:9443/ccm/oslc/types/<Project Area UUID>/task"/>
  </rdf:Description>
</rdf:RDF>

Result
Response Headers:

Status Code: 403 Forbidden
Content-Length: 1964
Content-Type: text/html;charset=utf-8
Server: Apache-Coyote/1.1
	Response body has the following info:
	"The user has the roles required to perform this operation, but the permission has been denied because this request might have been forged by a malicous website. To prove that this request is not part of a CSRF attack add a new HTTP header with the name 'X-Jazz-CSRF-Prevent' and use the current JSESSIONID value as the value."
Accepted answer
Searched around and found https://jazz.net/wiki/bin/rdiff/Sandbox/RationalSSOWorkEstimates mentioning the new header.
In Infocenter, https://jazz.net/help-dev/clm/index.jsp?topic=%2Fcom.ibm.team.build.doc%2Ftopics%2Ft_ee_z_wi_REST_promotion.html , the new header only shows once in the example, which is not clear enough to lead the user to use the OSLC function correctly.
	A doc enhancement has been opened to have a clear answer about this new header:
	
https://jazz.net/jazz/web/projects/Rational%20Team%20Concert#action=com.ibm.team.workitem.viewWorkItem&id=234984
	comment 7 from Martin in the RFE:
	The check for the header X-Jazz-CSRF-Prevent only happens if the access is a POST access and is coming out of a browser environment (that means the 'user-agent' header indicates that the request was sent out of a browser).
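The rule quoted above (header verified only for a POST whose User-Agent looks like a browser, and then it must equal the live JSESSIONID) as an added example, not code from the thread or from RTC itself. `oslc_post_headers` builds the request headers from the login cookies; `csrf_check_passes` is a small model of the server-side rule so the three cases can be tried offline. The browser-detection markers and the `OSLC-Core-Version: 2.0` value are assumptions.

```python
# Added example: client helper plus a model of the X-Jazz-CSRF-Prevent rule
# described in the thread. Not RTC product code.

# Assumption: a simplified "looks like a browser" test on the User-Agent value.
BROWSER_UA_MARKERS = ("Mozilla/", "Opera/")


def oslc_post_headers(cookies, user_agent="python-oslc-client/1.0"):
    """Build headers for an OSLC work-item POST.

    `cookies` is a dict of the cookies returned at login. The JSESSIONID value
    is copied into X-Jazz-CSRF-Prevent, exactly what the 403 response asks for.
    A cross-site page cannot read that cookie, so it cannot forge the header.
    """
    session_id = cookies.get("JSESSIONID")
    if not session_id:
        raise ValueError("no JSESSIONID cookie: authenticate before POSTing")
    return {
        "Content-Type": "application/rdf+xml",
        "OSLC-Core-Version": "2.0",  # assumption: OSLC Core 2.0
        "User-Agent": user_agent,
        "Cookie": "JSESSIONID=" + session_id,
        "X-Jazz-CSRF-Prevent": session_id,
    }


def csrf_check_passes(method, headers, cookies):
    """Model of the rule from comment 7: only a POST with a browser-like
    User-Agent is checked; it must carry the header with the current
    JSESSIONID. Other requests are not subject to this check."""
    if method.upper() != "POST":
        return True
    user_agent = headers.get("User-Agent", "")
    if not any(marker in user_agent for marker in BROWSER_UA_MARKERS):
        return True
    return headers.get("X-Jazz-CSRF-Prevent") == cookies.get("JSESSIONID")


if __name__ == "__main__":
    # Constructed session cookie for the demonstration.
    login_cookies = {"JSESSIONID": "EXAMPLE-SESSION-ID-0001"}
    headers = oslc_post_headers(login_cookies, user_agent="Mozilla/5.0")
    print("browser POST with header:", csrf_check_passes("POST", headers, login_cookies))
    headers.pop("X-Jazz-CSRF-Prevent")
    print("browser POST without header:", csrf_check_passes("POST", headers, login_cookies))
```

The mismatch case (header set but the session has since changed) also fails the check, which is why the header must be rebuilt from the cookie in force at the time of the POST, not cached from an earlier login.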
Comments
+1 on Lionel's answer.
This common pitfall is covered in this post as well:  http://sleroyblog.wordpress.com/2013/04/09/querying-rqm-40-through-oslc-and-rest-api/#PutPostSection