To prevent cross-site request forgery attacks, the IBM BPM Standard REST API operations require that the HTTP header BPMCSRFToken is set on every request. The client application must obtain the necessary token by calling the POST /bpm/system/login REST API with a JSON body like:
{"refresh-groups": false, "requested-lifetime": 7200}
refresh-groups: whether to refresh the group membership of the calling user as part of the login.
requested-lifetime: the number of seconds the token will be valid for. The default value is 7200 seconds (2 hours).
The token is returned as a string in the csrf_token property of the response object. Every subsequent call to an IBM BPM Standard REST API operation must include a valid token in the HTTP header BPMCSRFToken.
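As an added example (not the article's coach-view code), the handshake just described as a small client, together with a constructed in-memory stand-in for the BPM server so the exchange runs offline. The base URL, the /rest/bpm/example-operation path and the stand-in's behaviour are assumptions; only the login endpoint, the request body and the csrf_token / BPMCSRFToken names come from the article.

```javascript
const TOKEN_HEADER = "BPMCSRFToken";
class BpmCsrfClient {
  // transport(method, url, headers, body) -> {status, json}; injected so the
  // example runs offline (a real client would wrap XMLHttpRequest or fetch).
  constructor(baseUrl, transport, now = () => Date.now()) {
    Object.assign(this, { baseUrl, transport, now, token: null, expiresAt: 0 });
  }

  // POST /bpm/system/login with the documented body, keep csrf_token and
  // derive a local expiry from requested-lifetime (seconds).
  login(requestedLifetime = 7200, refreshGroups = false) {
    const body = { "refresh-groups": refreshGroups, "requested-lifetime": requestedLifetime };
    const res = this.transport("POST", this.baseUrl + "/bpm/system/login",
      { "Content-Type": "application/json", "Accept": "application/json" }, JSON.stringify(body));
    if (res.status !== 200) throw new Error("login failed: HTTP " + res.status);
    this.token = res.json.csrf_token;
    this.expiresAt = this.now() + requestedLifetime * 1000;
    return this.token;
  }

  // Every other call carries the token in the custom header (a forged cross-site
  // request can carry the victim's cookies but not this header); log in again
  // when the tracked lifetime is within 60 s of running out.
  request(method, path, body) {
    if (!this.token || this.now() >= this.expiresAt - 60000) this.login();
    const headers = { "Accept": "application/json", [TOKEN_HEADER]: this.token };
    return this.transport(method, this.baseUrl + path, headers, body);
  }
}

// Constructed stand-in for the BPM server (not IBM's implementation): issues
// sequential tokens and rejects any non-login call without a live token.
function makeFakeBpmServer() {
  const issued = new Map(); // token -> expiry in fake-clock ms
  let clock = 0, counter = 0;
  return {
    now: () => clock,
    advance(ms) { clock += ms; },
    transport(method, url, headers, body) {
      if (method === "POST" && url.endsWith("/bpm/system/login")) {
        const token = "token-" + (++counter);
        issued.set(token, clock + JSON.parse(body)["requested-lifetime"] * 1000);
        return { status: 200, json: { csrf_token: token } };
      }
      const t = headers[TOKEN_HEADER];
      if (!t || !(issued.get(t) > clock)) return { status: 403, json: { error: "missing or expired " + TOKEN_HEADER } };
      return { status: 200, json: { ok: true } };
    },
  };
}
```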
Let's create a human service that contains a "Get Token" button; clicking that button obtains the csrf_token. Create a private variable "token" to hold the value of the csrf_token and display it in the UI.
Then create a coach view with a configuration option "token", bound to the server-side variable of the human service. In this coach view we call the REST API when the coach's "Get Token" button is clicked.
In the view function of the coach view, implement the REST call:
var _this = this;

// Get the button node
var buttonNode = dojo.query("div[data-viewid='okbutton']")[0];

// Set the request body of the REST call
var input = {
    "refresh-groups": false,
    "requested-lifetime": 7200
};

// Button onclick function
buttonNode.onclick = function () {
    var csrfXhrArgs = {
        url: "https://atanu-dell:9443/bpm/system/login",
        headers: {
            "Accept": "application/json",
            "Accept-Language": "en-GB",
            "Content-Type": "application/json"
        },
        postData: JSON.stringify(input),
        handleAs: "json",
        load: function (data) {
            // Set the configuration option with the returned csrf_token
            _this.context.options.token.set("value", data.csrf_token);
        },
        error: function (e) {
            console.log("An error occurred while obtaining the csrf token - " + e);
        }
    };
    var xhrToGetCSRFToken = dojo.xhrPost(csrfXhrArgs);
};
Now place the coach view in the human service's coach and add an output text field to display the token obtained. Bind the token variable both to the configuration option of the coach view and to the output text field.
If I run the human service:
In the background:
https://www.ibm.com/support/knowledgecenter/en/SSFTN5_8.5.7/com.ibm.wbpm.main.doc/topics/stdrest_xsrf.html