Overview

Skill Level: Intermediate

IBM BPM, IBM BAW, IBM DBA

In this recipe we look at how IBM BPM prevents cross-site request forgery (CSRF) on its REST API and walk through obtaining the BPMCSRFToken that every IBM BPM Standard REST API call must carry.

Ingredients

IBM BPM

Step-by-step

  1. Overview of CSRF Token

    To prevent cross-site request forgery attacks, the IBM BPM Standard REST API operations require that the HTTP header BPMCSRFToken is set on every request. The client application must obtain the token by calling the POST /bpm/system/login REST API with a JSON body like the following:

    {
        "refresh-groups": false,
        "requested-lifetime": 7200
    }

    refresh-groups: When set to true, the calling user's group membership is refreshed when the token is issued; false leaves it as is.

    requested-lifetime: The number of seconds the token should remain valid. The default is 7200 seconds (2 hours).

    The token is returned as a string in the csrf_token property of the response object. Every subsequent call to an IBM BPM Standard REST API operation must include a valid token in the HTTP header BPMCSRFToken; a request without it is rejected. Treat the token like a session credential: keep it on the client, send it only in that header, and do not write it to logs.

  2. Create a human service

    Let's create a human service containing a "Get Token" button; clicking the button obtains the csrf_token. Create a private variable "token" to hold the value of the csrf_token and display it in the UI.

    image-1

    image-1-2

    image-2

  3. Create a coach view to make the REST call

    Then, create a coach view with a configuration option "token", which will be bound to the server-side variable of the human service. In this coach view we call the REST API when the "Get Token" button of the coach is clicked.

    In the View function of the coach view, let’s implement the REST call –

    var _this = this;

    // Get the button node (the coach view id of the button is "okbutton")
    var buttonNode = dojo.query("div[data-viewid='okbutton']")[0];

    // Request body of the login call (see step 1)
    var input = {
        "refresh-groups": false,
        "requested-lifetime": 7200
    };

    // Button onclick function
    buttonNode.onclick = function(){
        var csrfXhrArgs = {
            // Author's test server; a relative URL ("/bpm/system/login") also works
            // when the coach runs on the same server as the REST API
            url: "https://atanu-dell:9443/bpm/system/login",
            headers: {
                "Accept": "application/json",
                "Accept-Language": "en-GB",
                "Content-Type": "application/json"
            },
            postData: JSON.stringify(input),
            handleAs: "json",
            load: function(data){
                // Store the token in the "token" configuration option,
                // which is bound to the human service variable
                _this.context.options.token.set("value", data.csrf_token);
            },
            error: function(e){
                // Log the error only; the response body may contain the token
                console.log("An error occurred while obtaining the csrf token - " + e);
            }
        };
        dojo.xhrPost(csrfXhrArgs);
    };

  4. Final Assembly

    Now, place the coach view in the human service's coach and add an output text field to display the token obtained. Map the token variable to the configuration option of the coach view and to the output text field. Showing the token on screen is fine for this demo; in a real application keep it in memory and pass it only in the BPMCSRFToken header of later REST calls.

    image-3

    image-4

    image-5

  5. Let’s test the service

    If I run the human service –

    image-8

    image-10

    In the background –

    image-11

    image-12
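The complete flow of steps 1 to 5 (log in, read csrf_token, send BPMCSRFToken on every later call, log in again when the requested lifetime runs out) as a standalone client, written as an added example for this page and not code from the original recipe or from IBM. The host name, the REST path used for the follow-up call and the fake server are assumptions for offline use; the fake server only mimics the header check the recipe describes and does not reproduce IBM's real response bodies.

```javascript
// Added example (not from the original recipe): a minimal client for the
// BPMCSRFToken flow. The HTTP transport is injected so the logic runs
// offline against the constructed fake server at the bottom.

const BASE_URL = "https://bpm.example.com:9443"; // assumed host
const SAMPLE_PATH = "/rest/bpm/wle/v1/exposed/process"; // representative BPM REST path (assumed)

function buildLoginRequest(baseUrl, requestedLifetime, refreshGroups) {
  // Body documented in step 1: requested-lifetime is in seconds (default 7200)
  if (!Number.isInteger(requestedLifetime) || requestedLifetime <= 0) {
    throw new Error("requested-lifetime must be a positive integer");
  }
  return {
    method: "POST",
    url: baseUrl + "/bpm/system/login",
    headers: { "Accept": "application/json", "Content-Type": "application/json" },
    body: JSON.stringify({ "refresh-groups": !!refreshGroups, "requested-lifetime": requestedLifetime })
  };
}

function extractCsrfToken(responseText) {
  // The login response carries the token in csrf_token; reject anything else
  let parsed;
  try { parsed = JSON.parse(responseText); } catch (e) { throw new Error("login response is not JSON"); }
  if (typeof parsed.csrf_token !== "string" || parsed.csrf_token.length === 0) {
    throw new Error("login response has no csrf_token");
  }
  return parsed.csrf_token;
}

class BpmClient {
  constructor(baseUrl, transport, now) {
    this.baseUrl = baseUrl;
    this.transport = transport;                 // (request) => { status, body }
    this.now = now || (() => Date.now() / 1000); // seconds, injectable for tests
    this.token = null;
    this.expiresAt = 0;
  }

  login(requestedLifetime) {
    const lifetime = requestedLifetime || 7200;
    const res = this.transport(buildLoginRequest(this.baseUrl, lifetime, false));
    if (res.status !== 200) throw new Error("login failed with HTTP " + res.status);
    this.token = extractCsrfToken(res.body);
    // Renew 60 s early so a token never expires in the middle of a call
    this.expiresAt = this.now() + lifetime - 60;
    return this.token;
  }

  call(method, path, body) {
    if (!this.token || this.now() >= this.expiresAt) this.login();
    return this.transport({
      method: method,
      url: this.baseUrl + path,
      headers: {
        "Accept": "application/json",
        "Content-Type": "application/json",
        "BPMCSRFToken": this.token   // the header every REST call must carry
      },
      body: body === undefined ? null : JSON.stringify(body)
    });
  }
}

// Constructed fake server: issues tokens on POST /bpm/system/login and
// answers 403 to any other request lacking a token it issued.
function makeFakeBpmServer() {
  const issued = new Set();
  let counter = 0;
  return function transport(req) {
    if (req.method === "POST" && req.url.endsWith("/bpm/system/login")) {
      const body = JSON.parse(req.body);
      if (!Number.isInteger(body["requested-lifetime"])) return { status: 400, body: "{}" };
      const token = "tok-" + (++counter);
      issued.add(token);
      return { status: 200, body: JSON.stringify({ csrf_token: token }) };
    }
    if (!issued.has(req.headers["BPMCSRFToken"])) {
      return { status: 403, body: JSON.stringify({ error: "missing or invalid BPMCSRFToken" }) };
    }
    return { status: 200, body: JSON.stringify({ ok: true, path: req.url }) };
  };
}

// Walks the flow with a fake clock: first call logs in, a bare request is
// refused, and a call after the lifetime has passed obtains a fresh token.
function demo() {
  let clock = 1000;
  const server = makeFakeBpmServer();
  const client = new BpmClient(BASE_URL, server, () => clock);
  const withToken = client.call("GET", SAMPLE_PATH).status;
  const token1 = client.token;
  const bare = server({ method: "GET", url: BASE_URL + SAMPLE_PATH, headers: {}, body: null }).status;
  clock += 7200; // past expiresAt (1000 + 7200 - 60)
  client.call("GET", SAMPLE_PATH);
  return { withToken: withToken, bare: bare, token1: token1, token2: client.token };
}
```

To use it against a real server, replace the fake transport with one that performs the request (for example via dojo.xhr or fetch with the session cookie included) and returns `{ status, body }`; the token handling above stays the same.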

  6. Reference

    https://www.ibm.com/support/knowledgecenter/en/SSFTN5_8.5.7/com.ibm.wbpm.main.doc/topics/stdrest_xsrf.html
