Preventing cross-site request forgery
To prevent cross-site request forgery attacks, the Workflow REST API operations require that the HTTP header BPMCSRFToken is set with every request.

The client application must obtain the necessary token by calling the POST /bpm/system/login REST API with a JSON body that is similar to the following example.

    {
      "refresh-groups": false,
      "requested-lifetime": 7200
    }
Setting the refresh-groups property to false avoids the overhead that is associated with updating the group membership of the calling user, and requested-lifetime is the number of seconds for which the token is valid. If requested-lifetime is not specified in the request, the default of 7200 seconds is used, which is also the maximum permitted value. Request a shorter lifetime when the client only needs the token briefly, because a leaked token stays usable until it expires.

The token is returned as a string in the csrf_token property of the response object. Every call to a Workflow REST API operation must include a valid token in the HTTP header BPMCSRFToken.
Any attempt to call a Workflow REST API with an expired token fails with HTTP response code 403 and error_number CWTBG0651E in the response, which indicates that the token could not be verified and must be renewed. To retrieve a new token, the client application must call the /bpm/system/login API again. The client application can then use the new token to resubmit the failed request. A client should renew and resubmit once per failed request rather than retrying in a loop: a second CWTBG0651E for the same request with a freshly issued token indicates a problem other than token expiry.
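The following client illustrates the flow described above: log in to obtain the token, send it in the BPMCSRFToken header on every call, and on HTTP 403 with error_number CWTBG0651E log in again and resubmit the failed request once. This is an added example, not IBM's own client code. The HTTP transport is injected so that the module runs offline against the constructed FakeWorkflowServer; that fake server's response layout (error_number at the top level of the error body) and the /rest/bpm/wle/v1/... resource paths are assumptions made for illustration, and a real transport would also have to carry the user's session credentials alongside the CSRF token.

```python
"""Added example (not IBM's own code): BPMCSRFToken acquisition, use, and renewal."""
import time

LOGIN_PATH = "/bpm/system/login"
CSRF_HEADER = "BPMCSRFToken"
TOKEN_NOT_VERIFIED = "CWTBG0651E"
MAX_LIFETIME = 7200  # seconds; also the default when requested-lifetime is omitted


def error_number(resp):
    """Assumption for this example: the error body carries error_number at top level."""
    return resp.get("error_number")


class WorkflowClient:
    """Minimal client; transport(method, path, headers, body) -> (status, dict)."""

    def __init__(self, transport, requested_lifetime=MAX_LIFETIME, clock=time.time):
        if not 0 < requested_lifetime <= MAX_LIFETIME:
            raise ValueError("requested-lifetime must be between 1 and 7200 seconds")
        self._transport = transport
        self._lifetime = requested_lifetime
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.logins = 0

    def login(self):
        body = {"refresh-groups": False, "requested-lifetime": self._lifetime}
        status, resp = self._transport("POST", LOGIN_PATH, {}, body)
        if status != 200 or not isinstance(resp.get("csrf_token"), str):
            raise RuntimeError(f"login failed: HTTP {status} {resp}")
        self._token = resp["csrf_token"]
        # Track expiry locally so a token known to be stale is renewed before it
        # is sent; the server's 403 verdict is still handled in call().
        self._expires_at = self._clock() + self._lifetime
        self.logins += 1
        return self._token

    def call(self, method, path, body=None):
        if self._token is None or self._clock() >= self._expires_at:
            self.login()
        status, resp = self._send(method, path, body)
        if status == 403 and error_number(resp) == TOKEN_NOT_VERIFIED:
            # Token could not be verified: renew once and resubmit. No loop; a
            # second CWTBG0651E with a fresh token is not an expiry problem.
            self.login()
            status, resp = self._send(method, path, body)
        return status, resp

    def _send(self, method, path, body):
        return self._transport(method, path, {CSRF_HEADER: self._token}, body)


class FakeWorkflowServer:
    """Constructed stand-in so the example runs offline: issues tokens for the
    requested lifetime and rejects missing, unknown or expired tokens with
    403 / CWTBG0651E."""

    def __init__(self, clock):
        self._clock = clock
        self._tokens = {}  # token -> expiry time
        self._issued = 0
        self.log = []  # (method, path, outcome)

    def revoke_all(self):
        """Simulate the server no longer accepting any outstanding token."""
        self._tokens.clear()

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == LOGIN_PATH:
            requested = int((body or {}).get("requested-lifetime", MAX_LIFETIME))
            self._issued += 1
            token = f"token-{self._issued}"
            self._tokens[token] = self._clock() + min(requested, MAX_LIFETIME)
            self.log.append((method, path, "login"))
            return 200, {"csrf_token": token}
        token = headers.get(CSRF_HEADER)
        if token not in self._tokens or self._clock() >= self._tokens[token]:
            self.log.append((method, path, "403"))
            return 403, {"status": "error", "error_number": TOKEN_NOT_VERIFIED}
        self.log.append((method, path, "200"))
        return 200, {"status": "200", "data": {"path": path}}


def demo():
    """Exercise first login, server-side rejection with retry, and local expiry."""
    now = [1_700_000_000.0]  # constructed clock so expiry is deterministic

    def clock():
        return now[0]

    server = FakeWorkflowServer(clock)
    client = WorkflowClient(server, requested_lifetime=600, clock=clock)
    s1, _ = client.call("GET", "/rest/bpm/wle/v1/exposed/process")  # login, then 200
    server.revoke_all()                                                # token now unverifiable
    s2, _ = client.call("GET", "/rest/bpm/wle/v1/exposed/process")  # 403 -> login -> 200
    now[0] += 601                                                      # local lifetime passed
    s3, _ = client.call("POST", "/rest/bpm/wle/v1/process", {"bpdId": "x"})  # renewed first
    return {"statuses": [s1, s2, s3], "logins": client.logins,
            "outcomes": [outcome for _, _, outcome in server.log]}


if __name__ == "__main__":
    print(demo())
```

The local expiry bookkeeping is an optimisation: it avoids a round trip that is certain to fail. The 403 / CWTBG0651E handling is the part the page mandates, and it remains necessary because the server can stop accepting a token before the client's own clock says it has expired.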