Preventing cross site request forgery
To prevent cross site request forgery attacks, the Workflow REST API operations require that the HTTP header BPMCSRFToken is set with every request.
The client application must obtain the necessary token by calling the POST /bpm/system/login REST API with a JSON body that is similar to the following example.

    {
      "refresh-groups": false,
      "requested-lifetime": 7200
    }

Setting the value of the refresh-groups property to false avoids the overhead that is associated with updating the group membership for the calling user. The requested-lifetime property is the number of seconds for which the token is valid. If requested-lifetime is not specified in the request, the default of 7200 seconds is used, which is also the maximum permitted value.

The token is returned as a string in the csrf_token property of the response object. Every call to a Workflow REST API operation must include a valid token in the HTTP header BPMCSRFToken.
Any attempt to call a Workflow REST API with an expired token fails with HTTP response code 403
and error_number CWTBG0651E in the response, which indicates that the token could
not be verified and that the token must be renewed. To retrieve a new token, the client application
must call the /bpm/system/login API again. The client application can then use the
new token to resubmit the failed request.
Cloud environments: Client applications must use the following URL:

    https://subscription_hostname/cloud_offering/environment/bpm/system/login

where
- subscription_hostname can be one of the following values: bpm.ibmcloud.com or automationcloud.ibm.com
- cloud_offering can take one of the following values: baw for Business Automation Workflow on Cloud, or dba for cloud subscriptions with multiple IBM® Cloud Pak for Business Automation as a Service offerings, including Business Automation Workflow on Cloud
- environment has the value dev for the development environment, test for the test environment, or run for the production (runtime) environment. A token for one environment is not valid for another environment.
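The following client wrapper is an added example and is not IBM's code. It ties together the two parts of this page: building the cloud login URL from the documented subscription_hostname, cloud_offering and environment values, and the token life cycle (POST /bpm/system/login with refresh-groups and requested-lifetime, BPMCSRFToken on every call, one renewal and resubmission when a 403 response carries CWTBG0651E). The HTTP transport is injected so the flow runs offline against a constructed FakeWorkflowServer; that server, the request path /bpm/v1/constructed-path, and the exact JSON layout in which the real API reports error_number are assumptions, which is why the expiry check searches the serialised response body rather than one fixed field.

```python
"""Added example, not IBM's code: BPMCSRFToken acquisition and renewal for the
Workflow REST API, run offline against a constructed fake server."""
import json
from typing import Callable, Dict, Optional, Tuple

LOGIN_PATH = "/bpm/system/login"
TOKEN_HEADER = "BPMCSRFToken"
EXPIRED_TOKEN_ERROR = "CWTBG0651E"
MAX_LIFETIME = 7200  # default and maximum permitted requested-lifetime, in seconds

# Values documented for the cloud login URL.
SUBSCRIPTION_HOSTNAMES = {"bpm.ibmcloud.com", "automationcloud.ibm.com"}
CLOUD_OFFERINGS = {"baw", "dba"}
ENVIRONMENTS = {"dev", "test", "run"}

# A transport takes (method, url, headers, json_body) and returns (status, json_dict).
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


def cloud_login_url(subscription_hostname: str, cloud_offering: str, environment: str) -> str:
    """Build the cloud login URL, rejecting values outside the documented sets."""
    if subscription_hostname not in SUBSCRIPTION_HOSTNAMES:
        raise ValueError(f"unknown subscription hostname: {subscription_hostname}")
    if cloud_offering not in CLOUD_OFFERINGS:
        raise ValueError(f"unknown cloud offering: {cloud_offering}")
    if environment not in ENVIRONMENTS:
        raise ValueError(f"unknown environment: {environment}")
    return f"https://{subscription_hostname}/{cloud_offering}/{environment}{LOGIN_PATH}"


def login_body(requested_lifetime: int = MAX_LIFETIME) -> dict:
    """JSON body for /bpm/system/login; lifetimes above 7200 seconds are not permitted."""
    if not 1 <= requested_lifetime <= MAX_LIFETIME:
        raise ValueError(f"requested-lifetime must be between 1 and {MAX_LIFETIME}")
    return {"refresh-groups": False, "requested-lifetime": requested_lifetime}


def token_expired(status: int, body: dict) -> bool:
    """A 403 whose body carries CWTBG0651E means the token must be renewed.
    Assumption: the error number may sit at any depth of the response, so the
    serialised body is searched instead of one fixed field."""
    return status == 403 and EXPIRED_TOKEN_ERROR in json.dumps(body)


class WorkflowClient:
    def __init__(self, base_url: str, transport: Transport, requested_lifetime: int = MAX_LIFETIME):
        self.base_url = base_url.rstrip("/")
        self.transport = transport
        self.requested_lifetime = requested_lifetime
        self.token: Optional[str] = None

    def login(self) -> str:
        """Obtain a fresh token from /bpm/system/login and remember it."""
        status, body = self.transport("POST", self.base_url + LOGIN_PATH,
                                      {"Content-Type": "application/json"},
                                      login_body(self.requested_lifetime))
        if status != 200 or not isinstance(body.get("csrf_token"), str):
            raise RuntimeError(f"login failed: HTTP {status} {body}")
        self.token = body["csrf_token"]
        return self.token

    def _send(self, method: str, path: str, body: Optional[dict]) -> Tuple[int, dict]:
        headers = {TOKEN_HEADER: self.token, "Content-Type": "application/json"}
        return self.transport(method, self.base_url + path, headers, body)

    def call(self, method: str, path: str, body: Optional[dict] = None) -> Tuple[int, dict]:
        """Send a request with BPMCSRFToken; on CWTBG0651E renew the token once and resubmit."""
        if self.token is None:
            self.login()
        status, resp = self._send(method, path, body)
        if token_expired(status, resp):
            self.login()
            status, resp = self._send(method, path, body)
        return status, resp


class FakeWorkflowServer:
    """Constructed stand-in for the server so the example runs offline: issues
    tokens, answers unknown or revoked tokens with 403 / CWTBG0651E, and can
    expire every token on demand. Its response layout is an assumption."""
    def __init__(self):
        self.issued = 0
        self.valid_tokens = set()

    def expire_all(self):
        self.valid_tokens.clear()

    def __call__(self, method, url, headers, body):
        if method == "POST" and url.endswith(LOGIN_PATH):
            self.issued += 1
            token = f"constructed-token-{self.issued}"
            self.valid_tokens.add(token)
            return 200, {"csrf_token": token, "expiration": body["requested-lifetime"]}
        if headers.get(TOKEN_HEADER) not in self.valid_tokens:
            return 403, {"error_number": EXPIRED_TOKEN_ERROR, "message": "token could not be verified"}
        return 200, {"status": "200", "url": url}


def demo() -> dict:
    """Login, call, forced expiry, automatic renewal and resubmission."""
    server = FakeWorkflowServer()
    client = WorkflowClient("https://bpm.ibmcloud.com/baw/dev", server)
    first, _ = client.call("GET", "/bpm/v1/constructed-path")   # constructed path
    server.expire_all()                                          # simulate token expiry
    second, _ = client.call("GET", "/bpm/v1/constructed-path")  # 403 -> renew -> 200
    return {"first": first, "second": second, "logins": server.issued}


if __name__ == "__main__":
    print(demo())
```

Because a token is bound to one environment, a client that talks to dev and test should hold one WorkflowClient per base URL rather than reusing a single token across them.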