Requesting and submitting a CSRF token

Content Platform for Cloud Scale Management API Reference

Version: 2.5.x
Audience: anonymous
Part Number: MK-HCPCS007-08

To protect against cross-site request forgery, the Object Storage Management MAPI requires an XSRF token and a Vert.x web session token in all requests. A MAPI method is provided to return the tokens in cookies for use in subsequent MAPI calls.

The Object Storage Management MAPI requires you to pass the XSRF token in the request header, and the XSRF token and Vert.x web session information as cookies, within each request. A request that does not include the tokens fails with a 401 (invalid) error.

Tip: The XSRF token has a limited lifetime, so it's best to obtain a fresh token before issuing every group of requests.

To obtain the token and session information and pass them as part of a request:

  1. Use the MAPI method csrf to obtain the XSRF token and Vert.x web session information:

     GET https://10.10.24.195:9099/mapi/v1/csrf

     The XSRF token is returned as a cookie named XSRF-TOKEN and the Vert.x session token is returned as a cookie named vertx-web.session.
  2. Use the cookies in subsequent requests.

This example includes a set of commands that does the following:

  1. Calls the MAPI method csrf and stores the response in a variable named cookieResponse
  2. Finds the XSRF-TOKEN key string in the value stored in cookieResponse, extracts the value for that key, and stores it in a variable named xsrf
  3. Finds the vertx-web.session key string in the value stored in cookieResponse, extracts the value for that key, and stores it in a variable named vertx
  4. Combines the extracted XSRF and Vert.x tokens into a cookie string stored in a variable named cookie
  5. Passes the XSRF token and the cookie as part of a request to obtain S3 authorization, and saves the results in a variable named token
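
# Assumes ${cluster}, ${user} and ${realm} are already set in the shell.
echo "Generating credentials for ${user}"
# -c - writes the received cookies to stdout in cookie-jar format.
# -k disables TLS certificate verification; omit it when the client trusts the cluster certificate.
cookieResponse=$(curl -s -kc - "https://${cluster}:9099/mapi/v1/csrf")
# Field 7 of each tab-separated cookie-jar line is the cookie value.
xsrf=$(echo "${cookieResponse}" | grep XSRF-TOKEN | cut -d$'\t' -f 7)
vertx=$(echo "${cookieResponse}" | grep vertx-web.session | cut -d$'\t' -f 7)
cookie="XSRF-TOKEN=${xsrf}; vertx-web.session=${vertx}"
# Send the token both as the X-XSRF-TOKEN header and inside the cookie.
token=$(curl -s -H "X-XSRF-TOKEN: ${xsrf}" -b "${cookie}" \
  -d "grant_type=password&username=${user}&password=password&realm=${realm}" \
  "http://${cluster}:8889/api/foundry/security/oauth/token" | python3 -m json.tool \
  | grep access_token | cut -d: -f2 | cut -d\" -f2)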
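
The commands above pick the cookies out with grep, which matches the name anywhere on a line. The following added example (not part of the product documentation) parses the same `curl -c -` output by exact cookie name and stops if either token is missing. The host, the cookie values and the function names jar_value and build_csrf_args are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-name parsing of `curl -c -` cookie-jar output.

# Constructed sample of the jar text the csrf call writes to stdout
# (tab-separated Netscape format; host and values are made up).
sample_jar=$(
  printf '# Netscape HTTP Cookie File\n\n'
  printf '#HttpOnly_cluster.example\tFALSE\t/\tTRUE\t0\tvertx-web.session\tsess-1234\n'
  printf 'cluster.example\tFALSE\t/\tTRUE\t0\tXSRF-TOKEN\txsrf-abcd\n'
)

# jar_value NAME: print the value of cookie NAME from jar text on stdin.
# Compares field 6 (the cookie name) exactly and accepts curl's
# "#HttpOnly_" domain prefix; exits non-zero if the cookie is absent.
jar_value() {
  awk -F '\t' -v name="$1" '
    { sub(/^#HttpOnly_/, "") }
    /^#/ || NF != 7 { next }
    $6 == name { value = $7; found = 1 }
    END { if (!found) exit 1; print value }
  '
}

# build_csrf_args JAR: set csrf_header and csrf_cookie from jar text, or
# return 1 so the caller stops before sending a request the MAPI would reject.
build_csrf_args() {
  xsrf=$(printf '%s\n' "$1" | jar_value XSRF-TOKEN) || return 1
  vertx=$(printf '%s\n' "$1" | jar_value vertx-web.session) || return 1
  [ -n "$xsrf" ] && [ -n "$vertx" ] || return 1
  csrf_header="X-XSRF-TOKEN: ${xsrf}"
  csrf_cookie="XSRF-TOKEN=${xsrf}; vertx-web.session=${vertx}"
}

# Against a live cluster the jar would come from the page's csrf call and the
# results would be passed as: curl -H "$csrf_header" -b "$csrf_cookie" ...
if build_csrf_args "$sample_jar"; then
  printf '%s\n%s\n' "$csrf_header" "$csrf_cookie"
else
  echo "CSRF or session cookie missing from response" >&2
fi
```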