How to develop an HTTP POST method in Java Classes - REST Resources (Extend BasePluginResource)?

@ffalcitelli -
This may be due to the CSRF (Cross-Site Request Forgery) protection enforced by SailPoint IdentityIQ’s RestCsrfValidationFilter. This filter is designed to prevent CSRF attacks by validating requests to REST endpoints, and it can block POST and PUT requests if they do not include a valid CSRF token.

Understanding the Issue:

  • GET Requests Work: Your GET methods work fine because the CSRF filter allows GET requests without validation, or they are ignored via the ignoredPaths parameter.
  • POST Requests Fail with 405: Your POST request returns a 405 Method Not Allowed, maybe because the CSRF filter is blocking it due to a missing or invalid CSRF token.

Why the CSRF Filter is Blocking Your Request:

In your web.xml, you have the following configuration:

<!--
  REST CSRF validation filter. Remove the following filter and filter mappings to disable CSRF validation for 
  REST apis.
-->

<filter>
  <filter-name>restCsrfValidationFilter</filter-name>
  <filter-class>
    sailpoint.rest.RestCsrfValidationFilter
  </filter-class>
  <!-- The list of GET paths to ignore in Csrf validation. Note: POST and PUT paths are never ignored. -->
  <init-param>
    <param-name>ignoredPaths</param-name>
    <param-value>/rest/report, /rest/image, /ui/rest/redirect, /ui/rest/certifications/export, ui/rest/redirect/hash, /ui/rest/accessHistory/export</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>restCsrfValidationFilter</filter-name>
  <url-pattern>/rest/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>restCsrfValidationFilter</filter-name>
  <url-pattern>/ui/rest/*</url-pattern>
</filter-mapping>

<filter-mapping>
  <filter-name>restCsrfValidationFilter</filter-name>
  <url-pattern>/plugin/rest/*</url-pattern>
</filter-mapping>

  • The filter applies to /plugin/rest/*, which includes your endpoint.
  • According to the comment, POST and PUT methods are never ignored by the ignoredPaths parameter.
  • Therefore, any POST request to your REST endpoints must pass CSRF validation.

For Testing Purposes, We Can Include a Valid CSRF Token in Your POST Request:

To satisfy the CSRF filter, you need to include a valid CSRF token in your POST request.

Steps to Obtain and Include the CSRF Token:

  1. Make an Initial GET Request to Obtain the CSRF Token:
    • Perform a GET request to any endpoint (e.g., your login endpoint or any public API).
    • The CSRF token is typically provided in a cookie named CSRF-TOKEN or in a response header. For testing purposes, you can use Chrome developer tools.
  2. Extract the CSRF Token:
    • In Postman, after the GET request, go to the Cookies tab and look for CSRF-TOKEN.
    • Alternatively, check the Headers tab for any CSRF token information.
  3. Include the CSRF Token in Your POST Request:
    • Add a Header to Your POST Request:
      CSRF-TOKEN: [your_csrf_token_value]
    • Ensure Cookies are Sent:
      • In Postman, enable the option to Automatically follow redirects and Send cookies.
    • Include the CSRF Token as a Cookie (if required):
      • Add the CSRF-TOKEN cookie with the obtained value.

Let me know the outcome.
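
The three steps above as a scripted client, added here as an illustration; it is not part of the original reply and not SailPoint code. It runs against a constructed local stand-in server: the `CSRF-TOKEN` name is taken from the post, while the endpoint path, the stand-in's validation logic and its 403 rejection status are assumptions.

```python
import http.client, http.cookies, secrets, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_NAME = "CSRF-TOKEN"  # cookie/header name as given in the post; an assumption here

class StandInFilter(BaseHTTPRequestHandler):
    """Constructed stand-in for a CSRF check; not SailPoint's filter code."""
    issued = set()  # tokens this stand-in has handed out
    def log_message(self, *args): pass  # silence request logging
    def _reply(self, status, cookie=None):
        self.send_response(status)
        if cookie:
            self.send_header("Set-Cookie", f"{TOKEN_NAME}={cookie}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()
    def do_GET(self):  # GET is not validated and issues the token cookie
        token = secrets.token_hex(16)
        self.issued.add(token)
        self._reply(200, cookie=token)
    def do_POST(self):  # POST must present a token that was issued
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get(TOKEN_NAME) in self.issued
        self._reply(200 if ok else 403)  # 403 is this stand-in's choice

def send(addr, method, path, body=None, headers=None):
    conn = http.client.HTTPConnection(*addr)
    conn.request(method, path, body=body, headers=headers or {})
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status, resp.getheader("Set-Cookie", "")

def fetch_token(addr, path):
    """Steps 1-2: GET, then read the token from the Set-Cookie header."""
    jar = http.cookies.SimpleCookie(send(addr, "GET", path)[1])
    return jar[TOKEN_NAME].value if TOKEN_NAME in jar else None

def post(addr, path, body, token=None):
    """Step 3: POST with the token as both header and cookie."""
    headers = {TOKEN_NAME: token, "Cookie": f"{TOKEN_NAME}={token}"} if token else {}
    return send(addr, "POST", path, body, headers)[0]

def demo(path="/plugin/rest/example"):  # hypothetical endpoint path
    server = HTTPServer(("127.0.0.1", 0), StandInFilter)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    addr = server.server_address
    token = fetch_token(addr, path)
    result = tuple(post(addr, path, b"{}", t) for t in (None, "forged", token))
    server.shutdown()
    return result
```

`demo()` returns the POST status for no token, a made-up token, and the token obtained from the GET, in that order; only the last is accepted by the stand-in.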