I have a somewhat strange issue.
I have made a REST service in Confluence via Scriptrunner as in https://scriptrunner.adaptavist.com/latest/confluence/rest-endpoints.html
<code>
import com.onresolve.scriptrunner.runner.rest.common.CustomEndpointDelegate
import groovy.transform.BaseScript
import javax.ws.rs.core.MultivaluedMap

@BaseScript CustomEndpointDelegate delegate

analytics(
    httpMethod: "POST"
) { MultivaluedMap queryParams, String body ->
    ...
}
</code>
Using curl from my mac it works, I can pass the body:
curl -X POST -H "Content-type: text/json" --data "@analytics.json" http://www.mos-eisley.dk/rest/scriptrunner/latest/custom/analytics
But if I run some JavaScript from a Confluence page (the same Confluence), I get a 500 "XSRF check failed" back:
<log>
2017-04-06 19:35:06,777 WARN [http-nio-8090-exec-300] [common.security.jersey.XsrfResourceFilter] passesAllXsrfChecks XSRF checks failed for request: http://www.mos-eisley.dk/rest/scriptrunner/latest/custom/analytics , origin: http://www.mos-eisley.dk , referrer: http://www.mos-eisley.dk/
-- referer: http://www.mos-eisley.dk/ | url: /rest/scriptrunner/latest/custom/analytics | traceId: cc342232a91476ac | userName: anonymous
</log>
The script is very simple:
<code>
var localJSONData = '{"ipaddress":"10.0.0.1"}';
AJS.$.ajax({
    data: localJSONData,
    type: 'POST',
    url: 'http://www.mos-eisley.dk/rest/scriptrunner/latest/custom/analytics',
    // 'text/json' is not a jQuery dataType value; 'json' parses the response body.
    // No contentType is set, so jQuery sends the body with its default
    // application/x-www-form-urlencoded type rather than as JSON.
    dataType: 'json',
    success: function (data1) {
        // response handling goes here
    }
});
</code>
All the normal XSRF checks are done (Apache reverse proxy, etc.):
<code>
<Connector port="8090" connectionTimeout="20000" redirectPort="8443"
           maxThreads="48" minSpareThreads="10"
           enableLookups="false" acceptCount="10" debug="0" URIEncoding="UTF-8"
           protocol="org.apache.coyote.http11.Http11NioProtocol" compression="on"
           scheme="http" proxyName="www.mos-eisley.dk" proxyPort="80"
           compressableMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/gif,image/jpg,image/png" />
</code>
Additional checks appear to be made if the request is initiated from a browser. I can't test this right now but it looks like you can replace AJS.$.ajax with AJS.safe.ajax() - source: https://developer.atlassian.com/confdev/confluence-plugin-guide/writing-confluence-plugins/form-token-handling#FormTokenHandling-ProvidingthetokeninAJAXcalls
If all else fails you should be able to use a GET, at least to check that that works.
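The behaviour the answer describes, as an added example that is not part of the original question or answer and is not Atlassian's or ScriptRunner's code: a simplified model of the server-side XSRF decision that reproduces what the log shows (curl with no Origin/Referer gets through, the same POST from a page script is rejected, a request carrying the documented opt-out header `X-Atlassian-Token: no-check`, which is what `AJS.safe.ajax` attaches, gets through), plus the client-side option object the safe call would send. The decision rules in `passesXsrfCheck` are an assumption for illustration, not the real `XsrfResourceFilter` logic, and the three request objects are constructed to mirror the question.

```javascript
// Added example, not code from the question, the answer, Atlassian or ScriptRunner.
// The decision rules below are a simplified ASSUMPTION chosen to match the log
// in the question; the real XsrfResourceFilter applies more rules than these.

const BASE_URL = 'http://www.mos-eisley.dk';                          // from the question
const ENDPOINT = BASE_URL + '/rest/scriptrunner/latest/custom/analytics';

// Lower-case header names so lookups are case-insensitive, as HTTP requires.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = value;
  }
  return out;
}

// A request carrying Origin or Referer was sent by a browser on behalf of a
// page; curl and other non-browser clients normally send neither.
function isBrowserOriginated(headers) {
  return 'origin' in headers || 'referer' in headers;
}

// Simplified model of the server-side XSRF decision (assumption, see above).
function passesXsrfCheck(req) {
  const method = req.method.toUpperCase();
  const h = normalizeHeaders(req.headers);
  if (['GET', 'HEAD', 'OPTIONS'].includes(method)) {
    return { ok: true, reason: 'non-mutating method' };
  }
  if (h['x-atlassian-token'] === 'no-check') {
    return { ok: true, reason: 'X-Atlassian-Token: no-check present' };
  }
  if (!isBrowserOriginated(h)) {
    return { ok: true, reason: 'no Origin/Referer: not a browser request' };
  }
  // This branch corresponds to the WARN line in the log: a browser-originated
  // mutating request without the opt-out header.
  return {
    ok: false,
    reason: 'XSRF checks failed for request: ' + req.url +
            ' , origin: ' + (h.origin || '-') + ' , referrer: ' + (h.referer || '-'),
  };
}

// Client side: the option object AJS.safe.ajax would hand to jQuery for the
// same call, with the body sent as JSON and the opt-out header attached.
function safeAjaxOptions(url, bodyObject) {
  return {
    type: 'POST',
    url: url,
    data: JSON.stringify(bodyObject),
    contentType: 'application/json',
    dataType: 'json',
    headers: { 'X-Atlassian-Token': 'no-check' },
  };
}

// Three constructed requests mirroring the question: curl from a shell,
// the page script as posted, and the page script rewritten via safeAjaxOptions.
function curlRequest() {
  return { method: 'POST', url: ENDPOINT,
           headers: { 'Content-Type': 'text/json' } };
}

function pageScriptRequest() {
  // jQuery's default contentType, plus the Origin/Referer a browser adds.
  return { method: 'POST', url: ENDPOINT,
           headers: { Origin: BASE_URL, Referer: BASE_URL + '/',
                      'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' } };
}

function safeAjaxRequest() {
  const opts = safeAjaxOptions(ENDPOINT, { ipaddress: '10.0.0.1' });
  return { method: opts.type, url: opts.url,
           headers: Object.assign({ Origin: BASE_URL, Referer: BASE_URL + '/',
                                    'Content-Type': opts.contentType }, opts.headers) };
}

console.log(passesXsrfCheck(curlRequest()).reason);
console.log(passesXsrfCheck(pageScriptRequest()).reason);
console.log(passesXsrfCheck(safeAjaxRequest()).reason);
```

The opt-out header is a sound CSRF defence for an XHR call only because a page on another origin cannot attach a custom header without a CORS preflight, which the server would not approve; the endpoint still executes as whichever user the session cookie identifies, so opting the call out of the token check does not change who the request runs as.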