Pushing resources to the APIM 2.0.0 registry with the Java API fails. Unable to push a resource to the WSO2 API Manager v2.0.0 registry using the Java API.
The same code succeeds against APIM 1.10.0.
Example code to reproduce is of this kind:
import java.io.File;
import java.net.URL;
import org.wso2.carbon.registry.app.RemoteRegistry;
import org.wso2.carbon.registry.core.utils.RegistryClientUtils;

String tenantDomain = "mytenant.com";
// Tenant-qualified registry endpoint of the APIM node
String url = "https://localhost:9443/t/" + tenantDomain + "/registry";
String userName = "[email protected]";
String password = "admin";
System.setProperty("carbon.repo.write.mode", "true");
// Get the file which needs to be added to the registry
File file = new File("/home/bob/Desktop/myPayload.json");
// Remote registry client authenticating with basic credentials
RemoteRegistry remote_registry = new RemoteRegistry(new URL(url), userName, password);
// Import the file into the config registry
RegistryClientUtils.importToRegistry(file, "/_system/config", remote_registry);
// Export from the registry
// RegistryClientUtils.exportFromRegistry(file, "/_system/governance/SomePayload.json", remote_registry);
The call RegistryClientUtils.importToRegistry(file, "/_system/config", remote_registry);
fails. The same code against APIM 1.10.0 works fine, as it always has with other products such as ESB.
A typical exception is:
Caused by: org.wso2.carbon.registry.core.exceptions.RegistryException: Add resource fail. Suggested Path: /_system/governance/apimgt/applicationdata/customdata/somedata, Response Status: 403, Response Type: CLIENT_ERROR
    at org.wso2.carbon.registry.app.RemoteRegistry.put(RemoteRegistry.java:543)
    at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:113)
    at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
    at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
    at org.wso2.carbon.registry.core.utils.RegistryClientUtils.processImport(RegistryClientUtils.java:102)
    at org.wso2.carbon.registry.core.utils.RegistryClientUtils.importToRegistry(RegistryClientUtils.java:65)
Whereas in the APIM 2.0.0 logs we typically see:
[2016-08-18 15:57:34,699] WARN - JavaLogger potential cross-site request forgery (CSRF) attack thwarted (user:, ip:127.0.0.1, method:POST, uri:/registry/atom/_system/governance/apimgt/applicationdata/customdata/somedata, error:required token is missing from the request)
Thanks. I have tried that, but to no avail. It seems to depend on the HTTP Referer header. Are you sure the registry API code is setting it? – maddaneccles
The information at [link](https://docs.wso2.com/display/IS500/Mitigating+Cross+Site+Request+Forgery+(CSRF)+Attacks) states: the tag contains a list of sources associated with legitimate requests, so that the Valve can check the Referer header to verify that the request originates from a server included in the whitelist. I have confirmed that (as expected) there is no Referer HTTP header in the requests generated by the registry API. – maddaneccles
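To make the failure mode in the question and the comment concrete, here is a simplified model of the check the thread describes: a state-changing request is accepted only if it carries the expected CSRF token or a Referer whose host is in a whitelist, otherwise it is rejected with the "required token is missing from the request" reason seen in the APIM log. This is example code added here, not WSO2's valve implementation; the token header name `X-CSRF-Token`, the token value, the whitelist contents and the request samples are all constructed assumptions, and the request a `RemoteRegistry` client sends is modelled as a POST with neither header, which is what the second comment reports observing.

```python
from urllib.parse import urlsplit

# Constructed configuration for this example (assumptions, not WSO2 settings):
# the per-session token the check expects, and the hosts from which
# legitimate browser requests to the registry are expected to originate.
EXPECTED_TOKEN = "c0ffee"
TRUSTED_HOSTS = {"localhost:9443"}
# Methods that change state and are therefore subject to the check.
PROTECTED_METHODS = {"POST", "PUT", "DELETE"}


def csrf_check(method, headers):
    """Return (allowed, reason) for one request.

    Decision order, as a simplified model of a token-or-referer-whitelist check:
      1. safe methods pass untouched;
      2. a request presenting the expected token passes;
      3. otherwise a Referer whose host is whitelisted vouches for the request;
      4. no token and no Referer is the case the registry client hits.
    """
    if method.upper() not in PROTECTED_METHODS:
        return True, "safe method"
    # Header names are case-insensitive; normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("x-csrf-token") == EXPECTED_TOKEN:
        return True, "valid token"
    referer = h.get("referer")
    if referer is None:
        return False, "required token is missing from the request"
    host = urlsplit(referer).netloc
    if host in TRUSTED_HOSTS:
        return True, "referer %s is whitelisted" % host
    return False, "referer %s is not whitelisted" % host


def warn_line(ip, method, uri, error, user=""):
    """Render a rejection in the shape of the WARN line quoted in the question."""
    return ("potential cross-site request forgery (CSRF) attack thwarted "
            "(user:%s, ip:%s, method:%s, uri:%s, error:%s)"
            % (user, ip, method, uri, error))


# Constructed sample requests: the registry client's PUT-via-POST with no
# Referer and no token, a browser form submit from the Carbon console, a
# cross-site submit, and a read-only GET.
REGISTRY_URI = "/registry/atom/_system/governance/apimgt/applicationdata/customdata/somedata"
SAMPLES = [
    ("POST", REGISTRY_URI, {"Content-Type": "application/atom+xml"}),
    ("POST", "/carbon/resources/add_resource_ajaxprocessor.jsp",
     {"Referer": "https://localhost:9443/carbon/resources/resource.jsp"}),
    ("POST", REGISTRY_URI, {"Referer": "https://attacker.example/upload.html"}),
    ("GET", REGISTRY_URI, {}),
]


def run_samples(samples=SAMPLES, ip="127.0.0.1"):
    """Apply csrf_check to each sample; return the WARN lines for rejected ones."""
    rejected = []
    for method, uri, headers in samples:
        allowed, reason = csrf_check(method, headers)
        if not allowed:
            rejected.append(warn_line(ip, method, uri, reason))
    return rejected


if __name__ == "__main__":
    for line in run_samples():
        print("WARN -", line)
```

The first sample reproduces the situation in the thread: the registry API's HTTP request carries no Referer, so the whitelist can never apply to it, and without a token the only remaining outcome is the 403 the client surfaces as `Add resource fail`. Adding a Referer that points at a whitelisted host is what would let the same request through under this model.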