JR55834 enhances token-based CSRF protection on REST APIs when cookies are used for
authentication and the corresponding WCToken and WCTrustedToken parameters are not
provided.
Before you begin
Install the interim fix for JR55834. For information about how to install an interim fix, see
About this task
A new configuration, AuthTokenEnabled, is created, which you can set in the wc-component.xml file. The new configuration determines whether the WCAuthToken HTTP header field is required for DELETE/PUT/POST calls when cookies are used for authentication. Its value must be equal to the authToken request attribute that is set by the store runtime.
Procedure
- Create a custom foundation component configuration file (wc-component.xml), if one does not exist.
- In your extended configuration, add the AuthTokenEnabled property to the REST configgroup. For example:
<_config:configgrouping name="REST">
<!--
Determines if the WCAuthToken HTTP header field is required for DELETE/PUT/POST calls when cookies are used for authentication.
Its value must be equal to the authToken request attribute set by the store runtime.
-->
<_config:property name="AuthTokenEnabled" value="false"/>
</_config:configgrouping>
- Save and close the extended configuration file.
- Test your configuration changes.
- Deploy your changes to the production environment.
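As an added illustration of the decision this setting controls (not WebSphere Commerce code), the following Python models the check described above: the WCAuthToken header is enforced only when AuthTokenEnabled is true, the method is DELETE, PUT or POST, the request is cookie-authenticated, and the WCToken/WCTrustedToken parameters are absent. The `<root>` wrapper and the `xmlns:_config` URI in the sample configuration are placeholders, and `expected_auth_token` stands in for the authToken request attribute that the store runtime sets.

```python
import hmac
import xml.etree.ElementTree as ET

UNSAFE_METHODS = {"DELETE", "PUT", "POST"}

# Constructed wc-component.xml fragment. The <root> wrapper and the
# xmlns:_config URI are placeholders so ElementTree can resolve the prefix.
SAMPLE_CONFIG = """<root xmlns:_config="urn:placeholder:wc-config">
  <_config:configgrouping name="REST">
    <_config:property name="AuthTokenEnabled" value="true"/>
  </_config:configgrouping>
</root>"""

NS = {"_config": "urn:placeholder:wc-config"}


def read_auth_token_enabled(xml_text):
    """Read AuthTokenEnabled from the REST configgrouping (absent -> False, an assumption)."""
    root = ET.fromstring(xml_text)
    for group in root.findall(".//_config:configgrouping", NS):
        if group.get("name") != "REST":
            continue
        for prop in group.findall("_config:property", NS):
            if prop.get("name") == "AuthTokenEnabled":
                return prop.get("value", "false").strip().lower() == "true"
    return False


def wc_auth_token_check(method, headers, params, cookie_authenticated,
                        expected_auth_token, auth_token_enabled):
    """Return (allowed, reason). expected_auth_token stands in for the authToken
    request attribute set by the store runtime (assumed input to this model)."""
    if not auth_token_enabled:
        return True, "AuthTokenEnabled is false; header not enforced"
    if method.upper() not in UNSAFE_METHODS:
        return True, "method not subject to the check"
    if not cookie_authenticated:
        return True, "request not authenticated by cookies"
    if "WCToken" in params and "WCTrustedToken" in params:
        return True, "WCToken and WCTrustedToken supplied"
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get("wcauthtoken")
    if presented is None:
        return False, "WCAuthToken header missing"
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(presented.encode(), expected_auth_token.encode()):
        return False, "WCAuthToken does not match authToken"
    return True, "WCAuthToken matches authToken"
```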