WSO2TORIAL Deploying CARS using WSO2 DSS 3.5.1 and DSS Tooling

Posted by Rob Blaauboer on 16 Feb, 2017
Find me on:

WSO2 Data Services Server (WSO2 DSS) is a great tool to enable SOAP, REST and ODATA access to datasources like databases, XLS files and so on.

However, when using the current out of the box (downloaded) DSS and tooling version we find that we cannot deploy a CAR file from Developer Studio. It is possible to export a CAR file and manually deploy that to the DSS by uploading it through  the Management UI.

Let’s take a look what goes wrong when trying to deploy a car file.

First start eclipse:

Start eclipse - WSO2 Tutorial Deploying CARS using DSS.png

We will create a simple Data Service with an added WS-Security policy, The reason to include this policy is that the Developer Studio is the only way to add this since adding security is no longer available through the management UI.

Lets first start up a DSS server. We only have the possibility to link to a remote server.

Define a new server - WSO2 Tutorial Deploying CARS using DSS.png

Click remote server and fill in the details, in this case I am running it on localhost:9443.

Remote Carbon Server - WSO2 Tutorial Deploying CARS using DSS.png

We can connect to the remote server so that is up and running.

Lets create a test project first to house the data service.

Data Services Project - WSO2 Tutorial Deploying CARS using DSS.png

I will import an existing Data Service since this article is about deployment, not so much about creating a Data Service.

Data Service Artifact Creation Options - WSO2 Tutorial Deploying CARS Using DSS.png

Create Data Service Using descriptor file - WSO2 Tutorial Deploying CARS using DSS.png

And the WS Security Policy imported from a file as well. Keep in mind that creating a project first and then a resource it the best way to do it, rather than the option to Create New Project  when creating a resource. It is a question of procedure, first a project, after that the resource.

Create a Registry Resource using a resource file - WSO2 Tutorial Deploying CARS using DSS.png

A Carbon APP is needed to deploy to the server. Set the Server Role to Data ServicesServer on the Security Policy in order to deploy.

TEST CAR -  WSO2 Tutorial Deploying CARS using DSS.png

Select the CAR file to deploy to the Server

Modify the resources that are configured on the server - WSO2 Tutorial Deploying CARS using DSS.png

The result is an error message on the console

WARN {org.owasp.csrfguard.log.JavaLogger} -  potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:, method:POST, uri://services/CarbonAppUploader, error:required token is missing from the request)

As you can see, REST is used to activate the upload function and it triggers a warning and error since it looks like a CSRF attack. The CAR file is not deployed because of the error.


The solution is simple: add POST as an allowed method to the csrfguard configuration In the

[wso2dss-3.5.1 HOME]\repository\conf\security\ file.


# WSO2 : Since state-changing operations are not performed via HTTP GET,
# disabling CSRF validation for GET method.
org.owasp.csrfguard.UnprotectedMethods=GET, POST

org.owasp.csrfguard.UnprotectedMethods=GET, POST - WSO2 Tutorial Deploying CARS Using DSS.png

Restart the DSS and the CAR file is now allowed to be deployed.

Carbon Applications List - WSO2 Tutorial Deploying CARS using DSS.png

If you have any questions about this blogpost contact us via the comments section of this blog. View also our WSO2 Tutorialswebinars or white papers for more technical information. Need support? We do deliver WSO2 Product Support, WSO2 Development SupportWSO2 Operational Support and WSO2 Training Programs. 

Thanks to Thijs Volders for his contribution to this blog.

Digital Transformation


Topics: WSO2 DSS

Written by Rob Blaauboer

Rob Blaauboer
Rob is a Senior Business Consultant and Solution Architect with more than twenty years experience. In addition to his work he is an active blogger working on a number of articles on the ‘Internet of Things’ and a WSO2 ‘Getting Started with …’ series (WSO2 tutorial) in which he talks about WSO2 components and their purpose especially aimed at non technical readers. Rob is a WSO2 expert and official WSO2 trainer.

Find me on: