WSO2 Data Services Server (WSO2 DSS) is a great tool to enable SOAP, REST and ODATA access to datasources like databases, XLS files and so on.
However, when using the current out-of-the-box (downloaded) DSS and tooling version, we find that we cannot deploy a CAR file from Developer Studio. It is possible to export a CAR file and manually deploy that to the DSS by uploading it through the Management UI.
Let's take a look at what goes wrong when trying to deploy a CAR file.
First, start Eclipse:
We will create a simple Data Service with an added WS-Security policy. The reason to include this policy is that Developer Studio is the only way to add it, since adding security is no longer available through the Management UI.
Let's first start up a DSS server. We only have the possibility to link to a remote server.
Click remote server and fill in the details; in this case I am running it on localhost:9443.
We can connect to the remote server, so it is up and running.
Let's create a test project first to house the data service.
I will import an existing Data Service since this article is about deployment, not so much about creating a Data Service.
The WS-Security policy is imported from a file as well. Keep in mind that creating a project first and then a resource is the best way to do it, rather than using the option to Create New Project when creating a resource. It is a question of procedure: first a project, after that the resource.
A Carbon App is needed to deploy to the server. Set the Server Role to DataServicesServer on the Security Policy in order to deploy.
Select the CAR file to deploy to the server.
The result is an error message on the console:
WARN {org.owasp.csrfguard.log.JavaLogger} – potential cross-site request forgery (CSRF) attack thwarted (user:<anonymous>, ip:127.0.0.1, method:POST, uri://services/CarbonAppUploader, error:required token is missing from the request)
As you can see, REST is used to activate the upload function: Developer Studio sends a POST to CarbonAppUploader without a CSRF token, so CSRFGuard treats it as a CSRF attack and logs a warning and an error. The CAR file is not deployed because of the error.
Solution
The solution is simple: add POST as an allowed method to the CSRFGuard configuration in the
[wso2dss-3.5.1 HOME]/repository/conf/security/Owasp.CsrfGuard.Carbon.properties file,
i.e.:
# WSO2 : Since state-changing operations are not performed via HTTP GET,
# disabling CSRF validation for GET method.
org.owasp.csrfguard.UnprotectedMethods=GET, POST
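Restart the DSS and the CAR file is now allowed to be deployed. Keep in mind that UnprotectedMethods applies to every request CSRFGuard filters, so this change switches off the CSRF token check for all POST requests, not only for the CarbonAppUploader call. That makes it a better fit for a local development server than for a shared or production one.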
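To check which servers carry this relaxed setting, the short script below reads an Owasp.CsrfGuard.Carbon.properties file and reports the state-changing HTTP methods and URL patterns that are exempt from the CSRF token check. It is an added example, not part of the original post or of WSO2's tooling; the function names and the sample Example entry are made up for illustration, and it assumes CSRFGuard's org.owasp.csrfguard.unprotected.* keys for per-URL exemptions.

```python
import re

METHODS_KEY = "org.owasp.csrfguard.UnprotectedMethods"
PAGE_PREFIX = "org.owasp.csrfguard.unprotected."  # CSRFGuard per-URL exemptions
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}

# Constructed sample: the setting from this post plus one made-up URL exemption.
SAMPLE = """\
# WSO2 : Since state-changing operations are not performed via HTTP GET,
# disabling CSRF validation for GET method.
org.owasp.csrfguard.UnprotectedMethods=GET, POST
org.owasp.csrfguard.unprotected.Example=%servletContext%/example/*
"""

def parse_properties(text):
    """Minimal Java .properties reader: comments, '=' or ':' separators,
    and backslash line continuations."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not pending and (not line or line[0] in "#!"):
            continue
        line = pending + line
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def audit_csrfguard(text):
    """Return (state-changing methods exempt from the token check,
    URL patterns exempt from the token check)."""
    props = parse_properties(text)
    methods = {m.strip().upper() for m in props.get(METHODS_KEY, "").split(",")}
    exempt_methods = sorted(methods & STATE_CHANGING)
    exempt_urls = sorted(v for k, v in props.items() if k.startswith(PAGE_PREFIX))
    return exempt_methods, exempt_urls

if __name__ == "__main__":
    methods, urls = audit_csrfguard(SAMPLE)
    for m in methods:
        print("WARNING: CSRF token check is disabled for every %s request" % m)
    for u in urls:
        print("NOTE: URL pattern exempt from CSRF check: %s" % u)
```

To audit a real server, pass the contents of its properties file to audit_csrfguard() instead of SAMPLE.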
Thanks to Thijs Volders for his contribution to this blog.