Security

The service uses the host server and security server to validate and grant access that is based on user permissions.

To enable or disable the Cloverleaf API, use the Enable Cloverleaf API check box on the Server Administration > Web Server tab. The default is cleared (disabled).

  • If enabled, then the server returns results on a request or a rejection notification.
  • If disabled, then an error code (404) is returned to any clients attempting to access the API.

To protect against cross-site request forgery, a CSRF token must be included in HTTP POST requests to the CLAPI.

Note: Only HTTP GET requests are exempt from the CSRF check. All other methods, including POST, PUT, and DELETE, require the token.

For example, the following curl commands send a POST request with the CSRF token. Two requests are needed:

  1. Send the request to get the cookie file that contains the session ID. This returns the CSRF token value.
    curl -G https://hostname:15047/clapi/api/security/csrf -k \
      --header "Authorization:Basic YWRtaW5pc3RyYXRvcjpQQHNzd29yZDAx" -c cookieFile.out -v
    YWRtaW5pc3RyYXRvcjpQQHNzd29yZDAx is the Base64 encoded string for username:password.
    2980a518-1728-46bc-a95d-9767baac2f48 is the CSRF token value in the response. This is later used in the request header.
  2. Send the real request to start the process. The cookie file (-b) supplies the session ID, and the CSRF token from step 1 is sent in the X-CSRF-TOKEN header. The -k option skips TLS certificate verification and should only be used against a test server.
    curl https://hostname:15047/clapi/api/site/{sitename}/process/{processname}/start -k \
      --header "Authorization:Basic YWRtaW5pc3RyYXRvcjpQQHNzd29yZDAx" \
      --header "X-CSRF-TOKEN:2980a518-1728-46bc-a95d-9767baac2f48" \
      -b cookieFile.out --request POST -v
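The two-step exchange above, replayed in Python against an in-process stand-in for the CLAPI host. This is an added example, not Infor's code. The stand-in shows why the cookie file matters: the server binds each CSRF token to the session that requested it, so a POST that omits the token, reuses it with another session's cookie, or carries bad credentials is refused. The JSON body {"token": ...}, the JSESSIONID cookie name and the apiuser credential are assumptions constructed for the example; the page does not show the real response format.

```python
"""Two-step CSRF flow of the Cloverleaf API, replayed against an in-process
stand-in server. Added example; not Infor's code. The server binds each CSRF
token to the session it issued and rejects a POST whose token is missing,
paired with a different session cookie, or sent without valid credentials.
The {"token": ...} body, the JSESSIONID cookie name and the demo credential
are constructed assumptions; the page does not show the real response format."""
import base64
import secrets
from http import HTTPStatus

USERS = {"apiuser": "constructed-password"}  # constructed demo credential
CSRF_PATH = "/clapi/api/security/csrf"
SAFE_METHODS = {"GET"}  # per the page, only GET is exempt from the CSRF check


def parse_cookie(header):
    """Turn 'a=1; b=2' into {'a': '1', 'b': '2'}."""
    pairs = (p.strip().partition("=") for p in header.split(";") if "=" in p)
    return {k: v for k, _, v in pairs}


class MockClapiServer:
    """Stand-in for the CLAPI host: Basic auth plus session-bound CSRF tokens."""

    def __init__(self):
        self.sessions = {}  # session id -> csrf token issued to that session

    def _authorized(self, headers):
        value = headers.get("Authorization", "")
        if not value.startswith("Basic "):
            return False
        try:
            user, _, password = base64.b64decode(value[6:]).decode().partition(":")
        except (ValueError, UnicodeDecodeError):
            return False
        return USERS.get(user) == password

    def handle(self, method, path, headers):
        """Return (status, response_headers, body), like one HTTP round trip."""
        if not self._authorized(headers):
            return HTTPStatus.UNAUTHORIZED, {}, {"error": "unauthorized"}
        if method == "GET" and path == CSRF_PATH:
            sid, token = secrets.token_hex(16), secrets.token_hex(16)
            self.sessions[sid] = token  # token is tied to this session only
            set_cookie = f"JSESSIONID={sid}; HttpOnly; Secure"
            return HTTPStatus.OK, {"Set-Cookie": set_cookie}, {"token": token}
        if method not in SAFE_METHODS:
            sid = parse_cookie(headers.get("Cookie", "")).get("JSESSIONID")
            if sid not in self.sessions or self.sessions[sid] != headers.get("X-CSRF-TOKEN"):
                return HTTPStatus.FORBIDDEN, {}, {"error": "CSRF token missing or not bound to session"}
        if method == "POST" and path.endswith("/start"):
            return HTTPStatus.OK, {}, {"status": "started", "path": path}
        return HTTPStatus.NOT_FOUND, {}, {"error": "not found"}


def basic_auth(user, password):
    """Build the Authorization header value, as curl's --header line does."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def get_csrf(server, auth):
    """Step 1: GET the token and keep the session cookie (curl's -c cookieFile.out)."""
    status, hdrs, body = server.handle("GET", CSRF_PATH, {"Authorization": auth})
    if status != HTTPStatus.OK:
        raise RuntimeError(f"csrf request failed: {status}")
    cookie = hdrs["Set-Cookie"].split(";")[0]  # 'JSESSIONID=<id>'
    return cookie, body["token"]


def start_process(server, auth, site, process, cookie=None, token=None):
    """Step 2: POST with the cookie (-b) and X-CSRF-TOKEN header; returns the status code."""
    headers = {"Authorization": auth}
    if cookie:
        headers["Cookie"] = cookie
    if token:
        headers["X-CSRF-TOKEN"] = token
    path = f"/clapi/api/site/{site}/process/{process}/start"
    status, _, _ = server.handle("POST", path, headers)
    return int(status)


if __name__ == "__main__":
    srv, auth = MockClapiServer(), basic_auth("apiuser", "constructed-password")
    cookie, token = get_csrf(srv, auth)
    print(start_process(srv, auth, "demo", "proc1", cookie, token))  # 200
    print(start_process(srv, auth, "demo", "proc1"))                 # 403, no cookie or token
```

The check in handle is the one a defender should expect from the real host: the token is compared against the token stored for the session named by the cookie, not merely against "some token we issued", which is why both step 1 artifacts (cookie file and token) have to travel together in step 2.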