How to access the tools using wget and token
Question
Starting with DX 7.2.3.1, we introduced CSRF protection for all tools requests. If you run requests against the tools to automate tasks, you need to update your scripts to retrieve the token and use it in your requests.
Let's say this was your original request:
wget -q -O - "http://localhost:8080/modules/tools/precompileServlet?compile_type=all&jsp_precompile=true" \
--user=jahia --password=password
What is the way to do it using the token?
Answer
You will need to execute two requests: the first retrieves the token and the session ID cookie, and the second is your original request, adjusted to use the data you retrieved.
Using the example above it will become something like:
TOKEN=$(wget -q -O - http://localhost:8080/modules/tools/precompileServlet \
--user=jahia --password=password --keep-session-cookies \
--save-cookies=cookies.txt | sed -n -e 's/.*toolAccessToken=\([^"]*\).*/\1/p' | head -1);
wget -q -O - "http://localhost:8080/modules/tools/precompileServlet?compile_type=all&jsp_precompile=true&toolAccessToken=$TOKEN" \
--load-cookies=cookies.txt
But there are two cases to handle:
- The tool page you are requesting contains the token in the URL, then the regex to use with sed is the following:
sed -n -e 's/.*toolAccessToken=\([^"]*\).*/\1/p'
- The tool page you are requesting does not contain the token in the URL but instead it's in a form, then the regex will be:
sed -n -e 's/.*toolAccessToken" value="\([^"]*\).*/\1/p'
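An added example, not part of the original article: a helper that tries both sed patterns above and stops when the page carries no token, so a failed login or a changed page layout does not send the second request with an empty toolAccessToken. The function names, the TOOLS_USER and TOOLS_PASSWORD variables, the sample pages and the extra "&" in the first pattern are assumptions of this example.

```bash
# Constructed sample pages (not real Jahia output), one per layout.
SAMPLE_URL_PAGE='<a href="/modules/tools/precompileServlet?compile_type=all&amp;toolAccessToken=11111111-aaaa">all</a>'
SAMPLE_FORM_PAGE='<input type="hidden" name="toolAccessToken" value="22222222-bbbb"/>'

# Read a tools page on stdin and print its token; return 1 if there is none.
extract_tool_token() {
    local html token
    html=$(cat)
    # Case 1: token inside a URL. Assumption of this example: the value also
    # ends at "&", so a parameter following the token is not captured.
    token=$(printf '%s\n' "$html" |
        sed -n -e 's/.*toolAccessToken=\([^"&]*\).*/\1/p' | head -1)
    # Case 2: token in a form field, tried only when case 1 found nothing.
    if [ -z "$token" ]; then
        token=$(printf '%s\n' "$html" |
            sed -n -e 's/.*toolAccessToken" value="\([^"]*\).*/\1/p' | head -1)
    fi
    [ -n "$token" ] || return 1
    printf '%s\n' "$token"
}

# Two-step request from the article. $1 = tool URL, $2 = query string.
# TOOLS_USER and TOOLS_PASSWORD are hypothetical environment variables.
run_tool() {
    local url="$1" query="$2" jar token rc
    jar=$(mktemp) || return 1    # private (0600) cookie jar instead of ./cookies.txt
    token=$(wget -q -O - "$url" --user="$TOOLS_USER" --password="$TOOLS_PASSWORD" \
        --keep-session-cookies --save-cookies="$jar" | extract_tool_token) || token=""
    if [ -z "$token" ]; then
        rm -f "$jar"
        echo "no toolAccessToken found at $url" >&2
        return 1
    fi
    rc=0
    wget -q -O - "$url?$query&toolAccessToken=$token" --load-cookies="$jar" || rc=$?
    rm -f "$jar"                 # the jar holds the session ID cookie
    return $rc
}
# Usage: run_tool http://localhost:8080/modules/tools/precompileServlet \
#            'compile_type=all&jsp_precompile=true'
```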
You can also modify the expiration time of the token (in minutes) by adding the following line to your "jahia.properties" file (the default value is 20):
toolsTokenExpiration = 20