CSRF_NONCE Validation
MFT has enhanced the security of JSONDIRTREE by adding a check for a CSRF nonce. This check protects jsondirtree requests against CSRF attacks by requiring a CSRF token, referred to as CSRF_NONCE, on each request.
Here is how this works: The first jsondirtree request must be executed without any parameters. This request does not require a CSRF_NONCE, and its response returns a CSRF_NONCE that must be used in the next jsondirtree request.
For example:
https://localhost:8443/cfcc/control?view=view/filetransfer/jsondirtree.jsp
{"vmgrname":"null","deldir":"N","errmsg":"\"Unknown action: null\"","changemode":"","delfile":"N","readfid":"","token":"-8923610393526332683","rc":1,"path":"\/","writefid":"","rename":"N"," action":null,"create":"N","csrftoken":"&org.apache.catalina.filters.CSRF_NONCE=0BC0207D47896DBF5EEA627EEA716193","currentmode":"","currentcrlf":""}
https://localhost:8443/cfcc/control?view=view/filetransfer/jsondirtree.jsp&action=gettree&path=/&org.apache.catalina.filters.CSRF_NONCE=0BC0207D47896DBF5EEA627EEA716193
Each jsondirtree request returns a CSRF_NONCE. The CSRF_NONCE must be included in the URL of the next jsondirtree call in the format: &org.apache.catalina.filters.CSRF_NONCE=nonceReturnedOnLastCall