
If you have used the Jive REST API, you may have run into a problem with a security measure we put in place a while back that prefixes API responses with the following line:

throw 'allowIllegalResourceCall is false.';
{
...
}

Rationale

This aspect of the API was introduced to help protect against JSON Hijacking back when web browsers were susceptible.

 

As modern browsers have matured, so has inherent protection from this type of attack.  As such, Jive is looking into migration paths to allow us to remove this line from our API allowing the response to be pure JSON once again.  Once we have cleared our browser support list of susceptible browsers, we can start taking active measures to remove this safety measure.

 

What Does This Mean for You / Recommendations

When it comes time to roll out changes, it is always hard because you never know how developers have coded things to this point.

 

To best prepare yourself (and your code) for this change, the timing and process of which have not yet been discussed, it is recommended that you:

  • review your code for any references to the "code stripping"
  • ensure that any code executed will work successfully, with or without this prefix in the response body.

 

Some example solutions include:

  • response.substring(response.indexOf('{')) - "find the first {, and do a substring from that position to the end of the string."
  • JSON.parse(response.replace(/^throw.*;/, "").trim()); - "using RegEx, find the first line starting with throw and ending in a semi-colon, if found replace with empty string"
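
A parser that works with or without the prefix, as an added example that is not Jive's own code: it strips the line only when the exact prefix quoted above is the first thing in the body, and goes beyond the two snippets by also handling a top-level JSON array. The names parseJiveResponse and naiveParse are hypothetical, and the sample bodies are constructed.

```javascript
// Added example, not Jive code. The prefix is the line quoted on this page;
// parseJiveResponse and naiveParse are hypothetical helper names.
const JIVE_PREFIX = "throw 'allowIllegalResourceCall is false.';";

function parseJiveResponse(body) {
  if (typeof body !== 'string') {
    throw new TypeError('response body must be a string');
  }
  // trimStart also removes a byte-order mark, so the prefix check is exact.
  let text = body.trimStart();
  // Strip the guard only when it is the very first thing in the body, so a
  // "throw ...;" sequence inside a JSON string value is never touched.
  if (text.startsWith(JIVE_PREFIX)) {
    text = text.slice(JIVE_PREFIX.length);
  }
  // JSON.parse accepts surrounding whitespace and rejects anything else, so
  // an unexpected body (an HTML login page, say) fails loudly.
  return JSON.parse(text);
}

// The "first {" approach from the list above, for comparison.
function naiveParse(body) {
  return JSON.parse(body.substring(body.indexOf('{')));
}

// Constructed sample bodies.
const samples = {
  prefixed: JIVE_PREFIX + '\n{"name":"GettingStarted.pdf","size":23433}',
  plain: '{"name":"GettingStarted.pdf","size":23433}',
  throwInValue: JIVE_PREFIX + '\n{"subject":"throw away; {old} drafts"}',
  topLevelArray: JIVE_PREFIX + '\n[{"size":1},{"size":2}]',
};

for (const [label, body] of Object.entries(samples)) {
  let naive;
  try {
    naive = JSON.stringify(naiveParse(body));
  } catch (err) {
    naive = `fails (${err.name})`;
  }
  console.log(label, JSON.stringify(parseJiveResponse(body)), '| naive:', naive);
}
```
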


As we get closer to determining the approach for introducing movement on this, we'll let the community know, but for now it is recommended that developers prepare their existing and new code with similar patterns to be protected.


Stay tuned.  You may now return to your IDE. =)

Binary documents can be uploaded using the Jive v3 APIs (see: Upload a local file using the Jive API) and they can also be updated with new versions.  This is an example (for Jive 6.x and above) of updating a binary document using the cURL command in a shell script.


First you need to know the Jive document unique identifier in order to update the document.   One way to get this is to call the search API, which returns the Jive document ID (the browse ID) for the document you want to upload a new version into.


http://mydomainname.com/api/core/v3/search/contents?filter=type(document)&filter=search(sometext)

 

Response:

{
  "list" : [ {
    "name" : "GettingStarted.pdf",
    "type" : "file",
    "size" : 23433,
.....
      "self" : {
        "ref" : "http://mydomainname.com/api/core/v3/contents/1144",
        "allowed" : [ "PUT", "GET", "DELETE" ]
      },
....
  } ],
  "startIndex" : 0,
  "itemsPerPage" : 25,
  "suggestedQuery" : "search(Apia)"
}

In the above example the document ID is 1144.
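
Reading the ID out of the search response in code, as an added example that is not from the original post: it checks that PUT is allowed and that the self ref points at the expected host with a numeric ID before the value goes into the upload URL. The helper name contentIdFor, the EXPECTED_HOST constant, and resources as the parent key of self (elided in the response above) are assumptions; the sample response is constructed.

```javascript
// Added example, not Jive code. contentIdFor and EXPECTED_HOST are
// hypothetical names; "resources" as the parent of "self" is an assumption.
const EXPECTED_HOST = 'mydomainname.com'; // placeholder host used on this page

function contentIdFor(body, fileName) {
  // Tolerate the optional "throw '...';" first line before parsing.
  const json = JSON.parse(body.replace(/^\s*throw [^\n]*;/, ''));
  const hits = (json.list || []).filter((item) => item.name === fileName);
  if (hits.length !== 1) {
    throw new Error(`expected one match for ${fileName}, got ${hits.length}`);
  }
  const link = (hits[0].resources || hits[0]).self;
  if (!link || !Array.isArray(link.allowed) || !link.allowed.includes('PUT')) {
    throw new Error('current user may not update this document');
  }
  // Accept only a ref on the expected host with a purely numeric ID, so the
  // value is safe to place in the upload URL and credentials stay on-site.
  const ref = new URL(link.ref);
  const match = /^\/api\/core\/v3\/contents\/(\d+)$/.exec(ref.pathname);
  if (ref.hostname !== EXPECTED_HOST || !match) {
    throw new Error(`unexpected self ref: ${link.ref}`);
  }
  return match[1];
}

// Build a constructed search response modelled on the one shown above.
function sampleSearch(ref, allowed) {
  return JSON.stringify({
    list: [{
      name: 'GettingStarted.pdf',
      type: 'file',
      resources: { self: { ref, allowed } },
    }],
    startIndex: 0,
  });
}

const goodRef = 'http://mydomainname.com/api/core/v3/contents/1144';
console.log(contentIdFor(sampleSearch(goodRef, ['PUT', 'GET', 'DELETE']),
  'GettingStarted.pdf'));
```
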

 

Once you have the document ID you are ready to upload a new binary document version.  Remember to put the document ID in the URL and add minor=true as a query parameter if you don't want notifications or activity stream updates to be generated as a result of the document file update.

 

curl -X PUT -i -v -u "${username}:${password}" \
     -F "file=@MyFile.pdf;type=text/xml" \
     -F "json=@jsonPayloadUpdate.json;type=application/json" \
     "https://mydomainname.com/api/core/v3/contents/1144?minor=true"

 

where the file jsonPayloadUpdate.json contains the valid JSON in the following format:

{
  "authorship": "author",
  "type": "file",
  "visibility": "place",
  "parent": "https://mydomainname.com/api/core/v3/places/51467",
  "subject": "Update binary file",
  "tags": ["api_upload_update"],
  "content": {
    "type": "text/html",
    "text": "The file upload update description",
    "name" : "a-new-version-of-my-pdf-file.pdf",
    "size" : "23443"
  }
}

Binary documents can be uploaded using the Jive v3 API.  This is an example (for Jive 6.x and above) of uploading a local file into a Jive Group using the cURL command from within a shell script.

 

curl -i -v -u "${username}:${password}" \
     -F "file=@ConfiguringJivePresent.pdf;type=text/xml" \
     -F "json=@jsonPayload.json;type=application/json" \
     "https://myjivedomain.com/api/core/v3/contents"

 

where the file jsonPayload.json contains the valid JSON in the following format:

 

{
  "authorship": "author",
  "type": "file",
  "visibility": "place",
  "parent": "https://myjivedomain/api/core/v3/places/51467",
  "subject": "This is my uploaded binary file",
  "tags": ["api_upload"],
  "content": {
    "type": "text/html",
    "text": "This is my description for the upload file",
    "name" : "a-pdf-file.pdf",
    "size" : "307284"
  }
}

 

There are a number of additional properties you can set, and these are documented here: Jive REST API → File entity

 

Note:  The target Place ID (51467 in the example above) is the Jive unique internal identifier for the Place and has to be looked up first.  This can be done by querying the database table jivebrowsecntr or by calling the Jive Places API.  For example:

 

https://myjivedomain/api/core/v3/places/?filter=entityDescriptor(700,1263)

 

Returns:

{
...
"self" : {
  "ref" : "https://myjivedomain/api/core/v3/places/51467",
  "allowed" : [ "GET", "DELETE", "PUT" ]
  },
...
}

 

Where 1263 is the Group ID visible from the Group edit page in Jive and 51467 is the Place ID unique identifier returned that you need to use in the upload file API call.

 

Note: The procedure for uploading into a Space is the same as for a Group.
