Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
rthamman
Contributor III
Contributor III

"XSRF prevention check failed. Possible XSRF discovered."

ticket REST api in Qlik Sense is returning "XSRF prevention check failed. Possible XSRF discovered." error. Xrf key is in the URL and the header. Any thoughts?? Below is the code snippet:

.

.

.

.

   String Xrfkey = "0123456789abcdef";

   String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";
  
   URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);
   request = (HttpsURLConnection)url.openConnection();
   request.setRequestMethod("POST");
   request.setRequestProperty("Content-Type", "application/json");
   request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);
   request.setUseCaches(false);
   request.setDoInput(true);
   request.setDoOutput(true);
  
   String userDirectory = "USERDIRECTORY";
   String userId= "USERID";
   String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";
   byte[] bodyBytes = body.getBytes("UTF-8");

.

.

Error:

0070: 46 72 69 2C 20 31 30 20   41 70 72 20 32 30 31 35  Fri, 10 Apr 2015

0080: 20 30 36 3A 34 38 3A 31   30 20 47 4D 54 0D 0A 53   06:48:10 GMT..S

0090: 65 72 76 65 72 3A 20 51   50 53 2F 31 2E 31 2E 30  erver: QPS/1.1.0

00A0: 2E 30 20 4D 69 63 72 6F   73 6F 66 74 2D 48 54 54  .0 Microsoft-HTT

00B0: 50 41 50 49 2F 32 2E 30   0D 0A 44 61 74 65 3A 20  PAPI/2.0..Date:

00C0: 46 72 69 2C 20 31 30 20   41 70 72 20 32 30 31 35  Fri, 10 Apr 2015

00D0: 20 30 36 3A 34 38 3A 31   30 20 47 4D 54 0D 0A 0D   06:48:10 GMT...

00E0: 0A 33 37 0D 0A 58 53 52   46 20 70 72 65 76 65 6E  .37..XSRF preven

00F0: 74 69 6F 6E 20 63 68 65   63 6B 20 66 61 69 6C 65  tion check faile

0100: 64 2E 20 50 6F 73 73 69   62 6C 65 20 58 53 52 46  d. Possible XSRF

0110: 20 64 69 73 63 6F 76 65   72 65 64 2E 0D 0A 7F 6E   discovered....n

0120: 8B 7B 18 15 D4 FC 0A 2C   9F 13 7E 96 27 99 3E 6B  .......,....'.>k

0130: C1 EB 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  ................

1 Solution

Accepted Solutions
Not applicable

did you change your code from

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);


to something like below to remove the duplicate '?Xrfkey=' ?

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

View solution in original post

8 Replies
Not applicable

It appears you are supplying the xrfkey twice in parameters and you are missing a certificate to trust the communication when you make the web request.  Here is the sample code from help.qlik.com.

http://help.qlik.com/sense/en-us/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/Pr...

See how your targetUrl has XrfKey param twice?

String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

Even after you fix this it likely won't give you a ticket because you are not supplying a cert in the request.

rthamman
Contributor III
Contributor III
Author

Jeff,

I'm past the connectivity point.It is the qlik ticket API that is throwing the error. Here's the code. I have removed the ip address, etc...

import java.io.BufferedReader;

import java.io.DataOutputStream;

import java.io.File;

import java.io.FileInputStream;

import java.io.InputStream;

import java.io.InputStreamReader;

import java.net.URL;

import java.security.KeyStore;

import java.security.SecureRandom;

import javax.net.ssl.HostnameVerifier;

import javax.net.ssl.HttpsURLConnection;

import javax.net.ssl.KeyManagerFactory;

import javax.net.ssl.SSLContext;

import javax.net.ssl.SSLSession;

import javax.net.ssl.SSLSocketFactory;

public class QlikTicket {

   

    static {

   

        //if certificate for create for an IP address you need to do this.

        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()

            {

                public boolean verify(String hostname, SSLSession session)               

                {

                    if (hostname.equals("xx.xx.xx.xx"))

                        return true;

                    return false;

                }

            });

    }

    public static void main(String args[]) {

        HttpsURLConnection request = null;

        InputStream inputStream = null;

   

        try {

            KeyStore keyStore  = KeyStore.getInstance(KeyStore.getDefaultType());

            FileInputStream instream = new FileInputStream(new File("path to jks that has the client cert"));

            keyStore.load(instream, "password".toCharArray());

            instream.close();

           

            String Xrfkey = "0123456789abcdef";

            String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

           

            URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

            request = (HttpsURLConnection)url.openConnection();

            request.setRequestMethod("POST");

            request.setRequestProperty("Content-Type", "application/json");

            request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);

            request.setUseCaches(false);

            request.setDoInput(true);

            request.setDoOutput(true);

           

            String userDirectory = "USERDIRECTORY";

            String userId= "USERID";

            String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";

            byte[] bodyBytes = body.getBytes("UTF-8");

           

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");

            keyManagerFactory.init(keyStore, "password".toCharArray());

            SSLContext sslContext = SSLContext.getInstance("TLS");

            sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());

            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();

            request.setSSLSocketFactory(sslSocketFactory);

           

            request.setDoOutput(true);

            request.setDoInput(true);

            DataOutputStream out = new DataOutputStream(request.getOutputStream());

            out.write(bodyBytes);

            out.flush();

            out.close();

            inputStream = request.getErrorStream();

            InputStreamReader inputStreamReader = null;

            String string = null;

            BufferedReader bufferedreader = null;

            if(inputStream != null) {

                inputStreamReader = new InputStreamReader(inputStream);

                bufferedreader = new BufferedReader(inputStreamReader);

                string = null;

                while ((string = bufferedreader.readLine()) != null) {

                    System.out.println("Error Received " + string);

                }

            }

           

            inputStream = request.getInputStream();

            inputStreamReader = new InputStreamReader(inputStream);

            bufferedreader = new BufferedReader(inputStreamReader);

            while ((string = bufferedreader.readLine()) != null) {

                System.out.println("Received " + string);

            }

           

            inputStream = request.getInputStream();

            inputStreamReader = new InputStreamReader(inputStream);

            bufferedreader = new BufferedReader(inputStreamReader);

            while ((string = bufferedreader.readLine()) != null) {

                System.out.println("Received " + string);

            }

        }catch (Exception ex) {

            ex.printStackTrace();

            if(inputStream != null) {

                try {

                    inputStream.close();

                } catch(Exception ex1) {

                   

                }

            }

        }

    }       

}

Error:

00C0: 46 72 69 2C 20 31 30 20   41 70 72 20 32 30 31 35  Fri, 10 Apr 2015

00D0: 20 30 36 3A 34 38 3A 31   30 20 47 4D 54 0D 0A 0D   06:48:10 GMT...

00E0: 0A 33 37 0D 0A 58 53 52   46 20 70 72 65 76 65 6E  .37..XSRF preven

00F0: 74 69 6F 6E 20 63 68 65   63 6B 20 66 61 69 6C 65  tion check faile

0100: 64 2E 20 50 6F 73 73 69   62 6C 65 20 58 53 52 46  d. Possible XSRF

0110: 20 64 69 73 63 6F 76 65   72 65 64 2E 0D 0A 7F 6E   discovered....n

0120: 8B 7B 18 15 D4 FC 0A 2C   9F 13 7E 96 27 99 3E 6B  .......,....'.>k

0130: C1 EB 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  ................

Not applicable

did you change your code from

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);


to something like below to remove the duplicate '?Xrfkey=' ?

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

rthamman
Contributor III
Contributor III
Author

Thanks Jeff. Removing the duplicate param worked.

Not applicable

Rama, good to read that everything is working now.  Please click on the Actions button on my reply above and choose correct answer or helpful.

Cheers,

Jeff G

rthamman
Contributor III
Contributor III
Author

Jeff, in one of the environment, qlik sense is returning 403 error for a ticket request. Is there a way to turn on logging to get granular debug messages for ticket api?

Not applicable

The proxy log located in %programdata%\Qlik\Sense\Logs\Proxy\Audit Proxy log file is where you want to look.  If you want to get it more granular, go to Proxies in the QMC and change the logging level from info to debug.

jg

Not applicable

Rama,

Does your server certificate or QlikClient certificate have a private key?  You must use client and server certificates with public and private keys because Qlik Sense uses Transport Layer Security (TLS) to secure communication.  No private keys on these certificates are the most common cause of 403 messages.

Because you are using java, do the certificates in your java keystore (jks) have private keys?

jg