topic Re: how to connect to qsense web engine November 2024 ? in Integration, Extension & APIs

how to connect to qsense web engine November 2024 ?

PhilippeG — Mon, 24 Feb 2025 16:39:17 GMT

hi everybody,

the java code below works fine with qlik sense version February 2024

URI serverUri = new URI("wss://serverqsense.domaine.fr/vproxyname/app/" + idApp + "?Xrfkey=ABCDEFGH123456");

WebSocketClient wsAppClient = new WebSocketClient(serverUri);

wsAppClient.addHeader("Xrfkey", "ABCDEFGH123456");

wsAppClient.addHeader("usr-api", "BB\\USERQLIKADM");

wsAppClient.addHeader("Cookie", "");

// Connexion au serveur WebSocket

wsAppClient.connect();

with November 2024 I got error http 403 😞

any idea ?

thanks in advance

Philippe

Re: how to connect to qsense web engine November 2024 ?

alex_colombo — Tue, 25 Feb 2025 09:35:31 GMT

Hey @PhilippeG , in Nov 2024 we introduced few changes at security levels. On of them is the CSRF token. This has to be added to websocket connection as url param.

When you are authenticated, you have to call a QPS APIs for getting the crsf token value, here the API doc.

Then, attach csrf token to websocket url like this: URI serverUri = new URI("wss://serverqsense.domaine.fr/vproxyname/app/" + idApp + "?Xrfkey=ABCDEFGH123456&qlik-csrf-token=_yourToken_");

Our docs is not up to date, I've raised this internally.

Re: how to connect to qsense web engine November 2024 ?

PhilippeG — Tue, 25 Feb 2025 11:11:43 GMT

Hi @alex_colombo and thanks for your response !

However I still have the 403 error when opening websocket despite adding qlik-csrf-token :

I got qlik-csrf-token with this url :
https://serverqsense.domaine.fr/vproxyname/qps/csrftoken
and headers :
wsAppClient.addHeader("Xrfkey", "ABCDEFGH123456");
wsAppClient.addHeader("usr-api", "BB\\USERQLIKADM");

I got qlik-csrf-token and a value (j7kh4Y8fmPooKs7QDdfk8A) in response header : so far so good ?

then I call wsAppClient.connect() with URI("wss://serverqsense.domaine.fr/vproxyname/app/" + idApp + "?Xrfkey=ABCDEFGH123456&qlik-csrf-token=j7kh4Y8fmPooKs7QDdfk8A")
always got Status Code: 403 Forbidden

I notice something weird:
if I put a wrong value for domain/user for the "usr-api" key I still get a token.

Do you have another way to get past this 403 error?

Re: how to connect to qsense web engine November 2024 ?

alex_colombo — Tue, 25 Feb 2025 11:57:31 GMT

Forgot to mention that you need to apply a modification into Virtual Proxy configuration. Go in VP configuration, click on Advanced, then Additional response headers.

You have to add below headers:

Access-Control-Allow-Credentials: true

Access-Control-Expose-Headers: qlik-csrf-token

Re: how to connect to qsense web engine November 2024 ?

PhilippeG — Tue, 25 Feb 2025 13:32:48 GMT

I added this parameters in my QMC :

Access-Control-Allow-Credentials: true

Access-Control-Expose-Headers: qlik-csrf-token

in virtual proxy conf , but always 403 !!

I put some pic to illustrate my parameters...

Thanks to help me !

Re: how to connect to qsense web engine November 2024 ?

alex_colombo — Tue, 25 Feb 2025 16:21:51 GMT

I've made some tests and with Ticket auth is working with steps made so far.

Using header auth, an extra step is required. When you call csrf API you will receive qlik csrf token param and a set Cookie in response headers. Grab that cookie value and attach to websocket headers. It should work.

Below an example of set cookie response header from csrf API and websocket connection: