rthamman
New Contributor

"XSRF prevention check failed. Possible XSRF discovered."

The ticket REST API in Qlik Sense is returning the "XSRF prevention check failed. Possible XSRF discovered." error. The Xrfkey is in the URL and the header. Any thoughts? Below is the code snippet:

.

.

.

.

   String Xrfkey = "0123456789abcdef";

   String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";
  
   URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);
   request = (HttpsURLConnection)url.openConnection();
   request.setRequestMethod("POST");
   request.setRequestProperty("Content-Type", "application/json");
   request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);
   request.setUseCaches(false);
   request.setDoInput(true);
   request.setDoOutput(true);
  
   String userDirectory = "USERDIRECTORY";
   String userId= "USERID";
   String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";
   byte[] bodyBytes = body.getBytes("UTF-8");

.

.

Error:


8 Replies
Not applicable

Re: "XSRF prevention check failed. Possible XSRF discovered."

It appears you are supplying the xrfkey twice in parameters and you are missing a certificate to trust the communication when you make the web request.  Here is the sample code from help.qlik.com.

http://help.qlik.com/sense/en-us/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/Pr...

See how your targetUrl has XrfKey param twice?

String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

Even after you fix this it likely won't give you a ticket because you are not supplying a cert in the request.

rthamman
New Contributor

Re: "XSRF prevention check failed. Possible XSRF discovered."

Jeff,

I'm past the connectivity point. It is the Qlik ticket API that is throwing the error. Here's the code. I have removed the IP address, etc.

import java.io.BufferedReader;
import java.io.DataOutputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocketFactory;

public class QlikTicket {

    static {

        // If the certificate was created for an IP address, you need to do this.
        HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
            {
                public boolean verify(String hostname, SSLSession session)
                {
                    if (hostname.equals("xx.xx.xx.xx"))
                        return true;
                    return false;
                }
            });
    }

    public static void main(String args[]) {
        HttpsURLConnection request = null;
        InputStream inputStream = null;

        try {
            KeyStore keyStore  = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream instream = new FileInputStream(new File("path to jks that has the client cert"));
            keyStore.load(instream, "password".toCharArray());
            instream.close();

            String Xrfkey = "0123456789abcdef";
            String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

            URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);
            request = (HttpsURLConnection)url.openConnection();
            request.setRequestMethod("POST");
            request.setRequestProperty("Content-Type", "application/json");
            request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);
            request.setUseCaches(false);
            request.setDoInput(true);
            request.setDoOutput(true);

            String userDirectory = "USERDIRECTORY";
            String userId= "USERID";
            String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";
            byte[] bodyBytes = body.getBytes("UTF-8");

            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(keyStore, "password".toCharArray());
            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
            SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
            request.setSSLSocketFactory(sslSocketFactory);

            request.setDoOutput(true);
            request.setDoInput(true);
            DataOutputStream out = new DataOutputStream(request.getOutputStream());
            out.write(bodyBytes);
            out.flush();
            out.close();
            inputStream = request.getErrorStream();
            InputStreamReader inputStreamReader = null;
            String string = null;
            BufferedReader bufferedreader = null;
            if(inputStream != null) {
                inputStreamReader = new InputStreamReader(inputStream);
                bufferedreader = new BufferedReader(inputStreamReader);
                string = null;
                while ((string = bufferedreader.readLine()) != null) {
                    System.out.println("Error Received " + string);
                }
            }

            inputStream = request.getInputStream();
            inputStreamReader = new InputStreamReader(inputStream);
            bufferedreader = new BufferedReader(inputStreamReader);
            while ((string = bufferedreader.readLine()) != null) {
                System.out.println("Received " + string);
            }

            inputStream = request.getInputStream();
            inputStreamReader = new InputStreamReader(inputStream);
            bufferedreader = new BufferedReader(inputStreamReader);
            while ((string = bufferedreader.readLine()) != null) {
                System.out.println("Received " + string);
            }
        }catch (Exception ex) {
            ex.printStackTrace();
            if(inputStream != null) {
                try {
                    inputStream.close();
                } catch(Exception ex1) {

                }
            }
        }
    }
}

Error:


Not applicable

Re: "XSRF prevention check failed. Possible XSRF discovered."

Did you change your code from

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);


to something like below to remove the duplicate '?Xrfkey=' ?

  String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket";

  URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

rthamman
New Contributor

Re: "XSRF prevention check failed. Possible XSRF discovered."

Thanks Jeff. Removing the duplicate param worked.

Not applicable

Re: "XSRF prevention check failed. Possible XSRF discovered."

Rama, good to read that everything is working now.  Please click on the Actions button on my reply above and choose correct answer or helpful.

Cheers,

Jeff G

rthamman
New Contributor

Re: "XSRF prevention check failed. Possible XSRF discovered."

Jeff, in one of the environments, Qlik Sense is returning a 403 error for a ticket request. Is there a way to turn on logging to get granular debug messages for the ticket API?

Not applicable

Re: "XSRF prevention check failed. Possible XSRF discovered."

The proxy log located in %programdata%\Qlik\Sense\Logs\Proxy\Audit Proxy log file is where you want to look.  If you want to get it more granular, go to Proxies in the QMC and change the logging level from info to debug.

jg

Not applicable

Re: "XSRF prevention check failed. Possible XSRF discovered."

Rama,

Does your server certificate or QlikClient certificate have a private key?  You must use client and server certificates with public and private keys because Qlik Sense uses Transport Layer Security (TLS) to secure communication.  No private keys on these certificates are the most common cause of 403 messages.

Because you are using Java, do the certificates in your Java keystore (JKS) have private keys?

jg
