8 Replies Latest reply: May 14, 2015 1:45 PM by Jeffrey Goldberg

    "XSRF prevention check failed. Possible XSRF discovered."

    Rama Thamman

      The ticket REST API in Qlik Sense is returning the "XSRF prevention check failed. Possible XSRF discovered." error. The Xrf key is in the URL and the header. Any thoughts? Below is the code snippet:

       

      .

      .

      .

      .

         String Xrfkey = "0123456789abcdef";

       

         String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";
        
         URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);
         request = (HttpsURLConnection)url.openConnection();
         request.setRequestMethod("POST");
         request.setRequestProperty("Content-Type", "application/json");
         request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);
         request.setUseCaches(false);
         request.setDoInput(true);
         request.setDoOutput(true);
        
         String userDirectory = "USERDIRECTORY";
         String userId= "USERID";
         String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";
         byte[] bodyBytes = body.getBytes("UTF-8");

       

      .

      .

       

      Error:

      0070: 46 72 69 2C 20 31 30 20   41 70 72 20 32 30 31 35  Fri, 10 Apr 2015
      0080: 20 30 36 3A 34 38 3A 31   30 20 47 4D 54 0D 0A 53   06:48:10 GMT..S
      0090: 65 72 76 65 72 3A 20 51   50 53 2F 31 2E 31 2E 30  erver: QPS/1.1.0
      00A0: 2E 30 20 4D 69 63 72 6F   73 6F 66 74 2D 48 54 54  .0 Microsoft-HTT
      00B0: 50 41 50 49 2F 32 2E 30   0D 0A 44 61 74 65 3A 20  PAPI/2.0..Date:
      00C0: 46 72 69 2C 20 31 30 20   41 70 72 20 32 30 31 35  Fri, 10 Apr 2015
      00D0: 20 30 36 3A 34 38 3A 31   30 20 47 4D 54 0D 0A 0D   06:48:10 GMT...
      00E0: 0A 33 37 0D 0A 58 53 52   46 20 70 72 65 76 65 6E  .37..XSRF preven
      00F0: 74 69 6F 6E 20 63 68 65   63 6B 20 66 61 69 6C 65  tion check faile
      0100: 64 2E 20 50 6F 73 73 69   62 6C 65 20 58 53 52 46  d. Possible XSRF
      0110: 20 64 69 73 63 6F 76 65   72 65 64 2E 0D 0A 7F 6E   discovered....n
      0120: 8B 7B 18 15 D4 FC 0A 2C   9F 13 7E 96 27 99 3E 6B  .......,....'.>k
      0130: C1 EB 0D 0D 0D 0D 0D 0D   0D 0D 0D 0D 0D 0D 0D 0D  ................

        • Re: "XSRF prevention check failed. Possible XSRF discovered."
          Jeffrey Goldberg

          It appears you are supplying the xrfkey twice in parameters and you are missing a certificate to trust the communication when you make the web request.  Here is the sample code from help.qlik.com.

           

          http://help.qlik.com/sense/en-us/developer/#../Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-Exampl…

           

          See how your targetUrl has XrfKey param twice?

           

          String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

           

          URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);

           

          Even after you fix this it likely won't give you a ticket because you are not supplying a cert in the request.

            • Re: "XSRF prevention check failed. Possible XSRF discovered."
              Rama Thamman

              Jeff,

               

              I'm past the connectivity point. It is the Qlik ticket API that is throwing the error. Here's the code. I have removed the IP address, etc.

               

              import java.io.BufferedReader;
              import java.io.DataOutputStream;
              import java.io.File;
              import java.io.FileInputStream;
              import java.io.InputStream;
              import java.io.InputStreamReader;
              import java.net.URL;
              import java.security.KeyStore;
              import java.security.SecureRandom;

              import javax.net.ssl.HostnameVerifier;
              import javax.net.ssl.HttpsURLConnection;
              import javax.net.ssl.KeyManagerFactory;
              import javax.net.ssl.SSLContext;
              import javax.net.ssl.SSLSession;
              import javax.net.ssl.SSLSocketFactory;

              public class QlikTicket {

                  static {

                      // If the certificate was created for an IP address you need to do this.
                      HttpsURLConnection.setDefaultHostnameVerifier(new HostnameVerifier()
                          {
                              public boolean verify(String hostname, SSLSession session)
                              {
                                  if (hostname.equals("xx.xx.xx.xx"))
                                      return true;
                                  return false;
                              }
                          });
                  }

                  public static void main(String args[]) {
                      HttpsURLConnection request = null;
                      InputStream inputStream = null;

                      try {
                          KeyStore keyStore  = KeyStore.getInstance(KeyStore.getDefaultType());
                          FileInputStream instream = new FileInputStream(new File("path to jks that has the client cert"));
                          keyStore.load(instream, "password".toCharArray());
                          instream.close();

                          String Xrfkey = "0123456789abcdef";

                          String targetURL = "https://xx.xx.xx.xx:4243/qps/ticket?Xrfkey=";

                          URL url = new URL(targetURL + "?Xrfkey=" + Xrfkey);
                          request = (HttpsURLConnection)url.openConnection();
                          request.setRequestMethod("POST");
                          request.setRequestProperty("Content-Type", "application/json");
                          request.setRequestProperty("X-Qlik-Xrfkey", Xrfkey);
                          request.setUseCaches(false);
                          request.setDoInput(true);
                          request.setDoOutput(true);

                          String userDirectory = "USERDIRECTORY";
                          String userId= "USERID";
                          String body = "{'UserDirectory':'" + userDirectory + "', 'UserId':'" + userId + "','Attributes': []}";
                          byte[] bodyBytes = body.getBytes("UTF-8");

                          KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
                          keyManagerFactory.init(keyStore, "password".toCharArray());

                          SSLContext sslContext = SSLContext.getInstance("TLS");
                          sslContext.init(keyManagerFactory.getKeyManagers(), null, new SecureRandom());
                          SSLSocketFactory sslSocketFactory = sslContext.getSocketFactory();
                          request.setSSLSocketFactory(sslSocketFactory);

                          request.setDoOutput(true);
                          request.setDoInput(true);

                          DataOutputStream out = new DataOutputStream(request.getOutputStream());

                          out.write(bodyBytes);
                          out.flush();
                          out.close();

                          inputStream = request.getErrorStream();
                          InputStreamReader inputStreamReader = null;
                          String string = null;
                          BufferedReader bufferedreader = null;
                          if(inputStream != null) {
                              inputStreamReader = new InputStreamReader(inputStream);
                              bufferedreader = new BufferedReader(inputStreamReader);
                              string = null;
                              while ((string = bufferedreader.readLine()) != null) {
                                  System.out.println("Error Received " + string);
                              }
                          }

                          inputStream = request.getInputStream();
                          inputStreamReader = new InputStreamReader(inputStream);
                          bufferedreader = new BufferedReader(inputStreamReader);

                          while ((string = bufferedreader.readLine()) != null) {
                              System.out.println("Received " + string);
                          }

                          inputStream = request.getInputStream();
                          inputStreamReader = new InputStreamReader(inputStream);
                          bufferedreader = new BufferedReader(inputStreamReader);

                          while ((string = bufferedreader.readLine()) != null) {
                              System.out.println("Received " + string);
                          }
                      }catch (Exception ex) {
                          ex.printStackTrace();
                          if(inputStream != null) {
                              try {
                                  inputStream.close();
                              } catch(Exception ex1) {

                              }
                          }
                      }
                  }

              }

               


              • Re: "XSRF prevention check failed. Possible XSRF discovered."
                Rama Thamman

                Thanks Jeff. Removing the duplicate param worked.
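
Added example (not part of the thread and not Qlik's sample code): a small Java preflight check that parses the request URL the way a query-string parser would and confirms that exactly one `Xrfkey` parameter is present and equal to the `X-Qlik-Xrfkey` header value. With the URL built as in the question, the single parameter's value is `?Xrfkey=0123456789abcdef`, which cannot match the header. The host `qlik.example`, the class and method names, the `&`/`=` splitting and the case-insensitive parameter name are assumptions made for illustration.

```java
import java.net.URI;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.List;

public class XrfkeyPreflight {
    private static final String ALPHANUM =
        "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    // Fresh 16-character alphanumeric key per request instead of a hard-coded constant.
    static String newXrfkey() {
        SecureRandom rnd = new SecureRandom();
        StringBuilder sb = new StringBuilder(16);
        for (int i = 0; i < 16; i++) sb.append(ALPHANUM.charAt(rnd.nextInt(ALPHANUM.length())));
        return sb.toString();
    }

    // Values of every Xrfkey query parameter (assumed parsing: split on '&', then on the first '=').
    static List<String> xrfkeyParams(String url) {
        List<String> values = new ArrayList<>();
        String query = URI.create(url).getRawQuery();
        if (query == null) return values;
        for (String pair : query.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (name.equalsIgnoreCase("Xrfkey")) values.add(eq < 0 ? "" : pair.substring(eq + 1));
        }
        return values;
    }

    // True only when exactly one Xrfkey parameter is present and it equals the header value.
    static boolean matchesHeader(String url, String headerValue) {
        List<String> values = xrfkeyParams(url);
        return values.size() == 1 && values.get(0).equals(headerValue);
    }

    public static void main(String[] args) {
        String key = "0123456789abcdef";                       // key used in the thread
        String base = "https://qlik.example:4243/qps/ticket";  // placeholder host (assumption)
        String broken = base + "?Xrfkey=" + "?Xrfkey=" + key;  // URL as built in the question
        String fixed = base + "?Xrfkey=" + key;                // duplicate parameter removed

        System.out.println(xrfkeyParams(broken) + " -> " + matchesHeader(broken, key));
        System.out.println(xrfkeyParams(fixed) + " -> " + matchesHeader(fixed, key));
        System.out.println("fresh key: " + newXrfkey());
    }
}
```

Calling `matchesHeader` on the final URL before `openConnection()` catches this kind of string-concatenation mistake on the client side, before the proxy rejects the request.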