12 Replies Latest reply: Dec 7, 2016 11:22 AM by praveena mundolimoole RSS

    Rejected when making POST calls.

    Jack Lee

      Dear Qlik users.

       

      I'm trying to integrate with our Qlik Sense service in a .NET-program.

       

      I don't have problem running these tutorials / examples:

       

      Creating a working ASP.NET MVC example ‒ Qlik Sense

      https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/Plugins/Content/GettingStarted/CreatingWorkingExUsingToolbox.htm

       

      Connecting using Microsoft Windows authentication ‒ Qlik Sense

      https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/RepositoryServiceAPI/Content/RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-DotNet-Windows.htm

       

      But things seem to get more convoluted for doing POST operations.

       

      I've been trying to copy an app with this request:

      POST http://[servername]/QRS/app/0f2e9f6d-360f-475e-a446-f0a7f1da69b6/copy?name=NewPlayground&xrfkey=0123456789abcdef

       

      This is the result:

       

      Error 403 - Forbidden

      The initial authentication request must be a GET request in order to be redirected to the authentication module.

       

      OK, so I tried sending this GET-request prior to the POST:

       

      GET http://[servername]/QRS/app?xrfkey=0123456789abcdef&qlikTicket=0MMtH8KE5W6swG8K

       

      This went fine, the server returned the list of apps but this is apparently not enough to create a "session cookie" for the subsequent POST as described here:

       

      Issuing POST commands via the proxy ‒ Qlik Sense

      https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/RepositoryServiceAPI/Content/RepositoryServiceAPI/RepositoryServiceAPI-Example-Connect-POST-Proxy.htm

       

      The word "session" is also mentioned here:

       

      Authentication ‒ Qlik Sense

      https://help.qlik.com/en-US/sense/2.2/Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-Security-Authentication.htm

       

      "Using the Session API, whereby an external module can transfer web sessions that identify the user and the user's attributes to Qlik Sense."

       

      Is this somehow connected to the "session cookie" I need for making POST calls? If so, what could this "external module" be?

       

      Someone has asked a similar question less than a week ago:

       

      Qlik Sense Engine API Authorization | Qlik Community

      https://community.qlik.com/message/1049837#1049837

       

      ...and the answer is suggesting OP to have a look at QlikAuthNet but it seems to be based on "ticket authentication". But surely, it must be enough authenticate using Windows authentication as described in the following links below?

       

      Default authentication module ‒ Qlik Sense

      https://help.qlik.com/en-US/sense/2.2/Subsystems/PlanningQlikSenseDeployments/Content/Server/Server-Security-Authentication-MS-Windows-Environment.htm

       

      Authenticating with a Windows user account ‒ Qlik Sense

      https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/RepositoryServiceAPI/Content/RepositoryServiceAPI/RepositoryServiceAPI-Connect-API-Authenticate-Reqs-NTLM.htm

       

      I can see another person solved this by "using certificates":

       

      Duplicate App using .NET SDK | Qlik Community

      https://community.qlik.com/message/732327#732327

       

      But then... what is the Windows authentication for? Only for GET-requests?

        • Re: Rejected when making POST calls.
          Gustav Gager

          Hi! Did you ever get this to work? Im having the exat same issue. GET request works fine but it doesnt return any cookies and there are no special headers or anything that i can use.

            • Re: Rejected when making POST calls.
              Jack Lee

              Hi Gustav.

               

              No I still haven't figured out what to do yet. But I've read the documentation again and I think I understand the concept now. Basically, in my case, Windows authentication is used as the "middle man" to retrieve a ticket from the proxy service but not for authenticating the proxy directly.

               

              It also helps I have access to our QMC so I can see what you can configure in the administration.

               

              I'm going to look a bit further into the "ticket" solution which seems to require a certificate. It can easily be exported from the QMC but it's not enough "just" to install it in your local repository and expect QlikAuthNet to work.

                • Re: Rejected when making POST calls.
                  Gustav Gager

                  Hi Jack.

                  Yes im currently working on something similar. I have created a certificate on the server and imported it on my client and now i try to authenticate using the certificate. Im not have much luck though. And i would like to skip tye certificates if i can.

                   

                  The strange thing is that if i use Postman i can get a POST command working with no problem at all...

                    • Re: Rejected when making POST calls.
                      Jack Lee

                      Hi Gustav.

                       

                      How did you get the POST command working? I'm using Fiddler.

                       

                      Request: /GET http://[SERVERNAME:8081]/sense/app/0f2e9f6d-360f-475e-a446-f0a7f1da69b6

                       

                      First response:

                       

                      HTTP/1.1 302 Authenticate at this location

                      Location: http://[SERVERNAME:4248]/form/?targetId=8375dd73-c7e9-4ff9-b7e7-6dd9040b2d9c

                      Content-Length: 0

                      Access-Control-Allow-Origin: http://[SERVERNAME:8081]

                       

                      Then the second response is a HTML page, seemingly for entering username and password. I'm wondering if the right GET-parameters would lead me to /windows_authentication.

                       

                      Can you do stuff like CopyApp using POST?

                       

                      I've gotten hold of the .NET SDK and I can easily do CreateApp but apparently CopyApp, ImportApp and others are only available through the REST API [1] so I'm back to square one.

                       

                      /Jack

                       

                      [1] Publishing an app using the .Net API - why not ... | Qlik Community

                      https://community.qlik.com/message/872234#872234

                        • Re: Rejected when making POST calls.
                          Gustav Gager

                          Hi Jack!

                          I did not try Copy App, but i got the "start task" working using Postman (a add-in to google chrome). If i have time later, i can try copy app for you. Post man uses just standard Windows authentication, witch is exactly what i want. But as you know, we cant get it to work.

                          Have you tried exporting certificates from the server and use thoose with authentication?

                            • Re: Rejected when making POST calls.
                              Jack Lee

                              Hi again.

                               

                              Dunno how I've managed to oversee this page but it looks like a full code sample for retrieving a ticket using server certificates

                               

                              Connecting to the QPS API using certificates ‒ Qlik Sense

                              https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-Example-Connect-API-Certificates.htm

                               

                              For the arguments to the TicketRequest method, 'user' and 'userDirectory', I had to read their definitions here:

                               

                              Qlik Sense User Directory Connector API ‒ Qlik Sense

                              https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/UserDirectoryConnectorAPI/Content/UDCAPI/UDCAPI-Introduction.htm?q=user%20directory

                               

                              Anyway, the good thing is I can see the program is fetching the QlikClient certificate from my local store. The lesser good thing is that I'm still getting "403 Forbidden" from the QPS.


                              I had Fiddler running in the background at the same time and this seems to be the underlying cause:

                               

                              HTTP/1.1 403 No client certificate supplied!

                              Cache-Control: private, must-revalidate, max-age=0

                              Expires: Wed, 15 Jun 2016 15:34:23 GMT

                              Server: QPS/2.1.1.0 Microsoft-HTTPAPI/2.0

                              Date: Wed, 15 Jun 2016 15:34:22 GMT

                              Content-Length: 0

                               

                              Considering the code added the certificate to the request I don't know why I get this... Well, that's enough testing for today.

                                • Re: Rejected when making POST calls.
                                  Jack Lee

                                  So, not sure if either Fiddler or re-exporting the certificate actually helped but..

                                   

                                  1) I re-exported the certificate from the QMC. I didn't add a secret key nor password. Installed the client.pfx on my developer machine.

                                  2) Ran the code again and this time it works woohoo!

                                   

                                  Then because I wanted to see how a proper request/response flow looks like I enabled Fiddler again... This time it returned the "403 Forbidden" error message again. I suppose Fiddler is using its own certificate for https communication which is not what the server expected or something?

                                   

                                  So I'm not sure if the code would have worked yesterday if I didn't have Fiddler enabled (i.e. didn't need to re-export the certificate) but I'm getting a proper response including the ticket. So hopefully, now comes the fun part...

                                    • Re: Rejected when making POST calls.
                                      Gustav Gager

                                      This is great news!

                                      So you basicly just exported the Server certs from the QMC and imported them on you local machine? In my case im building a small application that will run on the local server itself and the certificates are already there so i should be ok.

                                       

                                      But did you write your code in C#? Or what did you write it in?

                                        • Re: Rejected when making POST calls.
                                          Jack Lee

                                          Yeah, I only imported client.pfx, not the server's. But sounds like you should be ok, assuming you're also developing on the Qlik-server too?

                                           

                                          Yes, I'm coding in C#. Code sample can be found here:

                                           

                                          Connecting to the QPS API using certificates ‒ Qlik Sense

                                          https://help.qlik.com/en-US/sense-developer/2.2/Subsystems/ProxyServiceAPI/Content/ProxyServiceAPI/ProxyServiceAPI-Example-Connect-API-Certificates.htm

                                            • Re: Rejected when making POST calls.
                                              Gustav Gager

                                              Ok. But are you connecting directly to the Engine, or are you going trough the proxy? This error only occurs becuase POSt command have some issues while going trough the proxy. And to go directly, you need the certificates.

                                               

                                              Im not programming in C# and i have never done so. Im scripting in a language called autoit and I have only got this to work trough the proxy

                                               

                                              Edit: Here is my working code for a standard GET request.

                                              This uses a standard web request with username and password and i query the Proxy, and i get a response.

                                              $key = "ABCDEFGHIJKLMNOP"
                                              $password = "password"
                                              $objHTTP = ObjCreate("Msxml2.XMLHTTP.6.0")
                                              $objHTTP.open("GET","http://servername/qrs/about/?Xrfkey=" & $key, False,@UserName,$password)
                                              $objHTTP.setRequestHeader("X-Qlik-Xrfkey",$key)
                                              $objHTTP.send()
                                              ConsoleWrite("Sense API Output: " & $objHTTP.responseText & @CRLF)
                                              

                                               

                                              But if i do this:

                                              $key = "ABCDEFGHIJKLMNOP"
                                              $password = "password"
                                              $objHTTP = ObjCreate("Msxml2.XMLHTTP.6.0")
                                              $objHTTP.open("POST","http://servername/qrs/task/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/start/?Xrfkey=" & $key, False,@UserName,$password)
                                              $objHTTP.setRequestHeader("X-Qlik-Xrfkey",$key)
                                              $objHTTP.send()
                                              ConsoleWrite("Sense API Output: " & $objHTTP.responseText & @CRLF)
                                              

                                              I get HTML code. The code is basicly a standard page that say i need to make a GET request first.

                                              So does that mean that I need to query the Repository directly? I tried but i just get diffrent errors.

                              • Re: Rejected when making POST calls.
                                Jose Cardenas

                                Hi Gustav

                                 

                                I've tried with Postman and no getting result using header config.  I've got cookie and everything seems to be alright, but for some reason I've got a XSRF msg and 403 forbidden.  Any Ideas?

                              • Re: Rejected when making POST calls.
                                praveena mundolimoole

                                If you are using WebClient for you QRS API operations use below code to attach cookie to all your HTTP requests.

                                 

                                public class CookierAwareWebClient : WebClient

                                    {

                                        public CookieContainer QRSCookieContainer = new CookieContainer();

                                 

                                 

                                        protected override WebRequest GetWebRequest(Uri address)

                                        {

                                            HttpWebRequest request = (HttpWebRequest)base.GetWebRequest(address);

                                            request.CookieContainer = QRSCookieContainer;

                                            request.UserAgent = "Windows";

                                            return request;

                                        }

                                    }