Hi Joe, This is what I tried and it worked for me.

curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt \
  http://localhost:8080/api/v1/topology/wordcount-1-1419399960


From the above request I take the antiForgeryToken

curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST \
  -H 'x-csrf-token:aB5nEmd7TsQOeluQpRXqKo6rLfFDw3h+L4RwKGe7zVbhzMV9tJeX3bHu+Sh0vLa+vkbo71Rq2VoXfj4c' \
  http://localhost:8080/api/v1/topology/wordcount-1-1419399960/deactivate



The second curl request will succeed and will give you a 302, which is a
bug on the UI REST API part, but the above request will work.

-Harsha


On Tue, Dec 23, 2014, at 09:07 PM, Parth Brahmbhatt wrote:
> I am not sure why the command won’t work for you.
>
> If you want to see the actual post request from your browser you can
> follow the following steps:
>
> In Chrome, click on the settings button (it's on the top right corner)
>
> Settings -> More tools -> Developer Tools.
>
> On the developer tool bar click on the Network tab and check the
> "Preserve log" check box. Now navigate to a topology and click
> activate. In the network tab you will see a post request for activate.
> Right click on that and you will see a copy as curl option. This
> should give you the complete curl command. You can remove everything
> but the x-csrf-token and ring-session and see if the request succeeds.
>
>
> Thanks
> Parth
>
> On Dec 23, 2014, at 8:46 PM, Joe Zhang (SDE)
> <[email protected]> wrote:
>
>> I have passed both csrf token and the ring-session Ids as the second
>> request head, but it still has this issue ~
>>
>> But I can deactivate the topology using the Storm UI
>>
>> Best wishes
>> Joe zhang
>>
>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>> *Sent:* Wednesday, December 24, 2014 12:33 PM
>> *To:* Joe Zhang (SDE)
>> *Cc:* [email protected]
>> *Subject:* Re: Missing CSRF token error when trying to use POST
>> operations of Storm Rest API
>>
>> Sorry for the confusion, here is how it's working on my desktop. First
>> I make a get call with curl and write the cookie to a file:
>>
>> curl -c cookies.txt \
>>   'http://localhost:8080/api/v1/topology/wordcount-2-1419393872?sys=false'
>>
>> I copy the
>> "antiForgeryToken":"UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc"
>> value from the response and the "ring-session
>> c6880c5b-1651-412a-962b-763bba966d4e" value from cookies.txt file.
>>
>> Using these two values I make a post request:
>>
>> curl 'http://localhost:8080/api/v1/topology/wordcount-2-1419393872/deactivate' \
>>   -X POST \
>>   -H 'x-csrf-token: UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc' \
>>   -H 'Cookie: ring-session=c6880c5b-1651-412a-962b-763bba966d4e'
>>
>> Note that both csrf token and the ring-session Ids are passed as
>> headers.
>>
>>
>> Let me know if this still does not work for you.
>>
>> Thanks Parth
>>
>> On Dec 23, 2014, at 7:37 PM, Joe Zhang (SDE)
>> <[email protected]> wrote:
>>
>>
>>> Try using this
>>>
>>> curl 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate' \
>>>   -X POST \
>>>   -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE' \
>>>   -H 'Cookie: csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
>>>
>>> The highlight is the field I get from the response field
>>> antiForgeryToken, but Cookie:csrftoken also needs a csrftoken; what I
>>> mean is, where can I get this??
>>>
>>> Best wishes
>>> Joe zhang
>>>
>>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>>> *Sent:* Wednesday, December 24, 2014 11:18 AM
>>> *To:* Joe Zhang (SDE)
>>> *Cc:* [email protected]
>>> *Subject:* Re: Missing CSRF token error when trying to use POST
>>> operations of Storm Rest API
>>>
>>> Any GET request that you make will have a field called
>>> antiForgeryToken in the response. The value of this field should be
>>> sent as csrfToken.
>>>
>>> Thanks
>>> Parth
>>>
>>> On Dec 23, 2014, at 6:39 PM, Joe Zhang (SDE)
>>> <[email protected]> wrote:
>>>
>>>
>>>
>>>> How can I get
>>>> the Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4 ??
>>>>
>>>> Best wishes
>>>> Joe zhang
>>>>
>>>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>>>> *Sent:* Wednesday, December 24, 2014 12:49 AM
>>>> *To:* [email protected]
>>>> *Cc:* Joe Zhang (SDE)
>>>> *Subject:* Re: Missing CSRF token error when trying to use POST
>>>> operations of Storm Rest API
>>>>
>>>> Hey,
>>>>
>>>> Try using this
>>>>
>>>> curl 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate' \
>>>>   -X POST \
>>>>   -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE' \
>>>>   -H 'Cookie: csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
>>>>
>>>>
>>>>
>>>> On Mon, Dec 22, 2014 at 10:23 PM, Xiaoyong Zhu
>>>> <[email protected]> wrote:
>>>>> Hi Storm experts,
>>>>>
>>>>> My colleague and I are trying to use the REST API to activate or
>>>>> deactivate a Storm topology using C# HttpClient. Unfortunately, no
>>>>> matter how we tried, Storm returns the same error:
>>>>>
>>>>> { "error" : "Forbidden action.", "errorMessage" : "missing CSRF
>>>>> token." }
>>>>>
>>>>> We notice that "All the post requests below must include a header
>>>>> "x-csrf-token" with the value of "antiForgeryToken" from the GET
>>>>> response", but we still hit this error.
>>>>>
>>>>> Below is my code:
>>>>>
>>>>> <1> First Get CSRF Token
>>>>>
>>>>> string requestUrl =
>>>>>     "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340";
>>>>> HttpServerBroker serverBroker = new HttpServerBroker(null, null);
>>>>> string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "GET");
>>>>>
>>>>> <2> Using the token do the post request
>>>>>
>>>>> HttpServerBroker serverBroker = new HttpServerBroker(null, token);
>>>>>
>>>>> string requestUrl =
>>>>>     "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340/deactivate";
>>>>> string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "POST");
>>>>>
>>>>> using System;
>>>>> using System.IO;
>>>>> using System.Net;
>>>>>
>>>>> public class HttpServerBroker
>>>>> {
>>>>>     // In order to prevent CSRF vulnerability, storm rest API uses a CSRF token
>>>>>     private readonly string _antiForgeryToken;
>>>>>     private ICredentials _credentials;
>>>>>
>>>>>     public HttpServerBroker(ICredentials credentials, string antiForgeryToken)
>>>>>     {
>>>>>         _credentials = credentials;
>>>>>         _antiForgeryToken = antiForgeryToken;
>>>>>     }
>>>>>
>>>>>     // Sends the request and returns the response body as a string.
>>>>>     public string GetHttpRequestResult(string requestUrl, string method,
>>>>>         string contentType = "application/x-www-form-urlencoded",
>>>>>         string strPostData = null)
>>>>>     {
>>>>>         string httpResultString = null;
>>>>>         HttpWebRequest httpRequest = this.GenerateHttpRequest(requestUrl,
>>>>>             contentType, method, strPostData);
>>>>>         using (HttpWebResponse response = (HttpWebResponse)httpRequest.GetResponse())
>>>>>         {
>>>>>             using (Stream responseStream = response.GetResponseStream())
>>>>>             {
>>>>>                 if (responseStream != null)
>>>>>                 {
>>>>>                     using (StreamReader reader = new StreamReader(responseStream))
>>>>>                     {
>>>>>                         httpResultString = reader.ReadToEnd();
>>>>>                     }
>>>>>                 }
>>>>>             }
>>>>>         }
>>>>>
>>>>>         return httpResultString;
>>>>>     }
>>>>>
>>>>>     // Builds the request and attaches the x-csrf-token header when a token was supplied.
>>>>>     public HttpWebRequest GenerateHttpRequest(string requestUrl,
>>>>>         string contentType, string method, string strPostData)
>>>>>     {
>>>>>         HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestUrl);
>>>>>         request.ContentType = contentType;
>>>>>         request.Method = method;
>>>>>
>>>>>         if (!String.IsNullOrWhiteSpace(_antiForgeryToken))
>>>>>         {
>>>>>             request.Headers.Add("x-csrf-token", _antiForgeryToken.Trim());
>>>>>         }
>>>>>
>>>>>         // This is necessary since during NTLM authentication with the
>>>>>         // auth server, a session ID is passed around in a cookie. This
>>>>>         // cookie will not be passed correctly during authentication if
>>>>>         // a cookie container is not specified as cookies are disabled
>>>>>         // by default.
>>>>>         request.CookieContainer = new CookieContainer();
>>>>>
>>>>>         return request;
>>>>>     }
>>>>> }
>>>>>
>>>>> Any help will be appreciated! Thanks!
>>>>>
>>>>> Xiaoyong & Joe
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks Parth
>>>>
>>>> CONFIDENTIALITY NOTICE NOTICE: This message is intended for the use
>>>> of the individual or entity to which it is addressed and may
>>>> contain information that is confidential, privileged and exempt
>>>> from disclosure under applicable law. If the reader of this message
>>>> is not the intended recipient, you are hereby notified that any
>>>> printing, copying, dissemination, distribution, disclosure or
>>>> forwarding of this communication is strictly prohibited. If you
>>>> have received this communication in error, please contact the
>>>> sender immediately and delete it from your system. Thank You.


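The behaviour this thread converges on, as an added example (not code from the thread or from Storm): a stand-in server that checks x-csrf-token against the session named by the ring-session cookie, and a client that posts once with a separate cookie jar per request and once with one shared jar, as curl -b/-c does. MockUI, the demo-1-1 topology id and the session-bound check are assumptions made for illustration.

```python
import hmac, json, secrets, threading, urllib.error, urllib.request as ur
from http.cookiejar import CookieJar
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSIONS = {}                           # ring-session id -> token (stand-in state)
TOPOLOGY = "/api/v1/topology/demo-1-1"  # constructed topology id

class MockUI(BaseHTTPRequestHandler):   # hypothetical stand-in, not Storm's code
    log_message = lambda *args: None    # keep the demo quiet
    def _sid(self):
        morsel = SimpleCookie(self.headers.get("Cookie", "")).get("ring-session")
        return morsel.value if morsel else None
    def _reply(self, status, body, sid=None):
        self.send_response(status)
        if sid:
            self.send_header("Set-Cookie", f"ring-session={sid}; Path=/")
        self.end_headers()
        self.wfile.write(json.dumps(body).encode())
    def do_GET(self):                   # create a session if needed, return its token
        sid = self._sid()
        if sid not in SESSIONS:
            sid = secrets.token_hex(16)
            SESSIONS[sid] = secrets.token_urlsafe(32)
        self._reply(200, {"antiForgeryToken": SESSIONS[sid]}, sid)
    def do_POST(self):                  # header token must match the cookie's session
        want = SESSIONS.get(self._sid(), "").encode()
        sent = self.headers.get("x-csrf-token", "").encode()
        ok = bool(want) and hmac.compare_digest(want, sent)
        self._reply(200 if ok else 403, {"ok": ok})

def opener():                           # each opener owns exactly one cookie jar
    return ur.build_opener(ur.ProxyHandler({}), ur.HTTPCookieProcessor(CookieJar()))

def deactivate(base, get_with, post_with):
    token = json.load(get_with.open(base + TOPOLOGY))["antiForgeryToken"]
    req = ur.Request(base + TOPOLOGY + "/deactivate", data=b"",
                     method="POST", headers={"x-csrf-token": token})
    try:
        return post_with.open(req).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    srv = HTTPServer(("127.0.0.1", 0), MockUI)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base, shared = f"http://127.0.0.1:{srv.server_port}", opener()
    result = (deactivate(base, opener(), opener()), deactivate(base, shared, shared))
    srv.shutdown()
    return result                       # (jar per request, one shared jar)
```

Under that assumption, a client that creates a new cookie container for every request sends a valid token with no session to match it against, while one jar reused across the GET and the POST passes the check.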
