By the way, I find another thing:
If I keep the x-csrf-token and the cookie and then I use the same
x-csrf-token and the cookie saved when I do the post request(activate or
deactivate ) every time , will the save token or cookie be expired??
I also do anther experiment , for every post request , I will try get the
different x-csrf-token and cookie using the get
http://localhost:8080/api/v1/topology/wordcount-1-1419399960,it will failed
randomly and return the error of
{
"error" : "Forbidden action.",
"errorMessage" : "missing CSRF token."
}
Best wishes
Joe zhang
From: Joe Zhang (SDE) [mailto:[email protected]]
Sent: Wednesday, December 24, 2014 3:23 PM
To: [email protected]
Subject: RE: Missing CSRF token error when trying to use POST operations of
Storm Rest API
I can run it successully , thanks for your investigate
Best wishes
Joe zhang
From: Harsha [mailto:[email protected]]
Sent: Wednesday, December 24, 2014 1:57 PM
To: [email protected]<mailto:[email protected]>
Subject: Re: Missing CSRF token error when trying to use POST operations of
Storm Rest API
Hi Joe,
This is what I tried and it worked for me.
curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt
http://localhost:8080/api/v1/topology/wordcount-1-1419399960
from the above the request I take antiForgeryToken
curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST -H
'x-csrf-token:aB5nEmd7TsQOeluQpRXqKo6rLfFDw3h+L4RwKGe7zVbhzMV9tJeX3bHu+Sh0vLa+vkbo71Rq2VoXfj4c'
http://localhost:8080/api/v1/topology/wordcount-1-1419399960/deactivate
The second curl request will succeed and will give you a 302 which is a bug on
the UI rest api part but above request will work.
-Harsha
On Tue, Dec 23, 2014, at 09:07 PM, Parth Brahmbhatt wrote:
I am not sure why the command won’t work for you.
If you want to see the actual post request from your browser you can follow the
following steps:
In Chrome, Click on the settings button (its on the top right corner)
Settings -> More tools -> Developer Tools.
On the developer tool bar click on the Network tab and check the "Preserve log”
check box. Now navigate to a topology and click activate. In the network tab
you will see a post request for activate. Right Click on that and you will see
a copy as curl option. This should give you the complete curl command. You can
remove everything but the x-csrf-token and ring-session and see if the request
succeeds.
Thanks
Parth
On Dec 23, 2014, at 8:46 PM, Joe Zhang (SDE)
<[email protected]<mailto:[email protected]>> wrote:
I have passed both csrf token and the ring-session Ids as the second request
head, but It still has this issue ~
But I can deactivate the topology using the Storm UI
Best wishes
Joe zhang
From:Parth Brahmbhatt [mailto:[email protected]]
Sent:Wednesday, December 24, 2014 12:33 PM
To:Joe Zhang (SDE)
Cc:[email protected]<mailto:[email protected]>
Subject:Re: Missing CSRF token error when trying to use POST operations of
Storm Rest API
Sorry for the confusion here is how its working on my desktop. First I make a
get call with curl and write the cookie to a file:
curl -c cookies.txt
'http://localhost:8080/api/v1/topology/wordcount-2-1419393872?sys=false'
I copy the
"antiForgeryToken":"UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc”
value from the response and the “ring-session
c6880c5b-1651-412a-962b-763bba966d4e" value from cookies.txt file.
Using these two values I make a post request :
curl
'http://localhost:8080/api/v1/topology/wordcount-2-1419393872/deactivate'-X
POST -H 'x-csrf-token:
UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc'
-H 'Cookie: ring-session=c6880c5b-1651-412a-962b-763bba966d4e’
Note that both csrf token and the ring-session Ids are passed as headers.
Let me know if this still does not work for you.
Thanks
Parth
On Dec 23, 2014, at 7:37 PM, Joe Zhang (SDE)
<[email protected]<mailto:[email protected]>> wrote:
Try using this curl
'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate<http://www.google.com/url?q=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fv1%2Ftopology%2Fwordcount-1-1417552268%2Fdeactivate&sa=D&sntz=1&usg=AFQjCNHoQwJSyBCU7x5ZJ2c6b4r18gkRtw>'
-X POST -H 'x-csrf-token:
K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE'-H'Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4;
ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
The high light is the filed I get from response filed antiForgeryToken,
butCookie:csrftoken also need a csrftoken, what I mean is where can I get this??
Best wishes
Joe zhang
From:Parth Brahmbhatt [mailto:[email protected]]
Sent:Wednesday, December 24, 2014 11:18 AM
To:Joe Zhang (SDE)
Cc:[email protected]<mailto:[email protected]>
Subject:Re: Missing CSRF token error when trying to use POST operations of
Storm Rest API
any get request that you make will have a field called antiForgeryToken in
response. The value of this field should be sent as csrfToken.
Thanks
Parth
On Dec 23, 2014, at 6:39 PM, Joe Zhang (SDE)
<[email protected]<mailto:[email protected]>> wrote:
How can I get theCookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4 ??
Best wishes
Joe zhang
From:Parth Brahmbhatt [mailto:[email protected]]
Sent:Wednesday, December 24, 2014 12:49 AM
To:[email protected]<mailto:[email protected]>
Cc:Joe Zhang (SDE)
Subject:Re: Missing CSRF token error when trying to use POST operations of
Storm Rest API
Hey,
Try using this curl
'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate<http://www.google.com/url?q=http%3A%2F%2Flocalhost%3A8080%2Fapi%2Fv1%2Ftopology%2Fwordcount-1-1417552268%2Fdeactivate&sa=D&sntz=1&usg=AFQjCNHoQwJSyBCU7x5ZJ2c6b4r18gkRtw>'
-X POST -H 'x-csrf-token:
K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE'
-H'Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4;
ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
On Mon, Dec 22, 2014 at 10:23 PM, Xiaoyong Zhu
<[email protected]<mailto:[email protected]>> wrote:
Hi Storm experts,
My colleague and I are trying to using the REST API to active or detactive
storm topology using C# Httpclient. Unfortunately , no matter how we tried,
Storm returns the same error :
{
"error" : "Forbidden action.",
"errorMessage" : "missing CSRF token."
}
We notice that“ All the post requests below must include a header
"x-csrf-token" with the value of "antiForgeryToken" from the GET response”, but
we still hit this error.
Below is my code:
<1> First Get CSRF Token
string requestUrl =
"http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340";;
HttpServerBroker serverBroker = new HttpServerBroker(null, null);
string jsonResult = serverBroker.GetHttpRequestResult(requestUrl,
"GET");
<2> Using the token do the post request
HttpServerBroker serverBroker = new HttpServerBroker(null, token);
string requestUrl =
"http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340/deactivate";;
string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "POST");
public class HttpServerBroker
{
// In order to prevent CSRF vulnerability, storm rest API uses a CSRF
token
private readonly string _antiForgeryToken;
private ICredentials _credentials;
public HttpServerBroker(ICredentials credentials, string
antiForgeryToken)
{
_credentials = credentials;
_antiForgeryToken = antiForgeryToken;
}
public string GetHttpRequestResult(string requestUrl, string method,
string contentType = "application/x-www-form-urlencoded", string strPostData =
null)
{
string httpResultString = null;
HttpWebRequest httpRequest = this.GenerateHttpRequest(requestUrl,
contentType, method, strPostData);
using (HttpWebResponse response =
(HttpWebResponse)httpRequest.GetResponse())
{
using (Stream responseStream = response.GetResponseStream())
{
if (responseStream != null)
{
using (StreamReader reader = new
StreamReader(responseStream))
{
httpResultString = reader.ReadToEnd();
}
}
}
}
return httpResultString;
}
public HttpWebRequest GenerateHttpRequest(string requestUrl, string
contentType, string method, string strPostData)
{
HttpWebRequest request =
(HttpWebRequest)WebRequest.Create(requestUrl);
request.ContentType = contentType;
request.Method = method;
if (!String.IsNullOrWhiteSpace(_antiForgeryToken))
{
request.Headers.Add("x-csrf-token", _antiForgeryToken.Trim());
}
// This is necessary since during NTLM authentication with the
// auth server, a session ID is passed around in a cookie. This
// cookie will not be passed correctly during authentication if
// a cookie container is not specified as cookies are disabled
// by default.
request.CookieContainer = new CookieContainer();
return request;
}
}
Any help will be appreciated! Thanks!
Xiaoyong & Joe
--
Thanks
Parth
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader of
this message is not the intended recipient, you are hereby notified that any
printing, copying, dissemination, distribution, disclosure or forwarding of
this communication is strictly prohibited. If you have received this
communication in error, please contact the sender immediately and delete it
from your system. Thank You.
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader of
this message is not the intended recipient, you are hereby notified that any
printing, copying, dissemination, distribution, disclosure or forwarding of
this communication is strictly prohibited. If you have received this
communication in error, please contact the sender immediately and delete it
from your system. Thank You.
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader of
this message is not the intended recipient, you are hereby notified that any
printing, copying, dissemination, distribution, disclosure or forwarding of
this communication is strictly prohibited. If you have received this
communication in error, please contact the sender immediately and delete it
from your system. Thank You.
CONFIDENTIALITY NOTICE
NOTICE: This message is intended for the use of the individual or entity to
which it is addressed and may contain information that is confidential,
privileged and exempt from disclosure under applicable law. If the reader of
this message is not the intended recipient, you are hereby notified that any
printing, copying, dissemination, distribution, disclosure or forwarding of
this communication is strictly prohibited. If you have received this
communication in error, please contact the sender immediately and delete it
from your system. Thank You.
