Xiaoyong, it looks like a bug. Please file a JIRA here:
https://issues.apache.org/jira/secure/Dashboard.jspa . Use the "Create"
button and make sure you select "Apache Storm" as the project. Example:
https://issues.apache.org/jira/browse/STORM-187

-Harsha


On Wed, Dec 24, 2014, at 11:04 PM, Xiaoyong Zhu wrote:
> Is this some bug in Storm? If so, how could we file bugs for the
> community?
>
> Xiaoyong
>
> *From:* Joe Zhang (SDE) [mailto:[email protected]]
> *Sent:* Wednesday, December 24, 2014 4:17 PM
> *To:* [email protected]
> *Subject:* RE: Missing CSRF token error when trying to use POST operations of Storm Rest API
>
> I did some more investigation of the random error.
>
> I found that some x-csrf-token values obtained from the first HTTP GET
> request contain "\/", for example
> "\/dE\/k8N5H0Ora1IY9UAfx3fc7M4b0EZOMbWUXdUNn9IitAjOhmup+OiHx\/v5W+kUuWu4TkBsFsfvd7Km"
>
> If I replace \/ with /, this should be
> /dE/k8N5H0Ora1IY9UAfx3fc7M4b0EZOMbWUXdUNn9IitAjOhmup+OiHx/v5W+kUuWu4TkBsFsfvd7Km,
> and it can run the second POST request successfully~
>
> Best wishes
> Joe Zhang
>
> *From:* Joe Zhang (SDE) [mailto:[email protected]]
> *Sent:* Wednesday, December 24, 2014 3:53 PM
> *To:* [email protected]
> *Subject:* RE: Missing CSRF token error when trying to use POST operations of Storm Rest API
>
> By the way, I found another thing:
>
> If I keep the x-csrf-token and the cookie, and then use the same saved
> x-csrf-token and cookie every time I do the POST request (activate or
> deactivate), will the saved token or cookie expire??
>
> I also did another experiment: for every POST request I try to get a
> different x-csrf-token and cookie using the GET
> http://localhost:8080/api/v1/topology/wordcount-1-1419399960, and it
> fails randomly and returns the error:
>
> {
>   "error" : "Forbidden action.",
>   "errorMessage" : "missing CSRF token."
> }
>
> Best wishes
> Joe Zhang
>
> *From:* Joe Zhang (SDE) [mailto:[email protected]]
> *Sent:* Wednesday, December 24, 2014 3:23 PM
> *To:* [email protected]
> *Subject:* RE: Missing CSRF token error when trying to use POST operations of Storm Rest API
>
> I can run it successfully, thanks for your investigation.
>
> Best wishes
> Joe Zhang
>
> *From:* Harsha [mailto:[email protected]]
> *Sent:* Wednesday, December 24, 2014 1:57 PM
> *To:* [email protected]
> *Subject:* Re: Missing CSRF token error when trying to use POST operations of Storm Rest API
>
> Hi Joe,
>
> This is what I tried and it worked for me.
>
> curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt http://localhost:8080/api/v1/topology/wordcount-1-1419399960
>
> From the above request I take the antiForgeryToken.
>
> curl -i -b ~/cookiejar.txt -c ~/cookiejar.txt -X POST -H 'x-csrf-token:aB5nEmd7TsQOeluQpRXqKo6rLfFDw3h+L4RwKGe7zVbhzMV9tJeX3bHu+Sh0vLa+vkbo71Rq2VoXfj4c' http://localhost:8080/api/v1/topology/wordcount-1-1419399960/deactivate
>
> The second curl request will succeed and will give you a 302, which is
> a bug on the UI REST API part, but the above request will work.
>
> -Harsha
>
> On Tue, Dec 23, 2014, at 09:07 PM, Parth Brahmbhatt wrote:
>> I am not sure why the command won't work for you.
>>
>> If you want to see the actual POST request from your browser you can
>> follow these steps:
>>
>> In Chrome, click on the settings button (it's in the top right corner).
>>
>> Settings -> More tools -> Developer Tools.
>>
>> On the developer tool bar click on the Network tab and check the
>> "Preserve log" check box. Now navigate to a topology and click
>> activate. In the Network tab you will see a POST request for
>> activate. Right click on that and you will see a "copy as curl" option.
>> This should give you the complete curl command. You can remove
>> everything but the x-csrf-token and ring-session and see if the
>> request succeeds.
>>
>> Thanks
>> Parth
>>
>> On Dec 23, 2014, at 8:46 PM, Joe Zhang (SDE) <[email protected]> wrote:
>>
>>> I have passed both the CSRF token and the ring-session IDs in the second
>>> request header, but it still has this issue ~
>>>
>>> But I can deactivate the topology using the Storm UI.
>>>
>>> Best wishes
>>> Joe Zhang
>>>
>>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>>> *Sent:* Wednesday, December 24, 2014 12:33 PM
>>> *To:* Joe Zhang (SDE)
>>> *Cc:* [email protected]
>>> *Subject:* Re: Missing CSRF token error when trying to use POST operations of Storm Rest API
>>>
>>> Sorry for the confusion, here is how it's working on my desktop. First
>>> I make a GET call with curl and write the cookie to a file:
>>>
>>> curl -c cookies.txt 'http://localhost:8080/api/v1/topology/wordcount-2-1419393872?sys=false'
>>>
>>> I copy the
>>> "antiForgeryToken":"UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc"
>>> value from the response and the "ring-session
>>> c6880c5b-1651-412a-962b-763bba966d4e" value from the cookies.txt file.
>>>
>>> Using these two values I make a POST request:
>>>
>>> curl 'http://localhost:8080/api/v1/topology/wordcount-2-1419393872/deactivate' -X POST -H 'x-csrf-token: UtBiKWAewurAl+QZNQLPCY969YBPMRdrxGhOB9yL35sXzFRNQLIOOMi6kSg9yIAT5NLdRz0VF2iCdmEc' -H 'Cookie: ring-session=c6880c5b-1651-412a-962b-763bba966d4e'
>>>
>>> Note that both the CSRF token and the ring-session IDs are passed as
>>> headers.
>>>
>>> Let me know if this still does not work for you.
>>>
>>> Thanks
>>> Parth
>>>
>>> On Dec 23, 2014, at 7:37 PM, Joe Zhang (SDE) <[email protected]> wrote:
>>>
>>>> Try using this curl
>>>> 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate' -X POST -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE' -H 'Cookie: csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
>>>>
>>>> The highlighted part is the field I get from the response field
>>>> antiForgeryToken, but Cookie:csrftoken also needs a csrftoken; what I
>>>> mean is, where can I get this??
>>>>
>>>> Best wishes
>>>> Joe Zhang
>>>>
>>>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>>>> *Sent:* Wednesday, December 24, 2014 11:18 AM
>>>> *To:* Joe Zhang (SDE)
>>>> *Cc:* [email protected]
>>>> *Subject:* Re: Missing CSRF token error when trying to use POST operations of Storm Rest API
>>>>
>>>> Any GET request that you make will have a field called antiForgeryToken
>>>> in the response. The value of this field should be sent as csrfToken.
>>>>
>>>> Thanks
>>>> Parth
>>>>
>>>> On Dec 23, 2014, at 6:39 PM, Joe Zhang (SDE) <[email protected]> wrote:
>>>>
>>>>> How can I get the Cookie:csrftoken=64142f8e6fc9f9bedc70b15aef657ef4 ??
>>>>>
>>>>> Best wishes
>>>>> Joe Zhang
>>>>>
>>>>> *From:* Parth Brahmbhatt [mailto:[email protected]]
>>>>> *Sent:* Wednesday, December 24, 2014 12:49 AM
>>>>> *To:* [email protected]
>>>>> *Cc:* Joe Zhang (SDE)
>>>>> *Subject:* Re: Missing CSRF token error when trying to use POST operations of Storm Rest API
>>>>>
>>>>> Hey,
>>>>>
>>>>> Try using this curl
>>>>> 'http://localhost:8080/api/v1/topology/wordcount-1-1417552268/deactivate' -X POST -H 'x-csrf-token: K7RAB7TXD579g4JCs2hK6S0bxP35x8IZB4uFZqueT1eqj451+pvz0b7BGvFi2DZ2HKLenCJQTSE5hSlE' -H 'Cookie: csrftoken=64142f8e6fc9f9bedc70b15aef657ef4; ring-session=e1c4715f-e3d3-47e1-8573-1f736cefdb34'
>>>>>
>>>>> On Mon, Dec 22, 2014 at 10:23 PM, Xiaoyong Zhu <[email protected]> wrote:
>>>>>> Hi Storm experts,
>>>>>>
>>>>>> My colleague and I are trying to use the REST API to activate or
>>>>>> deactivate a Storm topology using the C# HttpClient. Unfortunately, no
>>>>>> matter how we tried, Storm returns the same error:
>>>>>>
>>>>>> {
>>>>>>   "error" : "Forbidden action.",
>>>>>>   "errorMessage" : "missing CSRF token."
>>>>>> }
>>>>>>
>>>>>> We noticed that "All the post requests below must include a header
>>>>>> "x-csrf-token" with the value of "antiForgeryToken" from the GET
>>>>>> response", but we still hit this error.
>>>>>>
>>>>>> Below is my code:
>>>>>>
>>>>>> <1> First get the CSRF token
>>>>>>
>>>>>> string requestUrl = "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340";
>>>>>> HttpServerBroker serverBroker = new HttpServerBroker(null, null);
>>>>>> string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "GET");
>>>>>>
>>>>>> <2> Using the token, do the POST request
>>>>>>
>>>>>> // token: the antiForgeryToken value taken from jsonResult (extraction not shown)
>>>>>> HttpServerBroker serverBroker = new HttpServerBroker(null, token);
>>>>>> string requestUrl = "http://127.0.0.1:8744/api/v1/topology/my_word_count-4-1417592340/deactivate";
>>>>>> string jsonResult = serverBroker.GetHttpRequestResult(requestUrl, "POST");
>>>>>>
>>>>>> using System;
>>>>>> using System.IO;
>>>>>> using System.Net;
>>>>>>
>>>>>> public class HttpServerBroker
>>>>>> {
>>>>>>     // In order to prevent CSRF vulnerability, storm rest API uses a CSRF token
>>>>>>     private readonly string _antiForgeryToken;
>>>>>>     private ICredentials _credentials;
>>>>>>
>>>>>>     public HttpServerBroker(ICredentials credentials, string antiForgeryToken)
>>>>>>     {
>>>>>>         _credentials = credentials;
>>>>>>         _antiForgeryToken = antiForgeryToken;
>>>>>>     }
>>>>>>
>>>>>>     // Sends the request and returns the response body as a string.
>>>>>>     public string GetHttpRequestResult(string requestUrl, string method,
>>>>>>         string contentType = "application/x-www-form-urlencoded",
>>>>>>         string strPostData = null)
>>>>>>     {
>>>>>>         string httpResultString = null;
>>>>>>         HttpWebRequest httpRequest = this.GenerateHttpRequest(requestUrl, contentType, method, strPostData);
>>>>>>
>>>>>>         using (HttpWebResponse response = (HttpWebResponse)httpRequest.GetResponse())
>>>>>>         {
>>>>>>             using (Stream responseStream = response.GetResponseStream())
>>>>>>             {
>>>>>>                 if (responseStream != null)
>>>>>>                 {
>>>>>>                     using (StreamReader reader = new StreamReader(responseStream))
>>>>>>                     {
>>>>>>                         httpResultString = reader.ReadToEnd();
>>>>>>                     }
>>>>>>                 }
>>>>>>             }
>>>>>>         }
>>>>>>
>>>>>>         return httpResultString;
>>>>>>     }
>>>>>>
>>>>>>     public HttpWebRequest GenerateHttpRequest(string requestUrl, string contentType, string method, string strPostData)
>>>>>>     {
>>>>>>         HttpWebRequest request = (HttpWebRequest)WebRequest.Create(requestUrl);
>>>>>>         request.ContentType = contentType;
>>>>>>         request.Method = method;
>>>>>>
>>>>>>         // The token is only attached when the caller supplied one.
>>>>>>         if (!String.IsNullOrWhiteSpace(_antiForgeryToken))
>>>>>>         {
>>>>>>             request.Headers.Add("x-csrf-token", _antiForgeryToken.Trim());
>>>>>>         }
>>>>>>
>>>>>>         // This is necessary since during NTLM authentication with the
>>>>>>         // auth server, a session ID is passed around in a cookie. This
>>>>>>         // cookie will not be passed correctly during authentication if
>>>>>>         // a cookie container is not specified as cookies are disabled
>>>>>>         // by default.
>>>>>>         // Note: a new, empty CookieContainer is created for every request,
>>>>>>         // so cookies set by an earlier response (such as ring-session) are not resent.
>>>>>>         request.CookieContainer = new CookieContainer();
>>>>>>
>>>>>>         return request;
>>>>>>     }
>>>>>> }
>>>>>>
>>>>>> Any help will be appreciated! Thanks!
>>>>>>
>>>>>> Xiaoyong & Joe
>>>>>
>>>>> --
>>>>> Thanks
>>>>> Parth
>>>>>
>>>>> CONFIDENTIALITY NOTICE
>>>>> NOTICE: This message is intended for the use of the individual or
>>>>> entity to which it is addressed and may contain information that
>>>>> is confidential, privileged and exempt from disclosure under applicable law. If the
>>>>> reader of this message is not the intended recipient, you are hereby
>>>>> notified that any printing, copying, dissemination, distribution,
>>>>> disclosure or forwarding of this communication is strictly prohibited.
>>>>> If you have received this communication in error, please contact the
>>>>> sender immediately and delete it from your system. Thank You.
>>>>>
>
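The thread ends with two findings: the POST must carry both the x-csrf-token header and the ring-session cookie from the GET that issued the token (Parth's and Harsha's curl commands), and the token must be JSON-unescaped before use, since the raw response body contains "\/" (Joe's last message). The following Python example is added here and is not code from the thread, from Storm, or from the C# client above. It builds a constructed stand-in server (ToyStormHandler) that behaves the way the thread describes, a synchronizer token bound to the ring-session cookie and the same 403 body on failure, and runs three client variants against it: JSON-parsed token with a shared cookie jar, a raw substring copy that keeps the backslashes, and a fresh cookie jar for the POST (which is what `new CookieContainer()` per request does in the C# code). The topology name, port and token format are assumptions chosen to mirror the thread.

```python
"""Toy Storm-UI-style CSRF check plus clients that do and do not satisfy it.

Added example, not Storm's code: ToyStormHandler is a constructed stand-in that
mimics what the thread reports (every GET returns "antiForgeryToken" bound to a
ring-session cookie; a POST whose x-csrf-token does not match the token of the
session it carries gets the "missing CSRF token." 403 body).
"""
import base64
import http.cookiejar
import json
import re
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

FORBIDDEN = json.dumps({"error": "Forbidden action.", "errorMessage": "missing CSRF token."})
SESSIONS = {}  # ring-session id -> antiForgeryToken issued for that session


class ToyStormHandler(BaseHTTPRequestHandler):
    def log_message(self, *args):
        pass  # keep the demo quiet

    def _reply(self, status, body, extra_headers=()):
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        for name, value in extra_headers:
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode())

    def do_GET(self):
        # Each GET opens a session and returns the token bound to it. The token is
        # constructed to contain "/" so the hand-built JSON body escapes it as "\/",
        # reproducing what the thread observed in real responses.
        sid = secrets.token_hex(16)
        token = "/" + base64.b64encode(secrets.token_bytes(24)).decode()
        SESSIONS[sid] = token
        body = '{"antiForgeryToken":"%s"}' % token.replace("/", "\\/")
        self._reply(200, body, [("Set-Cookie", "ring-session=%s; Path=/" % sid)])

    def do_POST(self):
        # Synchronizer-token check: the header must equal the token stored for the
        # session named by the ring-session cookie; no cookie means no session.
        match = re.search(r"ring-session=([^;]+)", self.headers.get("Cookie", ""))
        expected = SESSIONS.get(match.group(1)) if match else None
        supplied = self.headers.get("x-csrf-token")
        if expected is None or supplied is None or not secrets.compare_digest(supplied, expected):
            self._reply(403, FORBIDDEN)
            return
        self._reply(200, '{"status":"ok"}')


def start_server():
    srv = HTTPServer(("127.0.0.1", 0), ToyStormHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]


def token_via_json(raw):
    """Parse the body as JSON; json.loads turns the escaped "\\/" back into "/"."""
    return json.loads(raw)["antiForgeryToken"]


def token_via_regex(raw):
    """Copy the raw substring, keeping the backslashes (the failing approach)."""
    return re.search(r'"antiForgeryToken":"([^"]*)"', raw).group(1)


def deactivate(base_url, topology, extract, keep_cookies=True):
    """GET the topology, extract the token, POST /deactivate; return the HTTP status.

    keep_cookies=False sends the POST from an empty cookie jar, which is what a
    fresh CookieContainer per request does in the C# client from the thread.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    with opener.open("%s/api/v1/topology/%s" % (base_url, topology)) as resp:
        token = extract(resp.read().decode())
    if not keep_cookies:
        opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    req = urllib.request.Request("%s/api/v1/topology/%s/deactivate" % (base_url, topology),
                                 data=b"", method="POST", headers={"x-csrf-token": token})
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo(topology="wordcount-1-1419399960"):
    """Return the POST status for the three client variants discussed in the thread."""
    srv, base = start_server()
    try:
        return {
            "json_parse_and_cookie_jar": deactivate(base, topology, token_via_json),
            "raw_substring_keeps_escape": deactivate(base, topology, token_via_regex),
            "fresh_cookie_jar_per_request": deactivate(base, topology, token_via_json, keep_cookies=False),
        }
    finally:
        srv.shutdown()


if __name__ == "__main__":
    print(run_demo())
```

Only the first variant gets a 200; the other two reproduce the thread's 403. The two fixes carry over directly to the C# client: construct one CookieContainer, assign it to both the GET and the POST request, and obtain the token with a JSON parser instead of a substring copy, so that "\/" is decoded before it is placed in the x-csrf-token header.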




