https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302839#M255969 <HTML><HEAD></HEAD><BODY><SPAN>I'm trying to ultimately get a CSRF token to post to create-site. I start with the share login to get the JSESSIONID.</SPAN><BR /><BR /><SPAN>On executing the below, I have the following:</SPAN><BR /><BR /><SPAN>curl –junk-session-cookies -L -H "Content-Type: application/x-www-form-urlencoded" –cookie-jar cookies.txt –cookie cookies.txt -H "Origin: </SPAN><A href="http://localhost:8080" rel="nofollow noopener noreferrer">http://localhost:8080</A><SPAN>" -D headers.txt -e "</SPAN><A href="http://localhost:8080/;auto" rel="nofollow noopener noreferrer">http://localhost:8080/;auto</A><SPAN>" -X POST -d "username=username&amp;password=password" </SPAN><A href="http://localhost:8080/share/page/dologin" rel="nofollow noopener noreferrer">http://localhost:8080/share/page/dologin</A><BR /><BR /><SPAN>(u/n and p/w disguised for obvious reasons)</SPAN><BR /><BR /><SPAN>This gives an error:</SPAN><BR /><BR /><SPAN>javax.servlet.ServletException: Possible CSRF attack noted when comparing token in session and request header. Request: POST /share/page/user/admin/dashboard</SPAN><BR /><BR /><SPAN>Now I've been informed this is natural, and the JSESSIONID is usable.</SPAN><BR /><BR /><BR /><SPAN>I then do (to get a CSRF token) a get to create-site:</SPAN><BR /><BR /><SPAN>curl –cookie cookies.txt –cookie-jar cookies.txt -H "Origin: </SPAN><A href="http://localhost:8080" rel="nofollow noopener noreferrer">http://localhost:8080</A><SPAN>" -D headers.txt -e "</SPAN><A href="http://localhost:8080/;auto" rel="nofollow noopener noreferrer">http://localhost:8080/;auto</A><SPAN>" "</SPAN><A href="http://localhost:8080/share/service/modules/create-site?htmlid=alfresco-createSite-instance" rel="nofollow noopener noreferrer">http://localhost:8080/share/service/modules/create-site?htmlid=alfresco-createSite-instance</A><SPAN>"</SPAN><BR /><BR /><SPAN>yields:</SPAN><BR /><SPAN>…</SPAN><BR /><SPAN>Alfresco.util.addMessages({"error.loggedOut": "Your user session has timed out, please login and try again", "label.type": "Type", "title.collaborationSite": "Collaboration Site", "label.isPrivate": "Private", "message.creating": "Site is being created…", "label.moderatedHelp": "Site managers can control who joins the site", "error.noPermissions": "Could not create site. You do not have permissions to perform this operation.", "error.duplicateShortName": "Could not create site since the URL is already used", "label.isPublic": "Public", "label.shortNameHelp": "This is used to access the site URL in your browser&lt;br\/&gt;and also when accessing the site through other protocols&lt;br\/&gt;such as WebDav.&lt;br&gt;Do not use spaces or special characters.", "header.createSite": "Create Site", "error.create": "Could not create the site at this time. Please try again later.", "label.isModerated": "Moderated site membership", "message.failure": "Could not create site", "label.access": "Visibility", "label.shortName": "URL Name"}, "Alfresco.module.CreateSite")</SPAN><BR /><BR /><SPAN>I get the same result with a correct or incorrect password at the initial step. </SPAN><BR /><BR /><SPAN>The finally I get negative results posting to create-site:</SPAN><BR /><SPAN>curl –cookie cookies.txt -X POST –data @site.json -H "Content-Type:application/json;charset=UTF-8" -H "Origin: </SPAN><A href="http://localhost:8080" rel="nofollow noopener noreferrer">http://localhost:8080</A><SPAN>" -H 'Alfresco-CSRFToken: zL91jbFfxMNVIL8+svbXPx4a3vakN4pQ6VMIEU0Djzo=' -D headers,txt -e "</SPAN><A href="http://localhost:8080/;auto" rel="nofollow noopener noreferrer">http://localhost:8080/;auto</A><SPAN>" </SPAN><A href="http://localhost:8080/share/service/modules/create-site" rel="nofollow noopener noreferrer">http://localhost:8080/share/service/modules/create-site</A><BR /><SPAN>{</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; "status" :</SPAN><BR /><SPAN>&nbsp; {</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; "code" : 400,</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; "name" : "Bad Request",</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp; "description" : "Request sent by the client was syntactically incorrect."</SPAN><BR /><SPAN>&nbsp; }, </SPAN><BR /><SPAN> </SPAN><BR /><SPAN>&nbsp; "message" : "error.duplicateShortName", </SPAN><BR /><SPAN>&nbsp; "exception" : "",</SPAN><BR /><SPAN> </SPAN><BR /><SPAN>&nbsp; "callstack" :</SPAN><BR /><SPAN>&nbsp; [</SPAN><BR /><SPAN>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </SPAN><BR /><SPAN>&nbsp; ],</SPAN><BR /><SPAN> </SPAN><BR /><SPAN>&nbsp; "server" : "Spring WebScripts - v1.2.0 (Release 1549) schema 1,000",</SPAN><BR /><SPAN>&nbsp; "time" : "18-Sep-2014 16:11:59"</SPAN><BR /><SPAN>}</SPAN><BR /><BR /><SPAN>Now, the very first time I did this, it worked and a site was created. Note the obvious – the shortname does not exist and I have checked and confirmed this with existing repo sites and generated new random shortnames and I still get the same results. Note these results are the same whether or not I use a correct or incorrect password at step 1.</SPAN><BR /><BR /><SPAN>My initial indication is that there is a cookie lying around somewhere that Alfresco is looking at which I need to unset (although unlikely as I'm junking the session cookies (see curl command)), or I need to unset some state within Alfresco that it's holding on to.</SPAN></BODY></HTML> Mon, 22 Sep 2014 12:04:43 GMT jocylincouch 2014-09-22T12:04:43Z https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302839#M255969 I'm trying to ultimately get a CSRF token to post to create-site. I start with the share login to get the JSESSIONID.On executing the below, I have the following:curl –junk-session-cookies -L -H "Content-Type: application/x-www-form-urlencoded" –cookie-jar cookies.txt –cookie cookies.txt -H "Origin: Mon, 22 Sep 2014 12:04:43 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302839#M255969 jocylincouch 2014-09-22T12:04:43Z https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302840#M255970 <HTML><HEAD></HEAD><BODY><SPAN>You can use proxy servlet in share directly to call site WebScript API and don't need to reauthenticate again</SPAN></BODY></HTML> Tue, 07 Oct 2014 02:03:46 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302840#M255970 kaynezhang 2014-10-07T02:03:46Z https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302841#M255971 <HTML><HEAD></HEAD><BODY><SPAN>Could you explain this more please?</SPAN></BODY></HTML> Wed, 15 Oct 2014 12:40:42 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302841#M255971 jocylincouch 2014-10-15T12:40:42Z https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302842#M255972 <HTML><HEAD></HEAD><BODY><SPAN>I don't get the proxy stuff mentioned above, however if the decoded CSRF token is added in to header of the create-site POST request, then you will have a site successfully created. Don't forget all the other cookies, including the CSRF token cookie (but don't decode that one – leave it alone!).</SPAN></BODY></HTML> Tue, 21 Oct 2014 11:02:35 GMT https://connect.hyland.com/t5/alfresco-archive/authentication-woes-on-share-rest-api/m-p/302842#M255972 jocylincouch 2014-10-21T11:02:35Z