https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12839#M244 <P>The version i tested is splunk 4.1, and the root_endpoint is set to /splunk.</P> <P>I cloned an application mysearch from search, and set session timeout to 24 hours. Then i created two dashboards dashboard1 (default view of mysearch) and dashboard2.</P> <P>Because there is no login page in free license, so first time i view ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser will be redirected to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard. Next, i relocated to ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser was redirected to the default view ｈｔｔｐ://myip/splunk/en-US/app/mysearch/dashboard1. Next, when i drilled down from dashboard1 or changed menu to dashboard2 or other operations, i aperiodically got "401 Unauthorized" errors and was kicked back to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard many times.</P> <P>From firebug, i got the following 2 kinds of responses for "401 unauthorized":</P> <P><STRONG>1) Splunk cannot authenticate the request. CSRF validation failed.</STRONG></P> <P><STRONG>2) No permission -- see authorization schemes</STRONG></P> <P>when i requested the following addresses</P> <P>a) ｈｔｔｐ://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false</P> <P>b) ｈｔｔｐ://myip/splunk/en-US/api/search/jobs?auto_cancel=90&amp;earliest_time=-4h%40h&amp;latest_time=now&amp;namespace=mysearch&amp;search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&amp;status_buckets=0&amp;ui_dispatch_app=mysearch&amp;ui_dispatch_view=dashboard2</P> <P>c) ｈｔｔｐ://myip/splunk/en-US/api/messages/index.</P> <P>d) .......</P> <P>I think we should login as user "admin" in default and have all permissions in free splunk. And i got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from google. Can anyone give me some suggestions about this?</P> <P>Thanks &amp; Best Regards.</P> <P>Dianbo</P> Tue, 04 May 2010 08:44:27 GMT dianbo_1 2010-05-04T08:44:27Z https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12839#M244 <P>The version i tested is splunk 4.1, and the root_endpoint is set to /splunk.</P> <P>I cloned an application mysearch from search, and set session timeout to 24 hours. Then i created two dashboards dashboard1 (default view of mysearch) and dashboard2.</P> <P>Because there is no login page in free license, so first time i view ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser will be redirected to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard. Next, i relocated to ｈｔｔｐ://myip/splunk/en-US/app/mysearch, the browser was redirected to the default view ｈｔｔｐ://myip/splunk/en-US/app/mysearch/dashboard1. Next, when i drilled down from dashboard1 or changed menu to dashboard2 or other operations, i aperiodically got "401 Unauthorized" errors and was kicked back to ｈｔｔｐ://myip/splunk/en-US/app/search/dashboard many times.</P> <P>From firebug, i got the following 2 kinds of responses for "401 unauthorized":</P> <P><STRONG>1) Splunk cannot authenticate the request. CSRF validation failed.</STRONG></P> <P><STRONG>2) No permission -- see authorization schemes</STRONG></P> <P>when i requested the following addresses</P> <P>a) ｈｔｔｐ://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false</P> <P>b) ｈｔｔｐ://myip/splunk/en-US/api/search/jobs?auto_cancel=90&amp;earliest_time=-4h%40h&amp;latest_time=now&amp;namespace=mysearch&amp;search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&amp;status_buckets=0&amp;ui_dispatch_app=mysearch&amp;ui_dispatch_view=dashboard2</P> <P>c) ｈｔｔｐ://myip/splunk/en-US/api/messages/index.</P> <P>d) .......</P> <P>I think we should login as user "admin" in default and have all permissions in free splunk. And i got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from google. Can anyone give me some suggestions about this?</P> <P>Thanks &amp; Best Regards.</P> <P>Dianbo</P> Tue, 04 May 2010 08:44:27 GMT https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12839#M244 dianbo_1 2010-05-04T08:44:27Z https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12840#M245 <P>my non-answer suggestions, hopefully someone else will know more:</P> <UL> <LI>investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values.</LI> <LI>use some sort of sniffer to see the http headers provided for the working and nonworking requests.</LI> <LI>get a baseline with splunk/en-US/debug/echo</LI> </UL> Wed, 05 May 2010 13:14:14 GMT https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12840#M245 jrodman 2010-05-05T13:14:14Z https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12841#M246 <P>Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I havent heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce but on some browsers/networks/splunkInstances it's REALLY easy to reproduce and on a lot of systems it's impossible. </P> <P>I've debugged and troubleshooted it quite thoroughly. Here are some answers posts from other people suffering from the bug. </P> <P><A href="http://answers.splunk.com/questions/5242/firefox-cannot-stay-logged-in-to-splunk" rel="nofollow">http://answers.splunk.com/questions/5242/firefox-cannot-stay-logged-in-to-splunk</A></P> <P><A href="http://answers.splunk.com/questions/5501/browser-session-timing-out-quickly-and-inconsistently" rel="nofollow">http://answers.splunk.com/questions/5501/browser-session-timing-out-quickly-and-inconsistently</A></P> Thu, 16 Dec 2010 05:10:40 GMT https://community.splunk.com/t5/Security/401-Unauthorized-Why/m-p/12841#M246 sideview 2010-12-16T05:10:40Z