Security

401 Unauthorized! Why?

dianbo_1
Path Finder

The version I tested is Splunk 4.1, and the root_endpoint is set to /splunk.

I cloned an application, mysearch, from search, and set the session timeout to 24 hours. Then I created two dashboards: dashboard1 (the default view of mysearch) and dashboard2.

Because there is no login page in the free license, the first time I view http://myip/splunk/en-US/app/mysearch, the browser is redirected to http://myip/splunk/en-US/app/search/dashboard. Next, I went to http://myip/splunk/en-US/app/mysearch again, and the browser was redirected to the default view http://myip/splunk/en-US/app/mysearch/dashboard1. Next, when I drilled down from dashboard1, changed the menu to dashboard2, or did other operations, I aperiodically got "401 Unauthorized" errors and was kicked back to http://myip/splunk/en-US/app/search/dashboard many times.

From Firebug, I got the following 2 kinds of responses for "401 unauthorized":

1) Splunk cannot authenticate the request. CSRF validation failed.

2) No permission -- see authorization schemes

when I requested the following addresses

a) http://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false

b) http://myip/splunk/en-US/api/search/jobs?auto_cancel=90&earliest_time=-4h%40h&latest_time=now&namespace=mysearch&search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&status_buckets=0&ui_dispatch_app=mysearch&ui_dispatch_view=dashboard2

c) http://myip/splunk/en-US/api/messages/index.

d) .......

I think we should be logged in as user "admin" by default and have all permissions in free Splunk. And I got nothing about "CSRF validation failed" and "authorization schemes" in this forum or from Google. Can anyone give me some suggestions about this?

Thanks & Best Regards.

Dianbo

sideview
SplunkTrust

Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I haven't heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce, but on some browsers/networks/Splunk instances it's REALLY easy to reproduce and on a lot of systems it's impossible.

I've debugged and troubleshot it quite thoroughly. Here are some Answers posts from other people suffering from the bug.

http://answers.splunk.com/questions/5242/firefox-cannot-stay-logged-in-to-splunk

http://answers.splunk.com/questions/5501/browser-session-timing-out-quickly-and-inconsistently

jrodman
Splunk Employee

my non-answer suggestions, hopefully someone else will know more:

  • investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values.
  • use some sort of sniffer to see the HTTP headers provided for the working and nonworking requests.
  • get a baseline with splunk/en-US/debug/echo
0 Karma
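
One way to do the header comparison suggested in the reply above, as an added example that is not part of the original thread: it diffs the headers and cookies of one working and one failing captured request, which is where a proxy dropping a CSRF value would show up. Both captures, and the header and cookie names in them, are constructed placeholders and not confirmed Splunk names.

```python
from http.cookies import SimpleCookie

# Constructed captures (not from the thread). Header and cookie names are
# placeholders chosen for illustration, not confirmed Splunk names.
WORKING = """GET /splunk/en-US/api/messages/index HTTP/1.1
Host: myip
Cookie: session_id_example=abc123; csrf_example=tok-1
X-Example-CSRF-Token: tok-1
X-Requested-With: XMLHttpRequest
"""

FAILING = """GET /splunk/en-US/api/messages/index HTTP/1.1
Host: myip
Cookie: session_id_example=abc123
Via: 1.1 proxy.example
X-Requested-With: XMLHttpRequest
"""


def parse_request(raw):
    """Return (headers, cookies) from a raw HTTP request, header names lower-cased."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return headers, {key: morsel.value for key, morsel in jar.items()}


def diff_requests(good_raw, bad_raw):
    """Report what the failing request lacks or changes relative to the working one."""
    good_h, good_c = parse_request(good_raw)
    bad_h, bad_c = parse_request(bad_raw)
    shared_h = (good_h.keys() & bad_h.keys()) - {"cookie"}  # cookies diffed separately
    return {
        "headers_missing": sorted(good_h.keys() - bad_h.keys()),
        "headers_added": sorted(bad_h.keys() - good_h.keys()),
        "headers_changed": sorted(k for k in shared_h if good_h[k] != bad_h[k]),
        "cookies_missing": sorted(good_c.keys() - bad_c.keys()),
        "cookies_changed": sorted(k for k in good_c.keys() & bad_c.keys()
                                  if good_c[k] != bad_c[k]),
    }


if __name__ == "__main__":
    for field, names in diff_requests(WORKING, FAILING).items():
        print(f"{field}: {names}")
```
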