Security

401 Unauthorized! Why?

dianbo_1
Path Finder

The version I tested is Splunk 4.1, and the root_endpoint is set to /splunk.

I cloned an application, mysearch, from search, and set the session timeout to 24 hours. Then I created two dashboards: dashboard1 (the default view of mysearch) and dashboard2.

Because there is no login page in the free license, the first time I viewed http://myip/splunk/en-US/app/mysearch, the browser was redirected to http://myip/splunk/en-US/app/search/dashboard. Next, I navigated to http://myip/splunk/en-US/app/mysearch, and the browser was redirected to the default view http://myip/splunk/en-US/app/mysearch/dashboard1. Next, when I drilled down from dashboard1, changed the menu to dashboard2, or performed other operations, I aperiodically got "401 Unauthorized" errors and was kicked back to http://myip/splunk/en-US/app/search/dashboard many times.

From Firebug, I got the following 2 kinds of responses for "401 Unauthorized":

1) Splunk cannot authenticate the request. CSRF validation failed.

2) No permission -- see authorization schemes

when I requested the following addresses:

a) http://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false

b) http://myip/splunk/en-US/api/search/jobs?auto_cancel=90&earliest_time=-4h%40h&latest_time=now&namespace=mysearch&search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&status_buckets=0&ui_dispatch_app=mysearch&ui_dispatch_view=dashboard2

c) http://myip/splunk/en-US/api/messages/index.

d) .......

I think we should be logged in as user "admin" by default and have all permissions in free Splunk. And I found nothing about "CSRF validation failed" and "authorization schemes" in this forum or on Google. Can anyone give me some suggestions about this?

Thanks & Best Regards.

Dianbo

sideview
SplunkTrust

Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I haven't heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce, but on some browsers/networks/Splunk instances it's REALLY easy to reproduce and on a lot of systems it's impossible.

I've debugged and troubleshot it quite thoroughly. Here are some Answers posts from other people suffering from the bug.

http://answers.splunk.com/questions/5242/firefox-cannot-stay-logged-in-to-splunk

http://answers.splunk.com/questions/5501/browser-session-timing-out-quickly-and-inconsistently

jrodman
Splunk Employee

My non-answer suggestions; hopefully someone else will know more:

  • investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values.
  • use some sort of sniffer to see the HTTP headers provided for the working and nonworking requests.
  • get a baseline with splunk/en-US/debug/echo
0 Karma
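
One way to do the header comparison suggested in the answer above, as an added example that is not part of the thread and not Splunk code. The two captures are constructed, the names `X-Example-CSRF` and `csrf_token` are placeholders for whatever the real capture shows, and the token check assumes the server compares a request header against a cookie.

```python
from http.cookies import SimpleCookie

# Constructed captures; header and cookie names are placeholders, not Splunk's.
WORKING = ("GET /splunk/en-US/api/messages/index HTTP/1.1\r\n"
           "Host: myip\r\n"
           "Cookie: session_id=aaa111; csrf_token=tok123\r\n"
           "X-Example-CSRF: tok123\r\n"
           "X-Requested-With: XMLHttpRequest\r\n\r\n")
FAILING = ("GET /splunk/en-US/api/messages/index HTTP/1.1\r\n"
           "Host: myip\r\n"
           "Cookie: session_id=bbb222; csrf_token=tok999\r\n"
           "X-Example-CSRF: tok123\r\n"
           "Via: 1.1 proxy.example\r\n\r\n")
PROXY_HEADERS = ("via", "x-forwarded-for", "forwarded")

def parse_request(raw):
    """Return (headers, cookies) from a raw request; header names lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    jar = SimpleCookie()
    jar.load(headers.get("cookie", ""))
    return headers, {k: m.value for k, m in jar.items()}

def diff(a, b):
    """Map each differing key to (value_in_a, value_in_b); None means absent."""
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def token_matches(headers, cookies, csrf_header, csrf_cookie):
    """Assumed check: header token present and equal to the cookie token."""
    token = headers.get(csrf_header)
    return token is not None and token == cookies.get(csrf_cookie)

def compare(working, failing, csrf_header, csrf_cookie):
    wh, wc = parse_request(working)
    fh, fc = parse_request(failing)
    header_diff = diff(wh, fh)
    header_diff.pop("cookie", None)              # cookies are reported one by one
    return {
        "headers": header_diff,
        "cookies": diff(wc, fc),
        "csrf_match_working": token_matches(wh, wc, csrf_header, csrf_cookie),
        "csrf_match_failing": token_matches(fh, fc, csrf_header, csrf_cookie),
        "proxy_hints": [h for h in PROXY_HEADERS if h in fh and h not in wh],
    }

if __name__ == "__main__":
    for key, value in compare(WORKING, FAILING, "x-example-csrf", "csrf_token").items():
        print(key, value)
```

In the constructed pair the failing request carries a rotated session cookie and a stale header token, plus a `Via` header that the working request lacks, which is the pattern to look for when a proxy is suspected.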