Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

401 Unauthorized! Why?

dianbo_1
Path Finder
‎05-04-2010 01:44 AM

The version i tested is splunk 4.1, and the root_endpoint is set to /splunk.

I cloned an application mysearch from search, and set session timeout to 24 hours. Then i created two dashboards dashboard1 (default view of mysearch) and dashboard2.

Because there is no login page in free license, so first time i view http://myip/splunk/en-US/app/mysearch, the browser will be redirected to http://myip/splunk/en-US/app/search/dashboard. Next, i relocated to http://myip/splunk/en-US/app/mysearch, the browser was redirected to the default view http://myip/splunk/en-US/app/mysearch/dashboard1. Next, when i drilled down from dashboard1 or changed menu to dashboard2 or other operations, i aperiodically got "401 Unauthorized" errors and was kicked back to http://myip/splunk/en-US/app/search/dashboard many times.

From firebug, i got the following 2 kinds of responses for "401 unauthorized":

1) Splunk cannot authenticate the request. CSRF validation failed.

2) No permission -- see authorization schemes

when i requested the following addresses

a) http://myip/splunk/en-US/app/mysearch/flashtimeline/_current?FlashTimeline_0_5_0.minimized=false

b) http://myip/splunk/en-US/api/search/jobs?auto_cancel=90&earliest_time=-4h%40h&latest_time=now&namespace=mysearch&search=search%20eventtype%3D%22*-TEST-*%22%20%7C%20timechart%20count%20as%20Total&status_buckets=0&ui_dispatch_app=mysearch&ui_dispatch_view=dashboard2

c) http://myip/splunk/en-US/api/messages/index.

d) .......

I think we should login as user "admin" in default and have all permissions in free splunk. And i got nothing about "CSRF validation failed" and "authorization schemes" in this forum and from google. Can anyone give me some suggestions about this?

Thanks & Best Regards.

Dianbo

Tags (1)
Reply

sideview
SplunkTrust
SplunkTrust
‎12-15-2010 09:10 PM

Yes. This happens constantly on certain systems, on 4.1.5 as well as the new 4.2 beta. It happens to me every 5 minutes or so. I've been reporting it pretty regularly for months but I havent heard any updates. I'm still not sure what combination of factors is present to make it easier to reproduce but on some browsers/networks/splunkInstances it's REALLY easy to reproduce and on a lot of systems it's impossible.

I've debugged and troubleshooted it quite thoroughly. Here are some answers posts from other people suffering from the bug.

http://answers.splunk.com/questions/5242/firefox-cannot-stay-logged-in-to-splunk

http://answers.splunk.com/questions/5501/browser-session-timing-out-quickly-and-inconsistently

Reply

jrodman
Splunk Employee
Splunk Employee
‎05-05-2010 06:14 AM

my non-answer suggestions, hopefully someone else will know more:

  • investigate if you've got a proxy involved here somewhere. It's possible the CSRF header isn't doing what it should with providing the right values.
  • use some sort of sniffer to see the http headers provided for the working and nonworking requests.
  • get a baseline with splunk/en-US/debug/echo
0 Karma
Reply
Get Updates on the Splunk Community!

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

Tuesday, May 14, 2024  |  11AM PT / 2PM ET Register to Attend Join us for this Tech Talk and learn how to ...

.conf24 | Personalize your .conf experience with Learning Paths!

Personalize your .conf24 Experience Learning paths allow you to level up your skill sets and dive deeper ...

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

WATCH NOWAs AI starts tackling low level alerts, it's more critical than ever to uplevel your threat hunting ...