cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
11801
Views
35
Helpful
9
Replies

vManage API - GET works, POST fails

garrettc134
Level 1
Level 1

Hello,

 

With 19.2 I'm having trouble with the API calls, in my python scripts and POSTMAN.

For a GET with BasicAuth I get the expected results. For example with 

"viptela.net:443/dataservice/device/action/software/vedge/version?api_key=version" I get the expected output as generated with the apidocs
 
For a PUT, for example 
"viptela.net:443/dataservice/alarms"
I get the below. Any ideas?
My requests work on the sandbox and apidocs... However Its supper sluggish and I'm unable to login to the gui to verify version etc.
I also included the body of the POST below.
 
<html>

<head>
	<title>Error</title>
</head>

<body>SessionTokenFilter: Token provided via HTTP Header does not match the token generated by the server.</body>

</html>
{

  "query": {

    "condition": "AND",

    "rules": [

      {

        "value": [

          "3"

        ],

        "field": "entry_time",

        "type": "date",

        "operator": "last_n_hours"

      },

                  {"value": ["major"], "field": "severity_level", "type": "string", "operator": "in"},

                  {"value": ["App-Route"], "field": "component", "type": "string", "operator": "in"},

                  {"value": ["100.90.3.4"], "field": "system_ip", "type": "string", "operator": "in"},

                  {"value": ["sla-change","sla-violation","sla-violation-pkt-drop"],"field": "eventname","type": "string","operator": "in"}

    ]

  },

  "size": 10000

}
 
1 Accepted Solution

Accepted Solutions

msuchand
Cisco Employee
Cisco Employee

Hi, 

 

With 19.2 vManage version, API authentication is enhanced to include token in the POST/PUT/DELETE request Headers.

 

 

Once login(/j_security_check) is successful run GET request to retrieve token and add it to session headers of subsequent POST/PUT/DELETE requests. 

Method: GET

Request URL: https://vmanage-ip:vmanage-port/dataservice/client/token

Store the response XSRF-TOKEN in session headers using “sess.headers['X-XSRF-TOKEN'] = login_token.content”

 

Sample python code:

 

def login(self):
        
        base_url = 'https://%s:%s/'%(self.vmanage_host,self.vmanage_port)
        login_action = '/j_security_check'

        #Format data for loginForm

        login_data = {'j_username' : username, 'j_password' : password}

        #URL for posting login data

        login_url = base_url + login_action

        #URL for retrieving client token
        token_url = base_url + 'dataservice/client/token'

        sess = requests.session()
        
        #If the vmanage has a certificate signed by a trusted authority change verify to True
        login_response = sess.post(url=login_url, data=login_data, verify=False)
        if b'<html>' in login_response.content:
            print ("Login Failed")
            exit(0)
            
        #update token to session headers
        
        login_token = sess.get(url=token_url, verify=False)

        if login_token.status_code == 200:
            if b'<html>' in login_token.content:
                print ("Login Token Failed")
                exit(0)
            
            sess.headers['X-XSRF-TOKEN'] = login_token.content
            self.session[vmanage_host] = sess

 

 

View solution in original post

9 Replies 9

msuchand
Cisco Employee
Cisco Employee

Hi, 

 

With 19.2 vManage version, API authentication is enhanced to include token in the POST/PUT/DELETE request Headers.

 

 

Once login(/j_security_check) is successful run GET request to retrieve token and add it to session headers of subsequent POST/PUT/DELETE requests. 

Method: GET

Request URL: https://vmanage-ip:vmanage-port/dataservice/client/token

Store the response XSRF-TOKEN in session headers using “sess.headers['X-XSRF-TOKEN'] = login_token.content”

 

Sample python code:

 

def login(self):
        
        base_url = 'https://%s:%s/'%(self.vmanage_host,self.vmanage_port)
        login_action = '/j_security_check'

        #Format data for loginForm

        login_data = {'j_username' : username, 'j_password' : password}

        #URL for posting login data

        login_url = base_url + login_action

        #URL for retrieving client token
        token_url = base_url + 'dataservice/client/token'

        sess = requests.session()
        
        #If the vmanage has a certificate signed by a trusted authority change verify to True
        login_response = sess.post(url=login_url, data=login_data, verify=False)
        if b'<html>' in login_response.content:
            print ("Login Failed")
            exit(0)
            
        #update token to session headers
        
        login_token = sess.get(url=token_url, verify=False)

        if login_token.status_code == 200:
            if b'<html>' in login_token.content:
                print ("Login Token Failed")
                exit(0)
            
            sess.headers['X-XSRF-TOKEN'] = login_token.content
            self.session[vmanage_host] = sess

 

 

Hi msuchand,


"With 19.2 vManage version, API authentication is enhanced to include token in the POST/PUT/DELETE request Headers."
From my understanding, it would mean that GET routes aren't affected if the token is missing

My problem is:
GET - /dataservice/client/about doesn't work without the token
GET- /dataservice/device/vedgeinventory/detail?status=deployed works without the token

 

Finally, when is this token required?
I thougth all GET would get their way through without it...

Thanks for the help,
Laurent.

Hi Laurent, 

 

GET request should work without token. 

 

I tried https://{{vmanage}}:{{port}}/dataservice/client/about on my lab vManage running 19.2 release and didn't see any issue. 

 

Could you please let me know the error you are seeing. 

 

Thanks,
Sai

Hello,

the only time I got a response was when using POSTMAN.

https://10.48.x.y/dataservice/client/about

 

response.png

Do we have some examples in cURL ?

Regards,

Danny

 

Hello, 

 

I have tested the below sequence of curl commands and it works. 

 

curl --request POST -k -c 'cookies.txt' --url https://vmanage-ip-address/j_security_check --data 'j_username=username&j_password=password'

 

curl-k -b 'cookies.txt' --url https://vmanage-ip-address/dataservice/client/about

 

Thanks,
Sai

Hi Sai,

I tried the curl command as you said and got this:

 

 

curl --request POST -k -c 'cookies.txt' --url https://vmanage-ip-address/dataservice/j_security_check --data 'j_username=admin&j_password=admin'


curl -k -b 'cookies.txt' --url https://vmanage-ip-address/dataservice/client/about
<html><head><title>Error</title></head><body>SessionTokenFilter: Token provided via HTTP Header does not match the token generated by the server.</body></html>

 

Or more precisely:

curl -i -k -b 'cookies.txt' --url https://vmanage-ip-address/dataservice/client/about
HTTP/1.1 403 Forbidden
Cache-Control: no-cache, no-store, must-revalidate
X-XSS-Protection: 1; mode=block
X-Frame-Options: DENY
Date: Wed, 25 Sep 2019 12:40:33 GMT
Connection: keep-alive
Vary: Accept-Encoding
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Type: text/html;charset=UTF-8
Content-Length: 159

<html><head><title>Error</title></head><body>SessionTokenFilter: Token provided via HTTP Header does not match the token generated by the server.</body></html>

 

 

However if I add the X-XSRF-TOKEN header it works:

curl -k -b 'cookies.txt' -H "X-XSRF-TOKEN:XXXX" --url https://vmanage-ip-address/dataservice/client/about
{"header":{},"data":{"title":"Cisco vManage","version":"Platform Version: 19.2.0","applicationVersion":"Application Version: 19.2R-vbamboo-14-Aug-2019 19:54:05 PDT","applicationServer":"Server: vmanage","copyright":"Copyright (c) 2019, Cisco. All rights reserved.","time":"2019-09-25 12:33:32,813","timeZone":"UTC","logo":"/dataservice/client/logo.png"}}


Is this normal that we need token for a GET request?

I'd like to avoid this token as much as possible since I only use GET methods of VManage api...

Thanks for the help,

Laurent.

One can always look at the logfiles on the vManage to see which errors get generated.

I got the same error Token provided via HTTP Header does not match the token generated by the server using cURL.

The vmanage-server-rest.log show error.

 

25-Sep-2019 23:34:40,172 CEST WARN [vmanage] [DataServiceLoggingFilter] (default task-11) Unable to process request = /client/about from client = 10.24.23.107/admin!: java.io.IOException: UT010029: Stream is closed

 With the token cURL example you gave it works indeed.

 

M-82HC:~ dderidde$ curl -s -k -b 'cookies.txt' -H "X-XSRF-TOKEN:AB4C1C8F02AC42DCE1B672C86C23C8F5AE1211A976CC6589226D41829EBD022C84548390B351BA4CB22642AD16747D77C0A5" --url https://10.48.x.y/dataservice/client/about | python -m json.tool
{
"data": {
"applicationServer": "Server: vmanage",
"applicationVersion": "Application Version: 19.2R-vbamboo-14-Aug-2019 19:54:05 PDT",
"copyright": "Copyright (c) 2019, Cisco. All rights reserved.",
"logo": "/dataservice/client/logo.png",
"time": "2019-09-26 00:20:54,980",
"timeZone": "Europe/Brussels",
"title": "Cisco vManage",
"version": "Platform Version: 19.2.0"
},
"header": {}
}
M-82HC:~ dderidde$

 

 

Hi Laurent, 

 

Sorry I missed that I had enabled whitelist on my lab vManage to skip token requirement. 

 

For whitelisting please reach out to TAC as suggested at link: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/software/configuration/sdwan-xe-gs-book/sdwan-xe-gs-book_chapter_011.html

 

Thanks,
Sai

Could you point documentation, where it is copied from?

I wasn't able to find documentation in any configuration guide about authorisation steps used by sd-wan.

There is quite well documented guide in devnet site, but I think we wouldn't have access to that resource during the CCIE EI lab exam.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco