INVALID_CSRF_TOKEN in Widget SDP

INVALID_CSRF_TOKEN in Widget SDP


Hello everyone, perhaps someone can help me fix an issue with SDP widgets.
I have a widget which successfully gets information through the API and shows a list of the equipment of the currently logged-on user.
I also created a button for this user in the same widget that changes the state of the equipment; it should work through a PUT API request.
I have tested this request in the REST API documentation and it is successful:
{
    "asset": {
               "state": {
            "name": "In Use"
        },
    }
}

But when I implement this API request in the widget with an SDAdmin-role API key, it fails:
XHRPUT
[HTTP/1.1 400  17ms]

response_status Object { status_code: 4000, status: "failed", messages: […] }
status_code 4000
messages [ {…} ]
0 Object { status_code: 4001, type: "failed", message: "Unknown error occurred while processing your request." }
status_code 4001
type "failed"
message "Unknown error occurred while processing your request."
status "failed"

I checked the serverout0 log and found that the error is INVALID_CSRF_TOKEN:

[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: ****************** Inside of SdpSecurityFilter class ******************|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: RequestURI ::: /api/v3/assets/60248|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: URLRule ::  path = "/api/v3/assets/(\d+)"  urlInRegex  = "true"|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: actionParamName ::: null; actionParamValue ::: null|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: ActionRule ::  Path : "/api/v3/assets/(\d+)" method :"PUT"" isCSRFProtected : "false" internal : "false" trusted : "false" roles : "ModifyInventoryWS" dynamicParams : "false" api : "true" isc : "false" authentication : "required" throwAllErrors : "false" urlXSSValidation : "true" ipBlockCheck : "false" loginThrowError : "false "" iscScope : "null" runAsGroupIdParam  : "null" runAsGroupTypeParam : "null "isThrottlesConfigured : "true "dynamic-throttles : "false|
[16:54:45:918]|[05-19-2023]|[com.adventnet.iam.security.URLRule]|[WARNING]|[66]: Ignored Extra parameter List : [input_data] for the URI : PUT : /Error|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.v3api.utils.SDPAPIUtil]|[SEVERE]|[66]: INVALID_CSRF_TOKEN| 
com.adventnet.iam.security.IAMSecurityException: INVALID_CSRF_TOKEN
at com.adventnet.iam.security.ZSecAuthenticationProviderImpl.validateCSRFTokenForWebApiURL(ZSecAuthenticationProviderImpl.java:215)
at com.adventnet.iam.security.ZSecAuthenticationProviderImpl.authenticate(ZSecAuthenticationProviderImpl.java:52)
at com.adventnet.iam.security.SecurityFilter.doFilter(SecurityFilter.java:399)
at com.manageengine.servicedesk.filter.SdpSecurityFilter.doFilter(SdpSecurityFilter.java:229)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.adventnet.servicedesk.filter.RememberMe.doFilter(RememberMe.java:190)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.adventnet.filters.ParamFilter.doFilter(ParamFilter.java:30)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.adventnet.authentication.filter.AssociateCredential.doFilter(AssociateCredential.java:122)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.manageengine.mdh.MDHFilter.doFilter(MDHFilter.java:305)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at com.manageengine.mdh.MDHThreadLocalFilter.doFilter(MDHThreadLocalFilter.java:40)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.tuckey.web.filters.urlrewrite.UrlRewriteFilter.doFilter(UrlRewriteFilter.java:350)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:189)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:162)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:197)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:97)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:659)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:135)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:687)
at org.apache.catalina.authenticator.SingleSignOn.invoke(SingleSignOn.java:312)
at com.manageengine.servicedesk.valves.MethodFilterValve.invoke(MethodFilterValve.java:73)
at org.apache.catalina.valves.StuckThreadDetectionValve.invoke(StuckThreadDetectionValve.java:206)
at com.manageengine.servicedesk.valves.SDPStuckThreadDetectionValve.invoke(SDPStuckThreadDetectionValve.java:103)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:78)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:357)
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:382)
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:895)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1722)
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
at org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
at org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: 

************************** SECURITY EXCEPTION **************************

|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: =======================================================|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: ZOHO Security Error Message : Session Expired.. Please reload the page!|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: =======================================================|
[16:54:45:918]|[05-19-2023]|[com.manageengine.servicedesk.filter]|[INFO]|[66]: 

***************************************************************************************


The function which updates the STATE of the equipment:

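/**
 * Set the state of one asset to "Confirmed" through the v3 assets API.
 *
 * Sends PUT {serverUrl}/api/v3/assets/{assetId} with the JSON payload
 * form-encoded in the `input_data` field, and logs the outcome to the console.
 *
 * SECURITY: `technicianKey` is sent from the browser, so every user who can
 * load this widget can read it from the page source or the network panel and
 * reuse it for any call the key's role allows. Do not embed an SDAdmin key
 * here: route the change through a server-side component that holds the key
 * and checks that the asset belongs to the caller, or at minimum use a key
 * limited to the role this endpoint requires.
 *
 * NOTE(review): an INVALID_CSRF_TOKEN failure on this call suggests the server
 * did not authenticate the request by API key and fell back to the browser
 * session. Confirm the header name this build expects for the key (the
 * on-premises v3 API documentation uses `authtoken`) - TODO verify.
 *
 * @param {number|string} assetId - Numeric id of the asset to update.
 * @returns {Promise<void>} Settles after the outcome is logged; never rejects.
 */
async function confirmAsset(assetId) {
    // The id becomes a path segment of a request sent with a privileged key,
    // so accept digits only; anything else could steer the call to another URL.
    const id = String(assetId);
    if (!/^\d+$/.test(id)) {
        console.error("Error: invalid asset id");
        return;
    }

    const inputData = {
        asset: {
            state: {
                name: "Confirmed",
            },
        },
    };

    const formData = new URLSearchParams();
    formData.append("input_data", JSON.stringify(inputData));

    try {
        const response = await fetch(serverUrl + "/api/v3/assets/" + id, {
            method: "PUT",
            headers: {
                "Content-Type": "application/x-www-form-urlencoded",
                "X-Api-Key": technicianKey,
            },
            body: formData,
        });
        if (!response.ok) {
            // Keep the HTTP status so a 400/401/403 can be told apart in the console.
            throw new Error("Failed to change asset state (HTTP " + response.status + ")");
        }
        console.log("Asset state changed to Confirmed");
    } catch (error) {
        console.error("Error: " + error.message);
    }
}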

Can someone please help with it? I think it's because I'm trying to send the PUT request with another user's rights, but how can I work around it?

Thanks in advance...
