lin-zhao

Pinned topic Using cookies in REST API (7.2.3)

2015-01-22T00:38:09Z

I'm trying to use basic authentication to get the session, then use the session token for subsequent calls, but I keep getting a 401 response. Please assist.

Example:

>curl -v --user user:pass -k -d "query_expression=SELECT * from events" https://qrdemo3/restapi/api/ariel/searches
* Adding handle: conn: 0x7fb5b9003a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7fb5b9003a00) send_pipe: 1, recv_pipe: 0
* About to connect() to qrdemo3 port 443 (#0)
*   Trying 192.168.3.175...
* Connected to qrdemo3 (192.168.3.175) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: IBM Corp
* Server auth using Basic with user 'admin'
> POST /restapi/api/ariel/searches HTTP/1.1
> Authorization: Basic YWRtaW46bDB2MzJkM20w
> User-Agent: curl/7.30.0
> Host: qrdemo3
> Accept: */*
> Content-Length: 88
> Content-Type: application/x-www-form-urlencoded
* upload completely sent off: 88 out of 88 bytes
< HTTP/1.1 201 Created
< Date: Thu, 22 Jan 2015 00:26:15 GMT
< Set-Cookie: JSESSIONID=32298EF091F1604AFEFAB47D8537B1CD; Path=/; Secure; HttpOnly
< Set-Cookie: SEC=8c3ec62c-3944-442c-b422-2f629de12d95; Path=/; Secure
< Cache-Control: no-cache, no-store, must-revalidate
< Pragma: no-cache
< Expires: 0
< Location: https://qrdemo3/console/restapi/api/ariel/searches/488b391a-5918-41a9-85ea-912d410aa93f
< Set-Cookie: SEC=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=//console; Secure
< Content-Type: application/json
< Content-Length: 171
< X-Frame-Options: SAMEORIGIN
* Connection #0 to host qrdemo3 left intact
{"status":"WAIT","query_execution_time":0,"processed_record_count":0,"search_id":"488b391a-5918-41a9-85ea-912d410aa93f","progress":0,"record_count":0,"save_results":false}

 

> curl -v -k --header "SEC: 8c3ec62c-3944-442c-b422-2f629de12d95" --cookie "SEC=8c3ec62c-3944-442c-b422-2f629de12d95; JSESSIONID=32298EF091F1604AFEFAB47D8537B1CD" https://qrdemo3/restapi/api/ariel/searches/ab294fda-708a-401d-9505-8653e28c6a1f
* Adding handle: conn: 0x7f940b803a00
* Adding handle: send: 0
* Adding handle: recv: 0
* Curl_addHandleToPipeline: length: 1
* - Conn 0 (0x7f940b803a00) send_pipe: 1, recv_pipe: 0
* About to connect() to qrdemo3 port 443 (#0)
*   Trying 192.168.3.175...
* Connected to qrdemo3 (192.168.3.175) port 443 (#0)
* TLS 1.2 connection using TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
* Server certificate: IBM Corp
> GET /restapi/api/ariel/searches/ab294fda-708a-401d-9505-8653e28c6a1f HTTP/1.1
> User-Agent: curl/7.30.0
> Host: qrdemo3
> Accept: */*
> Cookie: SEC=8c3ec62c-3944-442c-b422-2f629de12d95; JSESSIONID=32298EF091F1604AFEFAB47D8537B1CD
> SEC: 8c3ec62c-3944-442c-b422-2f629de12d95
< HTTP/1.1 401 Unauthorized
< Date: Thu, 22 Jan 2015 00:27:02 GMT
< Set-Cookie: JSESSIONID=35484486379EEE3F9DCC15D5BC332E54; Path=/; Secure; HttpOnly
< Content-Type: application/json
< Content-Length: 396
< Cache-Control: max-age=1209600
< Expires: Thu, 05 Feb 2015 00:27:02 GMT
< X-Frame-Options: SAMEORIGIN
{
"http_response": 
{
"code": 401,
"message": "You are unauthorized to access the requested resource."
},
"code": 25,
"message": "Invalid SEC token. Please ensure it is correct, or authenticate using BASIC http authentication. Your Authorization header should be the base 64 encoding of username:password. e.g. 'Authorization: Basic base64Encoding'",
"description": "",
"details": {}
* Connection #0 to host qrdemo3 left intact
}

  • sree_ibm
    ACCEPTED ANSWER

    Re: Using cookies in REST API (7.2.3)

    ‏2015-01-22T15:09:18Z  

    Hi Lin-zhao,

    This is very similar to another question on the forum. Since you are using curl, use the --basic option. That automatically converts it to the Base 64 format required. Like so:

    curl -v --user user:pass --basic -k -d "query_expression=SELECT * from events" https://qrdemo3/restapi/api/ariel/searches

    It may be more secure if you mentioned only the user in the call and then entered the password when prompted. However, Authorized tokens generated by QRadar are the preferred methodology, as mentioned by Taylor.

    Regards,

    Sree

  • Taylor.Osmun (IBM)

    Re: Using cookies in REST API (7.2.3)

    ‏2015-01-22T14:18:47Z  

    Hi lin-zhao,

    Cookies are not supported by restapi. Any calls to /restapi/* must provide either a security token (via SEC header), or basic authorization (via Authorization header). This is to prevent CSRF attacks. You might notice that cookies are provided with your response, even though they are not supported. This is to make the API documentation page easy to use; the documentation page still passes in the token as a header.

    However, the problem you are hitting is different. When you provide basic authorization, you are allocated a single-use security token (as shown by your first request). This session is single-use to prevent an overflow. If you wish to use basic auth, you must pass in the credentials each time.

    If you wish to use a security token (which is the recommended approach), you must create a new Authorized Service token in the Admin tab. After doing so, pass that token in with the SEC header. It will be valid as long as you've specified (which can be perpetual).

    -Taylor
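
Added example (not part of the original thread and not IBM's code): the approach recommended in the reply above, as a shell wrapper that sends an Authorized Service token in the SEC header on every call and uses no cookies. The names QRADAR_HOST and QRADAR_SEC_TOKEN, the function names and the UUID-style token check are assumptions made for this example; the token is handed to curl through `--config -` on stdin so it does not appear in the process list.

```shell
#!/usr/bin/env bash
# Added example. QRADAR_HOST and QRADAR_SEC_TOKEN are assumed variable names;
# the token is an Authorized Service token created in the Admin tab.

# Emit a curl config line that sets the SEC header.
# Assumption: tokens are UUID-shaped like the SEC value in the thread, so only
# letters, digits and '-' are accepted. That also rejects quotes or newlines
# that could smuggle extra options into the curl config.
sec_config() {
    case $1 in
        '' | *[!A-Za-z0-9-]*) echo "invalid SEC token" >&2; return 1 ;;
    esac
    printf 'header = "SEC: %s"\n' "$1"
}

# Pull one string field out of the flat, single-line JSON shown in the thread.
json_field() {
    sed -n 's/.*"'"$1"'":"\([^"]*\)".*/\1/p'
}

# qradar PATH [curl args...]: one authenticated call. No cookie jar is used;
# the header reaches curl on stdin, so it never shows up in `ps` output.
# Pass --cacert FILE for an appliance with a private CA rather than -k.
qradar() {
    local path=$1 cfg
    shift
    cfg=$(sec_config "$QRADAR_SEC_TOKEN") || return 1
    printf '%s\n' "$cfg" |
        curl -sS --fail --config - "$@" "https://$QRADAR_HOST/restapi/api$path"
}

# Create an Ariel search, then read its status back, sending SEC both times.
# Prints "<search_id> <status>".
search_status() {
    local id
    id=$(qradar /ariel/searches --data-urlencode "query_expression=$1" |
        json_field search_id)
    [ -n "$id" ] || return 1
    printf '%s %s\n' "$id" "$(qradar "/ariel/searches/$id" | json_field status)"
}
```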
