“The security validation for this page is invalid and might be corrupted” when trying to make a raw HTTP POST to the “getchanges” endpoint

sharepoint.stackexchange https://sharepoint.stackexchange.com/questions/238383

  •  12-01-2021

Question

I want to make a getchanges REST API request using an HTTP client. I am trying both curl and Postman and am unable to do this.

I'm trying to run this curl:

curl -X POST \
  http://192.16.11.133/_api/site/getchanges \
  -H 'Authorization: NTLM TlRMTVNTUAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' \
  -H 'Content-Type: application/json' \
  -d '{
    "query": {
        "ChangeTokenEnd": null,
        "ChangeTokenStart": null,
        "DeleteObject": true,
        "Web": true,
        "__metadata": {
            "type": "SP.ChangeQuery"
        }
    }
}'

But I keep getting a 401 error for the getchanges endpoint:

<?xml version="1.0" encoding="utf-8"?>
<m:error xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
    <m:code>-2130575251, Microsoft.SharePoint.SPException</m:code>
    <m:message xml:lang="en-US">The security validation for this page is invalid and might be corrupted. Please use your web browser's Back button to try your operation again.</m:message>
</m:error>

I am able to do NTLM with other REST endpoints fine. Example:

curl -X GET \
  http://192.16.11.133/_vti_bin/listdata.svc/UserInformationList \
  -H 'Accept: application/json;odata=verbose' \
  -H 'Authorization: NTLM TlRMTVxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'

So the NTLM auth is definitely authenticating me fine.

Why might I be getting this error for this HTTP POST?

The only way I can get the GetChanges API to work is from CSOM right now.

I'm guessing it wants me to go to a login endpoint, get cookies, then use the getchanges API, or to submit some other form input fields with it, or something.

Solution

Most likely, the error:

The security validation for this page is invalid and might be corrupted. Please use your web browser's Back button to try your operation again.

occurs because the X-RequestDigest header is missing in your example; it is mandatory to provide it for a POST request.

Refer, for example, to Writing data by using the REST interface:

Another important consideration when creating, updating, and deleting SharePoint entities is that if you aren't using OAuth to authorize your requests, these operations require the server's request form digest value as the value of the X-RequestDigest header.

So, the request form digest value needs to be requested first via the following request:

Url: http://<site url>/_api/contextinfo
Method: POST

Once the d:FormDigestValue value is extracted from the response, your request needs to be updated by providing the header:

-H 'X-RequestDigest: <value>' 
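
The two-step flow described in the answer, written out as an added example (not code from the original post). The function names, the `~/.netrc` credential source and the sample response are assumptions or constructed; the request body and headers are the ones from the question.

```shell
#!/bin/sh
# Added example: fetch a form digest from /_api/contextinfo, then replay the
# question's getchanges POST with the X-RequestDigest header set.
# Assumption: NTLM credentials for the host are stored in ~/.netrc, which
# keeps them out of the process list (curl's --netrc option reads them).

# Request body copied from the question.
CHANGE_QUERY='{"query": {"ChangeTokenEnd": null, "ChangeTokenStart": null,
  "DeleteObject": true, "Web": true,
  "__metadata": {"type": "SP.ChangeQuery"}}}'

# Constructed, trimmed sample of a contextinfo XML response (not real output).
SAMPLE_CONTEXTINFO='<d:GetContextWebInformation><d:FormDigestTimeoutSeconds>1800</d:FormDigestTimeoutSeconds><d:FormDigestValue>0xCONSTRUCTEDDIGEST,01 Jan 2021 00:00:00 -0000</d:FormDigestValue></d:GetContextWebInformation>'

# Print the text of <d:FormDigestValue> from a contextinfo response body.
# Returns 1 when the element is missing or empty (for example, when the
# server answered with an <m:error> document instead).
extract_form_digest() {
    digest=$(printf '%s\n' "$1" |
        sed -n 's|.*<d:FormDigestValue>\([^<]*\)</d:FormDigestValue>.*|\1|p')
    [ -n "$digest" ] || return 1
    printf '%s\n' "$digest"
}

# sp_get_changes SITE_URL
# Step 1: POST an empty body to contextinfo and extract the digest.
# Step 2: POST the change query with the digest in X-RequestDigest.
sp_get_changes() {
    site_url=$1
    body=$(curl -sS --ntlm --netrc -X POST -d '' \
        "$site_url/_api/contextinfo") || return 1
    digest=$(extract_form_digest "$body") || {
        echo "no FormDigestValue in contextinfo response" >&2
        return 1
    }
    curl -sS --ntlm --netrc -X POST "$site_url/_api/site/getchanges" \
        -H 'Accept: application/json;odata=verbose' \
        -H 'Content-Type: application/json' \
        -H "X-RequestDigest: $digest" \
        -d "$CHANGE_QUERY"
}

# Usage (placeholder URL): sp_get_changes "http://<site url>"
```
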
Licensed under: CC-BY-SA with attribution
Not affiliated with sharepoint.stackexchange