I am trying to connect to a Magento web service from Java code.
The Magento API used for the connection is Magento.Mage_Api_Model_Server_V2_HandlerBindin
The version of Magento is running over SSL.
When trying to connect, I have this security exception:
CSRF verification failed. Request aborted. You are seeing this message because this HTTPS site requires a 'Referer header' to be sent by your Web browser, but none was sent. This header is required for security reasons, to ensure that your browser is not being hijacked by third parties. If you have configured your browser to disable 'Referer' headers, please re-enable them, at least for this site, or for HTTPS connections, or for 'same-origin' requests. (403) FORBIDDEN
at org.apache.axis.transport.http.HTTPSender.readFromSocket(HTTPSender.java:744)
at org.apache.axis.transport.http.HTTPSender.invoke(HTTPSender.java:144)
at org.apache.axis.strategies.InvocationStrategy.visit(InvocationStrategy.java:32)
at org.apache.axis.SimpleChain.doVisiting(SimpleChain.java:118)
at org.apache.axis.SimpleChain.invoke(SimpleChain.java:83)
at org.apache.axis.client.AxisClient.invoke(AxisClient.java:165)
at org.apache.axis.client.Call.invokeEngine(Call.java:2784)
at org.apache.axis.client.Call.invoke(Call.java:2767)
at org.apache.axis.client.Call.invoke(Call.java:2443)
at org.apache.axis.client.Call.invoke(Call.java:2366)
at org.apache.axis.client.Call.invoke(Call.java:1812)
at Magento.Mage_Api_Model_Server_V2_HandlerBindingStub.login(Mage_Api_Model_Server_V2_HandlerBindingStub.java:2143)
Any idea, please, of the cause or of an alternative API?
According to the error message, you should only add the HTTP_REFERER field to the header of the request, and then you'll satisfy Magento's protection against CSRF (Cross-Site Request Forgery).
Thank you for your reply.
Indeed, I added HTTP_REFERER, and then I have a new exception:
CSRF verification failed Request canceled, You see This message because this page requires a CSRF cookie when processing form data. This cookie is necessary for security reasons to ensure that your web browser is not abused by third parties.
You're missing the CSRF cookie; it could be "csrftoken", it depends. Still, it looks like you're doing something wrong; you should not experience this kind of thing during communication with the Magento API. What exactly is the API endpoint you're using, and what API call are you trying to make? I need more information about your implementation.
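The two 403 messages in this thread correspond to two separate server-side checks that run in order, which is why supplying a Referer only moved the failure to the cookie check. The following is an added sketch of such a check, not Magento's code and not code from any poster; the `X-CSRFToken` header name, the host `shop.example` and the token value are assumptions, and `csrftoken` is the cookie name suggested in the reply above.

```python
import hmac
from urllib.parse import urlsplit


def csrf_check(scheme, host, headers, cookies, cookie_name="csrftoken"):
    """Model of the checks behind the two errors; returns (status, reason).

    headers/cookies are plain dicts (header names are case-sensitive here).
    """
    # Check 1 (first error in the thread): over HTTPS a Referer is mandatory
    # and must point at the same HTTPS origin as the request.
    if scheme == "https":
        referer = headers.get("Referer")
        if not referer:
            return 403, "no Referer header"
        ref = urlsplit(referer)
        if ref.scheme != "https" or ref.netloc != host:
            return 403, "Referer is not same-origin"
    # Check 2 (second error): a CSRF cookie must be present ...
    cookie = cookies.get(cookie_name)
    if not cookie:
        return 403, "CSRF cookie missing"
    # ... and the request must echo its value (assumed header name).
    sent = headers.get("X-CSRFToken", "")
    if not hmac.compare_digest(sent.encode(), cookie.encode()):
        return 403, "CSRF token missing or incorrect"
    return 200, "ok"


def replay():
    """Constructed requests mirroring the attempts described in the thread."""
    host, tok = "shop.example", "constructed-token-123"
    ref = {"Referer": "https://shop.example/"}
    attempts = [
        ({}, {}),                                      # bare SOAP client
        (ref, {}),                                     # Referer added only
        ({**ref, "X-CSRFToken": tok}, {"csrftoken": tok}),
    ]
    return [csrf_check("https", host, h, c) for h, c in attempts]


if __name__ == "__main__":
    for status, reason in replay():
        print(status, reason)
```

A machine-to-machine SOAP client has no earlier page load from which to obtain such a cookie, which fits the reply's point that these errors are not expected on an API endpoint.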