"The security validation for this page is invalid" when calling the SharePoint Web Services

When working with the out-of-the-box SharePoint web services, it may have happened to you that the Web Service response contained the following exception embedded in the XML:

Exception of type 'Microsoft.SharePoint.SoapServer.SoapServerException' was thrown.
The security validation for this page is invalid. Click Back in your Web browser, refresh the page, and try your operation again.
Error code: 0x8102006d

Undoubtedly this exception is quite strange in the context of a web service call; there is no Back button you can click. But in my cases the exception was just plain wrong, the issue had nothing to do with security whatsoever. It turned out that when you make a web service call to the SharePoint web services, in some cases you need to set the SOAPAction header  in the HTTP Request, in other cases it’s not necessary to do this (but it won’t do any bad if you do). When you consume web services from .NET code, you probably have Visual Studio generated proxies; they pass the correct header so you don’t need to do anything special. But if you construct your own HTTP Request to make the Web Service call, for example using Javascript and jQuery, you need to think about this. Check out following Javascript code for example, which creates a new List item by using the Lists.asmx web service (discussed in more detail in my previous post):

var soapEnv =
    "<?xml version=\"1.0\" encoding=\"utf-8\"?> \
    <soap:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" \
        xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\" \
        xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\"> \
      <soap:Body> \
        <UpdateListItems xmlns=\"http://schemas.microsoft.com/sharepoint/soap/\"> \
          <listName>Tasks</listName> \
          <updates> ... Updates XML ... </updates> \
        </UpdateListItems> \
      </soap:Body> \
    </soap:Envelope>";

$.ajax({
    url: "http://yoursite/_vti_bin/lists.asmx",
    type: "POST",
    dataType: "xml",
    data: soapEnv,
    complete: processResult,
    contentType: "text/xml; charset=utf-8"
});

This code will cause the Security Validation exception, because the SOAPAction Header is not correct. How do you know what value you need to set the SOAPAction Header to? Well, that’s very easy to figure out! Just navigate the the Lists.asmx web service (or UserGroup.asmx, Webs.asmx, Sites.asmx, SiteData.asmx or any Web Service you want to call of course) in your browser, and drill down to the Web Method you want to invoke.

 

As you can see, the required value of the SOAPAction value is displayed in the generated web page for the Web Method, so you can just copy and paste it in your code. When using the jQuery ajax function, you can use the beforeSend option so set additional Headers:

$.ajax({
    url: wsURL,
    beforeSend: function(xhr) {
        xhr.setRequestHeader("SOAPAction",
        "http://schemas.microsoft.com/sharepoint/soap/UpdateListItems");
    },

    type: "POST",
    dataType: "xml",
    data: soapEnv,
    complete: processResult,
    contentType: "text/xml; charset=utf-8"
});

That’s it, now the Web Service call will work without the irrelevant Security Validation exception.

2 Comments

  • Awesome post. This helped me solve my problem quickly.

  • The SOAPAction header is actually pretty common - I have a feeling it may even be required for SOAP 1.2, if not expected for SOAP 1.1 (asmx) it;s certainly pervasive in WCF when using the wsHttpBinding which is SOAP 1.2 (the basicHttpBinding is SOAP 1.1). Not strictly sharepoint related, but important to raise, since the services that don't require it are possibly not SOAP compliant. I say possibly because I'm not an authority on the subject and I don't know the spec for sure, I just know I've been caught out by this a lot when learning WCF.

Comments have been disabled for this content.