401 when calling any API from Portal
Hello all.
I'm getting the following issue, which I'm failing to understand. These are the steps I've taken:
- Running Bonita in a server using Docker (-p 8080:8080 and -p 8443:8443)
- Modified the configuration to allow CORS and HTTPS, using the following links:
- Access the Bonita Portal using the technical user
When trying to add a new user the following error is seen in the network tab (Dev Console in Chrome):
Request URL: https://mybonitaserver.com:8443/bonita/API/identity/user/
Request Method: POST
Status Code: 401
Remote Address: mybonitaserverip:8443
Referrer Policy: strict-origin-when-cross-origin
In my BonitaServer I have added in the web.xml the following:
<init-param>
<param-name>cors.allowed.origins</param-name>
<param-value>*</param-value>
</init-param>
And
<init-param>
<param-name>cors.support.credentials</param-name>
<param-value>false</param-value>
</init-param>
Disabling CORS makes the issue go away, so I'm guessing I'm missing something in the configuration.
I really appreciate any help.
Thanks,
Max
Hello,
I think the important thing is to make sure the header X-Bonita-API-Token
is present in the list of headers of the filter property cors.allowed.headers
in the web.xml file as well as in cors.exposed.headers
Also the issue can be that the X-Bonita-API-Token cookie that is used to set the header cannot be read in the browser. You can have a look at this article which explains why: https://community.bonitasoft.com/blog/manage-web-browsers-new-cors-behavior
HTH
Comments
Hi Pablo, thanks for answering.
Yes, that is true except when you have the allowed origin list with the * wildcard.
Anyways, I have changed that to allow a proper list of origins, and set the support credentials to true.
What I have noticed is that in the Bonita Portal, the request header "X-Bonita-API-Token" is NOT present.
If I grab a request, take it to Postman and send it with Cookie + X-Bonita-API-Token Headers I get a 200 instead of a 401.
Example (API call - take task):
https://mybonitaserver.com:8443/bonita/API/bpm/humanTask/2
From Portal:
PUT /bonita/API/bpm/humanTask/2 HTTP/1.1
Host: mybonitaserver.com:8443
Connection: keep-alive
Content-Length: 19
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://mybonitaserver.com:8443
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://mybonitaserver.com:8443/bonita/portal.js/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Cookie: JSESSIONID=1BAD0C929B2F73CAECB61502B1C40591; BOS_Locale=en
Got:
Request Method: PUT
Status Code: 401
Remote Address: mybonitaserver_ip:8443
Referrer Policy: strict-origin-when-cross-origin
From Postman (I have added the X-Bonita-API-Token header on purpose - removing it causes 401):
curl --location --request PUT 'https://mybonitaserver.com:8443/bonita/API/bpm/humanTask/2' \
--header 'Cookie: JSESSIONID=1BAD0C929B2F73CAECB61502B1C40591; BOS_Locale=en; JSESSIONID=801BDB0A334AD8B8DEA67DAFE46BDDA2' \
--header 'Content-Type: application/json;charset=UTF-8' \
--header 'X-Bonita-API-Token: 9534d136-ab81-48cb-b603-03572cf9fd56' \
--data-raw '{"assigned_id":"2"}'
Got:
Status Code: 200 OK
Thoughts?
Thanks,
Maxi
Hi Maxi,
Then take a look at this: https://documentation.bonitasoft.com/bonita/7.12/csrf-security. It explains how to handle the cookie and why.
Thanks
Pablo
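The two replies above describe the same mechanism: the Bonita CSRF filter expects the value of the X-Bonita-API-Token cookie to be replayed as the X-Bonita-API-Token request header, and the portal's call fails with 401 when the browser cannot read that cookie. The following is an added client-side example, not Bonita's own code, of how a script reads the cookie and sets the header; it assumes the token cookie is readable from JavaScript and that the page is served from an origin listed in cors.allowed.origins. The cookie string and token value in it are constructed.

```javascript
// Added example (not Bonita's own client code): replay the X-Bonita-API-Token
// cookie as the X-Bonita-API-Token header, the double-submit pattern checked by
// the Bonita CSRF filter. Assumes the cookie is readable from script.

const TOKEN_NAME = 'X-Bonita-API-Token';

// Constructed sample of what document.cookie may look like after login.
const SAMPLE_COOKIE =
  'JSESSIONID=0123456789ABCDEF; BOS_Locale=en; X-Bonita-API-Token=constructed-token-value';

// Parse a document.cookie / Cookie-header string into a name -> value map.
// A later duplicate wins, mirroring how browsers serialise the cookie jar.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return jar;
}

// Build the headers for a JSON call to /bonita/API. Returns null when the token
// cookie is absent so the caller fails early instead of collecting a 401.
function buildApiHeaders(cookieString) {
  const token = parseCookies(cookieString)[TOKEN_NAME];
  if (!token) return null;
  return { 'Content-Type': 'application/json;charset=UTF-8', [TOKEN_NAME]: token };
}

// Browser wrapper: credentials 'include' sends JSESSIONID, the header passes
// the CSRF check. Outside a browser it falls back to the constructed sample.
async function bonitaApi(method, path, body) {
  const cookies = typeof document !== 'undefined' ? document.cookie : SAMPLE_COOKIE;
  const headers = buildApiHeaders(cookies);
  if (!headers) {
    throw new Error(`${TOKEN_NAME} cookie not readable from script; see the Bonita CSRF documentation`);
  }
  return fetch(path, {
    method, headers, credentials: 'include',
    body: body === undefined ? undefined : JSON.stringify(body),
  });
}

// The "take task" call from the thread would be:
// bonitaApi('PUT', '/bonita/API/bpm/humanTask/2', { assigned_id: '2' });
```

If buildApiHeaders returns null in the browser, the cookie is not visible to script, which is the situation the linked CORS article and CSRF page address.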