[Bonita 7] REST API Extensions always responds with HTTP 403



I'm currently experimenting with the extensions examples provided with Bonita 7.0.0. When I send a GET request on ../API/extension/demo/getExample I always get a HTTP 403 response. Of course, I've logged in before performing the request (I got HTTP 401 when I'm not logged). I'm testing it using Postman, a Chrome extension for testing REST API. I'm pretty sure it's a problem with the REST API authorization settings in Bonita, but I don't understand how it works.


2 answers

This one is the BEST answer!

Thank you all for your help ! For those who run into the same issue, here is how to solve it.

In my case, the problem came from the REST API permissions settings. I am using a custom permission for my API extension. It looks like this in the page.properties file :


When you deploy an extension from the portal, Bonita automatically map the extension resources with the custom permission defined in the page.properties. But it doesn't map the permission to any user. Which is logical because it doesn't know who should be allowed to access your extension. So you have to do the mapping yourself by editing the custom-permissions-mapping.properties file. In my case, I granted the permission to any user with the User profile. It looks like this :


You can also map permissions to specific users, like this :


Be aware that restarting Bonita Studio will reset your configuration files. To avoid that you can uncheck the option "On exit clean database" in the menu "Preferences > Database", or edit the configuration files locate in the folder ..bonita/client/platform/tenant-template. (Thanks to elias and claudio for these)

Hope that will help someone with the same issue !


Hi Quentin,

thanks for testing REST API Extension.

while using your chrome extension, you by-pass security checks, since required cookies & headers may be lost.

Then you have 2 options:

1/ login as platform admin (default is install/install) in a separate tab to your chrome extension in order to skip those security checks. 2/ create a living application using the provided REST API extension viewer page. Then logout/login in order to deploy new credentials to your user's profile




Submitted by Quentin Choulet on Thu, 07/16/2015 - 09:18

Hi Laurent,

Thank you for your answer. The chrome extension acts like a web browser and seems to manage cookies and sessions automatically. I had no problems when I was testing the native REST API functionalities.

I finally managed to make it work. I solved the problem by adding a custom mapping in custom-permissions-mapping.properties to grant the demoPermission to users with the User profile. It works but the file is reset each time I close Bonita Studio

Submitted by elias.ricken on Thu, 07/16/2015 - 15:02

Hi Quentin,

you can uncheck the option "On exit clean database" in the menu "Preferences > Database" to avoid the file reset.

Regards, Elias

Submitted by Quentin Choulet on Fri, 07/17/2015 - 09:04

Thanks !

Submitted by cldrzdz on Thu, 07/23/2015 - 02:20

Hello Quentin,

Could you please cut and paste the lines added in custom-permissions-mapping.properties

By the way I think you can do the same thing but in the folder ..bonita/client/platform/tenant-template in the same file. It has the configuration used each time a new tenant is created when Bonita Studio is lunched. It would be a way to make your changes persists.


Submitted by Quentin Choulet on Thu, 07/23/2015 - 09:24

Hello Claudio,

I just posted a new answer explaining the problem and how to solve it with samples of the config file


Submitted by ansoumana.cisse on Sun, 08/02/2015 - 13:30

I am trying to test my [Bonita 7] REST API Extensions. but I face a problem. I still get the code 403. I followed the solutions proposed above, but its still not work.Soes anyone know what's the problem ? Thank you!

Submitted by Quentin Choulet on Mon, 08/03/2015 - 10:23

Hi !

Did you restart the web server after editing the configuration files ?

Submitted by ansoumana.cisse on Tue, 08/04/2015 - 10:08

Hi ! Thanks for your reply! Yes i did. But its working now since i had in the conf file : compound-permissions-mapping.properties the line : custompage_agenda=[agenda_permission] But im not sure that's recommended to modify this file, can i ? if i referred to this comment :


List of permissions used for each pages.

The content of this file is handled by the portal, it should not be modified


Submitted by Quentin Choulet on Tue, 08/04/2015 - 11:47

The portal is supposed to update this file automatically when you import your API extension. You should not modify it manually but I noticed that sometimes it doesn't work. Restarting Bonita Studio or redeploying the API extension usually solve the issue for me.

Submitted by laurent.leseigneur on Thu, 10/29/2015 - 21:20

In fact, it is not when you import API extension that file is updated, but when you deploy a page resource that uses the api extension url, notified by the "resources" entry in page.properties file