Getting the X-Bonita-API-Token

1
+3
-1

To Whom it may concern,

I am using Bonitasoft Subscription Version 7.3+.

I am trying to access Bonitasoft information from another application, on a different domain.

I am successfully using the 'loginservice' API. I am getting a status of 200. However I cannot get the X-Bonita-API-Token directly from that response.

I can see that the token is being set correctly in my browser as a cookie under the Bonitasoft server domain. However I am unable to access the cookies on that domain for the obvious reasons.

I need this token to make subsequent PUT, POST, and DELETE REST API calls. It is required in the header.

How can I get this token locally and put it in the headers of subsequent calls? I appreciate that it is being automatically put into all subsequent calls as a cookie by my browser, but it is not being put into the header.

Thank you,
Aidan

Comments

Submitted by agaughan on Fri, 07/14/2017 - 22:29

Also the server that is being used is WildFly, not Tomcat.

1 answer

1
0
-1

Someone on my team was able to solve this problem.

After the login service use 'API/system/session/unusedId' and that service will return the token.

Comments

Submitted by Lionel Palacin on Mon, 07/17/2017 - 23:02

Thanks for the answer!

Submitted by vitiellom on Wed, 02/13/2019 - 12:19

Having the same problem. After login with curl request the X-Bonita-API-Token get saved as expected, if I try to perform the same request with php no sign of that cookie. If I try to use API/system/session/unusedId as suggest I get a 404 not found error? The code of the second request looks like this:

$curl = curl_init();
# curl -v -b saved_cookies.txt --url 'http://localhost:63717/bonita/API/system/session/unusedId' --header "Content-Type: application/x-www-form-urlencoded; charset=utf-8"
$options = array(CURLOPT_RETURNTRANSFER => 1,
CURLOPT_VERBOSE => TRUE,
CURLOPT_CUSTOMREQUEST => "GET",
CURLOPT_HEADER => 1,
CURLOPT_COOKIE => $cookies,
CURLOPT_URL => 'http://localhost:63717/API/system/session/unusedid',
CURLOPT_HTTPHEADER => array('Content-type: application/x-www-form-urlencoded', 'charset: utf-8')
);
curl_setopt_array($curl, $options);
$returnData = curl_exec($curl);

Where $cookies = 'JSESSIONID=8A78E3A42644DD974546C9CF080F6B01' for example. What am I missing?

Best

Submitted by antoine.mottier on Thu, 02/14/2019 - 11:19

Make sure that your REST API call includes in the header the X-Bonita-API-Token with the value get from the loginservice call.

Also you can see a call to /bonita/API/system/session/unusedId when you load the Portal from the Studio (using your web browser developper tool in the network tab). So you can compare your call with the one performed by Bonita Portal.

Finally you can take a look at this video that explain how to do Bonita REST API call: https://www.youtube.com/watch?v=PVp5lu8EGp4&t=24s

Submitted by vitiellom on Thu, 02/21/2019 - 12:27

Thanks for the answer and the video link, I will have a look at it.

My problem is that I can't include the X-Bonita-API-Token in the header because it does not get saved in the after successfully login through API. Only the session id is saved but not trace of the Bonita token.

Edit: using Postman and following the instructions of the video, I successfully authenticate but, again, no signs of the X-Bonita-API-Token (only the JSESSIONID get saved)...

Submitted by antoine.mottier on Thu, 02/28/2019 - 11:06

Sorry I forgot X-Bonita-API-Token is related to CSRF protection and this feature was only enable dy default in version 7.4.0. In 7.3 you need to enable it manually. See: https://documentation.bonitasoft.com/bonita/7.3/csrf-security

In 7.3 usage of X-Bonita-API-Token and if I remember correctly JSESSIONID was required.

Also note that 7.3 is out of support since July 2018. So I recommend if possible to update to the latest version of Bonita.

Submitted by rev.dev on Mon, 03/04/2019 - 18:46

I can see that the X-Bonita-API-Token has been set on the browser after I do a post to 'loginservice' but I cannot access the cookie in which the token is stored via javascript because (presumably) I am trying to do so from a server other than that which set the cookie. When I tried calling 'API/system/session/unusedId' after loginservice I get a 401 error. Can somebody please provide some help as to how to get the X-Bonita-API-Token via a JS framework that is calling the bonita server remotely? Thanks much

Submitted by antoine.mottier on Thu, 03/21/2019 - 19:39

Finally I get the chance to create a fully functional example.

In order to successfully run this example with your Bonita installation you first need to configure CORs on your server: https://documentation.bonitasoft.com/bonita/7.8/enable-cors-in-tomcat-bu...

An here is an example of a page that was served by Apache installed locally on my computer and accessing a remote Bonita server installed on AWS: https://gist.github.com/amottier/aa0758d9a7e5a8a99d1afbbd655a7e0f

We actually get the X-Bonita-API-Token from the HTTP header with the same name that we can find in the answer to a call to /API/system/session API.

Submitted by sujitht on Wed, 07/22/2020 - 14:07

yes I too have the same problem in trying to access http://localhost:8080/bonita/API/system/session/unusedid and getting 401 error. I'm trying to do with java so that I can retrieve X-Bonita-API-Token for further API calls. Any sugessions here?

Submitted by cwatia_1868632 on Mon, 11/01/2021 - 13:15

I have similar problem in PHP. I can successfully generate the X-Bonita-API-Token in the authenticate function below and set the cookie on the browser. But accessing other API calls with no success.

public function authenticate(){

$url = $this->config->item('bpm_base_url')."loginservice";

$headers = array('content-type' => 'application/x-www-form-urlencoded');

$data = array('username' => 'desarrollo', 'password' => 'desarrollo');

//SEND REQUEST

$body = Unirest\Request\Body::form($data);

$response = Unirest\Request::post($url, $headers, $body);

//GET COOKIES

$cookie = $response->headers['Set-Cookie'];

//Access Bonita API Token

$new_cookie = explode('=', $cookie[2]);

$new_cookie1 = explode(' ', $new_cookie[1]);

$this->bonita_cookie = rtrim($new_cookie1[0], ';');

//Access JSESSIONID

$session_id = explode('=', $cookie[1]);

$session_id1 = explode(' ', $session_id[1]);

$this->jsession_id = rtrim($session_id1[0], ';');

//SET COOKIES

setcookie('X-Bonita-API-Token', $this->bonita_cookie, time()+3600, "/bonita");

setcookie('JSESSIONID', $this->jsession_id, time()+3600, "/bonita");

}

Calling this function which contains implementation to get all processes it fails

public function getProcesses(){

$url = $this->config->item('bpm_base_url')."API/bpm/process?c=10&p=0";

$response = Unirest\Request::get($url, $headers);

echo(json_decode($response->body));

}

Any help?

Submitted by romain.bioteau on Tue, 11/02/2021 - 09:23

Hi,

What status is returned ?
Did you enable CORS ?

Submitted by cwatia_1868632 on Tue, 11/02/2021 - 09:31

Hi bioteau,

Thank you for your response.

I was able to resolve the issue by passing the "JSESSIONID" cookie as part of my request.

Submitted by romain.bioteau on Tue, 11/02/2021 - 09:36

Great news !

Have a nice day

Notifications