401 when calling any API from Portal

Hello all.

I'm getting the following issue, which I'm failing to understand. These are the steps I've taken:

  • Running Bonita in a server using Docker (-p 8080:8080 and -p 8443:8443)
  • Modified the configuration to allow CORS and HTTPS, using the following links:
    • https://documentation.bonitasoft.com/bonita/7.12/enable-cors-in-tomcat-bundle
    • https://documentation.bonitasoft.com/bonita/7.12/ssl
  • Access the Bonita Portal using the technical user

When trying to add a new user the following error is seen in the network tab (Dev Console in Chrome):

Request URL: https://mybonitaserver.com:8443/bonita/API/identity/user/
Request Method: POST
Status Code: 401 
Remote Address: mybonitaserverip:8443
Referrer Policy: strict-origin-when-cross-origin

In my BonitaServer I have added in the web.xml the following:

  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>

And

  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>

Disabling CORS makes the issue go away, so I'm guessing I'm missing something in the configuration.

I really appreciate any help.

Thanks,

Max

Hi MHoly

I think it is an issue with the configuration. In fact, the parameter cors.support.credentials should be set to true.

Follow the documentation, and keep in mind all the required init params and the important notes.

Cheers

Hello,

I think the important thing is to make sure the header X-Bonita-API-Token is present in the list of headers of the filter property cors.allowed.headers in the web.xml file, as well as in cors.exposed.headers.

Also, the issue can be that the X-Bonita-API-Token cookie that is used to set the header cannot be read in the browser. You can have a look at this article, which explains why: https://community.bonitasoft.com/blog/manage-web-browsers-new-cors-behavior

HTH

Hi Pablo, thanks for answering.

Yes, that is true except when you have the allowed origin list with the * wildcard.

Anyways, I have changed that to allow a proper list of origins, and set the support credentials to true.

What I have noticed is that in the Bonita Portal, the request header "X-Bonita-API-Token" is NOT present.

If I grab a request, take it to Postman and send it with Cookie + X-Bonita-API-Token Headers I get a 200 instead of a 401.

Example (API call - take task):

https://mybonitaserver.com:8443/bonita/API/bpm/humanTask/2

From Portal:

PUT /bonita/API/bpm/humanTask/2 HTTP/1.1
Host: mybonitaserver.com:8443
Connection: keep-alive
Content-Length: 19
sec-ch-ua: "Chromium";v="88", "Google Chrome";v="88", ";Not A Brand";v="99"
Accept: application/json, text/plain, */*
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.150 Safari/537.36
Content-Type: application/json;charset=UTF-8
Origin: https://mybonitaserver.com:8443
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://mybonitaserver.com:8443/bonita/portal.js/
Accept-Encoding: gzip, deflate, br
Accept-Language: es-ES,es;q=0.9
Cookie: JSESSIONID=1BAD0C929B2F73CAECB61502B1C40591; BOS_Locale=en

Got:

Request Method: PUT
Status Code: 401 
Remote Address: mybonitaserver_ip:8443
Referrer Policy: strict-origin-when-cross-origin

From Postman (I have added the X-Bonita-API-Token header on purpose - removing it causes 401):

curl --location --request PUT 'https://mybonitaserver.com:8443/bonita/API/bpm/humanTask/2' \
--header 'Cookie: JSESSIONID=1BAD0C929B2F73CAECB61502B1C40591; BOS_Locale=en; JSESSIONID=801BDB0A334AD8B8DEA67DAFE46BDDA2' \
--header 'Content-Type: application/json;charset=UTF-8' \
--header 'X-Bonita-API-Token: 9534d136-ab81-48cb-b603-03572cf9fd56' \
--data-raw '{"assigned_id":"2"}'

Got:

Status Code: 200 OK

Thoughts?

Thanks,

Maxi

Hi Maxi,

Then have a look at this: https://documentation.bonitasoft.com/bonita/7.12/csrf-security. It explains how to handle the cookie and why.

Thanks

Pablo
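As an added example (not code from the thread or from Bonita), the following covers both of Pablo's replies: it checks a Tomcat CorsFilter init-param map for the settings discussed above (credentials, wildcard origin, X-Bonita-API-Token in the allowed and exposed header lists) and builds the token header from a document.cookie string, returning null when the cookie is not readable, which is the situation behind the missing header in Maxi's Portal request. It assumes the CSRF token cookie carries the same name as the header.

```javascript
// Added example, not code from the thread or from Bonita: checks CorsFilter
// init-params for the settings the replies call out, and builds the request
// header the Portal JavaScript needs from document.cookie.
// Assumption: the CSRF token cookie is named X-Bonita-API-Token, like the header.
const API_TOKEN = "X-Bonita-API-Token";

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns the list of problems found; an empty list means the config passes.
function checkCorsFilterParams(params) {
  const problems = [];
  if (splitList(params["cors.allowed.origins"]).includes("*")) {
    problems.push("cors.allowed.origins is '*': browsers do not accept a " +
      "wildcard Access-Control-Allow-Origin on credentialed requests");
  }
  if (params["cors.support.credentials"] !== "true") {
    problems.push("cors.support.credentials must be 'true' for cross-origin " +
      "API calls to carry the JSESSIONID cookie");
  }
  for (const key of ["cors.allowed.headers", "cors.exposed.headers"]) {
    const names = splitList(params[key]).map((h) => h.toLowerCase());
    if (!names.includes(API_TOKEN.toLowerCase())) {
      problems.push(`${key} does not list ${API_TOKEN}`);
    }
  }
  return problems;
}

// Parses a document.cookie string and returns the token header, or null when
// the token cookie is not readable from JavaScript (the case behind the 401).
function apiTokenHeaderFromCookie(cookieString) {
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    if (part.slice(0, idx).trim() === API_TOKEN) {
      return { [API_TOKEN]: decodeURIComponent(part.slice(idx + 1).trim()) };
    }
  }
  return null;
}

// Constructed samples: the thread's first settings, then corrected ones.
const originalParams = { "cors.allowed.origins": "*",
  "cors.support.credentials": "false", "cors.allowed.headers": "Content-Type",
  "cors.exposed.headers": "" };
const correctedParams = { "cors.allowed.origins": "https://mybonitaserver.com:8443",
  "cors.support.credentials": "true", "cors.exposed.headers": "X-Bonita-API-Token",
  "cors.allowed.headers": "Content-Type,X-Bonita-API-Token" };
```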