API cookie JSESSIONID httponly

Hello.

I am consuming, from a React app, the Bonita Studio API to log in using the method http://localhost:8080/bonita/loginservice as mentioned in the official documentation.

I get the 4 response cookies, but I can't read the JSESSIONID, as it is marked HttpOnly for security, and this is where the problem arises.

That JSESSIONID cookie is necessary to consume the rest of the API methods, since otherwise, when I send a request to methods such as /bonita/API/bpm/case/, it returns a 401.

The tests in Postman come out OK, but from React or Angular I have no way to read that cookie.

Has anyone in the community ever solved this? ...

Thanks for your help. Cheers

Hello
You don't need the JSESSIONID; only the X-API token will suffice.

PLEASE REMEMBER YOU NEED TO SET THE CORS FILTER FOR THIS METHOD TO WORK.

Please check the below code.
  public getAuthToken() {
    // No custom headers are needed here: JSESSIONID is HttpOnly and the browser
    // attaches it itself because of credentials: 'include'; the script never reads it.
    const myHeaders = new Headers();

    return fetch(this._loginUrl + 'API/system/session/unusedId', {
      method: 'GET',
      headers: myHeaders,
      credentials: 'include',
    }).then(res => {
      if (res.ok) {
        // The CSRF token comes back as a response header. For a cross-origin
        // call it is readable only if the server lists it in
        // Access-Control-Expose-Headers (see the CORS filter below).
        const token = res.headers.get("x-bonita-api-token");
        if (token) {
          this.setToken(token);
          console.log(token);
        } else {
          alert('Token not found !');
        }
      } else {
        alert("Session not created !");
      }
      return res.ok;
    });
  }
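The flow the answer above describes, as an added example in plain JavaScript (editor's code, not from the thread, from Bonitasoft, or from the Angular project it quotes): the script never reads JSESSIONID, it lets the browser send it with `credentials: 'include'`, reads the CSRF token from the `X-Bonita-API-Token` response header, and sends that token back as a request header. The Bonita endpoints, the form parameters of `/loginservice`, and the rule that non-GET calls need the token header are assumptions to verify against your Bonita version; the `fakeBonitaServer` stand-in, its cookie and token values, and the credentials are constructed so the example runs offline.

```javascript
// Added example (editor's own code, not from the thread or from Bonitasoft).
// Assumptions to verify against your Bonita version: login is a form POST to
// <base>/loginservice, GET <base>/API/system/session/unusedId returns the CSRF
// token in an X-Bonita-API-Token response header, and every non-GET call must
// carry that value in an X-Bonita-API-Token request header.
function createBonitaClient({ baseUrl, fetchImpl = globalThis.fetch }) {
  let apiToken = null; // memory only: no localStorage, no cookie parsing

  async function login(username, password) {
    const body = new URLSearchParams({ username, password, redirect: 'false' });
    const res = await fetchImpl(`${baseUrl}/loginservice`, {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      credentials: 'include', // the browser stores the HttpOnly JSESSIONID itself
      body,
    });
    if (!res.ok) throw new Error(`login failed: HTTP ${res.status}`);
    return refreshToken();
  }

  // JSESSIONID is HttpOnly, so the script never sees it; credentials: 'include'
  // makes the browser attach it. The token arrives as a header, which is only
  // readable cross-origin if the server lists it in Access-Control-Expose-Headers.
  async function refreshToken() {
    const res = await fetchImpl(`${baseUrl}/API/system/session/unusedId`, {
      method: 'GET', credentials: 'include',
    });
    if (!res.ok) throw new Error(`session check failed: HTTP ${res.status}`);
    const token = res.headers.get('x-bonita-api-token');
    if (!token) throw new Error('X-Bonita-API-Token not exposed by the server');
    apiToken = token;
    return token;
  }

  async function request(method, path, body) {
    if (!apiToken) throw new Error('not logged in');
    const headers = { 'X-Bonita-API-Token': apiToken };
    if (body !== undefined) headers['Content-Type'] = 'application/json';
    const res = await fetchImpl(`${baseUrl}${path}`, {
      method, headers, credentials: 'include',
      body: body === undefined ? undefined : JSON.stringify(body),
    });
    if (res.status === 401) {
      apiToken = null; // session or token gone: force a new login
      throw new Error(`401 on ${method} ${path}`);
    }
    if (!res.ok) throw new Error(`HTTP ${res.status} on ${method} ${path}`);
    return res.status === 204 ? null : res.json();
  }

  return { login, refreshToken, request, hasToken: () => apiToken !== null };
}

// Constructed stand-in for Bonita plus the browser's cookie store, so the
// example runs offline. It enforces the two things the thread is about: the
// session cookie only travels when credentials: 'include' is set, and non-GET
// calls must carry the CSRF token header. All values are made up.
function fakeBonitaServer() {
  const SESSION = 'JSESSIONID=5F2A9C';
  const TOKEN = 'c0ffee-token';
  let cookieJar = null; // what the browser holds; script code never sees it
  const fetchImpl = async (url, init = {}) => {
    const path = new URL(url).pathname;
    const method = init.method || 'GET';
    if (path.endsWith('/loginservice') && method === 'POST') {
      cookieJar = SESSION;
      return new Response(null, { status: 204 });
    }
    const sentCookie = init.credentials === 'include' ? cookieJar : null;
    if (sentCookie !== SESSION) return new Response(null, { status: 401 });
    if (path.endsWith('/API/system/session/unusedId')) {
      return new Response('{}', { status: 200, headers: { 'X-Bonita-API-Token': TOKEN } });
    }
    if (method !== 'GET' && (init.headers || {})['X-Bonita-API-Token'] !== TOKEN) {
      return new Response(null, { status: 401 }); // CSRF token missing or wrong
    }
    return new Response(JSON.stringify({ id: '7002', state: 'started' }), { status: 200 });
  };
  return { fetchImpl, token: TOKEN };
}

// Runs the flow from the thread and reports what happened at each step.
async function demo() {
  const server = fakeBonitaServer();
  const base = 'http://localhost:8080/bonita';
  const client = createBonitaClient({ baseUrl: base, fetchImpl: server.fetchImpl });
  const token = await client.login('walter.bates', 'bpm'); // sample credentials
  const theCase = await client.request('GET', '/API/bpm/case/7002');
  const posted = await client.request('POST', '/API/bpm/process/1/instantiation', {});
  // The two failure modes from the question, reproduced with raw fetch calls:
  const noCookie = await server.fetchImpl(`${base}/API/bpm/case/7002`, { method: 'GET' });
  const noToken = await server.fetchImpl(`${base}/API/bpm/case/7002`,
    { method: 'DELETE', credentials: 'include' });
  return { token, caseId: theCase.id, postedId: posted.id,
           noCookieStatus: noCookie.status, noTokenStatus: noToken.status };
}

demo().then((r) => console.log(r));
```

The token is kept in a closure rather than in localStorage: anything in localStorage is readable by any script running on the page, while the cookie stays HttpOnly and the token lives only as long as the client object. Against a real Bonita instance, swap `fakeBonitaServer().fetchImpl` for the browser's `fetch` and keep the base URL pointing at the Tomcat bundle.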

Solved with axios configuration. See details here: https://community.bonitasoft.com/questions-and-answers/api-cookie-jsessionid-httponly

Hello
I use the Bonita X API token that is generated once you log in.
Use the session API to check if the session is active. Then read and collect the Bonita X API token.
Pass the token as part of the header. It will work.

Please refer this link

https://community.bonitasoft.com/questions-and-answers/cannot-instantiate-process-axios-http

Good morning.
Thanks for your comment.
The example here https://community.bonitasoft.com/questions-and-answers/cannot-instantiat... uses localStorage.getItem('API-Token') to get the X-Bonita-API-Token, but the Bonita Studio API does not save it to localStorage. It saves it in the browser storage where cookies are stored.
The problem is that the JSESSIONID cookie is always required, but since it is protected I cannot read it to use it.
I tried an example from the Bonita Studio documentation and the same thing happens.
https://documentation.bonitasoft.com/bonita/2021.1/enable-cors-in-tomcat-bundle#_add_cors_filter

The JSESSIONID cookie is necessary in every request after login, according to the official documentation of Bonita Studio.

I read that after login the /API/system/tenant/unusedid method should also be called, but this does not work either, since when consuming, for example, /API/bpm/case/7002, the response is a 401 because the browser does not send JSESSIONID, since it cannot be read because it is protected with httponly.

Any other solution???

Hello

For the above scenario, I am also using Bonita Studio.
I am manually saving the X-API token in local storage so that I can use it in all my HTTP calls.
As soon as the user logs in, I collect the token and save it in local storage.

Please refer to the code below.

Have you enabled the CORS filter in Tomcat?
Refer to this link
https://documentation.bonitasoft.com/bonita/2022.1/security/enable-cors-in-tomcat-bundle

Hello Dibyajit.Roy
Yes, I added the CORS filters according to the official documentation of the Bonita Studio API.
This is my code.
Do you see something wrong in this code?

<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>http://localhost</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,HEAD,POST,PUT,DELETE,OPTIONS</param-value>
  </init-param>
</filter>

My frontend runs on http://localhost
Cheers

Hello Dibyajit.Roy. Is your code for a front end or a back end? I am consuming the Bonita API from a front end developed with React. Do you have any comments?

Hello
This is my code for the front end.
I am using Angular + Bonita. The above code is written in an Angular project and the backend is Bonita.
Please see below the complete CORS script that I am using:
  <!-- Error pages -->
    <error-page>
        <error-code>500</error-code>
        <location>/error/500</location>
    </error-page>
    <error-page>
        <error-code>403</error-code>
        <location>/error/403</location>
    </error-page>
    <error-page>
        <error-code>404</error-code>
        <location>/error/404</location>
    </error-page>

  <filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <!-- A wildcard origin together with cors.support.credentials=true lets any
       website make credentialed calls to Bonita with the user's session, and
       recent Tomcat releases refuse to start the filter with this combination.
       List the real front-end origin (scheme, host and port) instead. -->
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>

  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>

  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,HEAD,POST,PUT,DELETE,OPTIONS</param-value>
  </init-param>

  <!-- List of the response headers, other than simple response headers, that the browser should expose to
    the author of the cross-domain request through the XMLHttpRequest.getResponseHeader() method.
    The CORS filter supplies this information through the Access-Control-Expose-Headers header. -->
  <init-param>
    <param-name>cors.exposed.headers</param-name>
    <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials,X-Bonita-API-Token</param-value>
  </init-param>

  <!-- The names of the supported author request headers. These are advertised through the Access-Control-Allow-Headers header.
    The CORS filter implements this by simply echoing the requested value back to the browser.
  -->
  <init-param>
    <param-name>cors.allowed.headers</param-name>
    <param-value>Content-Type,X-Requested-With,accept,Origin,Access-Control-Request-Method,Access-Control-Request-Headers,X-Bonita-API-Token</param-value>
  </init-param>

</filter>
...
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

    <!-- No Cache Filter -->
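Why the two CORS configurations in this thread behave so differently, as an added example (editor's own model, not code from the thread, from Bonitasoft or from Tomcat): a small JavaScript imitation of the decisions `org.apache.catalina.filters.CorsFilter` makes, run over the filter from the question (origin `http://localhost`, nothing exposed, default allowed headers), its wildcard variant, and a hardened variant for a front end on `http://localhost:3000` (an assumed origin). The behaviour it models is assumed and should be checked against your Tomcat version: exact string comparison of the `Origin` against `cors.allowed.origins` (so the port matters), echoing the origin when credentials are supported, refusing `*` together with `cors.support.credentials=true`, Tomcat's default `cors.allowed.headers` list, and the browser rule that a response header is readable only if it is CORS-safelisted or listed in `Access-Control-Expose-Headers`.

```javascript
// Added example: an editor-written model of Tomcat's CorsFilter decisions, used
// to check a web.xml CORS configuration against the origin of the calling page.
// Not Tomcat's code; the rules below are assumptions to verify for your version.
const DEFAULT_ALLOWED_HEADERS = // assumed Tomcat default for cors.allowed.headers
  'Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers';
const SAFELISTED_RESPONSE = ['cache-control', 'content-language', 'content-length',
  'content-type', 'expires', 'last-modified', 'pragma'];

const parseList = (v) => (v || '').split(',').map((s) => s.trim()).filter(Boolean);

// config is keyed by the init-param names used in web.xml.
function buildCorsFilter(config) {
  const origins = parseList(config['cors.allowed.origins']);
  const anyOrigin = origins.includes('*');
  const credentials = config['cors.support.credentials'] === 'true';
  if (anyOrigin && credentials) { // assumed: current Tomcat refuses this at init
    throw new Error('cors.allowed.origins="*" with cors.support.credentials=true is rejected');
  }
  const methods = new Set(parseList(config['cors.allowed.methods'] || 'GET,POST,HEAD,OPTIONS'));
  const allowedHeaders = new Set(
    parseList(config['cors.allowed.headers'] || DEFAULT_ALLOWED_HEADERS).map((h) => h.toLowerCase()));
  const exposed = parseList(config['cors.exposed.headers']);

  // Decide one request: 403 with no CORS headers when rejected, otherwise the
  // CORS response headers the filter would add. Origin match is exact.
  return function decide({ origin, method = 'GET', requestHeaders = [] }) {
    if (!anyOrigin && !origins.includes(origin)) return { status: 403, headers: {} };
    if (!methods.has(method)) return { status: 403, headers: {} };
    const extra = requestHeaders.map((h) => h.toLowerCase()).filter((h) => !allowedHeaders.has(h));
    if (extra.length) return { status: 403, headers: {}, rejectedHeaders: extra };
    const headers = { 'Access-Control-Allow-Origin': anyOrigin && !credentials ? '*' : origin };
    if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';
    if (exposed.length) headers['Access-Control-Expose-Headers'] = exposed.join(',');
    return { status: 200, headers };
  };
}

// What a browser lets the page see from that response when fetch() used
// credentials: 'include' (required here, because JSESSIONID must be sent).
function browserView(decision, pageOrigin, wantedHeader) {
  const h = decision.headers;
  if (decision.status !== 200 || h['Access-Control-Allow-Origin'] !== pageOrigin ||
      h['Access-Control-Allow-Credentials'] !== 'true') {
    return { responseUsable: false, headerReadable: false };
  }
  const exposedNames = parseList(h['Access-Control-Expose-Headers']).map((x) => x.toLowerCase());
  const name = wantedHeader.toLowerCase();
  return { responseUsable: true,
           headerReadable: SAFELISTED_RESPONSE.includes(name) || exposedNames.includes(name) };
}

// Runs the calls from the thread (session check, then a POST carrying the
// token) against one config and one page origin, and reports what breaks.
function checkConfig(config, pageOrigin) {
  let decide;
  try { decide = buildCorsFilter(config); } catch (e) { return { startsUp: false, error: e.message }; }
  const session = decide({ origin: pageOrigin, method: 'GET' });
  const view = browserView(session, pageOrigin, 'X-Bonita-API-Token');
  const post = decide({ origin: pageOrigin, method: 'POST',
                        requestHeaders: ['Content-Type', 'X-Bonita-API-Token'] });
  return {
    startsUp: true,
    sessionCallUsable: view.responseUsable,
    tokenReadable: view.headerReadable,
    postWithTokenAllowed: post.status === 200,
    rejectedHeaders: post.rejectedHeaders || [],
  };
}

// Constructed configs: the one posted in the question, its "*" variant, and a
// hardened one for a front end served from http://localhost:3000 (assumed origin).
const QUESTION_CONFIG = {
  'cors.allowed.origins': 'http://localhost',
  'cors.support.credentials': 'true',
  'cors.allowed.methods': 'GET,HEAD,POST,PUT,DELETE,OPTIONS',
};
const WILDCARD_CONFIG = { ...QUESTION_CONFIG, 'cors.allowed.origins': '*' };
const HARDENED_CONFIG = {
  'cors.allowed.origins': 'http://localhost:3000',
  'cors.support.credentials': 'true',
  'cors.allowed.methods': 'GET,HEAD,POST,PUT,DELETE,OPTIONS',
  'cors.allowed.headers': `${DEFAULT_ALLOWED_HEADERS},X-Bonita-API-Token`,
  'cors.exposed.headers': 'X-Bonita-API-Token',
};

for (const [name, cfg, origin] of [
  ['question, page on :3000', QUESTION_CONFIG, 'http://localhost:3000'],
  ['question, page on :80', QUESTION_CONFIG, 'http://localhost'],
  ['wildcard', WILDCARD_CONFIG, 'http://localhost'],
  ['hardened', HARDENED_CONFIG, 'http://localhost:3000'],
]) console.log(name, checkConfig(cfg, origin));
```

Under these rules the question's filter fails in two separate ways even when the origin matches: the token header is never exposed, so `res.headers.get("x-bonita-api-token")` returns null, and `X-Bonita-API-Token` is not an allowed request header, so the preflight for any POST carrying it is refused. The hardened config names the exact page origin rather than `*`, which is what keeps `cors.support.credentials=true` from turning the session cookie into a cross-site credential.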

Hello
We can connect online using Zoom meetings and discuss in detail.
Let me know if you want to connect. What time are you available?
Which country / timezone are you based in?

Regards

I am in Argentina.
My spoken English is too bad to have a chat.
Do you speak Spanish?
In Argentina it's now 1:11 p.m.
What is your schedule now?

Sorry, I don't speak Spanish.
We can communicate in English. Don't worry.

We can connect one hour from now (around 2:10 pm your time).

I can send you a meeting invite.
Can you share your email id?


yes ... weglineduardo@gmail.com

Is your issue resolved? Is it working?

Solved, thanks to all.