REST API POST and PUT methods get unauthorized error code 401

When I send a GET request with
username and password
to the login service,
I get 200 OK.

When I send a GET request
to ip:port/bonita/API/bpm/process?p=0&c=100
I get a response and get all processes.

When I send any POST request,
like ip:port/bonita/API/bpm/case/
with this body:
{"processDefinitionId": "6397493661701515732", "variables": [{"name": "pp", "value": "87874"}]}

I get the unauthorized error 401,

and this error appears for any POST/PUT request.
My Bonita version is 7.4.2 with the WildFly server.

Hi,

Since version 7.4, CSRF security is activated by default.
(http://documentation.bonitasoft.com/7.4?page=csrf-security)

So if you want to perform any POST, PUT or DELETE method, you need to add the "X-Bonita-API-Token" header.

You can get it from the login call response (along with the JSESSIONID cookie, which you also need to copy).

Example :
Login response :
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Set-Cookie: bonita.tenant=1
Set-Cookie: JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/; HttpOnly
Set-Cookie: X-Bonita-API-Token=cfdd4369-a618-4222-a40f-02b6980e9b59; Path=/
Content-Length: 0
Date: Mon, 27 Feb 2017 09:46:59 GMT

The cookie value you need to copy looks like "JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74" (including "JSESSIONID="),
and the X-Bonita-API-Token value is "cfdd4369-a618-4222-a40f-02b6980e9b59".

  • How are you calling the REST methods?
    If it is from an external client, you need to call the login method, parse the response, get the cookies, and then, for the POST/PUT methods, add these cookies to the method headers.

If it is from a form page, the user is already logged on to the Bonita server, so you don't have to worry; just call the POST or PUT method.

  • And no, the cookies are not added as a method parameter; they need to be added as headers.
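The login-then-replay flow described in this answer, as an added example in Python's standard library (not code from the thread or from the Bonita project). It parses the Set-Cookie headers quoted above, builds the Cookie and X-Bonita-API-Token headers an external client must send on a POST, and shows the full exchange against a server. Assumptions not stated on the page: the login endpoint is POST /bonita/loginservice taking form-encoded username/password plus redirect=false, and the case is started with POST /bonita/API/bpm/case using the JSON body from the question.

```python
# Added example (not from the forum thread or the Bonita project): log in to
# Bonita's REST API from an external client, harvest the JSESSIONID cookie and
# the X-Bonita-API-Token from the login response, and replay both on a POST.
# Assumed endpoints (not confirmed by the page): POST /bonita/loginservice
# with form fields username/password/redirect=false, and
# POST /bonita/API/bpm/case with the JSON body shown in the question.
import json
import urllib.parse
import urllib.request

# Constructed sample: the Set-Cookie values from the login response quoted
# in the answer, exactly as a client would read them off the wire.
SAMPLE_SET_COOKIE_HEADERS = [
    "bonita.tenant=1",
    "JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/; HttpOnly",
    "X-Bonita-API-Token=cfdd4369-a618-4222-a40f-02b6980e9b59; Path=/",
]


def parse_set_cookie(set_cookie_headers):
    """Return {name: value} from a list of Set-Cookie header values.

    Only the leading name=value pair is kept; attributes such as Path and
    HttpOnly describe the cookie and must not be echoed back to the server.
    """
    cookies = {}
    for raw in set_cookie_headers:
        pair = raw.split(";", 1)[0].strip()
        if "=" not in pair:
            continue
        name, value = pair.split("=", 1)
        cookies[name.strip()] = value.strip()
    return cookies


def build_csrf_headers(cookies):
    """Headers for a state-changing request (POST/PUT/DELETE).

    The CSRF filter expects the token twice: in the X-Bonita-API-Token
    cookie tied to the session and again in the X-Bonita-API-Token header.
    A browser sends the cookie half on its own; an external client must
    add the header itself, which is what the 401 in the question is about.
    """
    session = cookies.get("JSESSIONID")
    token = cookies.get("X-Bonita-API-Token")
    if not session or not token:
        raise ValueError("login response did not set JSESSIONID and X-Bonita-API-Token")
    cookie_header = "; ".join(f"{name}={value}" for name, value in cookies.items())
    return {
        "Cookie": cookie_header,
        "X-Bonita-API-Token": token,
        "Content-Type": "application/json",
    }


def login(base_url, username, password):
    """POST credentials to the (assumed) login service; return the cookies it set."""
    form = urllib.parse.urlencode(
        {"username": username, "password": password, "redirect": "false"}
    ).encode()
    req = urllib.request.Request(
        f"{base_url}/bonita/loginservice", data=form, method="POST"
    )
    with urllib.request.urlopen(req) as resp:  # raises HTTPError on 4xx/5xx
        return parse_set_cookie(resp.headers.get_all("Set-Cookie") or [])


def start_case(base_url, cookies, process_definition_id, variables):
    """POST /bonita/API/bpm/case with the CSRF header; return the created case."""
    body = json.dumps(
        {"processDefinitionId": process_definition_id, "variables": variables}
    ).encode()
    req = urllib.request.Request(
        f"{base_url}/bonita/API/bpm/case",
        data=body,
        method="POST",
        headers=build_csrf_headers(cookies),
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample. Against a live server:
    #   jar = login("http://localhost:8080", "walter.bates", "bpm")
    #   start_case("http://localhost:8080", jar, "6397493661701515732",
    #              [{"name": "pp", "value": "87874"}])
    jar = parse_set_cookie(SAMPLE_SET_COOKIE_HEADERS)
    print(build_csrf_headers(jar))
```

If build_csrf_headers raises, the login response did not carry the token, which matches the symptom reported further down the thread by the Angular 2 user: check that the client actually keeps the cookies from the login call before blaming the CSRF filter.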

Hello,

I have the correct X-Bonita-API-Token parameter in the cookie.
I've tried to disable the CSRF protection by changing properties and pulling files, but nothing changes.
I always get the 401 error...

How do I activate a trace to see where the problem is?

You mean I send the cookie in the request,

cookie:{string[2]}

and this array of strings will be

ar[0]="JSESSIONID=9C16C7E9CAB169BCD94BCD81A78A1E74; Path=/bonita/"

ar[1]="X-Bonita-API-Token=cfdd4369-a618-4222-a40f-02b6980e9b59"

Hello, I have the same problem. I'm using Angular 2 to call the login service; I get status 200 OK but the site doesn't return cookies. How can I do it?

Thank you.

Why would I be getting this error using the bonita portal?

Request Headers
DELETE /bonita/API/portal/profileMember/24 HTTP/1.1
Host: localhost:8080
Connection: keep-alive
Origin: http://localhost:8080
User-Agent: Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.72 Mobile Safari/537.36
Content-Type: text/plain; charset=utf-8
Accept: */*
Referer: http://localhost:8080/bonita/portal/homepage

Request URL:http://localhost:8080/bonita/API/portal/profileMember/24
Request Method:DELETE
Status Code:401 Unauthorized
Remote Address:[::1]:8080
Referrer Policy:no-referrer-when-downgrade

How did you get this error? Are you logged in to the Portal with an administrator account and trying to remove a user from a profile? Or did you build the REST request in your own application?

Yes. I was logged in to the Portal using the administrator account, walter.bates, and when trying to edit or remove a user I get this error in the Chrome browser. However, on Firefox it does not error.

I did a test with Chrome and cannot reproduce the issue. Can you open a ticket on the issue tracker and put as much details as you can to reproduce the issue?

Following information would be useful:

  • step by step instruction to reproduce the issue
  • did you use the Tomcat server embedded in Bonita Studio, or did you install a bundle?
  • type of database used
  • from your requests log files it seems that you are using a mobile web browser. Is that correct?

Thanks