REST API invocation - authorization issue


#1

Hi Team,

I am trying to invoke the REST API through the Firefox REST client.
Once I log in successfully to the Cockpit URL in one tab, any subsequent REST API access calls are successful.
If I try to invoke the REST API directly with the same login credentials, REST responds with "HTTP 401" - "You must be authenticated in order to use this resource."

I have tried invoking it from a simple REST client Java program and get the same HTTP 401.
Please help me with any programmatic way to invoke the REST API.


#2

Hello @Naveen_Makineni,

It depends on which REST API from the distro you call: with /engine-rest, authentication is disabled. If you enable it as described here: https://docs.camunda.org/manual/7.7/reference/rest/overview/authentication/ it's just HTTP Basic Authentication.

If you call the REST API from the Camunda webapp /camunda/api/, you have to log in once and send the cookie afterwards with each request.

A login from a rest client looks like this one:

POST http://localhost:8080/camunda/api/admin/auth/user/default/login/cockpit

-H "Content-Type: application/x-www-form-urlencoded"
-H "Accept: application/json" 
-d 'username=demo&password=demo'

Hope this helps, Ingo


#3

Thank you Ingo for the quick response.
I have tried an example like the one below.

package org.mak.camunda.rest;

import java.io.BufferedReader;
import java.io.InputStreamReader;

import org.apache.commons.codec.binary.Base64;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.AuthCache;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.HttpClientBuilder;

public class CamundaRestClient {

public static void main(String a[]){
             
    CredentialsProvider credentialsProvider = new BasicCredentialsProvider();
    credentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials("demo", "demo"));

    AuthCache authCache = new BasicAuthCache();
    // Generate BASIC scheme object and add it to the local auth cache
    authCache.put(new HttpHost("scdevapp05", 8080, "http"), new BasicScheme());

    HttpClientContext context = HttpClientContext.create();
    context.setCredentialsProvider(credentialsProvider);
    context.setAuthCache(authCache);

    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
    HttpClient client = httpClientBuilder.build();
    String name = "demo";
    String password = "demo";
    String authString = name + ":" + password;     
    String encoding = Base64.encodeBase64String((authString).getBytes());
    HttpPost hp = new HttpPost("http://scdevapp05:8050/camunda/api/admin/auth/user/default/login/cockpit");
    hp.setHeader("Accept", "application/json");
    hp.setHeader("Content-type", "application/x-www-form-urlencoded");
    hp.setHeader("Authorization", "Basic " + encoding);

    try{
      HttpResponse processResponse = client.execute(hp, context);
      BufferedReader br = new BufferedReader(
          new InputStreamReader((processResponse.getEntity().getContent())));

      String output;
      System.out.println("Output from Server .... \n");
      while ((output = br.readLine()) != null) {
        System.out.println(output);
      }
    }
    catch(Exception e){
      e.printStackTrace();
    }
    
}

}

I got the same authorization issue:
HTTP/1.1 401 Unauthorized [Connection: keep-alive, X-Powered-By: Undertow/1, Set-Cookie: JSESSIONID=rLtl-p_GgnmOgPMLdGyDCrBZJTG-c3Etn0v9eRa6.scdevapp05; path=/camunda, Server: JBoss-EAP/7, Content-Length: 0, Date: Tue, 15 Aug 2017 05:25:53 GMT]

Please help me with this.


#4

Hi @Naveen_Makineni,

The login REST call responds with a cookie including a token. This cookie has to be sent with every follow-up call to authenticate the caller.

You can check this in the development tool of your browser by inspecting the network calls.

But I don’t know how to code this in a Java client…

Cheers, Ingo
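
The flow described in the posts above (log in once with a form-encoded POST, then send the returned session cookie on every later call), as an added Java 11+ example that is not from any poster in this thread or from the Camunda project. The host, the demo/demo credentials and the follow-up resource path under /engine/engine/default/ are assumptions.

```java
import java.net.CookieManager;
import java.net.CookiePolicy;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;

public class CockpitSessionClient {

    // Assumption: base URL of the webapp API, taken from the login example in the thread.
    static final String BASE = "http://localhost:8080/camunda/api";

    // Build the x-www-form-urlencoded body; this endpoint does not use HTTP Basic.
    static String form(String user, String pass) {
        return "username=" + URLEncoder.encode(user, StandardCharsets.UTF_8)
             + "&password=" + URLEncoder.encode(pass, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // The cookie handler stores the Set-Cookie value (JSESSIONID) from the
        // login response and replays it on later requests to the same host and path.
        HttpClient client = HttpClient.newBuilder()
                .cookieHandler(new CookieManager(null, CookiePolicy.ACCEPT_ORIGINAL_SERVER))
                .build();

        HttpRequest login = HttpRequest.newBuilder(
                    URI.create(BASE + "/admin/auth/user/default/login/cockpit"))
                .header("Content-Type", "application/x-www-form-urlencoded")
                .header("Accept", "application/json")
                .POST(HttpRequest.BodyPublishers.ofString(form("demo", "demo")))
                .build();
        HttpResponse<String> loginResp = client.send(login, HttpResponse.BodyHandlers.ofString());
        if (loginResp.statusCode() / 100 != 2) {
            throw new IllegalStateException("Login failed: HTTP " + loginResp.statusCode());
        }

        // Follow-up call on the SAME client, so the session cookie is attached.
        // Assumption: the webapp exposes engine resources under /engine/engine/default/.
        HttpRequest query = HttpRequest.newBuilder(
                    URI.create(BASE + "/engine/engine/default/process-instance/count"))
                .header("Accept", "application/json")
                .GET()
                .build();
        HttpResponse<String> resp = client.send(query, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode() + " " + resp.body());
    }
}
```

Over plain http both the password and the session cookie cross the network in clear text, so point BASE at the https endpoint where the deployment offers one and load credentials from the environment rather than the source.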


#5

If you can, use the standalone REST API available at context path /engine-rest like Ingo explained. Is there any specific reason you call the webapp’s backend?


#6

Thank you Thorben for your response.

I am trying to do a simple test in order to find the status of a process and a few details, which can help with automation testing.


#7

Okay, isn’t using the standalone REST API simpler in terms of authentication, though?


#8

Thanks Thorben for the quick response. For now, the Camunda implementation service is provided by another team, and it does not have standalone REST API access.
The only option given is to use the Cockpit UI for automation. I am trying to see if there is any way using a Java client.

Thanks


#9

As suggested, on the client side I made the changes below:

    var formData = new FormData();
    formData.append('username', 'demo');
    formData.append('password', 'demo');

    $http({
        method : "POST",
        url : "http://msobpel-console.mtcnj.aic.cip.att.com:8080/camunda/api/admin/auth/user/default/login/cockpit",
        headers : {
            'Content-Type' : undefined,
            'Accept' : 'application/json',
            'Access-Control-Allow-Headers' : 'Content-Type,Cache-Control',
            'Access-Control-Allow-Methods' : 'GET, POST, OPTIONS',
            'Access-Control-Allow-Origin' : '*',
        },
        data : formData
    }).success(function(response,status,xhr) {
        console.log(xhr.getResponseHeader("Set-Cookie"));
        alert("In success");
    }).error(function() {
        alert("In failure");
    });

But I am getting the below exception in the console.

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://msobpel-console.mtcnj.aic.cip.att.com:8080/camunda/api/admin/auth/user/default/login/cockpit. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing).

Can you please help me here?


#10

Was anyone able to do this successfully? And which client tool are you guys using to test the API? I am using Postman, but I am getting 401 even there.