Question

403 - Forbidden when using POST on custom service

13:07 Dec 20, 2018

I created a custom service following this guide: https://academy.bpmonline.com/documents/technic-sdk/7-12/how-create-custom-configuration-service. The GET method works as expected but when I created a POST endpoint, the only response I get is 403. Actually sending POST request to any endpoint ends up with this error. My class looks like this:

[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class UsrCustomService: BaseService
{
	[OperationContract]
	[WebInvoke(Method = "POST", RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Wrapped, ResponseFormat = WebMessageFormat.Json)]
	public bool PostTest()
	{
		return true;
	}
 
	[OperationContract]
	[WebInvoke(Method = "GET", RequestFormat = WebMessageFormat.Json, BodyStyle = WebMessageBodyStyle.Wrapped, ResponseFormat = WebMessageFormat.Json)]
	public string GetTest()
	{
		return "Hello world";
	}
}

Do you know how can I fix it?

7 comments

Anastasia Botezat

15:52 Dec 20, 2018

Dear Carlos,

This error indicated that you are forbidden to insert into the object. This usually happens, when the user, whose login details you are using to connect does not have rights to write to the indicated object.

Please double check the rights for the object per user you are authenticating with.

Regards,

Anastasia

Carlos Zaldivar Batista

16:01 Dec 20, 2018

Anastasia Botezat,

Hm, I'm not inserting into any objects here, the service just returns constant values (for now). I'm also authenticating with Supervisor account.

Anastasia Botezat

16:19 Dec 20, 2018

Carlos,

Please check the CSRF header in your request. Probably, you don't pass CSRF cookie and therefore get the error - https://academy.bpmonline.com/documents/technic-sdk/7-12/protection-csrf-attacks-during-integration-bpmonline

If this won't help. please contact our support at support@bpmonline.com, since it's hard to say what's wrong with the request as we don't see the request body and the request headers. Please, use Fiddler as a proxy and send us a full text of the request from Fiddler. This way we will be able to find the cause of issue.

Regards,

Anastasia

Ryan Farley

16:27 Dec 20, 2018

Carlos Zaldivar Batista,

How are you calling the configuration service? Is it from within a client schema or from externally using code or something like postman?

Ryan

Carlos Zaldivar Batista

16:37 Dec 20, 2018

Ryan Farley,

Postman. And before making request to UsrCustomService I first make a request to /ServiceModel/AuthService.svc/Login to obtain authentication cookies.

Ryan Farley

03:58 Dec 21, 2018

Carlos Zaldivar Batista,

Are you also copying the contents of the BPMCSRF cookie on the call to AuthService.svc/Login to the CSRF header for the request to the config service?

This article in the academy outlines the steps for making this call via Postman https://academy.bpmonline.com/documents/technic-sdk/7-13/how-call-confi…

Carlos Zaldivar Batista

12:17 Dec 21, 2018

Ryan Farley,

Nope, that's what I was missing. Thanks!

Show all comments