2

I have created the jhipster demo app and want to check my adapted REST API with a tool like Postman. I have tried with Basic Auth and user and password both set to admin, user or system. But none of them can access it, getting a 401.

Would be nice if you could give me a hint what to do to access it.

Cheers Markus

Markus Oley
  • 91
  • 1
  • 9

5 Answers

5

Because Postman is now a separate app (instead of an extension), it can't access your cookies directly. However, it's still possible to use Postman with a session-auth JHipster app.

  1. First, authenticate with the JHipster app
  2. In your browser's developer tools, inspect the response to /api/authentication for the Set-Cookie headers (JSESSIONID and X-XSRF-TOKEN). You can also find the cookies elsewhere in the browser's developer console; in Chrome they are under the Application tab.
  3. Edit the cookies in Postman to add the JSESSIONID and X-XSRF-TOKEN cookies. The "Cookies" tab for the request will look like the image below.
  4. Once the cookies are set, your requests will be authenticated as the same user you logged in with in step 1.

Sample screenshot showing where to edit cookies

For help with Postman and JWT auth, see this answer.

Community
  • 1
  • 1
Jon Ruddell
  • 6,244
  • 1
  • 22
  • 40
  • It depends on your authentication option (but that wasn't described in the question...), so you will need to adapt this answer a bit for JWT or OAuth2. – Julien Dubois Jan 30 '17 at 12:33
  • @Jon, thank you for your answer. Unfortunately, I still couldn't make it work within my environment (jHipster 2.27.1, Windows 7, Chrome, Postman 4.9.2, Postman Interceptor; both Postman components in interceptor-activated mode; Chrome and Postman restarted; all (stale) cookies flushed). In this environment, my Postman installation also does not provide the mentioned and highlighted *Cookies* tab. HTTP POSTs towards `/api/${SOME_ENTITY}` still fail with *403 Forbidden*. – Abdull Jan 30 '17 at 13:40
  • For the previous JHipster version, the XSRF cookie name is different. I believe it's called `CSRF-TOKEN` instead of `XSRF-TOKEN`. Another option is to pass that token as a header instead of a cookie with X-XSRF-TOKEN. I'm not sure why you can't see the Cookies tab, the Postman Interceptor might be handling that for you - I haven't tried it – Jon Ruddell Jan 30 '17 at 16:34
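The cookie-copying steps in the answer above, together with the older `CSRF-TOKEN` cookie name from the last comment, as an added example that is not part of the original thread: it parses the `Set-Cookie` values seen in the developer tools and builds the headers a REST client has to send. The sample values are constructed, and the `X-CSRF-TOKEN` header name paired with the older cookie is an assumption.

```python
from http.cookies import SimpleCookie

# Cookie name -> header that carries the same token back to the server.
# XSRF-TOKEN / X-XSRF-TOKEN come from the thread; the X-CSRF-TOKEN header for
# the older CSRF-TOKEN cookie is an assumption.
CSRF_PAIRS = {"XSRF-TOKEN": "X-XSRF-TOKEN", "CSRF-TOKEN": "X-CSRF-TOKEN"}
SESSION_COOKIE = "JSESSIONID"


def parse_set_cookies(set_cookie_lines):
    """Return {name: value} from raw Set-Cookie header values."""
    jar = {}
    for line in set_cookie_lines:
        parsed = SimpleCookie()
        parsed.load(line)
        for name, morsel in parsed.items():
            if morsel.value:
                jar[name] = morsel.value
            else:
                # An empty value is how a server deletes a cookie.
                jar.pop(name, None)
    return jar


def replay_headers(set_cookie_lines):
    """Build the headers a REST client must send to reuse the browser session."""
    jar = parse_set_cookies(set_cookie_lines)
    if SESSION_COOKIE not in jar:
        raise ValueError("no JSESSIONID: the API would answer 401")
    csrf_name = next((n for n in CSRF_PAIRS if n in jar), None)
    if csrf_name is None:
        raise ValueError("no CSRF cookie: state-changing requests would get 403")
    cookie = "; ".join(f"{n}={jar[n]}" for n in (SESSION_COOKIE, csrf_name))
    # The token goes out twice: once as a cookie, once as a request header.
    return {"Cookie": cookie, CSRF_PAIRS[csrf_name]: jar[csrf_name]}


# Constructed sample: Set-Cookie values as they might appear in the developer
# tools after logging in (both values are made up).
SAMPLE = [
    "JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; HttpOnly",
    "XSRF-TOKEN=5f1c2a7e-aaaa-bbbb-cccc-0123456789ab; Path=/",
]

if __name__ == "__main__":
    for name, value in replay_headers(SAMPLE).items():
        print(f"{name}: {value}")
```

The printed lines can be pasted into the request headers of the REST client in place of editing its cookie store.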
2

In file SecurityConfiguration.java changing from

.antMatchers("/api/**").authenticated()

to

.antMatchers("/api/**").permitAll()

lets you access the api without any authentication.

Note: This is unsecure and makes your API public, but may be useful while testing via Postman.

István Békési
  • 993
  • 4
  • 16
  • 27
1

If you are using OAuth2 with JHipster, you need to set up the OAuth2 token config in Postman and get a token before sending a request.

Postman config

Once your request is successful you will get a JSESSIONID in the cookies; use the cookies next time and turn the Auth to No Auth. Then the cookies will work for you.

Pavan
  • 41
  • 2
0

Just a guess, but the demo app uses cookies and therefore is using CSRF. So you'd need to send the proper CSRF token along with your requests. If you generate the app using a token approach (rather than cookies) you don't need CSRF.

See https://github.com/jhipster/generator-jhipster/issues/363 and search for postman on the page.

sdoxsee
  • 4,451
  • 1
  • 25
  • 60
  • Hi, thanks for your answer. It led me to the right way. I have used Postman Packaged App, that didn't work. If I use the postman chrome extension and have logged into my restservice before, I get full access to it. That is enough for me so far. – Markus Oley Apr 02 '15 at 10:48
  • Glad you figured it out! – sdoxsee Apr 02 '15 at 11:43
0

My site allows unauthenticated users to access certain sections. Thus I find the 401 error annoying.

I made a pull request to fix it, see here: https://github.com/jhipster/generator-jhipster/pull/2623

It requires access to api/account but there are also some other changes to do to avoid a NPE.

mihaisimi
  • 1,911
  • 13
  • 15