Getting a 403 Forbidden error on plugin request

Question

I'm trying to fire a plugin request from my ICN plugin. The request goes as below. However, I'm getting a 403 Forbidden error from the server.

Forbidden You don't have permission to access /navigator/jaxrs/plugin on this server.

https://<icnserver.com>/navigator/jaxrs/plugin?repositoryId=Demo&query=%5B%7B%22name%22%3A%22ID%22%2C%22operator%22%3A%22LIKE%22%2C%22values%22%3A%5B%22123434234%22%2C%22%22%5D%7D%5D&className=Checks&plugin=DemoPlugin&action=DemoService&desktop=Demo

Plugin JS:

aspect.around(ecm.model.SearchTemplate.prototype, "_searchCompleted", function advisingFunction(original_searchCompleted){
    return function(response, callback, teamspace){
        var args = [];
        var templateName = response.templates[0].template_name;
        var res = response;
        var requestParams = {};
        requestParams.repositoryId = this.repository.id;
        requestParams.query = query;
        requestParams.className = templateName;
        
        Request.invokePluginService("DemoPlugin", "DemoService",
            {
                requestParams: requestParams,
                requestCompleteCallback: lang.hitch(this, function(resp) {  // success
                    res.rows = resp.rows;
                    res.num_results = resp.rows.length;
                    res.totalCount = resp.rows.length;
                    args.push(res);
                    args.push(callback);
                    args.push(teamspace);
                    original_searchCompleted.apply(this,args);
                })
            }
        ); 
    }
});

m4gic · Answer 1 · 2020-09-04T14:02:01.177

You need to provide a security_token to be able to call your service, so you need to login first. Then, open your browser's debug and check the requests in the network tab. There you can see that every request that targets the /navigator/jaxrs/* URI will contain it, so something like this will be among the headers:

security_token: 163594541620199174

So my bet is that you have not set it in your client (I recommend a postman to test your service, or I would add a test (ICN) feature page in the ICN plugin project in order to be able to call it properly). In your feature page, you can call your service directly using the ecm/model/Request OOTB navigator dojo/javascript class, as you can see in CheckinAction.js:

        _checkInDocument: function (item, requestData) 
    {
        var self = this;
        var payLoadObject = {requestType: "Get", id: item.id};
        
        Request.postPluginService("DocuSignPlugin", "UpdateSignedDocumentService",  "application/json", {
            requestParams: {
                repositoryId : item.repository.id,
                serverType : item.repository.type,
                docId : item.docid,
                envelopeId: item.attributes.DSEnvelopeID,
                payLoad: json.stringify(payLoadObject)
            },
            requestCompleteCallback: function(response) {
                if (response.returncode == 0)
                {
                    item.attributeDisplayValues.DSSignatureStatus = "Checkedin";
                    item.attributes.DSSignatureStatus = 4;
                    item.update(item);
                }
                else if (response.returncode == -1)
                {
                    items = [];
                    items.push(item);
                    self._showLoginDialog(items);
                }                   
            },
            backgroundRequest : false,
            requestFailedCallback: function(errorResponse) {
                // ignore handline failures
            }
        });
    },

As you can see, you don't have to add the security_token to the requestParams, the framework will do it for you.

Updated with code snippet. I'm calling the service as described. I'm also able to invoke services from other plugins on the desktop but just this one throws the error. Could be due to the request parameters I'm sending along? — Le_Master, Sep 04 '20 at 13:25
No, definitely not (okay, you can send back 401 deliberately). Have you checked the existence of the security_token among the headers in the browser's debug window? I am almost 100% sure that you don't have that header. — m4gic, Sep 04 '20 at 13:59
Added screenshot with request headers. It's setting the security_token as expected — Le_Master, Sep 04 '20 at 16:24
Hm it should work in this way... there can be some other (unusual) reasons, like your javascript on an iframe, you have some proxy server in front of your navigator, or maybe your user does not have access to this Demo desktop or to the configured repository. — m4gic, Sep 07 '20 at 09:13
I'm able to send requests through other plugins on the same desktop.. so I'm pretty sure it is not related to access/permissions. — Le_Master, Sep 07 '20 at 23:03
It seems for me that you are trying to run some query via defined request parameters. Does your user has the proper permission to that document/folder class? I would log in to ACCE with your test user and would try to run that FileNet SQL there to see that he/she has proper permission. And, I would definitely check the ICN sysout/syserr log for stacktraces, that should contain some additional info that should help you out. — m4gic, Sep 08 '20 at 07:19

Getting a 403 Forbidden error on plugin request

1 Answers1