Web Socket connection forbidden (Invalid handshake response getStatus: 403)

Question

I am unable to connect as a client to WebSocket via WSO2 v4.1.0. and receive events. Directly through the URL used by Publisher for this API connection and everything is fine, but through API Manager I get "Invalid handshake response getStatus: 403" in wso2carbon.log.

Can anyone help find the cause? I can't find anything in the documentation about WebSocket permissions.

    TID: [-1234] [] [2023-01-24 10:10:18,892]  WARN {org.apache.synapse.core.axis2.AsyncCallback} - Executing fault handler due to exception encountered
    TID: [-1234] [] [2023-01-24 10:10:18,892]  INFO {org.apache.synapse.mediators.builtin.LogMediator} - {api:EventNotificationFeed-carcyayu:vv1} STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Invalid handshake response getStatus: 403 
    TID: [-1234] [] [2023-01-24 10:10:18,892]  INFO {org.apache.axis2.engine.AxisEngine} - [MessageContext: logID=728bbb294f5b69e363a7319861bb41d3f89e0c7852a44cf5] Invalid handshake response getStatus: 403 
    TID: [-1234] [] [2023-01-24 10:10:18,892] ERROR {org.apache.synapse.core.axis2.AsyncCallback} - Invalid handshake response getStatus: 403 io.netty.handler.codec.http.websocketx.WebSocketClientHandshakeException: Invalid handshake response getStatus: 403 
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:272)
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:304)
        at org.wso2.carbon.websocket.transport.WebSocketClientHandler.handleHandshake(WebSocketClientHandler.java:127)
        at org.wso2.carbon.websocket.transport.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:249)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:327)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:299)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1371)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1234)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1283)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:829)
    
    TID: [-1234] [] [2023-01-24 10:10:18,892]  WARN {org.apache.synapse.core.axis2.AsyncCallback} - Executing fault handler due to exception encountered
    TID: [-1234] [] [2023-01-24 10:10:18,893]  INFO {org.apache.synapse.mediators.builtin.LogMediator} - {api:EventNotificationFeed-carcyayu:vv1} STATUS = Executing default 'fault' sequence, ERROR_CODE = 0, ERROR_MESSAGE = Invalid handshake response getStatus: 403 
    TID: [-1234] [] [2023-01-24 10:10:18,904] ERROR {org.apache.synapse.core.axis2.AsyncCallback} - Invalid handshake response getStatus: 403 io.netty.handler.codec.http.websocketx.WebSocketClientHandshakeException: Invalid handshake response getStatus: 403 
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker13.verify(WebSocketClientHandshaker13.java:272)
        at io.netty.handler.codec.http.websocketx.WebSocketClientHandshaker.finishHandshake(WebSocketClientHandshaker.java:304)
        at org.wso2.carbon.websocket.transport.WebSocketClientHandler.handleHandshake(WebSocketClientHandler.java:127)
        at org.wso2.carbon.websocket.transport.WebSocketClientHandler.channelRead0(WebSocketClientHandler.java:249)
        at io.netty.channel.SimpleChannelInboundHandler.channelRead(SimpleChannelInboundHandler.java:99)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.codec.MessageToMessageDecoder.channelRead(MessageToMessageDecoder.java:103)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.CombinedChannelDuplexHandler$DelegatingChannelHandlerContext.fireChannelRead(CombinedChannelDuplexHandler.java:436)
        at io.netty.handler.codec.ByteToMessageDecoder.fireChannelRead(ByteToMessageDecoder.java:327)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:299)
        at io.netty.channel.CombinedChannelDuplexHandler.channelRead(CombinedChannelDuplexHandler.java:251)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1371)
        at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1234)
        at io.netty.handler.ssl.SslHandler.decode(SslHandler.java:1283)
        at io.netty.handler.codec.ByteToMessageDecoder.decodeRemovalReentryProtection(ByteToMessageDecoder.java:510)
        at io.netty.handler.codec.ByteToMessageDecoder.callDecode(ByteToMessageDecoder.java:449)
        at io.netty.handler.codec.ByteToMessageDecoder.channelRead(ByteToMessageDecoder.java:279)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.AbstractChannelHandlerContext.fireChannelRead(AbstractChannelHandlerContext.java:357)
        at io.netty.channel.DefaultChannelPipeline$HeadContext.channelRead(DefaultChannelPipeline.java:1410)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:379)
        at io.netty.channel.AbstractChannelHandlerContext.invokeChannelRead(AbstractChannelHandlerContext.java:365)
        at io.netty.channel.DefaultChannelPipeline.fireChannelRead(DefaultChannelPipeline.java:919)
        at io.netty.channel.nio.AbstractNioByteChannel$NioByteUnsafe.read(AbstractNioByteChannel.java:166)
        at io.netty.channel.nio.NioEventLoop.processSelectedKey(NioEventLoop.java:722)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeysOptimized(NioEventLoop.java:658)
        at io.netty.channel.nio.NioEventLoop.processSelectedKeys(NioEventLoop.java:584)
        at io.netty.channel.nio.NioEventLoop.run(NioEventLoop.java:496)
        at io.netty.util.concurrent.SingleThreadEventExecutor$4.run(SingleThreadEventExecutor.java:986)
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74)
        at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
        at java.base/java.lang.Thread.run(Thread.java:829)

score 0 · Answer 1 · answered Jan 25 '23 at 19:28

0

This can be due to a TLS handshake failure with your backend endpoint. Did you import the correct certificate of your backend sever to the APIM client-truststore?

And also try to invoke the API published via APIM with -n command and see whether this connects.

wscat -n -c wss://localhost:8099/test-one/1 -H "Authorization: Bearer <token>"

answered Jan 25 '23 at 19:28

Lakshitha

1,021
1
6
15

I found the problem. This is a spring failure. API manager sends header 'origin' instead of 'sec-websocket-origin'. And this header is prohibited. Can you help fix it somehow? – Yaroslav Jan 26 '23 at 13:55
Are you sure that the origin header is set from the API manager? Usually it's being set by the client or the browser. – Lakshitha Jan 26 '23 at 16:07
If the same client works when calling the back-end directly and fails (due to this header) when calling via WSO2 then WSO2 must be adding the header – Adam Jan 27 '23 at 16:04
I don't know whether we can omit this header conversion. However there is a certain workaround that you can use to send custom headers to the backend. Can you check whether this suits your requirement? https://github.com/wso2/product-apim/issues/7318 – Lakshitha Jan 27 '23 at 17:21
And also you should be able to log the websocket headers with https://apim.docs.wso2.com/en/latest/troubleshooting/troubleshooting-websocket-api/. You can try whether this logs the headers. – Lakshitha Jan 27 '23 at 17:24

Web Socket connection forbidden (Invalid handshake response getStatus: 403)

1 Answers1