-
Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
jiviliu Mar 14, 2013 6:23 AM (in response to it2000)
Hello,
we are trying to access the actions and notifications from our Jive installation via REST API.
We are using Jive 5.0.4 and have no problems accessing other services e.g. the activity stream (GET /api/core/v2/activity).
When we try to access either the actions (GET /api/core/v2/inbox/actions) or notifications (GET /api/core/v2/inbox/notifications) we also get the following error message:
HTTP 403 Forbidden throw 'allowIllegalResourceCall is false.'; { "message" : "An authenticated API accessor is required in order to access this endpoint", "code" : 4089 }
Every request was made as an authenticated Jive user (either via the authentication service (/api/core/v2/authentication/formlogin), session cookie or HTTP basic auth). The error occurs every time.
Is this a bug in the API? Is there another way required to authenticate the user calling the service to access the inbox?
Thanks & kind regards
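As an added illustration (not code from the thread or from Jive), the body quoted above is not plain JSON: Jive prefixes its API responses with a `throw '...';` statement so that a browser cannot evaluate the body via a `<script>` tag (a guard against JSON hijacking), and a client has to strip that prefix before parsing. The classifier below also recognises error code 4089 as "API accessor required", which is a distinct condition from a wrong password, so a client should stop retrying with other credentials when it sees it. The sample bodies are constructed from the message in the thread.

```python
import json
import re

# Constructed sample bodies (not live captures); the 403 one mirrors the thread.
SAMPLE_403_BODY = (
    "throw 'allowIllegalResourceCall is false.';"
    ' { "message" : "An authenticated API accessor is required in order to access this endpoint", "code" : 4089 }'
)
SAMPLE_OK_BODY = "throw 'allowIllegalResourceCall is false.'; {\"list\": [{\"id\": \"1\"}]}"

# The leading JavaScript throw statement is an anti-JSON-hijacking guard:
# a <script src=...> tag would throw before any data is exposed. json.loads()
# cannot parse it, so strip exactly one such prefix before decoding.
GUARD_PREFIX_RE = re.compile(r"^\s*throw\s+'[^']*';\s*")

API_ACCESSOR_REQUIRED = 4089  # error code quoted in the thread


def strip_guard_prefix(body: str) -> str:
    """Remove the throw-statement prefix Jive puts in front of JSON bodies."""
    return GUARD_PREFIX_RE.sub("", body, count=1)


def parse_jive_body(body: str) -> dict:
    """Decode a Jive core API response body into a Python object."""
    return json.loads(strip_guard_prefix(body))


def classify_response(status: int, body: str) -> str:
    """Return 'ok', 'accessor_required', 'forbidden', 'error' or 'unparseable'.

    'accessor_required' means the caller is authenticated but has no ApiAccessor
    identity; retrying with different user credentials will not change this.
    """
    try:
        payload = parse_jive_body(body)
    except ValueError:
        return "unparseable"
    if status == 403 and isinstance(payload, dict) and payload.get("code") == API_ACCESSOR_REQUIRED:
        return "accessor_required"
    if status == 403:
        return "forbidden"
    if 200 <= status < 300:
        return "ok"
    return "error"
```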
-
Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
steve_heine Mar 14, 2013 1:35 PM (in response to jiviliu)
pretty sure you need to be passing the header
X-J-Token
I've found this in debugging, but didn't find much documentation on it.
-
Re: Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
jiviliu Mar 15, 2013 2:07 AM (in response to steve_heine)
Hi Steven,
thanks for your reply. If we take a look at our cookies an X-JCAPI-Token (X-JCAPI-Token: fwt1YG01) has already been set.
Our request header for /inbox/notifications/ looks as follows:
- Cache-Control →no-cache, no-store, no-cache, must-revalidate, private, max-age=0
- Connection →keep-alive
- Content-Encoding →gzip
- Content-Length →147
- Content-Type →application/json
- Date →Fri, 15 Mar 2013 09:01:10 GMT
- Expires →Fri, 15 Mar 2013 09:01:09 GMT
- P3P →CP="CAO PSA OUR"
- Server →Apache-Coyote/1.1
- Vary →Accept-Encoding
- X-Frame-Options →SAMEORIGIN
- X-JIVE-USER-ID →2002
- X-JSL →D=8479 t=1363338069979606
- X-Jive-Flow-Id →e13441c1-8d4e-11e2-ac36-0050568b22db
- X-Jive-Request-Id →e13441c0-8d4e-11e2-ac36-0050568b22db
Is the X-J-Token you mentioned included in our header? If not, what do we have to do to add the required X-J-Token, or what should its value be?
Thanks a lot in advance.
Regards,
Peter
-
Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
it2000 Mar 16, 2013 6:12 AM (in response to steve_heine)
I did test it with the "X-J-Token" header with the same 403 error.
When using only Basic Auth one does not have a X-J-Token ...
-
Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
Nils Drews Jul 2, 2013 3:37 AM (in response to it2000)
Hello all,
I'm just investigating this for another customer but want to share my findings with you all. The error you are getting is due to the fact that you need to have an APIAccessor here. The recommended way of getting such an accessor is to use OAuth2 and is described here:
To use OAuth2 tokens to authenticate request to the core API, there are four steps:
- Use a Jive mechanism (such as the mobile client manager) to create a Jive OAuth2 activation code
- Activate the code to receive your client id and secret, as well as your refresh token
- Request an access token using the client id, secret and refresh token
- Access protected resources using the access token
The easiest way would be to write an OpenSocial widget that pulls in all the data and use that for communicating with Jive. Essentially a Jive App, but not within Jive. We then use the whole Opensocial/Jive Apps infrastructure to authenticate here.
Alternatively there is the possibility to just overlay "com/jivesoftware/api/core/v2/services/communications/InboxService.java" and remove the "accessor = true" parameter from the RequiresAuthentication annotation. As far as I can see this is the only service that requires this yet. In the future there may be more, but even in the latest cloud code of today I couldn't find another one yet.
This infrastructure is used to protect certain areas of the code against unlimited API access. The InboxService can put heavy strain on the server, so you should not pull this for all users too often.
Within Jive 6 the recommended way would be to use the V3 API which is not protected in this way.
Bye, Nils
FYI: Janko Zehe (Christian does not seem to be in the Community!?), Guido Becker
-
Re: HTTP 403 / "An authenticated API accessor is required in order to access this endpoint"?
Nils Drews Jul 9, 2013 2:52 AM (in response to Nils Drews)
The way I described above does not work and is wrong. The issue we have here at hand is that this framework with the API Accessors was put in place to:
To properly service such external facing APIs, an ApiAccessor is used to identify which external system is accessing these Jive features. The ApiAccessor provides a security mechanism through entitlements and may be extended to provide additional metadata suitable to be presented to Jive users. This extended capability allows a Jive user to see which external system produced activity entries in a standardized way.
So to get a proper ApiAccessor you must make your "external system" known to Jive. And that could be done, for example, by a plugin. The far easier way would be to use your own webservice to get all this data from the instance in a way that you prefer.
Overlaying the InboxService does not work as straightforwardly as I said; you also need to patch com.jivesoftware.api.core.v2.providers.communications.InboxProvider#getActionsPredicate, as this checks the same code as well, and that can then easily affect, for example, mobile and other different existing external systems. You have been warned.
Within Jive 6 the recommended way would still be to use the V3 API which is not protected in this way.
Bye, Nils
FYI: Janko Zehe, Christian Zehe, Guido Becker