When I POST /api/engine/engine/default/process-instance/count, the
response is:
{
  "timestamp": 1729762770262,
  "status": 403,
  "error": "Forbidden",
  "path": "/workflow_admin/api/engine/engine/default/process-instance/count"
}
This is a GET request, not a POST.
Thank you for your reply, and I will add details for the problem.
I found that since I use Spring Security, all the POST requests return 403.
For example, the original request:
curl 'http://localhost:8082/workflow_admin/api/engine/engine/default/process-instance/count' \
-H 'Accept: application/json, text/plain, */*' \
-H 'Accept-Language: zh-CN,zh;q=0.9' \
-H 'Cache-Control: no-cache' \
-H 'Connection: keep-alive' \
-H 'Content-Type: application/json;charset=UTF-8' \
-H 'Cookie: casdoor-token=xxxx; XSRF-TOKEN=642627298E15C0F6332A1E5D858F6E40; JSESSIONID=5B34AE6E03ED09DCE9E2C51F6A03935E' \
-H 'Origin: http://localhost:8082' \
-H 'Pragma: no-cache' \
-H 'Referer: http://localhost:8082/workflow_admin/app/cockpit/default/' \
-H 'Sec-Fetch-Dest: empty' \
-H 'Sec-Fetch-Mode: cors' \
-H 'Sec-Fetch-Site: same-origin' \
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36' \
-H 'X-XSRF-TOKEN: 642627298E15C0F6332A1E5D858F6E40' \
-H 'sec-ch-ua: "Google Chrome";v="129", "Not=A?Brand";v="8", "Chromium";v="129"' \
-H 'sec-ch-ua-mobile: ?0' \
-H 'sec-ch-ua-platform: "macOS"' \
--data-raw '{"processDefinitionId":"6e9c60d7-9045-11ef-afb5-2ebbe41b42f7"}'
And the original request returns normally:
{"count":2}
My HttpSecurity config:
@Bean
public SecurityFilterChain configure(HttpSecurity http) throws Exception {
    http
        .csrf(AbstractHttpConfigurer::disable)
        .authorizeRequests()
            .anyRequest().permitAll()
            .and()
        .formLogin()
            .loginPage(UrlPathConst.CAS_LOGIN_CALLBACK)
            .defaultSuccessUrl(UrlPathConst.LOGIN_CALL_BACK)
            .permitAll()
            .and()
        .logout()
            .logoutRequestMatcher(req -> req.getRequestURI().endsWith("/logout"))
            .invalidateHttpSession(true)
            .deleteCookies("JSESSIONID", "XSRF-TOKEN", "casdoor-token")
            .logoutSuccessHandler(logoutSuccessHandler)
            .permitAll()
    ;
    http.addFilterBefore(redirectFilter, UsernamePasswordAuthenticationFilter.class);
    return http.build();
}
And when I POST /api/engine/engine/default/process-instance/count,
it responds:
{
  "timestamp": 1729822773327,
  "status": 403,
  "error": "Forbidden",
  "path": "/workflow_admin/api/engine/engine/default/process-instance/count"
}
And the backend log:
o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@20fa5277, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@17a7d6c8, org.springframework.security.web.context.SecurityContextPersistenceFilter@2052f095, org.springframework.security.web.header.HeaderWriterFilter@6ab1f85b, org.springframework.security.web.authentication.logout.LogoutFilter@519b0f00, com.tigerbrokers.ams.workflow.admin.cas.RedirectFilter@365afe87, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@79135a38, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@55fe9c2f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e19b30, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4f2b1e9f, org.springframework.security.web.session.SessionManagementFilter@5d8fd077, org.springframework.security.web.access.ExceptionTranslationFilter@66682e8f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@572b4072]] (1/1)
o.s.security.web.FilterChainProxy : Securing POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/13)
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/13)
o.s.s.w.a.logout.LogoutFilter : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb
o.s.security.web.FilterChainProxy : Invoking RedirectFilter (6/13)
o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (7/13)
w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback', POST]
o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
o.s.s.w.s.HttpSessionRequestCache : No saved request
o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A3B2559378966CF5AF7C85326DD74F39], Granted Authorities=[ROLE_ANONYMOUS]]
o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
o.s.s.w.session.SessionManagementFilter : Request requested invalid session id 5D9C0B5AE0868DD734E8909D3D3ECF7F
o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback?error'] - [permitAll] (1/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (2/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (3/5)
edFilterInvocationSecurityMetadataSource : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb - [permitAll] (4/5)
o.s.s.w.a.i.FilterSecurityInterceptor : Did not re-authenticate AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=A3B2559378966CF5AF7C85326DD74F39], Granted Authorities=[ROLE_ANONYMOUS]] before authorizing
o.s.s.w.a.i.FilterSecurityInterceptor : Authorizing filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.s.w.a.i.FilterSecurityInterceptor : Did not switch RunAs authentication since RunAsManager returned null
o.s.security.web.FilterChainProxy : Secured POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.s.w.header.writers.HstsHeaderWriter : Not injecting HSTS header since it did not match request to [Is Secure]
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
o.s.security.web.FilterChainProxy : Trying to match request against DefaultSecurityFilterChain [RequestMatcher=any request, Filters=[org.springframework.security.web.session.DisableEncodeUrlFilter@20fa5277, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@17a7d6c8, org.springframework.security.web.context.SecurityContextPersistenceFilter@2052f095, org.springframework.security.web.header.HeaderWriterFilter@6ab1f85b, org.springframework.security.web.authentication.logout.LogoutFilter@519b0f00, com.tigerbrokers.ams.workflow.admin.cas.RedirectFilter@365afe87, org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter@79135a38, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@55fe9c2f, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@2e19b30, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@4f2b1e9f, org.springframework.security.web.session.SessionManagementFilter@5d8fd077, org.springframework.security.web.access.ExceptionTranslationFilter@66682e8f, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@572b4072]] (1/1)
o.s.security.web.FilterChainProxy : Securing POST /error
o.s.security.web.FilterChainProxy : Invoking DisableEncodeUrlFilter (1/13)
o.s.security.web.FilterChainProxy : Invoking WebAsyncManagerIntegrationFilter (2/13)
o.s.security.web.FilterChainProxy : Invoking SecurityContextPersistenceFilter (3/13)
w.c.HttpSessionSecurityContextRepository : No HttpSession currently exists
w.c.HttpSessionSecurityContextRepository : Created SecurityContextImpl [Null authentication]
s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
o.s.security.web.FilterChainProxy : Invoking HeaderWriterFilter (4/13)
o.s.security.web.FilterChainProxy : Invoking LogoutFilter (5/13)
o.s.s.w.a.logout.LogoutFilter : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb
o.s.security.web.FilterChainProxy : Invoking RedirectFilter (6/13)
o.s.security.web.FilterChainProxy : Invoking UsernamePasswordAuthenticationFilter (7/13)
w.a.UsernamePasswordAuthenticationFilter : Did not match request to Ant [pattern='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback', POST]
o.s.security.web.FilterChainProxy : Invoking RequestCacheAwareFilter (8/13)
o.s.s.w.s.HttpSessionRequestCache : No saved request
o.s.security.web.FilterChainProxy : Invoking SecurityContextHolderAwareRequestFilter (9/13)
o.s.security.web.FilterChainProxy : Invoking AnonymousAuthenticationFilter (10/13)
o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to AnonymousAuthenticationToken [Principal=anonymousUser, Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=0:0:0:0:0:0:0:1, SessionId=null], Granted Authorities=[ROLE_ANONYMOUS]]
o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
o.s.security.web.FilterChainProxy : Invoking ExceptionTranslationFilter (12/13)
o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
o.s.security.web.FilterChainProxy : Secured POST /error
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback?error'] - [permitAll] (1/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (2/5)
edFilterInvocationSecurityMetadataSource : Did not match request to ExactUrl [processUrl='https://ams-cas-cn-test.tigerbrokers.net/cas/tiger/workflow/login?service=http://localhost:8081/workflow_admin/callback'] - [permitAll] (3/5)
edFilterInvocationSecurityMetadataSource : Did not match request to com.tigerbrokers.ams.workflow.admin.cas.CustomSecurityConfig$$Lambda$859/2049210129@31dbf5bb - [permitAll] (4/5)
c.t.a.w.a.filter.RequestInterceptors : >>>>>>>Method POST,url /error , request param{}
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
c.t.a.w.a.filter.RequestInterceptors : <<<<<<<Method POST,url http://localhost:8081/error
w.c.HttpSessionSecurityContextRepository : Did not store anonymous SecurityContext
s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
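One way to read a FilterChainProxy DEBUG log like the one above mechanically, as an added example that is not part of the original posts: it groups the lines per request and reports which filters ran, whether the request was authorized, and whether it left the Spring Security chain before the error dispatch. The sample lines are copied and abbreviated from the log above; the function names `triage` and `verdict` are hypothetical, and treating a following `/error` dispatch as a downstream rejection is an assumption.

```python
import re

# Constructed sample: lines copied and abbreviated from the DEBUG log in the post.
SAMPLE_LOG = """\
o.s.security.web.FilterChainProxy : Securing POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.security.web.FilterChainProxy : Invoking SessionManagementFilter (11/13)
o.s.s.w.session.SessionManagementFilter : Request requested invalid session id 5D9C0B5AE0868DD734E8909D3D3ECF7F
o.s.security.web.FilterChainProxy : Invoking FilterSecurityInterceptor (13/13)
o.s.s.w.a.i.FilterSecurityInterceptor : Authorized filter invocation [POST /workflow_admin/api/engine/engine/default/process-instance/count] with attributes [permitAll]
o.s.security.web.FilterChainProxy : Secured POST /workflow_admin/api/engine/engine/default/process-instance/count
o.s.security.web.FilterChainProxy : Securing POST /error
o.s.security.web.FilterChainProxy : Secured POST /error
"""

def triage(log_text):
    """Group FilterChainProxy DEBUG lines into one summary dict per request."""
    requests, cur = [], None
    for line in log_text.splitlines():
        msg = line.split(" : ", 1)[-1].strip()
        start = re.match(r"Securing (\S+) (\S+)", msg)
        if start:
            cur = {"method": start[1], "path": start[2], "filters": [],
                   "authorized": False, "passed_chain": False, "stale_session": False}
            requests.append(cur)
        elif cur is not None:
            invoked = re.match(r"Invoking (\w+) \(\d+/\d+\)", msg)
            if invoked:
                cur["filters"].append(invoked[1])
            elif msg.startswith("Authorized filter invocation"):
                cur["authorized"] = True
            elif msg.startswith("Secured "):
                cur["passed_chain"] = True   # chain finished, request handed on
            elif msg.startswith("Request requested invalid session id"):
                cur["stale_session"] = True  # requested session id is not valid
    return requests

def verdict(requests):
    """Say where the first request in the log was stopped."""
    if not requests:
        return "no request found in log"
    first = requests[0]
    if not first["passed_chain"]:
        last = first["filters"][-1] if first["filters"] else "unknown"
        return f"stopped inside the Spring Security chain at {last}"
    # Assumption: an /error dispatch after a request that left the chain
    # means a component behind the chain sent the error status.
    if any(r["path"] == "/error" for r in requests[1:]):
        return "left the Spring Security chain; error raised downstream"
    return "left the Spring Security chain; no error dispatch seen"

if __name__ == "__main__":
    print(verdict(triage(SAMPLE_LOG)))
```

Run over the full log above, the first request lists 13 invoked filters with no `CsrfFilter` among them, and is marked authorized with a stale session id.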