Self-managed Operate swagger-UI can not open

Hi there,

I am doing some testing and I run a self-managed cluster using the docker-compose-core.yaml. Well, the first time I can open the Operate service Swagger UI from the browser and I can execute some API calls successfully in the browser page, but not on the second try or the tries after that.

From the browser I got:

http://{$HOST}:8081/swagger-ui/index.html

And from the docker logs of operate service:

If any of the configuration were wrong I would expect that I could never open the Swagger UI successfully, but it did succeed the first time.

Does anyone know a quick answer for this?

It seems that I can use the swagger to “try the apis” if I open another tab and log in with demo. However, using curl doesn’t work any more. It worked well with 8.3.4, but not with 8.5.1. I think it was related to the OPERATE-X-CSRF-TOKEN.

Simply put:

curl -c cookie.txt -X POST 'http://{{myhost}}:8081/api/login?username=demo&password=demo'

$ curl -v -b cookie.txt -X POST 'http://{{myhost}}:8081/v1/process-definitions/search' -H 'Content-Type: application/json' -d '{}'
Note: Unnecessary use of -X or --request, POST is already inferred.

* Trying {{myhost}}:8081...
* Connected to {{myhost}} port 8081 (#0)
> POST /v1/process-definitions/search HTTP/1.1
> Host: {{myhost}}:8081
> User-Agent: curl/7.88.1
> Accept: */*
> Cookie: OPERATE-X-CSRF-TOKEN=4a1cc1ec-e2c4-49c8-af46-3cf428676e8b; OPERATE-SESSION=AFC03A259FCB52BE87D9AC59FB949B4D
> Content-Type: application/json
> Content-Length: 2

< HTTP/1.1 403
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 0
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Pragma: no-cache
< Expires: 0
< X-Frame-Options: DENY
< Content-Security-Policy: default-src 'self'; base-uri 'self'; script-src 'self'; script-src-elem 'self' cdn.jsdelivr.net; connect-src 'self' cdn.jsdelivr.net; style-src 'self' 'unsafe-inline' cdn.jsdelivr.net; img-src * data:; block-all-mixed-content; form-action 'self'; frame-ancestors 'none'; frame-src 'self' https:; object-src 'none'; font-src 'self' fonts.camunda.io cdn.jsdelivr.net; worker-src 'self' blob:; sandbox allow-forms allow-scripts allow-same-origin allow-popups
< Content-Type: application/json
< Transfer-Encoding: chunked
< Date: Mon, 27 May 2024 07:07:47 GMT
<

* Connection #0 to host 10.70.21.95 left intact
{"timestamp":"2024-05-27T07:07:47.220+00:00","status":403,"error":"Forbidden","message":"Forbidden","path":"/v1/process-definitions/search"}%
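
A sketch of the double-submit CSRF pattern that would explain the 403 above, added here as an example and not taken from the post or from Operate's code. It assumes the server expects the OPERATE-X-CSRF-TOKEN cookie value to be repeated in a request header of the same name; the jar contents, host name and function names are constructed.

```python
import hmac

# Cookie name as seen in the request above; reusing it as the header name is an assumption.
CSRF_NAME = "OPERATE-X-CSRF-TOKEN"

# Constructed sample of a `curl -c cookie.txt` jar (Netscape format, tab-separated).
SAMPLE_JAR = (
    "# Netscape HTTP Cookie File\n"
    "#HttpOnly_operate.example\tFALSE\t/\tFALSE\t0\tOPERATE-SESSION\tSESSION-PLACEHOLDER\n"
    "operate.example\tFALSE\t/\tFALSE\t0\tOPERATE-X-CSRF-TOKEN\tTOKEN-PLACEHOLDER\n"
)

def parse_jar(text):
    """Return {name: value} from a curl cookie jar, including HttpOnly entries."""
    cookies = {}
    for line in text.splitlines():
        if line.startswith("#HttpOnly_"):
            line = line[len("#HttpOnly_"):]   # curl marks HttpOnly cookies this way
        elif not line.strip() or line.startswith("#"):
            continue                          # blank line or comment
        fields = line.split("\t")
        if len(fields) == 7:                  # domain, flag, path, secure, expiry, name, value
            cookies[fields[5]] = fields[6]
    return cookies

def client_headers(cookies, echo_token):
    """Build request headers; echo_token=False reproduces the cookie-only request."""
    headers = {"Cookie": "; ".join(f"{k}={v}" for k, v in cookies.items()),
               "Content-Type": "application/json"}
    if echo_token and CSRF_NAME in cookies:
        headers[CSRF_NAME] = cookies[CSRF_NAME]
    return headers

def double_submit_status(method, headers):
    """Generic double-submit check: 403 unless the header repeats the cookie token."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200                            # safe methods are not CSRF-checked
    pairs = headers.get("Cookie", "").split("; ")
    sent = dict(p.split("=", 1) for p in pairs if "=" in p)
    cookie_tok = sent.get(CSRF_NAME, "")
    header_tok = headers.get(CSRF_NAME, "")
    ok = bool(cookie_tok) and hmac.compare_digest(cookie_tok.encode(), header_tok.encode())
    return 200 if ok else 403

if __name__ == "__main__":
    jar = parse_jar(SAMPLE_JAR)
    print("cookie only :", double_submit_status("POST", client_headers(jar, False)))
    print("token echoed:", double_submit_status("POST", client_headers(jar, True)))
```
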
