Update Variable API Gives 403

Hi Everyone, I’m pretty new to Camunda. I have deployed a BPMN to Camunda and then started the process. On start I set a variable “state” using an inline script as:

execution.setVariable("state", "open")

Now I want to update the value of this variable to in-progress, declined, etc. using the REST API.
For this I’m using the /task/{task-id}/variables/{variable-name} API.
So my curl request is:

curl -X PUT 'http://localhost:8080/engine-rest/task/4031c7cf-f8e7-11eb-b8e7-024288e19427/variables/state/' -H 'authorization: Basic ZGVtbzpkZW1v' -H 'content-type: application/json' -d '{"value": "declined","type": "String"}'

This is working fine, but when I hit this API using Postman/JS/jQuery it gives me a 403 response.

I’m using Camunda-bpm-tomcat-7.15

Please help me. Thank you in advance

Can you post the exact Postman and/or js POST request? I suspect that it has to do with how the JSON is being encoded.

Best Regards,

This is the js code I’m using

var oReq = new XMLHttpRequest();
var data = JSON.stringify({
  "value": "in_progress",
  "type": "String"
});
oReq.open("PUT", "http://localhost:8080/engine-rest/task/4031c7cf-f8e7-11eb-b8e7-024288e19427/variables/state");
oReq.setRequestHeader("content-type", "application/json");
oReq.setRequestHeader('Authorization', 'Basic GVtbzpkZW1v');
oReq.send(data); // send the JSON body with the PUT request

Where did you find this endpoint? Not seen in the docs, or I’m missing that.

For updating task variables using the built-in REST API, the endpoints reference can be found here:

Yes you are right. I’m using the Put Task Variable API

PUT /task/{task-id}/variables/{varName}

My varName is state and task-id is 4031c7cf-f8e7-11eb-b8e7-024288e19427,
so the resulting endpoint becomes

PUT /task/4031c7cf-f8e7-11eb-b8e7-024288e19427/variables/state/

Yeah, correct. Have you set authorizations for users, like allow or deny rules on certain resources?

Could you provide the complete exception stack trace?

The user I’m using has all the permissions.
I’m using the default user “demo”.

Moreover, I have removed the Basic authentication; even then I’m getting the same 403 response.

@Sumit_Singh What does your Camunda server setup look like?

If possible, providing a minimal project on GitHub or here which can reproduce this would make it easier to analyze.

So here is the github link

@Sumit_Singh Thanks for the link. If you see the below config, auth is still enabled.

If you are not passing auth header, then you can remove this property.

I commented out this line; even then it’s not working.

      <property name="history">full</property>
      <property name="databaseSchemaUpdate">true</property>
      <!--<property name="authorizationEnabled">true</property>-->
      <property name="jobExecutorDeploymentAware">true</property>
      <property name="historyCleanupBatchWindowStartTime">00:01</property>


What I’m thinking is that authorization has no effect on this; there is something else that I’m missing.
The OPTIONS request is also working fine, which means there is no CORS error, but the PUT request gives 403. Is there something that stops the Camunda engine-rest from serving PUT requests?

@Sumit_Singh Disabling that property requires a server restart in order for the change to take effect.

@aravindhrs I checked after restarting the server, but the error is still the same 403.

Hi @Sumit_Singh,

Is your calling application hosted on a different port?

If yes then CORS needs to be enabled.

Please have a look at the conversation below.

Hi @hassang ,
I have already done CORS settings, every request is working fine except the PUT request.
Is there anything specific for PUT request?
This is my request.

var data = JSON.stringify({
  "password": "john@123",
  "authenticatedUserPassword": "demo"
});

var xhr = new XMLHttpRequest();
xhr.withCredentials = true;

xhr.addEventListener("readystatechange", function () {
  if (this.readyState === 4) {
    console.log(this.responseText); // log the response once the request completes
  }
});

xhr.open("PUT", "http://localhost:8080/engine-rest/user/jonny/credentials");
xhr.setRequestHeader("authorization", "Basic ZGVtbzpkZW1v");
xhr.setRequestHeader("content-type", "application/json");
xhr.setRequestHeader("cache-control", "no-cache");
xhr.setRequestHeader("postman-token", "6f49887a-e20d-ef8f-ef50-7b1591a77b5b");
xhr.send(data);


I got the solution

Just added the corsMethods in corsFilters:

     <param-value>GET, POST, PUT, HEAD, OPTIONS, DELETE </param-value>

Now works fine
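
Why the curl call succeeded while the browser PUT returned 403, as an added example that is not part of the original thread: it assumes the filter in question is Tomcat's `org.apache.catalina.filters.CorsFilter`, whose `cors.allowed.methods` defaults to GET, POST, HEAD, OPTIONS and which answers a disallowed cross-origin method with 403. The function names and the page origin `http://localhost:3000` are hypothetical.

```javascript
// Simplified model (an assumption, not Tomcat source code) of the method check
// in org.apache.catalina.filters.CorsFilter. Header names are lower-cased.
const DEFAULT_METHODS = ["GET", "POST", "HEAD", "OPTIONS"]; // cors.allowed.methods default

// Parse a web.xml <param-value> such as the one posted in the thread.
function parseMethods(paramValue) {
  return paramValue.split(",").map((m) => m.trim()).filter(Boolean);
}

function classify(req) {
  if (!req.headers.origin) return "NOT_CORS"; // e.g. curl: no Origin header
  if (req.method === "OPTIONS" && req.headers["access-control-request-method"]) {
    return "PRE_FLIGHT";
  }
  return "ACTUAL"; // simple and non-simple requests get the same method check
}

function corsDecision(req, allowedMethods, allowedOrigins) {
  const type = classify(req);
  if (type === "NOT_CORS") return { type, rejected: false };
  if (!allowedOrigins.includes(req.headers.origin)) {
    return { type, rejected: true, reason: "403: origin not allowed" };
  }
  // A preflight is judged on the method it announces, not on OPTIONS itself.
  const method = type === "PRE_FLIGHT"
    ? req.headers["access-control-request-method"]
    : req.method;
  if (!allowedMethods.includes(method)) {
    return { type, rejected: true, reason: `403: method ${method} not allowed` };
  }
  return { type, rejected: false };
}

// Constructed requests mirroring the thread; ORIGIN is a hypothetical page origin.
const ORIGIN = "http://localhost:3000";
const origins = [ORIGIN];
const json = { "content-type": "application/json" };
const curlPut = { method: "PUT", headers: { ...json } };
const browserPut = { method: "PUT", headers: { ...json, origin: ORIGIN } };
const preflight = { method: "OPTIONS",
  headers: { origin: ORIGIN, "access-control-request-method": "PUT" } };
const bareOptions = { method: "OPTIONS", headers: { origin: ORIGIN } };
const fixedMethods = parseMethods("GET, POST, PUT, HEAD, OPTIONS, DELETE ");

for (const [name, req] of Object.entries({ curlPut, browserPut, preflight, bareOptions })) {
  const before = corsDecision(req, DEFAULT_METHODS, origins);
  const after = corsDecision(req, fixedMethods, origins);
  console.log(name, before.type, before.reason || "passed", "->", after.reason || "passed");
}
```

In this model an OPTIONS request sent without `Access-Control-Request-Method` passes the default method list, so a successful hand-made OPTIONS call does not show that a browser preflight for PUT would pass.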


Hi @Sumit_Singh,

Glad to hear that you managed to solve your issue.

An example of an advanced CORS configuration is shown in the link below, shared in the above conversation.