Solved: REST API test of simple service returns HTTP 403

asinclair · ‎Jan 14, 2016

Hi,

I created a thing (my first) and wrote a simple service to return the current UTC date time. There is no input parameter and the only output is the datetime value. Pressing the Test button on the Service listing in the Composer seems to work okay. But when I use Postman to send a service request via an HTTP POST the service returns HTTP 403 Forbidden. The POST message has the correct URI as far as I can tell. I have included the appKey associated with my User account in the header and made sure my user account has full access to the thing and the service.

The explanation of HTTP 403 suggests the form of the service request in Postman is correct but the server is actively refusing to honor it and not because of insufficient privilege.

How do I debug this?

qn · ‎Jan 15, 2016

Hi,

You have to go to System / Subsystems / PlatformSubsystem / Configuration. Check "Allow Request Method Switch" and uncheck "Filter Content-Type".

View solution in original post

asinclair · ‎Jan 14, 2016

Just to clarify ... the thing template is Generic Thing.

qn · ‎Jan 15, 2016

Hi,

You have to go to System / Subsystems / PlatformSubsystem / Configuration. Check "Allow Request Method Switch" and uncheck "Filter Content-Type".

asinclair · ‎Jan 15, 2016

Okay, this works and my REST API service request is getting 200 OK response and correct data.

Reading the help on the Platform Subsystem | Configuration settings suggests that the new settings go against the "best practice" and expose the application to cross-site request forgery, so the solution has consequences that go beyond making a simple service request work. I'll need to research this further.

qn · ‎Jan 15, 2016

I'm agree that letting POST request open to public is dangerous for the platform.