Error when saving document: 403 Forbidden when upgrading to 26 version

Having trouble deploying Oxygen XML Web Author? Got a bug to report? Post it all here.
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello,

We are using Web Author. We are opening and saving documents through Rest (oxygen.html?url=http://ourcms/document.dita)

Everything worked fine with version 25.1. But when I tried to upgrade to version 26.1, saving document no longer worked.
I systematically get a popup saying Error when saving document: 403 Forbidden for: http://ourcms/document.dita

Do you have an idea about this issue?

Thanks,

Johann
cosminef
Site Admin
Posts: 107
Joined: Wed Aug 30, 2023 2:33 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by cosminef »

Hello,

Thank you for contacting us.
To thoroughly investigate what could be causing the error, it is necessary to enable detailed logging of the HTTP requests [1] sent by Oxygen XML Web Author and attach them to be analyzed

[1] https://www.oxygenxml.com/doc/versions/ ... -logs.html

Best,
Cosmin
Cosmin Eftenie
www.oxygenxml.com
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello,

I've done what you recommended for the logs.
Here are the 2 logs I get when I save the file.

With oxygen 25.1 version :

Code: Select all

2024-05-21 17:05:07,778 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: standard
2024-05-21 17:05:07,779 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {}->http://host.docker.internal:9111][total kept alive: 2; route allocated: 1 of 4096; total allocated: 2 of 4096]
																																																		   
																																						
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 2][route: {}->http://host.docker.internal:9111][total kept alive: 1; route allocated: 1 of 4096; total allocated: 2 of 4096]
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-2: set socket timeout to 0
																																													
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-2: set socket timeout to 20000
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> PUT /contentfactory/api/v1/dita/en-GB/TPC_rail-task_000000001.dita HTTP/1.1
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> X-Requested-With: WebAuthor
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> User-Agent: ContentFactory-WebAuthor-Plugin
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Content-Type: */*; charset=UTF-8
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Cookie: oxy_lang=fr_FR; JSESSIONID=1CD52A4EFA8C34993B0E61A0E7F3D821; WEB-AUTHOR-JSESSIONID=2a0f2739-0b4e-4349-927e-eebfd87b2a3e; _uid=user-5599257273907507865; Idea-67f26e17=5c9681d4-aaa0-4dce-9fe6-979bd576dfd0; 
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Content-Length: 295
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Host: host.docker.internal:9111
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Connection: Keep-Alive
2024-05-21 17:05:07,785 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 >> Accept-Encoding: gzip,deflate
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << HTTP/1.1 200 
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Vary: Origin
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Vary: Access-Control-Request-Method
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Vary: Access-Control-Request-Headers
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Set-Cookie: XSRF-TOKEN=d78d8f1f-8ff2-4458-bb9a-51719f590fad; Path=/contentfactory
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Set-Cookie: JSESSIONID=1CD52A4EFA8C34993B0E61A0E7F3D821; Path=/web-author-component; HttpOnly
																																	
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Cache-Control: no-cache, must-revalidate
																													 
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Expires: 0
2024-05-21 17:05:08,077 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << X-Content-Type-Options: nosniff
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << X-XSS-Protection: 1; mode=block
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << X-Frame-Options: SAMEORIGIN
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Content-Length: 0
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Date: Tue, 21 May 2024 15:05:08 GMT
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Keep-Alive: timeout=20
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-2 << Connection: keep-alive
																																																															  
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 2][route: {}->http://host.docker.internal:9111] can be kept alive for 20.0 seconds
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-2: set socket timeout to 0
2024-05-21 17:05:08,078 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 2][route: {}->http://host.docker.internal:9111][total kept alive: 2; route allocated: 1 of 4096; total allocated: 2 of 4096]
2024-05-21 17:05:08,079 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted [XSRF-TOKEN="d78d8f1f-8ff2-4458-bb9a-51719f590fad", version:0, domain:host.docker.internal, path:/contentfactory, expiry:null]
2024-05-21 17:05:08,079 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted [JSESSIONID="1CD52A4EFA8C34993B0E61A0E7F3D821", version:0, domain:host.docker.internal, path:/web-author-component, expiry:null]

With oxygen 26.1 version :

Code: Select all

2024-05-21 16:56:15,937 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.client.protocol.RequestAddCookies - CookieSpec selected: standard
2024-05-21 16:56:15,938 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection request: [route: {}->http://host.docker.internal:9111][total kept alive: 2; route allocated: 1 of 4096; total allocated: 2 of 4096]
2024-05-21 16:56:15,938 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.CPool - Connection [id:13][route:{}->http://host.docker.internal:9111][state:null] expired @ Tue May 21 16:50:54 CEST 2024
2024-05-21 16:56:15,938 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-13: Close connection
2024-05-21 16:56:15,938 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection leased: [id: 22][route: {}->http://host.docker.internal:9111][total kept alive: 1; route allocated: 1 of 4096; total allocated: 2 of 4096]
2024-05-21 16:56:15,940 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connecting to host.docker.internal/192.168.0.33:9111
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultHttpClientConnectionOperator - Connection established 192.168.0.33:54997<->192.168.0.33:9111
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-22: set socket timeout to 20000
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> PUT /contentfactory/api/v1/dita/en-GB/TPC_rail-task_000000001.dita HTTP/1.1
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> X-Requested-With: x
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> User-Agent: ContentFactory-WebAuthor-Plugin
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Content-Type: */*; charset=UTF-8
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Cookie: oxy_lang=fr_FR; JSESSIONID=1CD52A4EFA8C34993B0E61A0E7F3D821; WEB-AUTHOR-JSESSIONID=b7f4c2da-470f-4708-8cf9-f79a27a1bbfd; _uid=user-5599257273907507865; Idea-67f26e17=5c9681d4-aaa0-4dce-9fe6-979bd576dfd0; 
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Content-Length: 296
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Host: host.docker.internal:9111
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Connection: Keep-Alive
2024-05-21 16:56:15,942 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 >> Accept-Encoding: gzip,deflate
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << HTTP/1.1 403 
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Vary: Origin
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Vary: Access-Control-Request-Method
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Vary: Access-Control-Request-Headers
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Set-Cookie: XSRF-TOKEN=1f52d4a1-9304-441f-b7a0-8b4a431662bc; Path=/contentfactory
2024-05-21 16:56:15,944 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << X-Content-Type-Options: nosniff
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << X-XSS-Protection: 1; mode=block
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Cache-Control: no-cache, no-store, max-age=0, must-revalidate
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Pragma: no-cache
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Expires: 0
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << X-Frame-Options: SAMEORIGIN
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Content-Type: text/html;charset=utf-8
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Content-Language: en
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Content-Length: 649
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Date: Tue, 21 May 2024 14:56:15 GMT
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Keep-Alive: timeout=20
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.headers - http-outgoing-22 << Connection: keep-alive
2024-05-21 16:56:15,945 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.client.protocol.ResponseProcessCookies - Cookie accepted [XSRF-TOKEN="1f52d4a1-9304-441f-b7a0-8b4a431662bc", version:0, domain:host.docker.internal, path:/contentfactory, expiry:null]
2024-05-21 16:56:15,946 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection [id: 22][route: {}->http://host.docker.internal:9111] can be kept alive for 20.0 seconds
2024-05-21 16:56:15,946 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-22: set socket timeout to 0
2024-05-21 16:56:15,946 DEBUG [ http-nio-8092-exec-4 ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection released: [id: 22][route: {}->http://host.docker.internal:9111][total kept alive: 2; route allocated: 1 of 4096; total allocated: 2 of 4096]
2024-05-21 16:56:16,114 DEBUG [ Finalizer ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection manager is shutting down
2024-05-21 16:56:16,114 DEBUG [ Finalizer ] org.apache.http.impl.conn.DefaultManagedHttpClientConnection - http-outgoing-18: Close connection
2024-05-21 16:56:16,114 DEBUG [ Finalizer ] org.apache.http.impl.conn.PoolingHttpClientConnectionManager - Connection manager shut down
Any idea?

Regards,

Johann
cristi_talau
Posts: 501
Joined: Thu Sep 04, 2014 4:22 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by cristi_talau »

Hello,

The only difference I can see is the X-Requested-With header changed from Webauthor to "x" and the Content-Length from 295 to 296. The cookies that I guess that are related to authentication seem to be the same.

Can you make your server print more details about why it reject the request as Forbidden? Does it recognize Web Author as acting on behalf of the correct user?

Best,
Cristian
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello,

On the CMS server side, indeed, we control that X-Requested-With header is equal to "Webauthor" to authorize the URL connection.
I do not understand why the X-Requested-With header value is changed to "x" when I only upgrade oxygen dependencies from 25.1 to 26.1.
I did not change any line of code and I test on the same CMS server.

Johann
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello,

I found a difference between the code of the ro.sync.ecss.webapp.access.j#save methods (25.1 versus 26.1)
That line appeared in 26.1 version:

Code: Select all

this.pqo(var5, Collections.singletonMap("X-Requested-With", "x"));
That could explain the behaviour.
So what's the best way to transmit the header I need when saving the document?

Thank you for your help,

Johann
cosminef
Site Admin
Posts: 107
Joined: Wed Aug 30, 2023 2:33 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by cosminef »

Hello,

We registered an issue (WA-7446) on our internal issue tracker to avoid setting the X-Requested-With header on the save request made to the CMS.
In the meantime, untill the bug is fixed, you can try customizing you plugin that installs the custom UrlStreamHandler so that it returns a UrlConnection that implements java.net.URLConnection.addRequestProperty("X-Requested-With", "...") so that it allows you to override the header or forces the value to your custom value instead of "X".

Best,
Cosmin
Cosmin Eftenie
www.oxygenxml.com
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello Cosmin,

I tried to put the addRequestProperty("X-Requested-With", "...") at different locations but the "x" value is still present at the end when saving the document.
I have the impression that the override made in the save method inevitably takes over. Can you override the header value on your side? If so, I'd appreciate it if you'd send me the code snippet to get me unblocked.

Thanks,

Johann
Bogdan Dumitru
Site Admin
Posts: 145
Joined: Tue Mar 20, 2018 5:28 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Bogdan Dumitru »

Hello Johann,

Do you have a plugin.xml with an "URLHandler" extension, right? If yes, you can fix it in the URLStreamHandler returned by this extension. Go in the URLStreamHandler.openConnection method and before returning the URLConnection, set the "X-Requested-With" header with the desired value. This way you will set your header first, before we call addRequestProperty("X-Requested-With", "x"), so your value will win.

Another thing that you may consider is that the CMS server should receive all the "X-Requested-With" headers, the one that we set and the one that you set. So, in theory, you can check in the CMS that there is at least one header with "Webauthor" value, not just the first one.
In Java there are two methods: a) javax.servlet.http.HttpServletRequest.getHeader(String) that returns only the first header and b) javax.servlet.http.HttpServletRequest.getHeaders(String) that returns all the headers.

By the way, if you call javax.servlet.http.HttpServletResponse.addHeader("X-Requested-With", "Webauthor") you may swtich to javax.servlet.http.HttpServletResponse.setHeader("X-Requested-With", "Webauthor") because "setHeader" overrides the initial value.
Bogdan Dumitru
http://www.oxygenxml.com
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello Bogdan,

I added this code inside our AuthorURLStreamHandler:

Code: Select all

    @Override
    protected URLConnection openConnectionInContext(String contextId, URL url, Proxy proxy) throws IOException {
        URLConnection urlConnection = computeUrl(url).openConnection();
        AuthorURLConnection connection = new AuthorURLConnection(contextId, urlConnection);
        connection.addRequestProperty("X-Requested-With", "WebAuthor");
        return connection;
    }
Unfortunately, apache logs still show "x" for "X-Requested-With" header.

Code: Select all

2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> PUT /contentfactory/api/v1/dita/en-GB/TPC_rail-task_000000002.dita HTTP/1.1
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> X-Requested-With: x
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> User-Agent: ContentFactory-WebAuthor-Plugin
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Content-Type: */*; charset=UTF-8
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Cookie: oxy_lang=fr_FR; JSESSIONID=5A17D63D6051EBDC709F68BF87A85240; WEB-AUTHOR-JSESSIONID=a3e10ca7-e54d-4671-984b-1b65f2843196; _uid=user-5599257273907507865; Idea-67f26e17=5c9681d4-aaa0-4dce-9fe6-979bd576dfd0; 
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Content-Length: 288
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Host: localhost:9111
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Connection: Keep-Alive
2024-05-24 12:35:44,863 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 >> Accept-Encoding: gzip,deflate
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << HTTP/1.1 403 
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Vary: Origin
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Vary: Access-Control-Request-Method
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Vary: Access-Control-Request-Headers
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Set-Cookie: XSRF-TOKEN=16134d3a-4348-425c-b43a-8730bc8e23e2; Path=/contentfactory
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << X-Content-Type-Options: nosniff
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << X-XSS-Protection: 1; mode=block
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Cache-Control: no-cache, no-store, max-age=0, must-revalidate
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Pragma: no-cache
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Expires: 0
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << X-Frame-Options: SAMEORIGIN
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Content-Type: text/html;charset=utf-8
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Content-Language: en
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Content-Length: 649
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Date: Fri, 24 May 2024 10:35:44 GMT
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Keep-Alive: timeout=20
2024-05-24 12:35:44,866 DEBUG [ http-nio-8092-exec-2 ] org.apache.http.headers - http-outgoing-7 << Connection: keep-alive
As you suggested, maybe the two values of the header are sent but I do not have easy access on our CMS code...
I'm a bit skeptical as the apache logs don't mention this new value or possibly double value.

Johann
Bogdan Dumitru
Site Admin
Posts: 145
Joined: Tue Mar 20, 2018 5:28 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Bogdan Dumitru »

Hello Johann,

Can you try overriding AuthorURLConnection.setRequestProperty(String, String) somewhat like this:

Code: Select all

      @Override
      public void setRequestProperty(String key, String value) {
        if ("X-Requested-With".equals(key)) {
          super.setRequestProperty("X-Requested-With", "WebAuthor");
        } else {
          super.setRequestProperty(key, value);
        }
      }
      
Bogdan Dumitru
http://www.oxygenxml.com
Johann
Posts: 207
Joined: Wed Jun 17, 2015 12:46 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Johann »

Hello Bogdan,

Ok, it's working with your last suggestion. Thank you for your help!

Nevertheless, can you let me know through this post when the patch is released so that I can remove this workaround from my code?

Thank you!

Johann
Bogdan Dumitru
Site Admin
Posts: 145
Joined: Tue Mar 20, 2018 5:28 pm

Re: Error when saving document: 403 Forbidden when upgrading to 26 version

Post by Bogdan Dumitru »

Sure!
Bogdan Dumitru
http://www.oxygenxml.com
Post Reply