Hi,

I'm trying to connect web service which made by the customer (CRM ON DEMAND)

When testing customer WS from Google Chrom using DHC (WS client) i need to call 3 URL for testing:
1. to connect session: https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/Connection
2. to fetch data: https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/latest/Contacts?fields=CustomText0&q=IndexedShortText0='035821800'
3. to close session: https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/Connection?action=logoff

it works and I can see WS reponse data.

I tried to illustrate the same thing in OD and I created 3 rest WS.
when I'm calling the second rest WS i'm getting the following error:

14/01/2016 17:09:13:221 INFO - 8CF181FBAB6B003F4604753F33A7F1B3:/getCRM_URL : Using Basic/Digest authentication for web service call
14/01/2016 17:09:13:224 DEBUG - 8CF181FBAB6B003F4604753F33A7F1B3:/getCRM_URL : Web Service Request -> https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/latest/Contacts?fields=CustomText0&q=IndexedShortText0='035821800'
14/01/2016 17:09:14:600 ERROR - 8CF181FBAB6B003F4604753F33A7F1B3:/getCRM_URL : HTTP TRANSPORT, 403 ERROR: FORBIDDEN
14/01/2016 17:09:14:600 ERROR - 8CF181FBAB6B003F4604753F33A7F1B3:/getCRM_URL : EXCEPTION: Transport error: 403 Error: Forbidden
14/01/2016 17:09:14:655 INFO - 8CF181FBAB6B003F4604753F33A7F1B3:/getCRM_URL : Capturing exception [org.apache.axis2.AxisFault]. Message [Transport error: 403 Error: Forbidden]
***** Saw exception, tracing before report
org.apache.axis2.AxisFault: Transport error: 403 Error: Forbidden
at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:310)
***** Saw exception, tracing before report
org.apache.axis2.AxisFault: Transport error: 403 Error: Forbidden


if I just call the second rest WS (without the connection phase) i'm getting the same result

Do you have any Idea what I should do in order to make it work.

Thanks,
Idan.

It could be a few things. I would think most likely a certificate issue possibly?

Try this link for some ideas:
http://stackoverflow.com/questions/370420/http-403-error-while-accessing-web-service

Reading the article it seems that it's not relevant because the first rest call works properly from the OD, the second one is not working.
From google chrome DHC rest client it works properly from the same station running OD simulator.

it seems like the session is not reserved at the second rest call and it restrict the access.

any idea ?

Idan

Do you have the app log showing it invoking the first call successfully?

Is there anything about the second call that would cause a security issue beyond just invoking it?

for the first call I'm getting response with details as shown bellow:

tarting REST web service operation [Login]
15/01/2016 08:04:46:640 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using Basic/Digest authentication for web service call
15/01/2016 08:04:46:645 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Web Service Request -> https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/Connection
15/01/2016 08:04:49:738 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Response had content type: application/vnd.oracle.adf.resource+json. Retrying call with new type...
15/01/2016 08:04:50:618 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Storing [{"Connection":{"apiVersion":"028","apiVersionMinimum":"026","clientHelpURL":"https://support.oracle.com/epmos/faces/DocumentDisplay?id=1663390.1","dateFormatLocale":"yyyy-MM-dd, yyyy-MM-dd'T'HH:mm:ss'Z'","languageLocale":"ENU","maximumFileSize":20,"Version":"029.015.002","ServerDate":"2016-01-14T23:04:52Z","LastLoggedIn":"2016-01-14T23:04:51Z","UserLoginId":"VERIFI/CTI","UserId":"AVJA-DJNW7W","TenantId":"AVIA-4TU2Z3","CompanyName":"Teva Verifi"}}] to: restReponse
15/01/2016 08:04:50:618 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Web Service Reply <- {"Connection":{"apiVersion":"028","apiVersionMinimum":"026","clientHelpURL":"https://support.oracle.com/epmos/faces/DocumentDisplay?id=1663390.1","dateFormatLocale":"yyyy-MM-dd, yyyy-MM-dd'T'HH:mm:ss'Z'","languageLocale":"ENU","maximumFileSize":20,"Version":"029.015.002","ServerDate":"2016-01-14T23:04:52Z","LastLoggedIn":"2016-01-14T23:04:51Z","UserLoginId":"VERIFI/CTI","UserId":"AVJA-DJNW7W","TenantId":"AVIA-4TU2Z3","CompanyName":"Teva Verifi"}}
15/01/2016 08:04:50:633 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using SCESession B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL servlet : GetURL
15/01/2016 08:04:50:770 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Starting REST web service operation [GetURL]
15/01/2016 08:04:50:819 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using Basic/Digest authentication for web service call
15/01/2016 08:04:50:819 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Web Service Request -> https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/latest/Contacts?fields=CustomText0&q=IndexedShortText0='035821800'
15/01/2016 08:04:52:027 ERROR - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : HTTP TRANSPORT, 403 ERROR: FORBIDDEN
15/01/2016 08:04:52:027 ERROR - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : EXCEPTION: Transport error: 403 Error: Forbidden
15/01/2016 08:04:52:034 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Capturing exception [org.apache.axis2.AxisFault]. Message [Transport error: 403 Error: Forbidden]
15/01/2016 08:04:52:034 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using SCESession B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL servlet : logoff
15/01/2016 08:04:52:112 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Starting REST web service operation [Logoff]
15/01/2016 08:04:52:143 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using Basic/Digest authentication for web service call
15/01/2016 08:04:52:143 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Web Service Request -> https://secure-slsomxvja.crmondemand.com/OnDemand/user/Rest/Connection?action=logoff
15/01/2016 08:04:53:038 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Response had content type: text/plain. Retrying call with new type...
15/01/2016 08:04:53:270 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Storing [] to: restReponse
15/01/2016 08:04:53:270 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Web Service Reply <-
15/01/2016 08:04:53:270 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Using SCESession B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL servlet : endScript
16/01/2016 19:19:34:087 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : HTTP Session lost removing SCESession B0AC7D4242152862EE47D7166DA139FB
16/01/2016 19:19:34:999 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : SCESession Removed
16/01/2016 19:19:34:999 DEBUG - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : Removing 1 session stack frames.
16/01/2016 19:19:34:999 INFO - B0AC7D4242152862EE47D7166DA139FB:/getCRM_URL : ** Popped Stack Frame [/getCRM_URL]



from what I understand the session need to be open after connecting by the first rest call.

I understand that after connecting with first rest call the server generate Cookie which contains also jsessionid which need to be the same for the second REST call, The client must use this cookie when submitting subsequent requests, including logoff requests.

That's why when I don't use it in the second call I'm getting HTTP TRANSPORT, 403 ERROR: FORBIDDEN error message.

Any Idea how to implement it ?

Thanks,
Idan

It looks like the “open session” returns some sort of cookie or other piece of data that the second request is using to verify there is a session. The Chrome client seems to magically persist this and add to the second request.

look at the raw http request returned on request 1 (including http headers and etc) and then also look what is sent in the second request (raw request, including http headers) that should uncover what should be sent in the second request.

in the google client I can see it add cookie to the open session and the 2nd call using it.

I don't understand how to implement it with the OD ....

Can you assist with it ?

Thanks

See the attached power point.

there is no file to download

I worked for me. Attaching again.

Click on the word "download" and not the icon.

How I can get the jsessionid in your example and transfer it to the second REST call ?

On the first request add a header and make it "in" and set the value to JSESSION or jsession (no sure if it is all caps or not), and store it into a variable. Then on the second request add a header and make it "out" and select the variable you use to store the value. just like my example that picks up the header abc.

HTTP/1.1 200 OK
Date: Mon, 18 Jan 2016 16:48:25 GMT
Server: N/A
X-ORACLE-DMS-ECID: 85dbc081d93ddadc:33b3c24f:151cfb3a7a7:-8000-00000000003901ab
Content-Language: en-us
Vary: Accept-Encoding
Content-Encoding: gzip
Set-Cookie: JSESSIONID=x-NVozTv3j05LV-ti0cvM0rigOIpszABTXE6G75OVaJQObDzejqv!-1984264569; path=/OnDemand; HttpOnly; Secure
Set-Cookie: ORA_OD_CLPU=; expires=Thu, 01-Jan-1970 01:00:00 GMT; path=/OnDemand; secure
Set-Cookie: ORA_OD_OSI=$6$QF64p/8pUde0oRt+tWVt959Eu/SkIa1iPi5LWQQjTcgCg6OqA=@$6$WeeYh/jqaDWNNkYt7rAF2/5gxzqB3x95iEBSPhXgo5dhPCkos=; expires=Sat, 05-Feb-2084 20:02:32 GMT; path=/; secure
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: application/vnd.oracle.adf.resource+json


when trying to add Set-Cookie to HTTP Headers i'm getting just the 3rd "Set-Cookie" property (ORA_OD_OSI) - I don't know how to get JSESSIONID.

when i'll figure it, than I guess I can solve the mystery.

Idan