403 Forbidden for /rest/v2/applications/settings/appName API, while other user-related APIs work fine

[CheSauRie]

Hi Ant Media Team,

I'm experiencing an issue with the /rest/v2/applications/settings/{appName} API. Here's the situation:

I have successfully used the following two APIs without any issues:
/rest/v2/users/initial
/rest/v2/users/authenticate
However, when I attempt to use the settings API (/rest/v2/applications/settings/{appName}), I receive a 403 Forbidden error.
Here is a summary of my setup:

API endpoint: http://localhost:5080/rest/v2/applications/settings/{appName}
Server setup: Running on Apache Tomcat, using Ant Media version [specify version].
Authentication seems to work fine for user-related APIs, but the settings API is blocked.
The log output shows:

bash
Sao chép mã
Configure settings for app failed. Detail: 403 Forbidden from POST http://localhost:5080/rest/v2/applications/settings/LiveApp
What I've tried:

Ensured that the application name is correct.
Confirmed that authentication succeeds for the user APIs.
Checked permissions and roles associated with the authenticated user.
Any help or guidance on resolving this issue would be greatly appreciated.

Here is the corresponding code for making the API request:

public boolean authenticate(String email, String password) {
    try {
        Map<String, Object> request = new HashMap<>();
        request.put("email", email);
        request.put("password", password);

        JsonNode response = webClient.post()
            .uri("/rest/v2/users/authenticate")
            .body(Mono.just(request), Map.class)
            .retrieve()
            .bodyToMono(JsonNode.class)
            .block();

        if (response != null && response.get("success").asBoolean()) {
            log.info("Login succeeded");
            return true;
        } else {
            log.info("Login failed. Response: {}", response);
            return false;
        }
    } catch (WebClientException e) {
        return false;
    }
}

public void configAppSettings(String appName) {
    ObjectNode settings = Utils.MAPPER.createObjectNode();
    settings.put("mp4MuxingEnabled", true);
    settings.put("vodFolder", ".");
    settings.put("hlsMuxingEnabled", true);
    settings.put("hlsListSize", 5);
    settings.put("hlsTime", 2);
    settings.put("remoteAllowedCIDR", "0.0.0.0/0");

    try {
        JsonNode response = webClient.post()
            .uri(uriBuilder -> uriBuilder
                .path("/rest/v2/applications/settings/{appName}")
                .build(appName))
            .body(Mono.just(settings), ObjectNode.class)
            .retrieve()
            .bodyToMono(JsonNode.class)
            .block();

        log.info("Configured {} settings. Status: {}, settings: {}, response: {}",
                 appName, settings, response);
    } catch (WebClientException e) {
        log.error("Configure settings for app failed. Detail: {}", e.getMessage());
    }
}

[lastpeony]

You need to pass the httpCookieStore to your HTTP requests. This way /settings/appName route will know that you are authenticated. Example code snippet for java:

		String url = ROOT_SERVICE_URL + "/applications/settings/" + appName;
		HttpClient client = HttpClients.custom().setRedirectStrategy(new LaxRedirectStrategy())
				.setDefaultCookieStore(httpCookieStore).build();


		HttpUriRequest post = RequestBuilder.post().setUri(url)
				.setHeader(HttpHeaders.CONTENT_TYPE, "application/json")
				.setEntity(new StringEntity(gson.toJson(appSettingsModel))).build();

		HttpResponse response = client.execute(post);

		StringBuffer result = readResponse(response);

You must pass httpCookieStore(BasicCookieStore httpCookieStore = new BasicCookieStore();
) to all your related requests, including the previous authenticate one.

By the way username password authentication is for testing purposes. I highly recommend you to enable REST API JWT Filter through app settings and using it. Generate a long term JWT, put it to your server .env and pass it to the HTTP reqs.
https://antmedia.io/docs/guides/developer-sdk-and-api/rest-api-guide/jwt-rest-api-filter/