Jmix version 2.4.2
I am trying to show an already uploaded image using the following REST API endpoint in the src property of an img tag in an Ionic React front end:
https://xxx.xxxxxx.com/rest/files?fileRef=fs%3A%2F%2F2025%2F02%2F14%2Faeffe988-e0c2-2064-d7a7-f734bcb17b47.png%3Fname%3DScreenshot%2B2024-10-23%2B194433.png&access_token=niEBoCNrGHr0TMewry8wP8L8drgV0G50Fb4evK3DmxauzZ4tnxtOS9_fkkJ7rXP2VktNxy3xyRmNt5_p2DegmIFStEKxoIvnI8gsj0zfqnZ8UC7NVjCiq84bRcLSFb9Q
But I am getting an error that it is unauthorised, although using the same access token I can query all the entities in my front end. The same REST API endpoint was working fine in earlier versions.
Please guide.
This is despite the fact that the user has been given the role with the specific policy rest.fileDownload.enabled, and in the configuration file the URL pattern is provided by jmix.resource-server.authenticated-url-patterns = /rest/**
Can anyone help? Thanks
Hello.
File uploading/downloading via REST works.
There are some notes:
- When you get an access token, you have to use it in the Authorization header, not as a URL parameter.
- If you try to download via e.g. Postman with a proper auth header - it will be successfully downloaded.
- If you just use a browser to access these endpoints, it will use your application (UI) authorization. So your logged-in user should have an application-level permission related to file downloading (rest.fileDownload.enabled) alongside the base rest.enabled permission.
So, to access it via browser your role for files management should provide specific policy for UI scope also.
It will be something like that. This resource role is applied to both scopes API and UI:
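```java
import io.jmix.security.role.annotation.ResourceRole;
import io.jmix.security.role.annotation.SpecificPolicy;

@ResourceRole(name = "RestFileManagement", code = RestFileManagementRole.CODE)
public interface RestFileManagementRole {
    String CODE = "rest-file-management";

    // Specific policies that enable the REST API and REST file download
    @SpecificPolicy(resources = {"rest.enabled", "rest.fileDownload.enabled"})
    void specific();
}
```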
If you log in as a user with this role you should be able to show/download files.
Please check your roles and try again.
If you still have an issue or your scenario is more specific - provide additional info (and the Jmix version where it worked previously with the same configuration and requests).
Regards,
Ivan
Thanks,
The roles mentioned in your post have been created and assigned to the user, but the problem persists. The server responds to the request as unauthorized. I have upgraded the Jmix version to 2.4.3 but it is still not working.
This access to files in the frontend with access_token has been working since I started working on the frontend 2 years back, and the problem started when the REST API add-on was upgraded to include various types of authorization.
I am using password as the authorization grant type, as I could not get hold of the other authorization grant types. The complete REST API configuration in my application.properties file is as follows:
```properties
spring.security.oauth2.authorizationserver.client.myclient.registration.client-id=ksqhfoxslu
spring.security.oauth2.authorizationserver.client.myclient.registration.client-secret={noop}fDgFwdbCei
spring.security.oauth2.authorizationserver.client.myclient.registration.client-authentication_methods=client_secret_basic
spring.security.oauth2.authorizationserver.client.myclient.token.access-token-format=reference
spring.security.oauth2.authorizationserver.client.myclient.token.access-token-time-to-live=24h
spring.security.oauth2.authorizationserver.client.myclient.token.refresh-token-time-to-live=24h
spring.security.oauth2.authorizationserver.client.myclient.registration.authorization-grant-types=password
jmix.rest.queries-config = rest-queries.xml
jmix.rest.services-config = rest-services.xml
jmix.core.fetch-plans-config=com/stsjpr/buildprosoft/fetch-plans.xml
jmix.resource-server.authenticated-url-patterns=/rest/**
```
Please guide
Regards
Hi,
- If you want to use an access token - you need to pass it as a header.
- If you want to get a file via browser - you need to be logged in (via browser, not access token) as a user with proper permissions.
I don’t actually understand your scenario.
Describe it step by step.
And you mentioned it somehow worked before - what version of Jmix was it?
Regards,
Ivan
Thanks,
- I am logging in from the frontend with the admin role, with the roles system-full-access, rest-minimal and rest-file-management (UI & API) as suggested by you.
- First I logged in from my React frontend by getting the access token using the method provided in the Jmix documentation, using the URL https://xxx.xxxxxxx.xxx/oauth2/token and providing it the username, password, client id and client secret. I am getting the access_token successfully.
- On the next page, I am getting a list of entities, with one field as fileref, using the REST query given below with the same access token received in step 1:
  "https://xxx.xxxxxxx.xxx/rest/queries/SiteDiaryEntry/siteDiaryEntryByProjectByDate?projectID=eb24099c-802f-89a3-2952-fa0551fa9ff6&lDate=2025-02-14"
  I am getting the list of entities successfully.
- Now, I am displaying these entities in cards in the frontend and showing the image file named in fileref in an img tag, providing src as URL and token like this:

```jsx
<img
  key={index}
  src={`https://xxx.xxxxxxx.xxx/rest/files?fileRef=${encodeURIComponent(entry.attachment)}&access_token=${location?.state?.data?.access_token}`}
  alt="SS"
/>
```

All other data is properly displayed, but the image download request gets an unauthorized response.
I don’t exactly remember in which version it was working, as I haven’t tested the frontend for the last 3-4 months. But it was always working.
For the problem related to spaces in filenames for files downloaded through the REST API, I have also referred to this forum discussion: File downloading via REST with space in filename won't work. Here also the user is downloading a file using access_token in the URL.
Please guide.
Regards
Hi,
It looks like access_token as a URL parameter has been disabled by default since some version of Spring Resource Server. As a bad approach.
As a workaround, try to create the following bean in your project:
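```java
import org.springframework.context.annotation.Bean;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;

@Bean
public BearerTokenResolver bearerTokenResolver() {
    DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
    // Also accept the bearer token from the access_token URI query parameter (off by default)
    bearerTokenResolver.setAllowUriQueryParameter(true);
    return bearerTokenResolver;
}
```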
This resolver will be used to get the token from the request, but now it is allowed to get it from URL parameters also.
Regards,
Ivan
Thanks very much Ivan. It is working now. Thanks again.
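The header-based approach recommended in the thread, applied to the img case, as an added example that is not part of any post or of Jmix itself: an img src cannot carry an Authorization header, so the file is fetched with the bearer token in the header and displayed through a blob URL, which keeps the token out of URLs, server logs and browser history. The helper names `buildFileRequest` and `loadImageObjectUrl`, the injectable `fetchImpl` parameter and an application served at the root context path are assumptions.

```javascript
// Added example: helper names are hypothetical, not part of Jmix or React.
const FILES_PATH = "/rest/files"; // assumes the app is served at the root context path

// Build the download request: fileRef goes in the query string,
// the access token goes only in the Authorization header.
function buildFileRequest(baseUrl, fileRef, accessToken) {
  if (!accessToken) throw new Error("access token is required");
  const url = new URL(FILES_PATH, baseUrl);
  url.searchParams.set("fileRef", fileRef); // URLSearchParams percent-encodes the value
  return {
    url: url.toString(),
    init: { method: "GET", headers: { Authorization: `Bearer ${accessToken}` } },
  };
}

// Fetch the file and return a blob: URL that can be used as <img src>.
// fetchImpl is injectable so the function can be exercised without a server.
async function loadImageObjectUrl(baseUrl, fileRef, accessToken, fetchImpl = fetch) {
  const { url, init } = buildFileRequest(baseUrl, fileRef, accessToken);
  const response = await fetchImpl(url, init);
  if (response.status === 401 || response.status === 403) {
    // Token expired or the role lacks rest.enabled / rest.fileDownload.enabled
    throw new Error(`file download rejected: HTTP ${response.status}`);
  }
  if (!response.ok) throw new Error(`file download failed: HTTP ${response.status}`);
  const blob = await response.blob();
  return URL.createObjectURL(blob); // caller must URL.revokeObjectURL() when done
}

// React usage sketch (inside a component; API_BASE and token are placeholders):
// useEffect(() => {
//   let objectUrl;
//   loadImageObjectUrl(API_BASE, entry.attachment, token)
//     .then((u) => { objectUrl = u; setSrc(u); })
//     .catch(() => setSrc(null));
//   return () => { if (objectUrl) URL.revokeObjectURL(objectUrl); };
// }, [entry.attachment, token]);
```

With this in place the server needs no `BearerTokenResolver` override, since the token arrives in the header that the resource server reads by default.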