DSpace REST API access denied


Lewatle Johannes Phaladi

Feb 8, 2023, 7:25:36 AM
to DSpace Technical Support
Hi DSpace Team,

I am integrating DSpace 7 with an external site using the REST API, and I am getting the following error. The site will be pushing items to the DSpace 7 repository. I have created a collection and added a user as an admin user to push items to that collection using the REST API. Any advice is appreciated:

 rest api error.png
Also please see the following bottom part of log file:

2023-02-08 14:12:34,633 WARN  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 4be5c62f-c00d-459a-aa19-5e7bc1a3c971 org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ Authentication is required (status:401 exception: Access is denied at: org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73))
2023-02-08 14:12:34,927 INFO  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 566dfe1c-97c9-478a-a7e5-9ed952bfeedf org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /xmlui/browse?type=subject&value=protein%2Bfolding
2023-02-08 14:12:34,927 INFO  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 6988db4c-67d2-421c-a5dd-8c17ed903092 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /xmlui/browse?type=subject&value=protein%2Bfolding
2023-02-08 14:12:34,927 INFO  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 37aaec75-a8ab-4025-a03e-4e7bb9b403a7 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /xmlui/browse?type=subject&value=protein%2Bfolding
2023-02-08 14:12:34,928 INFO  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 06d1084e-3458-44ed-a3cf-b5672829feda org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /xmlui/browse?type=subject&value=protein%2Bfolding
2023-02-08 14:12:34,931 INFO  8b8d2fb9-8569-4973-9168-b9fbaa0b6015 932de25e-437b-48ed-a6f4-7bbdfe783320 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /xmlui/browse?type=subject&value=protein%2Bfolding
2023-02-08 14:12:38,192 INFO  unknown fd90964e-63aa-403f-a1d7-3aa408894d59 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,208 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 914c9aea-0a8b-41f6-9fd3-b33912d212fd org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authn/status] originated from /
2023-02-08 14:12:38,220 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 95337709-2af1-4791-997b-e799d22c2e2f org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,232 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 c87c18c7-ff99-40a2-b085-a2bfe5f7b610 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,259 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 0c08261b-df34-4985-8eaa-3838b66bd616 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/pid/find] originated from /
2023-02-08 14:12:38,274 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 a9a14e04-2565-4e5a-aa0e-c0995d0863e5 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905] originated from /
2023-02-08 14:12:38,316 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 616f08b5-7fb8-46d1-9c1a-d3251c2a4f51 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,329 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 d514e9d5-1162-4d9e-9fa9-d6dfba06142b org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,340 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 6b23926e-4ff3-4508-b5e7-4f67421c6a8b org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api] originated from /
2023-02-08 14:12:38,895 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 35240db7-2438-4a2a-9d6c-0dcbc40a0d9f org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/system/scripts/metadata-export] originated from /
2023-02-08 14:12:38,895 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 805d66ed-f6b6-46d9-8a88-4a21bb639c70 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/discover/browses] originated from /
2023-02-08 14:12:38,895 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 5506289b-d6c6-45a1-9c09-7dc5207abeea org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/sites] originated from /
2023-02-08 14:12:38,897 WARN  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 35240db7-2438-4a2a-9d6c-0dcbc40a0d9f org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ Authentication is required (status:401 exception: Access is denied at: org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73))
2023-02-08 14:12:38,899 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 39e901a0-0d78-4812-b685-5568c65c5b34 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/system/scripts/metadata-import] originated from /
2023-02-08 14:12:38,900 WARN  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 39e901a0-0d78-4812-b685-5568c65c5b34 org.dspace.app.rest.exception.DSpaceApiExceptionControllerAdvice @ Authentication is required (status:401 exception: Access is denied at: org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:73))
2023-02-08 14:12:38,901 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 328de12c-c307-4800-b7d9-f2903bddb6b4 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/owningCollection] originated from /
2023-02-08 14:12:38,901 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 a58b2de9-6b39-43b7-9f67-07ff385c1a9f org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/relationships] originated from /
2023-02-08 14:12:38,901 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 bacc164c-20a7-4e27-9336-d0faebe94270 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/bundles] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:38,902 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 ece5b50f-c86c-4a98-bcab-41a49bfffca5 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/thumbnail] originated from /
2023-02-08 14:12:38,904 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 7084d45b-1d70-44d7-b5c8-561ffc2a43cb org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/mappedCollections] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:38,904 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 2aa581fb-9690-46cd-8de3-02cbb2654005 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/items/a237481f-6f19-4ebf-ba71-cc3d28ef7905/version] originated from /
2023-02-08 14:12:38,905 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 fa9ab109-0646-4d93-9bc4-c411dbbb1289 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:38,906 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 f6fbc375-07c4-4c2d-9c28-476e29ba2e1f org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,353 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 4eb28278-4807-4f0e-9d3a-ad2d759b45d8 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,360 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 67fc1742-5367-489c-b7c7-09356ceed776 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,362 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 e4f9d40f-7953-4f73-9374-1c9e2b7ffd5f org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,363 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 51004632-295b-4f27-b602-a0c7810a249c org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/core/communities/212142a8-a40c-4557-84fa-9db056fbee63/parentCommunity] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,363 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 72f964a1-c6d4-44bc-ad68-6a1ebf9764ef org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,363 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 e5899287-7550-41e8-8fd5-b1927af3b892 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905
2023-02-08 14:12:39,366 INFO  b1dc80ab-3b96-4980-b77c-8f5ab83f4724 a1cefbb1-8a52-467f-9f22-8d019f8e8849 org.dspace.app.rest.utils.DSpaceAPIRequestLoggingFilter @ Before request [GET /server/api/authz/authorizations/search/object] originated from /items/a237481f-6f19-4ebf-ba71-cc3d28ef7905

Regards,
Lewatle 

Tim Donohue

Feb 8, 2023, 10:51:06 AM
to DSpace Technical Support

Hi Lewatle,

When interacting with the DSpace 7 REST API, a CSRF token is *required* to be sent with any modifying requests (POST, PUT, etc).  See the documentation in our REST contract about this: https://github.com/DSpace/RestContract/blob/main/csrf-tokens.md

The error you are seeing is noting that the CSRF token was either invalid or missing from the request.

Tim
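
The CSRF handling described in the reply above, as an added example that is not part of the thread and not DSpace's own code: a minimal standard-library client that reads the token from the `DSPACE-XSRF-TOKEN` response header and returns it in `X-XSRF-TOKEN` on every modifying request. The header names and the `user`/`password` login form fields follow the linked RestContract; the class name, the injectable `transport` parameter and the example host are assumptions made for illustration.

```python
import http.cookiejar
import urllib.parse
import urllib.request

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}  # not CSRF-checked

class DSpaceSession:
    """Tracks the CSRF token and login JWT for a DSpace 7 REST API client."""

    def __init__(self, base_url, transport=None):
        self.base = base_url.rstrip("/")   # e.g. https://dspace.example.org/server
        self.csrf = self.jwt = None
        # The jar sends the server's CSRF cookie back automatically.
        jar = http.cookiejar.CookieJar()
        self._opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(jar))
        self._send = transport or self._http   # transport is injectable for tests

    def _http(self, method, url, headers, body):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        with self._opener.open(req) as resp:   # raises HTTPError on 401/403
            return resp.status, dict(resp.headers.items()), resp.read()

    def request(self, method, path, body=None, headers=None):
        headers = dict(headers or {})
        if self.jwt:
            headers["Authorization"] = self.jwt
        if method.upper() not in SAFE_METHODS:
            if self.csrf is None:
                # Assumption: a plain GET returns a DSPACE-XSRF-TOKEN header.
                self.request("GET", "/api/authn/status")
            if self.csrf is None:
                raise RuntimeError("server did not issue a CSRF token")
            headers["X-XSRF-TOKEN"] = self.csrf
        status, resp_headers, data = self._send(
            method.upper(), self.base + path, headers, body)
        lower = {k.lower(): v for k, v in resp_headers.items()}
        # The token can be rotated (for example at login); keep the newest one.
        self.csrf = lower.get("dspace-xsrf-token", self.csrf)
        return status, lower, data

    def login(self, email, password):
        form = urllib.parse.urlencode({"user": email, "password": password})
        status, hdrs, _ = self.request(
            "POST", "/api/authn/login", form.encode(),
            {"Content-Type": "application/x-www-form-urlencoded"})
        self.jwt = hdrs.get("authorization")   # "Bearer <JWT>" on success
        return status
```

A client that caches the first token and never refreshes it after login will keep getting rejected on POST/PUT, which is why `request` re-reads the header on every response.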

Lewatle Johannes Phaladi

Feb 9, 2023, 8:53:47 AM
to DSpace Technical Support
Hello Tim,

Thanks very much, I will read and see if this can be resolved.

Regards,
Lewatle 

Lewatle Johannes Phaladi

Feb 16, 2023, 6:02:27 AM
to DSpace Technical Support

I have gone through that link and we would like to find out the following:

  • We need to know, when we authenticate, what endpoint to use and what it is expecting.
  • When retrieving the collection, what endpoint to use and what it is expecting.
  • When uploading a document, what endpoint to use and what it is expecting.

Tim Donohue

Feb 24, 2023, 3:54:27 PM
to DSpace Technical Support
Hi,

My general advice when learning about the REST API is to do the following:
* First, look in the REST API documentation at https://github.com/DSpace/RestContract/ for related documentation.
* If you cannot find the endpoint that is used, you can *discover it* easily by using the User Interface.  Our DSpace UI uses the REST API for everything.  So, if you open up the UI and perform an action (like login), you can see in your browser's DevTools (Network tab) which REST API calls it has made.  You can then look for the docs on those endpoints in our documentation at  https://github.com/DSpace/RestContract/

For Uploading, you need to first create a submission, see https://github.com/DSpace/RestContract/blob/main/submission.md

Tim

Lewatle Johannes Phaladi

Feb 27, 2023, 4:32:09 AM
to DSpace Technical Support
Hi Tim,

Much appreciated. I am new to APIs; I will definitely follow the documentation.

Regards,
Lewatle  
