Getting 403 Forbidden error while testing webApi internally

Hi guruprakashk As per my understanding, 403 errors are almost always caused by issues where you're trying to access something that you don't have access to.

Before i proceed further and discuss about the resolution step, i would like to know, following:
1. The Service which you are trying to consume, are they using SSL?

However You can try following steps to resolve this issue, mention below:

1. Clear Your Browser Cache(sometime browser caches also may cause 403). Issues with a cached version of the page you're viewing could be causing 403 Forbidden issues

2. It will be useful if you obtain the information on HTTP response headers. If you are using Mozilla Firefox, you can download an 'add-ons' (extension) called LiveHTTPHeaders which will allow you to capture this information. If you are using Internet Explorer, you can use DebugBar instead, to see what headers the browser is sending, then emulate them in your code using a!httpHeader() function.

Hope the step-2 will give you clear picture about what are the headers you need to send while making a request to this Service.

Also please do remember, if the API uses SSL, in such case you need to configure the same in Appian as well. However you can have a try on above mention steps, hope this will work for you.

Hi guruprakashk As per my understanding, 403 errors are almost always caused by issues where you're trying to access something that you don't have access to.

Before i proceed further and discuss about the resolution step, i would like to know, following:
1. The Service which you are trying to consume, are they using SSL?

However You can try following steps to resolve this issue, mention below:

1. Clear Your Browser Cache(sometime browser caches also may cause 403). Issues with a cached version of the page you're viewing could be causing 403 Forbidden issues

2. It will be useful if you obtain the information on HTTP response headers. If you are using Mozilla Firefox, you can download an 'add-ons' (extension) called LiveHTTPHeaders which will allow you to capture this information. If you are using Internet Explorer, you can use DebugBar instead, to see what headers the browser is sending, then emulate them in your code using a!httpHeader() function.

Hope the step-2 will give you clear picture about what are the headers you need to send while making a request to this Service.

Also please do remember, if the API uses SSL, in such case you need to configure the same in Appian as well. However you can have a try on above mention steps, hope this will work for you.

Hi Alok,

Thanks for the workarounds. The service is using "TLS 1.0, AES with 128 bit encryption (High); RSA with 2048 bit exchange" connection and may be some firewall settings since bank network(I am not sure about it).

Also I tried to clear cache and checked the debugs but nothing helped me.

My confusion is while testing internally , it is giving the expected output.

But with the same environment and after providing admin access to the webApi , when I try to test to it through expression rule , it is giving me forbidden error.

Kindly help me out...

May I know, is both the url same , as mention in above 2 screenshots.

I believe the first url is your own web API url
Whereas the second one is, the one where you want to interact.

Am I right?

Also I would like to say, TLS 1.0 is legacy, and Appian is going to stop the support for this in upcoming version.

I understand that you are working with old version of Appian i.e. 16.x but I wouldn't recommend you to go for this.

In fact java 7 also stopped the direct support for TLS 1.0.

But still if you want to proceed, I think you need to import the client certificate in Appian, which will be provided by the service provider. Third party credentials will not help you in such case, this is specially introduced for HTTP BASIC AUTHENTICATION.

Yes, the URL remains the same. If we create a webApi with GET method , the URL gets generated automatically in the Test Inputs column and you can see the same in the first snapshot. I am using the same URL to test it from a expression rule. In addition I am providing the credentials and pre-emptive as true. The URL remains same in both the snapshots.

Ya Alok I can understand . But I am in a bank network and there is no information about updates since many applications are running on it. But even for testing it from my admin id do I need client certificates ? If so what certificate should I need to update ?

If i am not wrong, Yes you need the Client Certificate. Basically that is required, when the you are trying to integrate a 3rd Party System which requires TLS/SSL Authentication to interact