Getting a 403 Forbidden error on plugin request

Question

I'm trying to fire a plugin request from my ICN plugin. The request goes as below. However, I'm getting a 403 Forbidden error from the server.

Forbidden You don't have permission to access /navigator/jaxrs/plugin on this server.

https://<icnserver.com>/navigator/jaxrs/plugin?repositoryId=Demo&query=%5B%7B%22name%22%3A%22ID%22%2C%22operator%22%3A%22LIKE%22%2C%22values%22%3A%5B%22123434234%22%2C%22%22%5D%7D%5D&className=Checks&plugin=DemoPlugin&action=DemoService&desktop=Demo

Plugin JS:

aspect.around(ecm.model.SearchTemplate.prototype, "_searchCompleted", function advisingFunction(original_searchCompleted){
    return function(response, callback, teamspace){
        var args = [];
        var templateName = response.templates[0].template_name;
        var res = response;
        var requestParams = {};
        requestParams.repositoryId = this.repository.id;
        requestParams.query = query;
        requestParams.className = templateName;
        
        Request.invokePluginService("DemoPlugin", "DemoService",
            {
                requestParams: requestParams,
                requestCompleteCallback: lang.hitch(this, function(resp) {  // success
                    res.rows = resp.rows;
                    res.num_results = resp.rows.length;
                    res.totalCount = resp.rows.length;
                    args.push(res);
                    args.push(callback);
                    args.push(teamspace);
                    original_searchCompleted.apply(this,args);
                })
            }
        ); 
    }
});

Answer 1

You need to provide a security_token to be able to call your service, so you need to login first. Then, open your browser's debug and check the requests in the network tab. There you can see that every request that targets the /navigator/jaxrs/* URI will contain it, so something like this will be among the headers:

security_token: 163594541620199174

So my bet is that you have not set it in your client (I recommend a postman to test your service, or I would add a test (ICN) feature page in the ICN plugin project in order to be able to call it properly). In your feature page, you can call your service directly using the ecm/model/Request OOTB navigator dojo/javascript class, as you can see in CheckinAction.js:

        _checkInDocument: function (item, requestData) 
    {
        var self = this;
        var payLoadObject = {requestType: "Get", id: item.id};
        
        Request.postPluginService("DocuSignPlugin", "UpdateSignedDocumentService",  "application/json", {
            requestParams: {
                repositoryId : item.repository.id,
                serverType : item.repository.type,
                docId : item.docid,
                envelopeId: item.attributes.DSEnvelopeID,
                payLoad: json.stringify(payLoadObject)
            },
            requestCompleteCallback: function(response) {
                if (response.returncode == 0)
                {
                    item.attributeDisplayValues.DSSignatureStatus = "Checkedin";
                    item.attributes.DSSignatureStatus = 4;
                    item.update(item);
                }
                else if (response.returncode == -1)
                {
                    items = [];
                    items.push(item);
                    self._showLoginDialog(items);
                }                   
            },
            backgroundRequest : false,
            requestFailedCallback: function(errorResponse) {
                // ignore handline failures
            }
        });
    },
    

As you can see, you don't have to add the security_token to the requestParams, the framework will do it for you.