Open-platform-demo rest api


I am trying to test the rest api.

I have cloned and I’m running the project on v5.3.0

When I run the request

POST http://localhost:8080/open-platform-demo/login.jsp
with the headers Content-Type: application/json
and the json payload { "username": "admin", "password" : "admin" }

I get the login page page and a 200.

Does the demo not support the Rest API? Should I include a module?


Reverting to v5.2.0 seems to fix the issue.

I’ve opened an issue hoping to speed up the process

rest api end points are different, might be i did not get you fully

@gilles there is a change in login flow in 5.3. You have to use /callback instead of /login.jsp and check for the CSRF-TOKEN cookie CSRF-TOKEN response header (in case of CORS). You have to send this token with every subsequent requests with X-CSRF-Token request header.

The documentation will be updated soon.

1 « J'aime »

Could you please provide an example of this ?

Somethine like:

import requests

LOGIN_URL = 'http://localhost:8080/ws/login.jsp'
headers = {
    'accept': 'text/html,application/xhtml+xml,application/xml',
    'user-agent': xxxxx

response = requests.get(LOGIN_URL, headers=headers, verify=False)

headers['cookie'] = '; '.join([ + '=' + x.value for x in response.cookies])
headers['content-type'] = 'application/x-www-form-urlencoded'
payload = {
    'username': 'admin,
    'password': 'admin'

response =, data=payload, headers=headers, verify=False)
headers['cookie'] = '; '.join([ + '=' + x.value for x in response.cookies])

and then I must send this header_cookie with all my request is that right ?

Hi there,

Could you follow up on this point when you have some time please. I currently am receiving the JSESSION cookie but not CSRF-TOKEN cookie. Any help appreciated. Thank you!

The CSRF token is required for web apps only. For other cases, make sure to enable session cookies with your http client.

Thank you for getting back so quick.

I’m using the Axelor API through a React frontend make the request using Axios.

Using postman the request can be made however I am unable to successfully make the same request in the browser. Postman adds the session cookie and CSRF token with the headers however when trying to do this in the browser a security issue is raised and the request can’t be made.

you are directly calling axelor end point or via backend?

There seems to be a regression that prevents cross origin requests because of csrf protection. We are looking in the issues and will update once resolved.

2 « J'aime »

Thats great thank you a thousand. I’ll keep a watch for an update. Thanks again.

Hi @daryl, the fix has already landed in dev branch.

While making cross origin request, you will get the CSRF token as a X-CSRF-Token response header with the login request. You should use the same header with all the sub-subsequent requests to pass the token back to the server.

Hi Am,

Thanks a mill for keeping in touch about this.
Looking forward to testing/using the update.
I’ll keep in touch.

Thanks again.

Hi Siddique,

I am directly calling the Axelor end point.

Hello @daryl , did the update solved your issue?
I am facing the same problem as you, while i am using the axelor code from November, and I would like to know if updating it will solve the problem.
Keep me in touch !

Hi Victor,

Sorry for the slow reply just seeing this.

Yes the update seemed to fix the issue. Both tokens are now received.