403 ModSecurity Action

I am making a POST call to SAP using my REST API. When I use the elastic URL I get the expected data, but when I use the on-premise secured URL I do not get the output; instead it says:

"403 - Forbidden: Access is denied.

You do not have permission to view this directory or page using the credentials that you supplied."

I have given the authorization as well. Can someone please suggest how to rectify or handle the error?

Are you sure the credentials you are passing into the request have permission to hit that endpoint?

Here is a great summary of 401 vs 403 from Daniel Irvine:

There’s a problem with 401 Unauthorized, the HTTP status code for authentication errors. And that’s just it: it’s for authentication, not authorization. Receiving a 401 response is the server telling you, “you aren’t authenticated–either not authenticated at all or authenticated incorrectly–but please reauthenticate and try again.” To help you out, it will always include a WWW-Authenticate header that describes how to authenticate.

This is a response generally returned by your web server, not your web application.

It’s also something very temporary; the server is asking you to try again.

So, for authorization I use the 403 Forbidden response. It’s permanent, it’s tied to my application logic, and it’s a more concrete response than a 401.

Receiving a 403 response is the server telling you, “I’m sorry. I know who you are–I believe who you say you are–but you just don’t have permission to access this resource. Maybe if you ask the system administrator nicely, you’ll get permission. But please don’t bother me again until your predicament changes.”

In summary, a 401 Unauthorized response should be used for missing or bad authentication, and a 403 Forbidden response should be used afterwards, when the user is authenticated but isn’t authorized to perform the requested operation on the given resource.

So it seems like you’re passing a user with correct credentials, but maybe it might not have access to do what you’re trying to do. Is there a different user you can try to communicate to your on-prem endpoint?
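The split described in the answer above (401 when credentials are missing or wrong, with a WWW-Authenticate challenge; 403 when the caller is known but not allowed) is easy to get wrong on both ends. The following is an added example, not code from the thread, from SAP or from the poster's API: a minimal server-side decision function using HTTP Basic authentication, with a constructed user table and ACL (the users `alice` and `bob`, the path `/api/orders` and the realm name are all assumptions), plus a client-side helper that decides whether a response is worth retrying with different credentials.

```python
import base64
import hmac
from typing import Optional

# Constructed sample data for illustration only (not from the original post):
# a user table and an ACL of which users may call which method/path.
USERS = {"alice": "s3cret", "bob": "hunter2"}
ACL = {
    ("POST", "/api/orders"): {"alice"},
    ("GET", "/api/orders"): {"alice", "bob"},
}
REALM = "onprem-api"  # assumed realm name


def basic_header(user: str, password: str) -> str:
    """Build an Authorization header value for the constructed users above."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[str]:
    """Return the username if the header carries valid Basic credentials,
    otherwise None. The password check uses a constant-time comparison."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[len("Basic "):], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    expected = USERS.get(user)
    if expected is None:
        return None
    if not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def handle(method: str, path: str, headers: dict) -> tuple:
    """Server-side decision: returns (status, response_headers, body).

    401 = not authenticated (missing or bad credentials); it always carries
          a WWW-Authenticate challenge so the client knows how to retry.
    403 = authenticated but not authorized for this method/path; no
          challenge, because retrying with the same credentials cannot help.
    """
    user = parse_basic_auth(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}, "authentication required"
    allowed = ACL.get((method, path), set())
    if user not in allowed:
        return 403, {}, f"{user} is not permitted to {method} {path}"
    return 200, {}, f"ok: {user} {method} {path}"


def should_retry_with_new_credentials(status: int, headers: dict) -> bool:
    """Client-side decision mirroring the thread: a 401 invites
    re-authentication (and must carry WWW-Authenticate); a 403 does not."""
    return status == 401 and "WWW-Authenticate" in headers


if __name__ == "__main__":
    # bob is a valid user but is not in the ACL for POST: expect 403, no retry.
    status, hdrs, body = handle("POST", "/api/orders", {"Authorization": basic_header("bob", "hunter2")})
    print(status, body, "retry:", should_retry_with_new_credentials(status, hdrs))
    # No credentials at all: expect 401 with a challenge, retry makes sense.
    status, hdrs, body = handle("POST", "/api/orders", {})
    print(status, hdrs, body, "retry:", should_retry_with_new_credentials(status, hdrs))
```

The point for the original question: a 403 with valid credentials, as in the thread, means the server accepted who you are and rejected what you asked for, so the fix is on the authorization side (a different user, or a grant for this one), not in how the Authorization header is sent. The example lets a user lookup miss short-circuit before the password comparison; in a production service you would compare against a dummy secret on that path too, so that response timing does not reveal which usernames exist.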

Hi Allen,

Thank you so much for the reply and the analysis. One person on my team is able to get the expected output. So, as you have suggested, it must be an issue with the authorization.
