REST2 services on web module

Hi all,
I need your help again, as now I’m stuck with getting REST services to work the web module (I’m developing a little module displayed in a frame with joint.js, and I need some interaction)
I’ve got stuck at the first step, at obtaining the oauth token[Getting an OAuth token] (
First I thought it was not enabled, as the documentation states, it’s not switched on by default for the web module, but the checkbox is gone from the mentioned screen (Project properties>Edit>Advanced) However I’ve found

    <context:component-scan base-package="com.haulmont.cuba.restapi"/>

in web-dispatcher-spring.xml, so I think it’s enabled. Then I’ve created cuba-rest-services.xml(see attached) file with one service in it for now, put it into the config, and added a username/password as well in

cuba.restServicesConfig = +cuba-rest-services.xml = internal = ListenDoYouWantToKnowASecret
cuba.restApi.enabled = true

Now I’m trying to obtain the OAuth Token by calling http://localhost:8080/app/rest/v2/oauth/token
from Postman with


Authorization:Basic Y2xpZW50OnNlY3JldA==



All I get back is just

  "error": "unauthorized",
  "error_description": "Bad credentials"

I don’t really know how could I debug this, on which class the request goes through, etc.
Please help what am I missing?

cuba-rest-services.xml (226B)

web-security-spring.xml (675B)



web.xml (4.0K)

1 Like

Hi Brian,

I think if you change any of the properties files, changes will have effect only when you restart the app.
The main thing here is that you will need two set of passwords here in order to get the token one is set in and in your (web-) and the second is a live user what you put in the details. You’ll have to Base64 encode the first pair by joining them with a ‘:’ and then put it to the header int the key “Authorization”, prepended with "Basic "

Something like this should do:

String userName = 'someuser'
String password = 'somepassword'

String oauthUsername = AppContext.getProperty("")
String oauthPassword = AppContext.getProperty("")

String basicAuthToken = Base64.getEncoder().encodeToString((oauthUsername + ':' + oauthPassword).getBytes()).toString()

def url = appUrl + "/rest/v2/oauth/token"

URL obj = new URL(url);
HttpURLConnection con = (HttpURLConnection) obj.openConnection()

//add request header
con.setRequestProperty("Authorization", "Basic " + basicAuthToken)
con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded")

String urlParameters = "grant_type=password&username=" + userName + "&password=" + password

Let me add my 2 cents.

The data-manipulation sample contains a working REST client with login method written in Java, see here.

1 Like

Hi Brian,
That is what I said in my answer - in the request body there must be credentials of the real user, e.g. admin/admin. and is used for basic authentication of the request.


In the Authorization header you must pass the the client id and secret, separated by a single colon (":") character, within a base64 encoded string. You changed the value for the and values, but still use the Authorization header value for the default settings.

As for the body, you must pass not the and values there, but login and password of some existing user.

1 Like

Hi Max,

that makes sense now, and it works :slight_smile:
I think it would worth mentioning this in the documentation, as your key sentence, which resolves everything is REALLY missing from there… (
“In the Authorization header you must pass the the client id and secret, separated by a single colon (”:") character, within a base64 encoded string."


Thanks for the hint. We’ll do that.

In addition to the above, I had to add grant_type, username and password to the x-www-form-urlencoded body as additional parameters. Strange thing was that for the username and password used here I had to use a standard cuba username/pwd (e.g. admin/admin) instead of the and as the docs suggest.

Nice one Konstantin! :slight_smile:
I think what would be really good, to be able to capture the currently logged-in user’s credentials and use them instead of a hardcoded one. I have tried to capture them on the loginwindow, by overriding the login function, but because of the “remember me” feature I get only the hash token as password…