Jump to content
  • Checkout
  • Login
  • Get in touch


The e-commerce.

worldpay payment gateway 403 forbidden hosted integration


Recommended Posts

I googled worldpay forums and this forum showed up with a decent covering of worldpay pg issues.

I have my server certificate signed(SHA2) by the required root authority (digicert global G2).  When I send a GET to the worldpay test url https://secure-test.worldpay.com with Authorization header and an empty body - I get a 200 OK with partial/truncated message body. When I send the full xml for an imaginary order per the DTD here, LiveDTD: paymentService_v1.dtd (worldpay.com) - I get a 403 Forbidden. I have the installation id, merchant code in the right locations as per the schema. I dont know what in the TLS handshake to look for. any pointers on how to get past the 403 is hugely appreciated.


GET /jsp/merchant/xml/paymentService.jsp HTTP/1.1
Content-Type: text/xml
Authorization: Basic Base64-Encoded-Username-Password
User-Agent: PostmanRuntime/7.29.0
Accept: */*
Cache-Control: no-cache
Host: secure-test.worldpay.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 1929
Cookie: ak_bmsc=CA534BF110140D7AB367CE78F764B8C8~000000000000000000000000000000~YAAQZpYRYKAaCC6AAQAAhJZWQQ+JkRXUZ2HR+r4y/J7q+CIdVZ1scpFM8swDkvLD56CDcmfB/qybPDJ9wbMH4CwbowVFNEvOmetiAl2Q132rdGDgh4zmPKo9UDof2tV0aW9cYFud5kPe8OUiVI1xnRGa5TGrXb0iacr+21gPxrZPtHCfXIH4vCsxGSdAWVNDRnN1ejxmutMhGzk3/sCpCVkK8mJlZ4EMdwMBoJgE65eVpYvxHYlvk+wlaX/p0mdLiztkyoCyiFbEhUvKfSAHDUJ6mbSFZW1yCsGIavCvx6GkwbCkeR7N6GycFHiRk5xTl1psLfkZcQWAIo33IhCuXHptZNBJkKejEX4gUycGOlqAq4LycB4LQck9tjR6hfI=; machine=0a844015
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd">
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE paymentService PUBLIC "-//WorldPay//DTD WorldPay PaymentService v1//EN" "http://dtd.worldpay.com/paymentService_v1.dtd">
<paymentService version="1.4" merchantCode="XXXXXX">
<order orderCode="jsxml353135552341234" installationId="xxxxxx">
<description>test order</description>
<amount value="100" currencyCode="EUR" exponent="2"/>
<include code="ALL"/>
<shopperEmailAddress>[email protected]</shopperEmailAddress>
<street>The Science Park</street>
<postalCode>CB4 0WE</postalCode>
<address2>Queensbridge Road</address2>
HTTP/1.1 403 Forbidden
Mime-Version: 1.0
Content-Type: text/html
Content-Length: 327
Expires: Tue, 19 Apr 2022 11:27:35 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 19 Apr 2022 11:27:35 GMT
Connection: close
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
<TITLE>Access Denied</TITLE>
<H1>Access Denied</H1>
You don't have permission to access "http&#58;&#47;&#47;secure&#45;test&#46;worldpay&#46;com&#47;jsp&#47;merchant&#47;xml&#47;paymentService&#46;jsp" on this server.<P>
What is really odd aabout the HTML in 403 Forbidden response is the presence of the HTTP scheme in the URL. I used HTTPS to make the GET request. I dont know if I must read too much into the unsecure http scheme or whether it is indicative of any cause
Edited by kalidasa
Link to comment
Share on other sites

I agree that returning a different schema in the error message is weird but may not be meaningful.

The 403 return usually means an authentication problem but may also relate to trying to do something that's not permitted. Try submitting an order value in GBP - maybe the account doesn't handle euros.

I have found the worldpay technical team quite helpful in the past, though remote working has made them harder to get hold of.

Contact me for work on updating existing stores - whether to Phoenix or the new osC when it's released.

Looking for a payment or shipping module? Maybe I've already done it.

Working on generalising bespoke solutions for Quickbooks integration, Easify integration and pay4later (DEKO) integration at 2.3.x

Link to comment
Share on other sites

It is the wierdest of things - with Worldpay support I discovered that using POST instead of GET method solved the problem. The documentation never goes into detail about this basic info and being a total noob to web applications, I could not spot it (relying heavily on our software vendor who does this day in and day out)

Thanks Brockey John for the message, but I had to run around worldpay team for a month now and I got a bad apple from the bunch who just sent me off on rock fetching exercises. Ultimately, it turned out to be such a trivial issue that is embarassing to report

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Unfortunately, your content contains terms that we do not allow. Please edit your content to remove the highlighted words below.
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...