
Validation of CSRF Token

Former Member

Hello,

we are trying to run the SAP CART APPROVAL App in our system landscape.

We have implemented a Relay Server, SUP, Gateway and backend system.

The baskets are displayed on the device, but when we try to approve or reject,

we receive an error.

We receive the following information on the Android device:

[09:00] EntityManager Online request: ...ApplyDecision?WorkitemID=000006289817&DecisionKey=APPROVED&Comment=

[09:00] EntityManager onError, ...ApplyDecision?WorkitemID=000006289817&DecisionKey=APPROVED&Comment=

[09:00] EntityManager Error occured, SDM ErrorCode: 1, HTTPStatusCode: 403

[09:00] EntityManager HttpResponse Status code: 403, Reason: Forbidden

[09:00] EntityManager ParseSDMODataErrorXML() could not parse the message. Message was:

[09:00] EntityManager Validation of CSRF-Token failed

In the SUP we see the following information:

2013-02-19 09:00:20.800 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response body from Gateway

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 403 Forbidden

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

2013-02-19 09:00:20.732 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

2013-02-19 09:00:20.729 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

2013-02-19 09:00:20.727 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

2013-02-19 09:00:16.946 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

2013-02-19 09:00:15.859 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

2013-02-19 09:00:15.855 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

2013-02-19 09:00:15.853 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

2013-02-19 09:00:06.234 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

2013-02-19 09:00:03.603 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

2013-02-19 09:00:03.599 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

2013-02-19 09:00:03.597 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

2013-02-19 09:00:02.866 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

2013-02-19 09:00:02.863 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

2013-02-19 09:00:02.862 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

2013-02-19 09:00:02.862 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

2013-02-19 09:00:02.555 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

2013-02-19 09:00:02.553 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

2013-02-19 09:00:02.552 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

2013-02-19 09:00:01.822 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

2013-02-19 09:00:01.522 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

2013-02-19 09:00:01.517 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

2013-02-19 09:00:01.515 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

2013-02-19 09:00:01.511 WARN Security MessageChannel Thread-380 [com.sybase.security.core.PreConfiguredUserLoginModule]Authentication failed Authentication failed due to invalid credentials.

2013-02-19 09:00:01.511 WARN Security MessageChannel Thread-380 [com.sybase.security.core.PreConfiguredUserLoginModule]Authentication failed Authentication failed due to invalid credentials.

From my point of view we have a problem with the CSRF token.

When we connect to the Gateway via browser and try to retrieve a token, it works:

    Status Code: 200 OK

    Age: 0

    Cache-Control: proxy-revalidate

    Connection: Keep-Alive

    Content-Encoding: gzip

    Content-Length: 664

    Content-Type: application/xml

    Date: Wed, 20 Feb 2013 07:58:30 GMT

    Proxy-Connection: Keep-Alive

    Server: SAP NetWeaver Application Server / ABAP 731

    Set-Cookie: MYSAPSSO2=AjQxMDIBABgAQQBQAFAAUQBFAFUARABFADAAMQAgACACAAYAMQAwADADABAAQgBNAEQAIAAgACAAIAAgBAAYADIAMAAxADMAMAAyADIAMAAwAD cANQA4BQAEAAAACAYAAgBYCQACAEX%2fAPowgfcGCSqGSIb3DQEHAqCB6TCB5gIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHGMIHDAgEBMBkwDjEM MAoGA1UEAxMDQk1EAgcgEhEHFEZWMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMzAyMjAwNzU4Mjda MCMGCSqGSIb3DQEJBDEWBBQoQvYZzNAklv5z74dA2YIFgofCjDAJBgcqhkjOOAQDBC4wLAIUMhHj5Z4INdzsqEXLbvwu1jfrkmgCFCBZjFqrgT6l28odXnoG96M2FkDx; path=/; domain=ben-bmd SAP_SESSIONID_BMD_100=Caq_vzGfPjfPmBNTJQNk9VEkGjhPBhVg4QCAAKwaY30%3d; path=/

    X-CSRF-Token: Zmcy5Fs0QnaZHX6q2BhMfw==

    dataserviceversion: 2.0

When activating the debug mode on the Gateway server, it seems that the App does not send a CSRF token back to the server.

Does anybody have an idea what we have forgotten?

The parameter for the CSRF check is enabled on the Gateway. The class /IWFND/CL_SODATA_HTTP_HANDLER is also active.

Thanks for your answer.

Answers (3)

AshwinDutt

Hello Benjamin,

Any modifying request needs the CSRF token to be passed in the headers.

Perform a GET operation and get the token by setting the header as below.

The GET response will have the token value:

X-CSRF-Token : Zmcy5Fs0QnaZHX6q2BhMfw==

Now pass this value as below in the header of your modifying request.

On passing the token you will be able to fire any of your modifying requests through GW.

Regards,

Ashwin
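The fetch-then-replay handshake Ashwin describes, as an added example that is not part of the original thread and not SAP code. `FakeGateway` is a stand-in that models the behaviour reported in the post (a GET carrying `X-CSRF-Token: Fetch` returns a token; a modifying request without a valid token is answered with 403 and the text "Validation of CSRF-Token failed"); the assumptions that the token is bound to the session cookie, that `Fetch` is matched case-insensitively and that the 403 carries `X-CSRF-Token: Required` are mine, not taken from the thread. `OdataClient` is the part the app or SUP has to get right.

```python
"""Added example: the SAP Gateway X-CSRF-Token handshake, simulated end to end.

FakeGateway and OdataClient are NOT SAP code. They model the behaviour the
thread describes: GET + "X-CSRF-Token: Fetch" returns a token, and a modifying
request without a valid token gets 403 "Validation of CSRF-Token failed".
"""
import secrets

FETCH = "fetch"


class FakeGateway:
    """Stand-in for the Gateway CSRF handler.

    Assumption (mine, not from the thread): the issued token is bound to the
    session cookie, so a token replayed without its cookie is rejected too.
    """

    def __init__(self):
        self.tokens = {}  # session id -> issued CSRF token

    def handle(self, method, headers, cookies):
        sid = cookies.get("SAP_SESSIONID")
        new_cookies = {}
        if sid is None:
            sid = secrets.token_urlsafe(16)
            new_cookies["SAP_SESSIONID"] = sid  # Set-Cookie on first contact
        if method == "GET":
            resp_headers = {}
            if headers.get("X-CSRF-Token", "").lower() == FETCH:
                token = self.tokens.setdefault(sid, secrets.token_urlsafe(16))
                resp_headers["X-CSRF-Token"] = token
            return 200, resp_headers, new_cookies, "<feed/>"
        # Every non-GET request is modifying and must carry the token that was
        # issued to *this* session. compare_digest avoids a timing side channel.
        expected = self.tokens.get(sid)
        supplied = headers.get("X-CSRF-Token")
        if expected is None or supplied is None or not secrets.compare_digest(expected, supplied):
            # Assumed 403 shape: "X-CSRF-Token: Required" plus the text seen in the post
            return 403, {"X-CSRF-Token": "Required"}, new_cookies, "Validation of CSRF-Token failed"
        return 200, {}, new_cookies, "<entry/>"


class OdataClient:
    """What the mobile app (or SUP acting for it) must do: keep the session
    cookie from the Fetch response and replay both cookie and token."""

    def __init__(self, gateway):
        self.gw = gateway
        self.cookies = {}
        self.token = None

    def _send(self, method, headers):
        status, resp_headers, set_cookie, body = self.gw.handle(method, headers, dict(self.cookies))
        self.cookies.update(set_cookie)  # honour Set-Cookie like a browser would
        return status, resp_headers, body

    def fetch_token(self):
        status, resp_headers, _ = self._send("GET", {"X-CSRF-Token": "Fetch"})
        self.token = resp_headers.get("X-CSRF-Token")
        return self.token

    def apply_decision(self, send_token=True):
        # Stands for the modifying call from the post (.../ApplyDecision?...).
        headers = {"X-CSRF-Token": self.token} if send_token and self.token else {}
        status, _, body = self._send("POST", headers)
        return status, body


def approve_without_token():
    """The failure in the post: token fetched but never sent -> 403."""
    client = OdataClient(FakeGateway())
    client.fetch_token()
    return client.apply_decision(send_token=False)[0]


def approve_with_token():
    """Fetch, then replay token together with the session cookie -> 200."""
    client = OdataClient(FakeGateway())
    client.fetch_token()
    return client.apply_decision()[0]


def approve_with_token_but_new_session():
    """Token replayed without the cookie it was issued with -> still 403."""
    client = OdataClient(FakeGateway())
    client.fetch_token()
    client.cookies.clear()  # simulate a proxy hop that drops the session cookie
    return client.apply_decision()[0]


if __name__ == "__main__":
    for fn in (approve_without_token, approve_with_token, approve_with_token_but_new_session):
        print(f"{fn.__name__}: HTTP {fn()}")
```

The third case is the check worth making in a Gateway trace beyond "is the header there": the modifying request has to arrive with both the `X-CSRF-Token` header and the session cookie (`SAP_SESSIONID_...` or `MYSAPSSO2`) that came back on the Fetch response. In this model a token presented on a fresh session fails with exactly the same 403 as a missing token, so a proxy between app and Gateway that does not forward cookies produces the symptom from the post even when the app does send the header.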

balaji_bodagala5

Can you try to call the OData service from the browser and pass the same values as URL parameters? Usually it will prompt for a user name and password; check the HTTP error codes.

former_member195242

Hi Benjamin,

Any modifying request in OData requires a CSRF token, which you fetched in the GET request. You can check in the application whether you have passed the X-CSRF-Token header in the HTTP request to approve the cart.

Best regards,

Aakash