
CSRF-Token validation failed in an OData / GW / SAPUI5 scenario

Former Member
0 Kudos

Hello experts!

We encounter a strange behavior in one of our developments and I wonder if one of you can help me out:

On our development system (D) we set up a SAPUI5 application that communicates with our SAP backend system via a gateway. It consists of GET and UPDATE methods.

Everything went fine on our development system - we did not enable or disable any CSRF-parameters in the SICF-nodes... it just went fine!

Now as we transfer our application to the quality-system (Q), the CSRF-token-validation failed!

We have checked the network-resources in the chrome browser and in fact no token is returned!

At this point we started to amend a couple of things: we set the parameter ~CHECK_CSRF_TOKEN in our service and our BSP to '1', we explicitly request the token in the GET method and provide it at POST (but this does not work as we didn't get a token at all...!), and we changed the service URL from HTTP to HTTPS. Nothing worked in Q but everything worked in D!

Now comes the funny thing:

For testing reasons we have entered user and pw credentials at the BSP in SICF. As we tried to figure out if it could be a problem of authorization, we removed the user and entered it directly in the Chrome prompt that popped up as the system requests the page, and then it works fine... even with the same user we entered at SICF!!!

Can anyone say anything to this?

Thanks a lot in advance!

Accepted Solutions (0)

Answers (3)

Former Member
0 Kudos

Can anyone help me out with how to resolve this error?

PUT............405(method not allowed)

CSRF token validation failed

Former Member
0 Kudos

It looks like the system treats the service as "public" as long as we have entered credentials. The service is not entered in a public SICF node, though!

Andre_Fischer
Product and Topic Expert
0 Kudos

Hi Jörn,

When you enter user credentials in an ICF node, the underlying HTTP framework will not create a CSRF token, and as a result you cannot create a service with hard-coded user credentials to perform updates via SAP Gateway.

If you want to perform updates, the OData client has to use one of the supported authentication methods.

Best Regards,

Andre
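The token handshake that the answer above says never starts on a node with stored credentials, as an added example that is not part of the original thread and not SAP's own code. It assumes the `X-CSRF-Token: Fetch` request header and the `Required` challenge value; `send`, `updateWithCsrf`, `makeNode` and all token and cookie values are hypothetical or constructed.

```javascript
// send(request) -> { status, headers } is a hypothetical synchronous transport.
function header(headers, name) {            // case-insensitive lookup
  const key = Object.keys(headers || {}).find(
    (k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : undefined;
}

function updateWithCsrf(send, serviceUrl, entityPath, payload) {
  // Step 1: non-modifying request that asks the server for a token.
  const fetchResp = send({ method: "GET", url: serviceUrl, headers: { "X-CSRF-Token": "Fetch" } });
  const token = header(fetchResp.headers, "X-CSRF-Token");
  if (!token || token.toLowerCase() === "required") {
    // Symptom from the thread: the GET response carries no token at all.
    return { ok: false, reason: "no-token-issued", status: fetchResp.status };
  }
  // Step 2: the write carries the token plus the cookie of the session
  // that issued it (a browser handles the cookie part by itself).
  const setCookie = header(fetchResp.headers, "Set-Cookie");
  const headers = { "X-CSRF-Token": token, "Content-Type": "application/json" };
  if (setCookie) headers.Cookie = setCookie.split(";")[0];
  const writeResp = send({
    method: "PUT", url: serviceUrl + entityPath, headers,
    body: JSON.stringify(payload),
  });
  const challenge = header(writeResp.headers, "X-CSRF-Token");
  if (writeResp.status === 403 && String(challenge).toLowerCase() === "required") {
    return { ok: false, reason: "token-rejected", status: 403 };
  }
  const ok = writeResp.status >= 200 && writeResp.status < 300;
  return { ok, reason: ok ? "written" : "http-error", status: writeResp.status };
}

// Constructed stand-in for an ICF node (not captured traffic): it either
// issues a token on "Fetch" or, like the node in the thread, never does.
function makeNode(issuesToken) {
  let issued = null;
  return (req) => {
    if (req.method === "GET") {
      if (!issuesToken) return { status: 200, headers: {} };
      issued = "constructed-token-1";
      return { status: 200, headers: {
        "x-csrf-token": issued, "set-cookie": "SESSION=constructed; path=/" } };
    }
    return issued && header(req.headers, "X-CSRF-Token") === issued
      ? { status: 204, headers: {} }
      : { status: 403, headers: { "x-csrf-token": "Required" } };
  };
}
```

A result of `no-token-issued` points at the server side of the handshake, which matches what the Chrome network tab showed in the question; `token-rejected` means a token was issued but the write did not present a matching one.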

Former Member
0 Kudos

Thanks Andre,

the funny thing is that it worked on our D environment, but not our Q....

What do you suggest to do to solve this? Can you tell me what you mean by "use one of the supported authentication methods"?

Regards

Jörn

kjyothiraditya
Participant
0 Kudos

Hi,

Even I have a similar issue wherein, in the Quality system, I am getting "CSRF token validation failed". Can you please guide me on how to resolve this?

ChandraMahajan
Active Contributor
0 Kudos

Hi,

From your SAPUI5 application, you can try to use the OData API method setTokenHandlingEnabled and set it to false to disable token handling.

JsDoc Report - SAP UI development Toolkit for HTML5 - API Reference - sap.ui.model.odata.ODataModel

Regards,

Chandra

Former Member
0 Kudos

Hi Chandrashekhar,

Thanks for your answer. We already tried that - without success... although we did a lot of things and probably it requires the right combination of them.

ChandraMahajan
Active Contributor
0 Kudos

Hi,

Check with this SAP note 1800109 - "CSRF token validation failed" when using Gateway Client and see if this is applicable to your system.

Regards,

Chandra