Disable Authentication pop up and CSRF token for OData calls (using SAP Netweaver Gateway)
Hi,
I have seen loads of threads on the same topic, but none of them gives the complete solution; they all give it in bits and pieces. After struggling for the past couple of days, I managed to crack it.
Issue:
You have developed an application (used to modify data in the backend) with SAP UI5 as the front end (deployed in NetWeaver Portal) and NetWeaver Gateway OData services as the backend. You want the OData calls from the UI not to show login pop-ups when the request is sent to the SAP Gateway server.
Solution:
An obvious one: set up the user credentials in the ‘Logon’ tab of the SICF service.
Test it. Hey, it works!! No authentication pop-up. But you are too quick. Test the complete cycle until the data is saved from your UI5 application. You will find that you get ‘CSRF token invalid’ or ‘CSRF token undefined’ or a similar error message (along with HTTP status code 403 (Forbidden)) in the console. This error goes away as soon as you remove the user credentials from the Logon tab of the SICF service.
Issue:
You want both features: there must not be any authentication pop-ups when the application is accessed, AND the application should be able to save/modify data without any issue.
What happens:
According to the link Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library, the framework checks the validity of the CSRF token for all modifying requests. The validation is done by the ICF runtime, which checks the token against the one from the “anti-XSRF cookie”. If the validation fails, an HTTP status code 403 (Forbidden) is sent back.
When you provide logon details in the ICF node, you will not get a CSRF token from the system. This is because CSRF protection works only for services that require authentication. But when you send a modifying request to the framework, it expects a CSRF token by default, and hence the save fails.
Solution:
The only way is to disable the CSRF protection mechanism. The above CSRF link describes how to disable it in the SICF service node. But that alone will not disable the CSRF token check. You also have to add the header ‘X-Requested-With’ with a value of ‘X’ to the OData request to disable the CSRF token completely.
Steps
1. Set the value of ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of your service (steps given in the link – Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library towards the end)
2. Maintain User credentials in the ‘Logon Data’ tab of your service – Remember this is needed to avoid authentication pop up.
3. Now, depending on which route you use to update data, add the header:
a. If you use the OData Model to update data, make sure that you add the following lines BEFORE the create/put/delete call.
var oEntry = {};
oEntry.Empid = sap.ui.getCore().byId("Id").getValue();
oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
oEntry.Empadd = sap.ui.getCore().byId("Address").getValue();
oEntry.Empdes = sap.ui.getCore().byId("Role").getValue();
// Header that tells the Gateway not to expect a CSRF token (together with step 1)
oModelSav.setHeaders({"X-Requested-With": "X"});
oModelSav.create("/EmployeeSet", oEntry, null, function() {
    alert("Employee Created Successfully");
}, function() {
    alert("Employee Creation Failed");
});
b. If you are using a plain POST operation, use the code below.
Important Note: There is no need to issue a GET call before this, since we do not want to use the CSRF token.
var oHeaders = {
    "X-Requested-With": "X",
    "Accept": "application/json"
};
OData.request({
    requestUri: "http://<server>:<port>/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/EmployeeSet",
    method: "POST",
    headers: oHeaders,
    data: oEntry // the entry built as in step 3a
}, function(data, request) {
    alert("Employee Created Successfully");
    location.reload(true);
}, function(err) {
    alert("Employee Creation Failed");
});
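To make the behaviour behind steps 1–3 concrete, here is an added example (not code from the original post or from SAP) that models the Gateway's CSRF check in plain JavaScript: a GET with X-CSRF-Token: Fetch hands out a token, a modifying request without a valid token gets 403, and only ~CHECK_CSRF_TOKEN=0 together with X-Requested-With: X skips the check. The token's binding to the anti-XSRF cookie is simplified to an in-memory set, and the names makeGateway, createWithCsrf and createWithoutCsrf are assumptions; the two client functions let you compare the protected round trip with the workaround above.

```javascript
// Constructed model of the Gateway behaviour described above; an illustration, not SAP's code.
const MODIFYING = new Set(["POST", "PUT", "DELETE", "MERGE", "PATCH"]);

// checkCsrfToken=false stands for ~CHECK_CSRF_TOKEN=0 in the service's GUI_CONFIGURATION
function makeGateway({ checkCsrfToken = true } = {}) {
  const issued = new Set(); // tokens handed out (real Gateway ties them to the anti-XSRF cookie)
  return function handle(req) {
    const h = Object.fromEntries(
      Object.entries(req.headers || {}).map(([k, v]) => [k.toLowerCase(), v]));
    if (req.method === "GET") {
      // A GET carrying "X-CSRF-Token: Fetch" returns a fresh token in the response header
      const res = { status: 200, headers: {} };
      if ((h["x-csrf-token"] || "").toLowerCase() === "fetch") {
        const token = "tok-" + (issued.size + 1); // constructed token value
        issued.add(token);
        res.headers["x-csrf-token"] = token;
      }
      return res;
    }
    if (MODIFYING.has(req.method)) {
      // Step 1 alone is not enough: the check is skipped only with the header from step 3 too
      const skip = !checkCsrfToken && h["x-requested-with"] === "X";
      if (!skip && !issued.has(h["x-csrf-token"])) {
        return { status: 403, body: "CSRF token validation failed" };
      }
      return { status: 201, body: req.data };
    }
    return { status: 405 };
  };
}

// Standard protected flow: fetch the token with a GET, then send it on the POST
function createWithCsrf(gateway, uri, entry) {
  const probe = gateway({ method: "GET", requestUri: uri,
                          headers: { "X-CSRF-Token": "Fetch" } });
  const token = probe.headers["x-csrf-token"];
  return gateway({ method: "POST", requestUri: uri, data: entry,
                   headers: { "X-CSRF-Token": token, "Accept": "application/json" } });
}

// The post's workaround: no token round trip, relies on the check being switched off
function createWithoutCsrf(gateway, uri, entry) {
  return gateway({ method: "POST", requestUri: uri, data: entry,
                   headers: { "X-Requested-With": "X", "Accept": "application/json" } });
}
```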
Hi Sharada,
Just have a doubt: where is your SAPUI5 application deployed?
If the SAPUI5 application is deployed in the front end/hub ABAP server, calling the OData service from the SAPUI5 application will not show an authentication popup.
Please correct me if I am wrong.
Thanks,
Naga
Naga,
This solution is for scenarios where the UI5 application is called from the portal. It is not clearly mentioned in that blog. I will modify it. Thanks.
Sharadha
Great research ..... Very helpful 🙂
Thanks ..
Hi Sharada,
Did I get you correctly that you solved the issue by disabling the security mechanism?
I don't think that this is the best approach, because there was a good reason to establish the CSRF mechanism: to avoid any "Cross-Site Request Forgery attack".
There must be a best practice to get both, no logon popup (e.g. by SSO) and secure modification including the CSRF mechanism.
Regards Klaus
Klaus,
Ideally there should be a way, but as of now there is no option provided for this by SAP (as far as I know). Happy to learn if there is an alternate solution to this issue. Let me know if you come across any.
Many thanks,
Sharadha
Hi Klaus,
One solution to this is to use Principal Propagation https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html
But I am having trouble configuring it. If you had come across it and have implemented it, can you please guide us through.
Regards,
Anand T
Hi Sharada,
First I want to thank you, because I had the same problem and searched the whole day for a solution until I found your blog post. It works, but the solution is not really satisfying and can only be a workaround until I find a better solution.
Did anyone find a better solution in the meantime?
Regards, Oliver
Hi Oliver,
Found any better solution than this? I am also having a similar issue.
Best Regards, Mahesh
Hi Mahesh,
I'm sorry, but I didn't find a better solution yet.
Best regards, Oliver
Hi Oliver,
One solution to this is to use Principal Propagation https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html
But I am having trouble configuring it. If you had come across it and have implemented it, can you please guide us through.
Regards,
Anand T
Hi Anand,
sorry, but I don't use HCP.
Best regards, Oliver
Excellent!!!
A few days ago I got this Forbidden error and spent a lot of time until I found out that my authentication credentials saved in the SICF service were causing this error, just when I was trying to save data. After long hours of research I found a topic where a guy commented something in this way.. and that worked!!! This document will be very helpful for future research, congrats!!!!
Regards,
Sandro Ramos
Hi Sharadha K,
I have managed to disable the authentication pop-up and CSRF token for OData calls using your method above. My problem now is that I am failing to achieve the same with file uploads. I am using sap.ui.unified.FileUploader to upload files.
Please Assist
Regards,
Terry
I need to disable pop up authentication when I use document service in HCP.
Please help
Hi Sharadha,
Thanks for this useful blog. Regarding adding “X-Requested-With: X” to the OData request header, it can also be added in the OData model's settings section under the models section in manifest.json. So you don't need to add it manually before calling the OData model.
Regards,
Nick
Thank you! Helped me a lot! =)
Thank you so much for a such detailed post about this issue! S2
Very Well explained,
I have one question: is it possible not to have CSRF validation even after disabling it, and is it also possible that the client doesn't need to pass the X-Requested-With value in the header?
Thank You,
Sagar
Excellent.
Perfect solution.
Thanks.
I'm implementing a plain ABAP service with REST in SICF,
using CL_REST_HTTP_HANDLER as the base class.
To turn off CSRF you override METHOD handle_csrf_token.
Thanks for the great solution. We have one Problem left:
We have to call the API first and pass all cookies with the post.
Otherwise the POST will return with HTTP code 200 and is handled as a GET request.
Anyone having the same problem?
Our API is made with RAP and CDS.