Sharadha Krishnamoorthy

Disable Authentication pop up and CSRF token for OData calls (using SAP Netweaver Gateway)

Hi,

I have seen loads of threads with the same topic but none of them specify the complete solution. They all give solutions in bits and pieces. After struggling for the past couple of days, I managed to crack it.

Issue:

You have developed an application (which modifies data in the backend) using SAP UI5 as the front end (deployed in NetWeaver Portal) with NetWeaver Gateway OData services as the backend. You want the OData calls from the UI not to show login pop-ups when the request is sent to the SAP Gateway server.

Solution:

An obvious one: set up the user credentials in the 'Logon Data' tab of the SICF service.

Test it. Hey, it works!! No authentication pop-up. But you are too quick. Test the complete cycle until the data is saved in your UI5 application. You will find that you get 'CSRF token invalid' or 'CSRF token undefined' or a similar error message (along with HTTP status code 403 (Forbidden)) in the console. This error goes away as soon as you remove the user credentials from the Logon Data tab of the SICF service.

Issue:

You want both features: there must not be any authentication pop-ups when the application is accessed AND the application must be able to save/modify data without any issue.

What happens:

According to Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library, the framework checks the validity of the CSRF token for every modifying request. The validation is done by the ICF runtime, which compares the token in the request against the token in the "anti-XSRF cookie". If the validation fails, HTTP status code 403 (Forbidden) is sent back.

When you provide logon details in the ICF node, the system will not issue a CSRF token, because CSRF protection works only for services that require authentication. But a modifying request sent to the framework is expected to carry a CSRF token by default, and hence the save fails.

Solution:

The only way is to disable the CSRF protection mechanism. The CSRF link above describes how to disable it on the SICF service node. But that alone will not switch off the CSRF token check. You also have to add the header 'X-Requested-With' with a value of 'X' to the OData request to disable the CSRF token check completely.

Steps

1. Set ~CHECK_CSRF_TOKEN=0 in the GUI Configuration of your service (steps are given towards the end of Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library).

2. Maintain user credentials in the 'Logon Data' tab of your service. Remember, this is needed to avoid the authentication pop-up.

3. Now, depending on which route you use to update data, add the headers:

a. If you use the OData Model to update data, make sure that you set the header with the following lines BEFORE the create/put/delete call.


```javascript
// oModelSav is the sap.ui.model.odata.ODataModel instance used for saving
var oEntry = {};
oEntry.Empid = sap.ui.getCore().byId("Id").getValue();
oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
oEntry.Empadd = sap.ui.getCore().byId("Address").getValue();
oEntry.Empdes = sap.ui.getCore().byId("Role").getValue();

// Header that switches off the CSRF token check (together with ~CHECK_CSRF_TOKEN=0 on the SICF node)
oModelSav.setHeaders({ "X-Requested-With": "X" });

// create(sPath, oData, oContext, fnSuccess, fnError) of the v1 ODataModel
oModelSav.create("/EmployeeSet", oEntry, null, function () {
    alert("Employee Created Successfully");
}, function () {
    alert("Employee Creation Failed");
});
```

b. If you send the POST request directly, use the code below.

Important note: there is no need to issue a GET call before this, since we do not want to use the CSRF token.


```javascript
// oEntry holds the employee data to be created (built as in the snippet above)
var oHeaders = {
    "X-Requested-With": "X",   // switches off the CSRF token check together with ~CHECK_CSRF_TOKEN=0
    "Accept": "application/json"
};

OData.request({
    requestUri: "http://<server>:<port>/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/EmployeeSet",
    method: "POST",
    headers: oHeaders,
    data: oEntry
}, function (data, request) {
    alert("Employee Created Successfully");
    location.reload(true);
}, function (err) {
    alert("Employee Creation Failed");
});
```


21 Comments

      Naga Prakash

      Hi Sharada,

      Just have a doubt: where is your SAPUI5 application deployed?

      If the SAPUI5 application is deployed in the front end/hub ABAP server, calling the OData from the SAPUI5 application will not show an authentication popup.

      Please correct me if I am wrong.

      Thanks,

      Naga

      Sharadha Krishnamoorthy
      Blog Post Author

      Naga,

      This solution is for scenarios where the UI5 application is called from the portal. It is not clearly mentioned in the blog. I will modify it. Thanks.

      Sharadha

      Former Member

      Great research ..... Very helpful 🙂

      Thanks ..

      Klaus Enders

      Hi Sharada,

      Have I got you correct: you solved the issue by disabling the security mechanism?

      I don't think that this is the best approach, because there was a good reason to establish the CSRF mechanism: to avoid any "Cross-Site Request Forgery attack".

      There must be a best practice to get both: no logon popup (e.g. by SSO) and secure modification including the CSRF mechanism.


      Regards Klaus


      Sharadha Krishnamoorthy
      Blog Post Author

      Klaus,

      Ideally there should be a way, but as of now there is no option provided for this by SAP (as far as I know). Happy to learn if there is an alternate solution to this issue. Let me know if you come across any.

      Many thanks,

      Sharadha

      Former Member

      Hi Klaus,

      One solution to this is to use Principal Propagation https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html

      But I am having trouble configuring it. If you have come across it and have implemented it, can you please guide us through?

      Regards,
      Anand T

      Oliver Bär

      Hi Sharada,


      First I want to thank you, because I had the same problem and searched the whole day for a solution until I found your blog post. It works, but the solution is not really satisfying and can only be a workaround until I find a better solution.


      Did anyone find a better solution in the meantime?


      Regards, Oliver

      Mahesh Palavalli

      Hi Oliver,

      Found any better solution than this? I am also having a similar issue.

      Best Regards, Mahesh

      Oliver Bär

      Hi Mahesh,

      I'm sorry, but I didn't find a better solution yet.

      Best regards, Oliver

      Former Member

      Hi Oliver,

      One solution to this is to use Principal Propagation https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html

      But I am having trouble configuring it. If you have come across it and have implemented it, can you please guide us through?

      Regards,
      Anand T

      Oliver Bär

      Hi Anand,

      Sorry, but I don't use HCP.

      Best regards, Oliver

      Sandro Ramos

      Excellent!!!

      A few days ago I got this Forbidden error and spent a lot of time until I found out that my authentication credentials saved in the SICF service were causing this error, just when I was trying to save data. After long hours of research I found a topic where a guy commented something along these lines.. and that worked!!! This document will be very helpful for future research, congrats!!!!

      Regards,

      Sandro Ramos

      Terence Dangwa

      Hi Sharadha K,
      I have managed to disable the authentication pop-up and CSRF token for OData calls using your method above. My problem now is that I am failing to achieve the same with file uploads. I am using sap.ui.unified.FileUploader to upload files.

      Please assist.
      Regards,

      Terry

      Beni Madhab Kayal

      I need to disable the pop-up authentication when I use the document service in HCP.
      Please help.

      Sung-Yen Yang

      Hi Sharadha,

      Thanks for this useful blog. Regarding adding "X-Requested-With: X" to the OData request header, it can also be added in the OData model's settings section under the models section in manifest.json. So you don't need to add it manually before calling the OData model.

      Regards,

      Nick

      Former Member

      Thank you! Helped me a lot! =)

      Former Member

      Thank you so much for such a detailed post about this issue! S2

      Sagar Dhange

      Very well explained.

      I have one question: is it possible not to have CSRF validation even after disabling it, and also, is it possible that the client doesn't need to pass the X-Requested-With value in the header?

      Thank You,

      Sagar

      Vigneshwar DHONAPATI

      Excellent.

      Perfect solution.

      Thanks.

      Otto Frost

      I'm implementing a plain ABAP service with REST in SICF,

      using CL_REST_HTTP_HANDLER as the base class.

      To turn off CSRF you override METHOD handle_csrf_token.

      Björn Hempel

      Thanks for the great solution. We have one problem left:
      We have to call the API first and pass all cookies with the POST.

      Otherwise the POST will return with HTTP code 200 and is handled as a GET request.

      Anyone having the same problem?
      Our API is made with RAP and CDS.