
Hi,

I have seen loads of threads on the same topic, but none of them gives the complete solution; they all give it in bits and pieces. After struggling for the past couple of days, I managed to crack it.

Issue:

You have developed an application that modifies data in the backend, with SAP UI5 as the front end (deployed in NetWeaver Portal) and NetWeaver Gateway OData services as the backend. You want the OData calls from the UI to reach the SAP Gateway server without showing a login pop-up.

Solution:

The obvious one: maintain a user's credentials in the ‘Logon Data’ tab of the SICF service node, so that the ICF runtime logs every request on as that service user and the browser is never challenged.

Test it. It works, no authentication pop-up. But do not stop there: test the complete cycle until data is actually saved from your UI5 application. You will find that you get ‘CSRF token invalid’, ‘CSRF token undefined’ or a similar error message in the console, together with HTTP status code 403 (Forbidden). The error goes away as soon as you remove the user credentials from the Logon Data tab of the SICF service.

Issue:

You want both: no authentication pop-ups when the application is accessed AND the application must be able to save and modify data without any issue.

What happens:

According to Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library, the framework checks the validity of the CSRF token for every modifying request (POST, PUT, DELETE, MERGE). The validation is done by the ICF runtime, which compares the token sent in the X-CSRF-Token request header against the token bound to the session's “anti-XSRF cookie”. If the validation fails, HTTP status code 403 (Forbidden) is sent back.


When logon data is maintained in the ICF node, the system does not issue a CSRF token at all. The token is only generated for services that require authentication, because it is bound to the authenticated user's session, and with logon data in the node the caller never authenticates. A modifying request sent to the framework is nevertheless expected to carry a token by default, and hence the save fails.

Solution:

The only way is to switch off the CSRF protection mechanism. The CSRF link above describes how to disable it in the SICF service node, but that alone does not stop the token check. You also have to add the header ‘X-Requested-With’ with a value of ‘X’ to the OData request before the token check is skipped completely.

Be aware of what this trades away: the service now accepts modifying requests without a token and executes them under the service user from the Logon Data tab, so that user must carry only the authorizations the application needs. The X-Requested-With header is then the only thing standing between the service and a cross-site form POST, and it helps only because a browser will not attach a custom header to a cross-origin request without a CORS preflight.

Steps

1. Set ~CHECK_CSRF_TOKEN=0 in the GUI Configuration of your service in SICF (the steps are given towards the end of the link Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library).

2. Maintain user credentials in the ‘Logon Data’ tab of your service. Remember, this is what avoids the authentication pop-up.

3. Now, depending on which route you use to update data, add the header:

a. If you use the OData model to update data, set the header on the model BEFORE the create/update/remove call.


// oModelSav is the sap.ui.model.odata.ODataModel used for saving (assumed to be created elsewhere)
var oEntry = {};
oEntry.Empid = sap.ui.getCore().byId("Id").getValue();
oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
oEntry.Empadd = sap.ui.getCore().byId("Address").getValue();
oEntry.Empdes = sap.ui.getCore().byId("Role").getValue();

// Header that makes the ICF runtime skip the CSRF token check (together with ~CHECK_CSRF_TOKEN=0)
oModelSav.setHeaders({ "X-Requested-With": "X" });

oModelSav.create("/EmployeeSet", oEntry, null,
  function () {
    alert("Employee Created Successfully");
  },
  function () {
    alert("Employee Creation Failed");
  }
);

b. If you send the POST request directly via datajs, use the code below.

Important Note: There is no need to issue a GET call before this, since we do not want to use the CSRF token.


var oHeaders = {
  "X-Requested-With": "X",        // skip the CSRF token check (together with ~CHECK_CSRF_TOKEN=0)
  "Accept": "application/json"
};
OData.request({
    requestUri: "http://<server>:<port>/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/EmployeeSet",
    method: "POST",
    headers: oHeaders,
    data: oEntry                  // the same entry object as built in (a)
  },
  function (data, request) {
    alert("Employee Created Successfully");
    location.reload(true);
  },
  function (err) {
    alert("Employee Creation Failed");
  }
);



17 Comments


  1. Naga Prakash

    Hi Sharada,

    Just have a doubt where is your SAPUi5 application is deployed ?

    If the SAPUI5 application is deployed on the front end/hub ABAP server, calling OData from the SAPUI5 application will not show an authentication pop-up.

    Please correct me if i am wrong.

    Thanks,

    Naga

    (0) 
    1. Sharadha K Post author

      Naga,

      This solution is for scenarios where the UI5 application is called from the portal. It is not clearly mentioned in the blog. I will modify it. Thanks.

      Sharadha

      (0) 
  2. Klaus Enders

    Hi Sharada,

    did I get you right that you solved the issue by disabling the security mechanism?

    I don’t think that this is the best approach because there was a good reason to establish the CSRF mechanism to avoid any “Cross-Site Request Forgery attack”.

    There must be a best practice to get both, no logon popup (e.g. by SSO) and secure modification including the CSRF mechanism.


    Regards Klaus


    (0) 
    1. Sharadha K Post author

      Klaus,

      Ideally there should be a way, but as of now there is no option provided for this by SAP (as far as I know). Happy to learn if there is an alternate solution to this issue. Let me know if you come across any.

      Many thanks,

      Sharadha

      (0) 
  3. Oliver Bär

    Hi Sharada,


    first I want to thank you because I had the same problem and searched the whole day for a solution until I found your blog post. It works, but the solution is not really satisfying and can only be a workaround until I find a better solution.


    Did anyone find a better solution in the meantime?


    Regards, Oliver

    (0) 
  4. Sandro Ramos

    Excellent!!!

    A few days ago I got this Forbidden error and spent a lot of time until I found out that my authentication credentials saved in the SICF service were causing this error, just when I was trying to save data. After long hours of research I found a topic where a guy commented something along these lines, and that worked!!! This document will be very helpful for future research, congrats!!!!

    Regards,

    Sandro Ramos

    (0) 
  5. Terence Dangwa

    Hi Sharadha K,

    I have managed to disable the authentication pop-up and CSRF token for OData calls using your method above. My problem now is that I am failing to achieve the same with file uploads. I am using sap.ui.unified.FileUploader to upload files.

     

    Please Assist
    Regards,

    Terry

    (0) 
  6. Sung-Yen Yang

    Hi Sharadha,

     

    Thanks for this useful blog. Regarding adding “X-Requested-With: X” to the OData request header, it can also be added in the OData model's settings section under the models section in manifest.json. So you don't need to add it manually before calling the OData model.

    Regards,

    Nick

    (1) 
