
Disable Authentication pop up and CSRF token for OData calls (using SAP Netweaver Gateway)


I have seen loads of threads with the same topic but none of them specify the complete solution. They all give solutions in bits and pieces. After struggling for the past couple of days, I managed to crack it.


You have developed an application (one that modifies data in the backend) using SAP UI5 as the front end (deployed in NetWeaver Portal) with NetWeaver Gateway OData services as the backend. You want the OData calls from the UI not to show login pop-ups when the request is sent to the SAP Gateway server.


An obvious first step: set up the user credentials in the ‘Logon Data’ tab of the SICF service.

Test it. Hey, it works!! No authentication pop up. But you are too quick. Test the complete cycle until the data is saved in your UI5 application. You will find that you get ‘CSRF token invalid’ or ‘CSRF token undefined’ or a similar error message (along with HTTP status code 403 (Forbidden)) in the console. This error goes away as soon as you remove the user credentials from the Logon Data tab of the SICF service.


You want both features – there must not be any authentication pop ups when the application is accessed AND the application must be able to save/modify data without any issue.

What happens:

According to the link Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library, the framework checks the validity of the CSRF token for all modifying requests. The validation is done by the ICF runtime, which checks the token in the request against the token from the “anti-XSRF cookie”. If the validation fails, an HTTP status code 403 (Forbidden) is sent back.

When you provide logon details in the ICF node, you will not get a CSRF token from the system. This is because CSRF protection only works for services that require authentication. But when you send a modifying request to the framework, it expects a CSRF token by default, and hence the save fails.


The only way is to disable the CSRF protection mechanism. The CSRF link above describes how to disable it in the SICF service node. But that alone will not disable the CSRF token check. You also have to add the header ‘X-Requested-With’ with a value of ‘X’ to the OData request to disable the CSRF token completely.


1. Set the value of ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of your service (steps given in the link – Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library towards the end)

2. Maintain User credentials in the ‘Logon Data’ tab of your service – Remember this is needed to avoid authentication pop up.

3. Now, depending on which route you use to update data, add the header:

a. If you use the OData Model to update data, make sure that you set the header BEFORE the create/put/delete call, as in the following lines.

var oEntry = {};
oEntry.Empid = sap.ui.getCore().byId("Id").getValue();
oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
oEntry.Empadd = sap.ui.getCore().byId("Address").getValue();
oEntry.Empdes = sap.ui.getCore().byId("Role").getValue();

// The header has to be in place before the modifying call is issued.
oModelSav.setHeaders({"X-Requested-With": "X"});
oModelSav.create("/EmployeeSet", oEntry, null,
  function() {              // success callback
    alert("Employee Created Successfully");
  },
  function() {              // error callback
    alert("Employee Creation Failed");
  });



b. If you are using a POST operation (datajs OData.request), use the code below.

Important note: there is no need to issue a GET call before this, since we do not want to use the CSRF token.

var oHeaders = {
  'X-Requested-With': 'X',
  'Accept': 'application/json'
};
OData.request({
    requestUri: "http://<server>:<port>/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/EmployeeSet",
    method: "POST",
    headers: oHeaders,
    data: oEntry            // the entry object built as in 3a
  },
  function(data, request) { // success callback
    alert("Employee Created Successfully");
  },
  function(err) {           // error callback
    alert("Employee Creation Failed");
  });

  • Hi Sharada,

    Just have a doubt: where is your SAPUI5 application deployed?

    If SAPUI5 application is deployed in the front end/hub ABAP server, calling the ODATA from SAPUI5 application will not show up authentication popup.

    Please correct me if I am wrong.



    • Naga,

      This solution is for scenarios where the UI5 application is called from the portal. It is not clearly mentioned in the blog. I will modify it. Thanks.


  • Hi Sharada,

    Did I get you correctly: you solved the issue by disabling the security mechanism?

    I don't think that this is the best approach because there was a good reason to establish the CSRF mechanism to avoid any "Cross-Site Request Forgery attack".

    There must be a best practice to get both, no logon popup (e.g. by SSO) and secure modification including the CSRF mechanism.

    Regards Klaus

  • Hi Sharada,

    first I want to thank you because I had the same problem and searched the whole day for a solution until I found your blog post. It works, but the solution is not really satisfying and can only be a workaround until I find a better solution.

    Did anyone find a better solution in the meantime?

    Regards, Oliver

  • Excellent!!!

    A few days ago I got this Forbidden error and spent a lot of time until I found out that the authentication credentials saved in the SICF service were causing this error, just when I was trying to save data. After long hours of research I found a topic where a guy commented something along these lines... and that worked!!! This document will be very helpful for future research, congrats!!!!


    Sandro Ramos

  • Hi Sharadha K,
    I have managed to disable the authentication pop up and CSRF token for OData calls using your method above. My problem now is that I am failing to achieve the same with file uploads. I am using sap.ui.unified.FileUploader to upload files.


    Please Assist


  • Hi Sharadha,


    Thanks for this useful blog. Regarding adding “X-Requested-With: X” to the OData request header, it can also be added in the OData model’s settings section under the models section in manifest.json. So you don’t need to add it manually before calling the OData model.



  • Very Well explained,

    I have one question: is it possible to not have CSRF validation even after disabling it? Also, is it possible that the client doesn't need to pass the X-Requested-With value in the header?


    Thank You,