Handling CSRF tokens in SAP Cloud Platform Integration
What is a CSRF token?
CSRF, or Cross-Site Request Forgery, is an attack in which a malicious web site or program causes a user’s browser to send an unwanted request to a trusted site on which the user is currently authenticated. Because the browser attaches the session cookie automatically, the trusted site cannot distinguish the forged request from a legitimate one.
Requiring a CSRF token on every modifying request is one of the standard defenses: the token is a secret value that the attacker’s site cannot read and therefore cannot supply.
How it works
Services hosted on SAP Gateway enforce CSRF token validation on modifying requests (POST, PUT, PATCH, DELETE); plain GET requests are not protected. In this example, we use a Gateway service URL for testing.
1. Fetch the CSRF token
Use the metadata URL of the Gateway service to fetch the CSRF token.
(The URL for fetching the CSRF token differs from application to application. For workflow services, append ‘xsrf-token’ to the service URL, e.g. https://bpmworkflowruntimexxx.hana.ondemand.com/workflow-service/rest/v1/xsrf-token.)
Perform a GET call and pass the following header:
X-CSRF-Token: fetch
The response carries the CSRF token in the X-CSRF-Token response header. Note the Set-Cookie headers in the same response: the token is only valid together with the session those cookies establish.
2. Invoke the service with the CSRF token obtained from the previous call
Copy the CSRF token obtained from the previous call and paste it into the X-CSRF-Token header of the POST call, as shown below.
If validation fails, you get a 403 Forbidden response with the message “CSRF token validation failed”. In that case, check that the token was copied correctly from the previous call, that the session cookies returned by the fetch call are sent along with the POST (the token is bound to that session and is rejected without it), and that the user has the roles required to call the URL. If everything is in order, you get a 200 or 201 response.
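The two-step exchange above, as an added example that is not part of the original post or of SAP’s code: a small in-process HTTP server models the Gateway rules (a token is minted on `X-CSRF-Token: fetch` and bound to a session cookie; a POST is accepted only when the token and the cookie that issued it arrive together), and a client walks through the fetch and the POST, including the 403 that results when the session cookie is left out. The service paths, the cookie name `SAP_SESSIONID` and the `Required` response header are assumptions made for the simulation.

```python
# Added example (not the original post's or SAP's code). A constructed
# in-process server models the Gateway CSRF handshake; the client shows
# the fetch/POST steps and the failure when the session cookie is missing.
import http.client
import secrets
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical service paths used only for this demo.
METADATA_PATH = "/sap/opu/odata/sap/ZDEMO_SRV/$metadata"
ENTITY_PATH = "/sap/opu/odata/sap/ZDEMO_SRV/OrderSet"

SESSIONS = {}  # session id -> CSRF token minted for that session (server state)


class GatewayHandler(BaseHTTPRequestHandler):
    """Models the rules: token minted on 'X-CSRF-Token: fetch' and bound to a
    session cookie; modifying calls need both, otherwise 403."""

    def _session_id(self):
        cookie = SimpleCookie()
        cookie.load(self.headers.get("Cookie", ""))
        morsel = cookie.get("SAP_SESSIONID")  # assumed cookie name
        return morsel.value if morsel else None

    def do_GET(self):
        self.send_response(200)
        if self.headers.get("X-CSRF-Token", "").lower() == "fetch":
            sid, token = secrets.token_hex(8), secrets.token_urlsafe(24)
            SESSIONS[sid] = token
            self.send_header("X-CSRF-Token", token)
            self.send_header("Set-Cookie", f"SAP_SESSIONID={sid}; Path=/; HttpOnly")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = self._session_id()
        presented = self.headers.get("X-CSRF-Token")
        # The token must be the one minted for THIS session: a valid token
        # sent without its cookie (or the cookie alone) is rejected.
        if sid is None or presented is None or SESSIONS.get(sid) != presented:
            self.send_response(403)
            self.send_header("X-CSRF-Token", "Required")
            self.end_headers()
            self.wfile.write(b"CSRF token validation failed")
            return
        self.send_response(201)
        self.end_headers()

    def log_message(self, *args):  # keep the demo quiet
        pass


def cookie_pair(set_cookie_value):
    """Keep only name=value from a Set-Cookie header; attributes such as Path
    or HttpOnly must not be echoed back in the Cookie request header."""
    return set_cookie_value.split(";", 1)[0].strip()


def fetch_token(conn):
    """Step 1: GET the metadata URL with X-CSRF-Token: fetch and collect both
    the token and the session cookies that the token is bound to."""
    conn.request("GET", METADATA_PATH, headers={"X-CSRF-Token": "fetch"})
    resp = conn.getresponse()
    resp.read()
    token = resp.getheader("X-CSRF-Token")
    cookies = "; ".join(cookie_pair(v) for k, v in resp.getheaders()
                        if k.lower() == "set-cookie")
    return token, cookies


def post_with(conn, token, cookies):
    """Step 2: POST with whatever the caller supplies; returns the HTTP status."""
    headers = {"Content-Type": "application/json"}
    if token is not None:
        headers["X-CSRF-Token"] = token
    if cookies:
        headers["Cookie"] = cookies
    conn.request("POST", ENTITY_PATH, body=b'{"OrderId": "1"}', headers=headers)
    resp = conn.getresponse()
    resp.read()
    return resp.status


def run_demo():
    """Run the handshake against the in-process server; returns the status
    of each POST variant."""
    server = HTTPServer(("127.0.0.1", 0), GatewayHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port)
        token, cookies = fetch_token(conn)
        return {
            "token_and_cookie": post_with(conn, token, cookies),  # 201
            "token_only": post_with(conn, token, None),           # 403
            "cookie_only": post_with(conn, None, cookies),        # 403
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The `token_only` case is exactly what an integration flow produces when it forwards the token but not the cookies, which is why the CPI implementation below has to handle `Set-Cookie` explicitly; Postman hides this because it stores and resends cookies on its own.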
Implementing it in SAP Cloud Platform Integration
Now let’s see how to implement the above in SAP Cloud Platform Integration.
Here, passing the header alone is not enough. The token is bound to the session cookies that the Gateway sets in the fetch response. A REST client such as Postman stores those cookies and resends them automatically, so the POST works there without any extra step; the CPI HTTP receiver adapter does not do this on its own, so the iflow must copy the Set-Cookie values from the first response into the Cookie header of the second call.
In the Postman example above, the session cookies being created can be viewed by adding the Interceptor add-on.
We implement the cookie handling with a Groovy script.
IFLOW
Components used:
| SL. No. | Component | Description |
|---|---|---|
| 1 | Sender Channel | HTTPS sender channel that triggers the iflow |
| 2 | Content Modifier 1 | Sets the header ‘x-csrf-token’ to ‘fetch’ to request the CSRF token |
| 3 | Request Reply 1 | Uses an HTTP receiver channel to perform the GET call to the Gateway metadata URL |
| 4 | Script | Reads the Set-Cookie headers and sets the Cookie header for the next call |
| 5 | Content Modifier 2 | Sets the content type and the payload for the POST call |
| 6 | Request Reply 2 | Uses an HTTP receiver channel to perform the final POST call |
1. HTTPS Sender Channel
2. Content Modifier 1
3. Request Reply 1 – HTTP Receiver Channel
4. Script
```groovy
import com.sap.gateway.ip.core.customdev.util.Message

def Message processData(Message message) {
    def headers = message.getHeaders()
    // After the GET call, Set-Cookie arrives as a single String or, when the
    // server sets several cookies, as a List of Strings. Normalise to a list.
    def setCookie = headers.get("Set-Cookie")
    def cookies = (setCookie instanceof Collection) ? setCookie : (setCookie != null ? [setCookie] : [])
    // Keep only the name=value pair of each cookie. Attributes such as Path,
    // Expires or HttpOnly belong to Set-Cookie and must not be echoed back.
    def cookieHeader = cookies.collect { it.toString().split(";")[0].trim() }.join("; ")
    message.setHeader("Cookie", cookieHeader)
    // Debug aid only: this writes the session cookie into the MPL, where anyone
    // with monitoring access can read it. Remove once the flow works.
    def messageLog = messageLogFactory.getMessageLog(message)
    if (messageLog != null) {
        messageLog.setStringProperty("Logging_Cookie", cookieHeader)
    }
    return message
}
```
5. Content Modifier 2
For testing purposes, I’ve set the payload in the Content Modifier.
6. Request Reply 2 – HTTP Receiver Channel
Once the iflow is deployed and triggered, you can see the Cookie header being sent with the POST call in the MPL logs, and the response headers of the final call in Postman. The x-csrf-token header needs no extra handling: the value returned by the GET call replaces the ‘fetch’ set in Content Modifier 1 and is forwarded with the POST.
Well done. It is great to see this from you. Very neat and explanatory stuff with lot of screenshots make this a very good resource for reference.
Great Blog post, very clearly explained. Thank you
Please don't use this script when you have Session Handling enabled in your integration flow. The flow itself will take care that cookies with the same scope are re-used across calls.
Excellent point!
Does session handling take care of the CSRF token fetching part as well?
No, Praveen. Some adapters do this automatically if configured; for other adapters you have to do it yourself. The session handling is independent of that.
Thanks for your reply. What is the retry mechanism used by supporting adapters? Sometimes I am seeing 403 issue with Stale cookies and CSRF Tokens in POSTMAN. Does it ever happen with Integration flows?
Great post. This helped a lot in understanding the process.
Thanks for highlighting the cookies part.
Very clear! Thank you!
Thank you so much, Axel Albrecht, for highlighting it. Attaching the related screenshot for others’ reference.
Hi Nikhil Walsetwar
Thank you for the screenshot. Is there a way to pass the body which comes from the client / Postman to Request Reply 2?
Thanks,
Thamizharasan.