on 09-04-2020 11:30 AM
Hi Experts,
I have one OData service with a POST method and JSON input/request. The external app (Mule) calls the SAP OData service with GET to fetch the token and, when making the POST call, it supplies the same token fetched via the GET call. Surprisingly, SAP gives a 403 Forbidden error, error message - CSRF token validation failed.
I debugged the SAP internal code and it looks like it gives this error due to a mismatch of the token code.
SAP internally calls the security context class/method and gets the token for that call and tries to match it with the token which came during the API call.
Security context is not the correct token and does not match with GET call token.
From Postman it works fine as expected, i.e. GET and POST, but when calling the API from Mulesoft it gives a 403 error.
Any idea on this issue?
I can have this working by disabling the x-csrf-token but that's not the ideal approach.
Thanks
Govind Parmar
Hi Govind,
Try this in your postman testing:
1. Execute GET request to fetch the Token
2. Delete the cookies that were set by the GET response (the cookies are just below the Send button)
3. Lastly, execute the POST request
The result is you will get:
CSRF token validation failed
In short, you need to send cookies as well during POST request.
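The point in the answer above is that the CSRF token SAP returns is bound to the session cookie issued in the same GET response: presenting the token without that cookie makes the gateway look up a different (or no) security context, and the comparison fails with exactly the 403 described. The script below is an added illustration, not code from the thread or from SAP or Mulesoft; it runs a small constructed stand-in gateway in-process (the cookie name `SESSIONID`, the path `/odata/DemoSet` and the payload are made up for the demo) and then performs the fetch-then-POST handshake twice, once forwarding the `Set-Cookie` values as a `Cookie` header and once dropping them, so you can see the 201 versus the 403 side by side.

```python
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed in-memory store for the stand-in gateway: session id -> CSRF token.
# A token is only valid when presented together with the session that issued it.
SESSIONS = {}


class StandInGateway(BaseHTTPRequestHandler):
    """Minimal stand-in for an OData endpoint using the X-CSRF-Token handshake."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def _session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SESSIONID":  # constructed cookie name
                return value
        return None

    def do_GET(self):
        # Only a GET carrying "X-CSRF-Token: Fetch" receives a token, and that
        # token is tied to a freshly issued session cookie.
        if self.headers.get("X-CSRF-Token", "").lower() != "fetch":
            self.send_response(200)
            self.end_headers()
            return
        sid, token = secrets.token_hex(8), secrets.token_urlsafe(16)
        SESSIONS[sid] = token
        self.send_response(200)
        self.send_header("Set-Cookie", f"SESSIONID={sid}; Path=/; HttpOnly")
        self.send_header("X-CSRF-Token", token)
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        sid = self._session_id()
        token = self.headers.get("X-CSRF-Token")
        # Token must match the one stored for the session named by the cookie.
        if sid is None or SESSIONS.get(sid) != token:
            self.send_response(403)
            self.send_header("X-CSRF-Token", "Required")
            self.end_headers()
            self.wfile.write(b"CSRF token validation failed")
            return
        self.send_response(201)
        self.end_headers()
        self.wfile.write(b"created")


def start_gateway():
    """Start the stand-in gateway on a free local port; returns (server, base URL)."""
    srv = HTTPServer(("127.0.0.1", 0), StandInGateway)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def cookie_header(set_cookie_values):
    """Turn Set-Cookie response headers into a Cookie request header value."""
    return "; ".join(v.split(";", 1)[0] for v in set_cookie_values)


def csrf_post(base_url, path, body, forward_cookies=True):
    """Fetch the token with GET, then POST with it. Returns the POST status code."""
    fetch = urllib.request.Request(base_url + path, headers={"X-CSRF-Token": "Fetch"})
    with urllib.request.urlopen(fetch) as resp:
        token = resp.headers["X-CSRF-Token"]
        cookies = resp.headers.get_all("Set-Cookie") or []
    headers = {"X-CSRF-Token": token, "Content-Type": "application/json"}
    if forward_cookies and cookies:
        headers["Cookie"] = cookie_header(cookies)  # the step the Mule flow must do
    post = urllib.request.Request(base_url + path, data=body, method="POST", headers=headers)
    try:
        with urllib.request.urlopen(post) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Returns (status with cookies forwarded, status with cookies dropped)."""
    srv, base = start_gateway()
    try:
        body = b'{"Name": "demo"}'  # constructed request payload
        return (csrf_post(base, "/odata/DemoSet", body, forward_cookies=True),
                csrf_post(base, "/odata/DemoSet", body, forward_cookies=False))
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())  # (201, 403)
```

When checking a Mule flow against this, compare the raw HTTP of the POST, not just the token header: if no `Cookie` header accompanies the `X-CSRF-Token`, the gateway has no session to validate it against, and the trace will show the same mismatch the question describes.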
Hi Jhodel,
Thanks for your reply. When the Mulesoft app does the GET call , SAP does not return the cookie back to Mule.
When I try to simulate the API in SEGW / SAP Gateway Client I can see the cookie in the response header. When Mule triggers the GET Call, in the SAP trace I don't see the cookie being returned in the response header.
Do we have any issue in the API/OData service?
Thanks
Govind