Disable Authentication Pop Up and CSRF Token For O... - SAP Community

Disable Authentication pop up and CSRF token for OData calls (using SAP Netweaver Gateway)

Sharadha1
Active Contributor

‎08-05-2015 3:47 PM

 13 Kudos  53,180

Hi,
I have seen loads of threads with the same topic but none of them specify the
complete solution. They all give solutions in bits and pieces. After struggling for
the past couple of days, I managed to crack it.

Issue:

You have developed an application (which is used to modify data in the backend) using SAP UI5 as front end (deployed in NetWeaver Portal) with NetWeaver Gateway OData services as backend. You want the OData calls from the UI to not show login pop-ups when the request is sent to the SAP Gateway server.

Solution:

An obvious one: set up the user credentials in the 'Logon tab' of the SICF service.

Test it. Hey, it works!! No authentication pop up. But you are too quick. Test the complete cycle until the data is saved in your UI5 application. You will find that you are getting 'CSRF token invalid' or 'CSRF token undefined' or an error message similar to this (along with HTTP status code 403 (Forbidden)) in the console. This error goes away as soon as you remove the user credentials from the logon tab of the SICF service.

Issue:

You want both features: there must not be any authentication pop ups when the application is accessed AND the application should be able to save/modify data without any issue.

What happens:

According to the link Cross-Site Request Forgery Protection - SAP Gateway Foundation (SAP_GWFND) - SAP Library, the framework checks, for all modifying requests, the validity of the CSRF token in the request. The validation is done by the ICF runtime, which checks against the token from the "anti-XSRF cookie". If the validation fails, an HTTP status code 403 (Forbidden) is sent back.

When you provide logon details in the ICF node, you will not get a CSRF token from the system. This is because CSRF protection works only for services that require authentication. But when you send a modifying request to the framework, it expects a CSRF token by default and hence the save fails.

Solution:

The only way is to disable the CSRF protection mechanism. The CSRF link above mentions how to disable it in the SICF service node. But that alone will not disable the CSRF token check. You also have to add the header 'X-Requested-With' with a value of 'X' to the OData request to disable the CSRF token check completely.

Steps

1. Set the value of ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of your service (the steps are given towards the end of the link Cross-Site Request Forgery Protection - SAP Gateway Foundation (SAP_GWFND) - SAP Library).

2. Maintain user credentials in the 'Logon Data' tab of your service. Remember, this is needed to avoid the authentication pop up.

3. Now, depending on which route you use to update data, add the headers:

a. If you use the OData Model to update data, make sure that you include the following lines BEFORE the create/put/delete call.

// Build the entity from the input controls on the view
var oEntry = {};
oEntry.Empid   = sap.ui.getCore().byId("Id").getValue();
oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
oEntry.Empadd  = sap.ui.getCore().byId("Address").getValue();
oEntry.Empdes  = sap.ui.getCore().byId("Role").getValue();

// oModelSav is the ODataModel used for the save; the header has to be
// set on the model before the modifying call is issued
oModelSav.setHeaders({"X-Requested-With" : "X"});
oModelSav.create('/EmployeeSet', oEntry, null, function() {
    alert("Employee Created Successfully - ");
}, function() {
    alert("Employee Creation Failed ");
});

b. If you are using a POST operation, use the code below.

Important Note: There is no need to issue a GET call before this since we do not want to use the CSRF token.

// oEntry is built from the view as in 3a
var oHeaders = {
    'X-Requested-With' : 'X',
    'Accept' : 'application/json'
};
OData.request({
    requestUri : "http://<server>:<port>/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/Emplo",
    method : "POST",
    headers : oHeaders,
    data : oEntry
},
function(data, request) {
    alert("Employee Created Successfully ");
    location.reload(true);
},
function(err) {
    alert("Employee Creation Failed ");
});

SAP Managed Tags: SAPUI5, SAP Enterprise Portal

Tags: Authentication, csrf, disable, gateway, invalid, odatamodel, pop, token, UI5, undefined

23 Comments

NagaPrakashT
Contributor

‎08-05-2015 4:11 PM

 0 Kudos

Hi Sharada,

Just have a doubt: where is your SAPUI5 application deployed?

If the SAPUI5 application is deployed in the front end/hub ABAP server, calling the OData from the SAPUI5 application will not show up an authentication popup.
Please correct me if I am wrong.

Thanks,

Naga

Sharadha1
Active Contributor

‎08-05-2015 4:15 PM

 0 Kudos

Naga,

This solution is for scenarios where the UI5 application is called from the portal. It is not clearly mentioned in the blog. I will modify it.
Thanks.

Sharadha
Former Member


‎10-21-2015 5:48 AM

 0 Kudos

Great research ..... Very helpful :smile:

Thanks ..

former_member210247
Explorer

‎11-05-2015 10:32 AM

 0 Kudos

Hi Sharada,

Did I get you correctly: you solved the issue by disabling the security mechanism?
I don't think that this is the best approach, because there was a good reason to establish the CSRF mechanism, to avoid any "Cross-Site Request Forgery attack".

There must be a best practice to get both: no logon popup (e.g. by SSO) and secure modification including the CSRF mechanism.

Regards Klaus

Sharadha1
Active Contributor

‎11-05-2015 11:48 AM

 0 Kudos

Klaus,
Ideally there should be a way, but as of now there is no option provided for this by SAP (as far as I know). Happy to learn if there is an alternate solution to this issue. Let me know if you come across any.

Many thanks,

Sharadha

Oliver_Baer
Explorer

‎10-06-2016 10:23 AM

 0 Kudos

Hi Sharada,

First I want to thank you, because I had the same problem and searched the whole day for a solution until I found your blog post. It works, but the solution is not really satisfying and can only be a workaround until I find a better solution.

Did anyone find a better solution in the meantime?

Regards, Oliver

sandroramos
Active Participant

‎10-06-2016 1:24 PM

 0 Kudos

Excellent!!!

A few days ago I got this Forbidden error and spent a lot of time until I found out that my authentication credentials saved in the SICF service were causing this error, just when I was trying to save data. After long hours of research I found a topic where a guy commented something along these lines.. and that worked!!! This document will be very helpful for future research, congrats!!!!
Regards,

Sandro Ramos

tdangwa
Explorer

‎10-19-2016 9:45 PM

 0 Kudos

sharadha.k
I have managed to disable the authentication pop up and CSRF token for OData calls using your method above. My problem now is that I am failing to achieve the same with file uploads. I am using sap.ui.unified.FileUploader to upload files.

Please Assist
Regards,

Terry
maheshpalavalli
Active Contributor

‎11-04-2016 10:04 AM

 0 Kudos

Hi Oliver,

Found any better solution than this? I am also having a similar issue.

Best Regards, Mahesh

Former Member


‎11-07-2016 5:06 AM

 0 Kudos

Hi Oliver,

One solution to this is to use Principal Propagation: https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html

But I am having trouble configuring it. If you have come across it and have implemented it, can you please guide us through it.

Regards,
Anand T

Former Member


‎11-07-2016 5:07 AM

 0 Kudos

Hi Klaus,

One solution to this is to use Principal Propagation: https://help.hana.ondemand.com/help/frameset.htm?d4d3e1e9b2dd44318b49a4812cd51383.html

But I am having trouble configuring it. If you have come across it and have implemented it, can you please guide us through it.

Regards,
Anand T

former_member208046
Explorer

‎11-21-2016 6:30 PM

 0 Kudos

I need to disable the pop up authentication when I use the document service in HCP.
Please help.

Oliver_Baer
Explorer

‎02-08-2017 12:13 PM

 0 Kudos
Hi Mahesh,

I'm sorry, but I didn't find a better solution yet.

Best regards, Oliver

Oliver_Baer
Explorer

‎02-08-2017 12:17 PM

 0 Kudos

Hi Anand,

sorry, but I don't use HCP.

Best regards, Oliver

Former Member

‎04-05-2017 4:17 AM

 2 Kudos

Hi Sharadha,

Thanks for this useful blog. Regarding adding "X-Requested-With: X" to the OData request header, it can also be added in the OData model's settings section under the models section in manifest.json. So you don't need to add it manually before calling the OData model.

Regards,
Nick

Former Member


‎05-09-2017 8:23 PM

 0 Kudos

Thank you! Helped me a lot!

Former Member


‎05-09-2017 8:23 PM

 0 Kudos

Thank you so much for a such detailed post about this issue! S2
former_member663752
Explorer

‎04-28-2020 8:22 AM

 0 Kudos

Very Well explained,

I have one question: is it possible to not have CSRF validation even after disabling, and is it also possible that the client doesn't need to pass the X-Requested-With value in the header?

Thank You,

Sagar

vigneshwar_reddy
Active Participant

‎05-07-2021 12:25 PM

 0 Kudos
Excellent.

Perfect solution.

Thanks.

otto_frost4
Participant

‎10-18-2021 2:40 PM

 0 Kudos

I'm implementing a plain ABAP service with REST in SICF, using CL_REST_HTTP_HANDLER as base class.

To turn off CSRF you override METHOD handle_csrf_token.

hempelbjr
Explorer

‎10-19-2021 4:02 PM
 0 Kudos

Thanks for the great solution. We have one problem left:

We have to call the API first and pass all cookies with the POST. Otherwise the POST will return with HTTP code 200 and is handled as a GET request.

Anyone having the same problem?

Our API is made with RAP and CDS.

former_member768929
Discoverer

‎04-11-2023 1:24 PM

 0 Kudos

Hi Terry,

By any chance, do you remember how you fixed the above issue for the file uploader?
Thanks

Tanisha

srinivastaduka
Explorer

an hour ago

 0 Kudos

Hi All,

Please see the step-by-step guide to access the GET & POST methods from Postman without being asked for any credentials.

1) Create an OData service and follow the regular steps to register the service.

2) Redefine the below methods:

3) Settings in SICF for the service:
Create a user id with credentials; the user type must be 'Service'.
Maintain the user credentials in the service like below.

4) Call the GET method from the Gateway client & Postman.

GET from Gateway:

GET method from Postman:

5) POST method:
POST from Gateway:
Here we need to select '$batch' from the 'ADD URI option', change the entityset name in the HTTP request payload, add the payload data like below and click on execute.

In my case I have considered only two fields (Vbeln & Ernam).

POST from Postman:

Pass X-Requested-With = X in the header.

Pass the payload in the body.

Click on send: see the results below.

Once clicked, the backend method 'create_entity' gets triggered.

I have created a custom table with one field; in my case the table got updated with the sales order number.

Thank You,
Srini T
