CSRF token validation failed

Former Member

Hi Experts,

I am getting a "CSRF token validation failed" error in the POST method, in OData.request().

Our architecture is:

The Gateway server is common for CRM and ECC

NetWeaver Gateway --> CRM, ECC

The POST method is working for the CRM services, but it is not working for the ECC services.

But the GET method is working for both the CRM services and the ECC services.

I tried passing 'X-CSRF-Token', but still the same problem.

Note: in SICF I set ~CHECK_CSRF_TOKEN = 0 for all the corresponding services, in both systems (CRM and ECC).

I also tried following the index.html document, section Cross-Site Request Forgery (CSRF), of the link

Getting Started with Kapsel - Appendix D -- Security, but still the same problem.

Daniel Van Leeuwen




Thanks in advance

Suresh



Answers (1)

Former Member

Hi,

Did you try testing these services in a browser REST client like Postman or Advanced REST Client? Have you deployed these services in SMP? If yes, what is the SMP/SUP version, and which native language are you using to call the services?

Regards,

Abhishek Wajge

Former Member

Hi Abhishek Wajge,

Thanks for input,

We are testing from Chrome launched with --disable-web-security.

We are using OData.request() for the POST method in JavaScript.

I set ~CHECK_CSRF_TOKEN = 0 for all the services in SICF of NetWeaver Gateway.

Then the service for CRM is working fine, but the service for ECC is not working.

In ECC we are getting the "CSRF token validation failed" message.

Are there any settings that need to be done for this in RZ10 of ECC?


What I observed is: if I remove ~CHECK_CSRF_TOKEN = 0, then my service is working internally.

If I call the service through the relay server, then it is not working.

I am calling OData.request() to fetch the token, but I can't get the cookie from this method. Which header do we need to set to get the cookie?

When I call OData.request() with the relay server URL continuously, I am getting different CSRF token values.

But if I call OData.request() with the local URL, I am getting the same URL for a while.

jitendra kansal

Midhun VP

Daniel Van Leeuwen


Thanks in advance

Suresh

jangold

Hi,

I have no experience with the relay server, but I found this problem when I was using the SMP server. Are you communicating with NetWeaver Gateway through SMP?

Can you post here headers of get request and response? I would like to see the cookies in response.

Regards,

JG

Former Member

What version of the Relay Server?  Also, are you using this through SMP?

I seem to recall an issue with this combination.  I believe the later patches corrected it so you might try updating each. 

I think you want to be on SMP 2.3.4 (2.3.3 may work as well) and Relay Server 16.0.1453 or higher

Edgar

Former Member

Hi Edgar, JG,

Thanks for reply,

Our architecture is Gateway -----> ECC, CRM

For the OData services of CRM, the POST method is working,

But the OData services for ECC are not working.

Are there any settings we need to do in RZ10?

What I observed is that the setting ~CHECK_CSRF_TOKEN = 0 in SICF is not working for the services of ECC.



Thanks

Suresh Babu

jangold

Hi Suresh,

I tried to create an entity without x-csrf-token and the result was 201 Created ;-).

I was following the steps described in the configuration for SAP NWGW:

  1. in the SICF transaction I found my service and clicked GUI Configuration, where I entered ~CHECK_CSRF_TOKEN = 0
  2. in my request client I set up:
  • URL with path to my service + entity set
  • method = POST
  • headers:
    • Content-Type=application/atom+xml
    • X-REQUESTED-WITH=XMLHTTPRequest
  • body with xml of created entity
  • authentication

And that is all I need to create entity without x-csrf-token.

Hope this information help you.

G.