
How to disable x-csrf-token in SICF service (not ODATA service)

0 Kudos

Hi Friends,

I have developed a simple REST service using the SICF framework in ECC. The functionality of this service is to create a transaction in the SAP system, so I have implemented a POST method.

I have created a service using the SICF transaction code in SAP and provided my class name in 'Handler List'. I have used the superclass CL_REST_HTTP_HANDLER for the handler class and CL_REST_RESOURCE for the resource class. Activated the service. Everything is looking good. However, when I try to test the service from Postman it gives 'CSRF token validation failed'.

To fix this I have fetched the CSRF token by sending x-csrf-token = fetch in the header.

But my client doesn't want to call this service twice #1 to GET csrf token and then #2 to POST actual transaction.

I am looking for a way to disable this csrf-token so that my client can call my service only once to POST actual transaction.

I have gone through many threads on this topic, but all of them talk about OData services.

Thanks in advance,

Krishna Yerram.

Accepted Solutions (0)

Answers (3)


Thank you Thales for your answer.

The consumer of my service is an external system. They are saying NO to the CSRF token for the following reasons.

#1 Call made through my company VPN

#2 The payload is digitally signed, and a JSON Web Token is sent for verification.

However, I have set the "~CHECK_CSRF_TOKEN" parameter = 0 and provided X-Requested-With=X in the POST HTTP header, but I am still getting the 'CSRF token validation failed' message.

Step 1, Step 2, Step 3: (screenshots of the SICF configuration; images not included in this extract)

Am I missing anything? Please help.

thalesvb
Active Contributor

Hi krishnayerram (sorry for being late, you provided the info as an answer to your question, so I didn't get notified; I just saw it now), my bad about that. We have one 'in-house' development that follows the same OData principle to deactivate and I forgot that. Sorry about the long text too, it's important to reinforce the point about CSRF, some people deactivate it without thinking about the risks.

You'll need to dig a little deeper into the handler class to find how to deactivate it. If you used the ABAP REST Framework to implement your handler class (inheriting from the CL_REST_HTTP_HANDLER class) it should be easy to deactivate: just redefine the protected method HANDLE_CSRF_TOKEN in your handler class, without any code. This is the method that does the check and raises an exception when CSRF fails. An empty method means no exception is raised, therefore no CSRF validation.

I don't recall right now any other standard class that could be used as a base class, so I can't give other tips on how to disable it.

thalesvb
Active Contributor

Hi there,

You can basically follow the same procedure as for OData, just search for your REST service node in SICF instead of the OData service to put that "~CHECK_CSRF_TOKEN" parameter (also provide X-Requested-With=X in the POST HTTP header).

I hope you already know why the CSRF token exists, but your client surely doesn't. Since you mention a client, I guess you are not a direct employee of theirs. Explain the risks of skipping the GET token, and try as much as possible to convince them to keep the token enabled. If they still insist on skipping the token procedure, protect yourself. Escalate this issue to your manager, and if even that doesn't work, I would try to make this client sign a form assuming all the responsibility for this security issue (they are the ones requesting to make the system vulnerable) so that any damage caused by exploitation of that vulnerability cannot be proxied in any way to you/your company (like cancelling the current contract without penalties). This is one of those IT things where it is nice to have a lawyer involved on your side before any more steps are taken, or later they will probably have a lawyer on their side (unfortunately against you).

Maybe this little lecture will motivate them to accept two-step POSTing.

ashishbhatt
Explorer
0 Kudos

As per thalesvb, I tried it and it is working perfectly. As I work with a VPN-based connection, there is no major security issue.

If you want to bypass x-csrf-token, you have to redefine the HANDLE_CSRF_TOKEN method in your class without code. After that you can make the POST call without x-csrf-token. Just use the header "X-Requested-With = X" in the call.

You can also disable authentication in SICF -> Logon section.
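The following is an added example, not code from this thread, from SAP, or from either poster. It illustrates the HANDLE_CSRF_TOKEN redefinition that thalesvb and ashishbhatt describe above, but instead of leaving the method empty it narrows the skip to the case the original question actually has: a machine-to-machine caller that presents its own bearer credential (the JSON Web Token mentioned in the question) in the Authorization header. Everything else, such as a browser session riding on a logon cookie, SSO ticket or cached basic-auth credentials, still goes through the framework's default fetch-and-validate check. The class and resource names (ZCL_TXN_REST_HANDLER, ZCL_TXN_RESOURCE), the route '/transaction', and the importing parameters io_csrf_handler and io_request of HANDLE_CSRF_TOKEN are assumptions based on my recollection of CL_REST_HTTP_HANDLER; check the method signature in SE24 before activating. It also assumes the external system sends the JWT in the Authorization header rather than only inside the payload.

```abap
" Added example (not code from the thread or from SAP).
" Hypothetical handler class registered in the SICF node's Handler List.
" Assumed: HANDLE_CSRF_TOKEN importing parameters io_csrf_handler / io_request
" (verify in SE24); the resource class ZCL_TXN_RESOURCE is not shown here.
CLASS zcl_txn_rest_handler DEFINITION
  PUBLIC
  INHERITING FROM cl_rest_http_handler
  CREATE PUBLIC.

  PUBLIC SECTION.
    METHODS if_rest_application~get_root_handler REDEFINITION.

  PROTECTED SECTION.
    METHODS handle_csrf_token REDEFINITION.

ENDCLASS.

CLASS zcl_txn_rest_handler IMPLEMENTATION.

  METHOD if_rest_application~get_root_handler.
    " Route /transaction to the resource class that creates the SAP transaction
    " (usual CL_REST_ROUTER usage; resource class name is an assumption).
    DATA(lo_router) = NEW cl_rest_router( ).
    lo_router->attach( iv_template      = '/transaction'
                       iv_handler_class = 'ZCL_TXN_RESOURCE' ).
    ro_root_handler = lo_router.
  ENDMETHOD.

  METHOD handle_csrf_token.
    " CSRF is only a risk when the server authenticates the caller from
    " ambient credentials that a browser attaches on its own (logon cookie,
    " SSO ticket, cached basic-auth header). A caller that supplies an
    " explicit "Authorization: Bearer <JWT>" header cannot be impersonated
    " by a third-party web page, so the fetch round trip adds nothing there.
    DATA(lv_auth) = io_request->get_header_field( 'authorization' ).

    IF lv_auth IS NOT INITIAL AND lv_auth CP 'Bearer *'.
      " Bearer-authenticated machine-to-machine call: skip the token check.
      " Verifying the JWT signature itself belongs to the resource class.
      RETURN.
    ENDIF.

    " Any other request (cookie / SSO / "Authorization: Basic" sessions,
    " e.g. Postman with a saved logon cookie) keeps the framework's default
    " behaviour: honour "x-csrf-token: fetch" on GET and raise
    " CX_REST_CSRF_TOKEN on a modifying request without a valid token.
    super->handle_csrf_token( io_csrf_handler = io_csrf_handler
                              io_request      = io_request ).
  ENDMETHOD.

ENDCLASS.
```

The design point is that the condition, not the mere presence of the redefinition, is what keeps the service safe: an empty HANDLE_CSRF_TOKEN disables the check for every session type, including interactive users whose credentials the browser sends automatically, whereas gating on a bearer header disables it only for callers that already prove their identity per request. If the SICF node is set to basic authentication and the external system does not send a bearer header, the method above falls through to the default check, which is the correct outcome for that case.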