Usage of CSRF token in ABAP for POST request

former_member445147
Participant
9,041

Hi Experts

I have problems while using REST POST operations in an ABAP report in the context of the CSRF token.

Problem: here I'm getting a 403 bad request, CSRF token validation failed, even though I'm passing the token and the session.

But the same thing is working in the REST client.

Here is the report code:

1) The first part is getting the token.

2) Validating the token.

How to solve this issue?

REPORT zcsrf_validation.

DATA lo_client             TYPE REF TO if_http_client.
DATA lo_response           TYPE REF TO if_rest_entity.
DATA lv_response           TYPE string.
DATA lv_token              TYPE string.
DATA lv_session            TYPE string.
DATA lv_xcrf               TYPE string.
DATA lv_http_status        TYPE string.
DATA gc_content_type_form  TYPE string VALUE 'application/json; charset=utf-8'.
DATA gc_url                TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.

"====================== Getting CSRF token ==========================================

cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 4 ).

lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->authenticate(
  EXPORTING
    client   = '100'        " R/3 system (client number from logon)
    username = 'user'       " ABAP System, User Logon Name
    password = 'password'   " Logon ID
    language = sy-langu ).  " SAP System, Current Language

" Ask the server to issue a CSRF token together with the GET response
lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = 'Fetch' ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_token   = lo_client->response->get_header_field( 'X-CSRF-Token' ).
lv_session = lo_client->response->get_header_field( 'set-cookie' ).

" Closing the client drops the session the token was issued for
lo_client->close( ).
FREE lo_client.
"=========================== end of Getting CSRF token ====================================

"========================= validation CSRF token with Post request =========================

" Second client instance: it starts a new session without the cookie from the GET
cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 4 ).

lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_post ).

lo_client->authenticate(
  EXPORTING
    client   = '100'        " R/3 system (client number from logon)
    username = 'user'       " ABAP System, User Logon Name
    password = 'password'   " Logon ID
    language = sy-langu ).

lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = lv_token ).

" The cookie is passed as a form field here, not as an HTTP header
lo_client->request->set_form_field(
  EXPORTING
    name  = 'Cookie'        " Name of form field
    value = lv_session ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_http_status = lo_client->response->get_header_field( '~status_code' ).
lv_response    = lo_client->response->get_header_field( '~status_reason' ).
lv_xcrf        = lo_client->response->get_header_field( 'x-csrf-token' ).

WRITE :/ 'Status:', lv_http_status.
WRITE :/ 'Response:', lv_response.
WRITE :/ 'CSRF-Token:', lv_xcrf.

Accepted Solutions (1)

GK817
Active Contributor

Hi Harish,

Can you try enabling the acceptance of cookies in your client?

lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled.

GK

former_member445147
Participant
0 Kudos

Hi Gaurav Karkara,

Thanks for the reply. I tried, but it is not working.

GK817
Active Contributor
0 Kudos

Where are you setting it? GET request or POST request?

GK817
Active Contributor

Also, can you try by not creating a new client instance while POST, but use the same client instance as GET request?

Sandra_Rossi
Active Contributor
0 Kudos

Solution works, as confirmed by Harish in separate answer...

former_member445147
Participant
0 Kudos

Hi Gaurav Karkara,

Thanks a lot. Yes, it will work.

We need to add lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled. and we need to remove the new client creation.

Here is the working code

*&---------------------------------------------------------------------*
*& Report ZCSRF_VALIDATION
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zcsrf_validation.

DATA lo_client             TYPE REF TO if_http_client.
DATA lo_response           TYPE REF TO if_rest_entity.
DATA lv_response           TYPE string.
DATA lv_token              TYPE string.
DATA lv_session            TYPE string.
DATA lv_xcrf               TYPE string.
DATA lv_http_status        TYPE string.
DATA gc_content_type_form  TYPE string VALUE 'application/json; charset=utf-8'.
DATA gc_url                TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.

"====================== Getting CSRF token ==========================================

cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 4 ).

lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->authenticate(
  EXPORTING
    client   = '100'        " R/3 system (client number from logon)
    username = 'user'       " ABAP System, User Logon Name
    password = 'password'   " Logon ID
    language = sy-langu ).  " SAP System, Current Language

" Let the client store the session cookie from the GET response and send it
" again on the following POST (the fix from the accepted answer)
lo_client->propertytype_accept_cookie = if_http_client=>co_enabled.

lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = 'Fetch' ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_token   = lo_client->response->get_header_field( 'X-CSRF-Token' ).
lv_session = lo_client->response->get_header_field( 'set-cookie' ).

*"=========================== end of Getting CSRF token =========================================

*"========================= validation CSRF token with Post request ==============================

" Same client instance as the GET: no close( ) and no second create_by_url( ),
" so the session the token belongs to is still open
lo_client->request->set_method( if_http_request=>co_request_method_post ).

lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = lv_token ).

lo_client->request->set_form_field(
  EXPORTING
    name  = 'Cookie'        " Name of form field
    value = lv_session ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_http_status = lo_client->response->get_header_field( '~status_code' ).
lv_response    = lo_client->response->get_header_field( '~status_reason' ).
lv_xcrf        = lo_client->response->get_header_field( 'x-csrf-token' ).

WRITE :/ 'Status:', lv_http_status.
WRITE :/ 'Response:', lv_response.
WRITE :/ 'CSRF-Token:', lv_xcrf.

0 Kudos

Hi Mr. Karkara,
It works for me also. Thank you for the solution.
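As an added example (not code from this thread or from any of its posters), the accepted fix folded into one method with the checks the posted report leaves out: a single client instance, cookie acceptance enabled, sy-subrc tested after every send/receive, and the POST skipped when the server returned no token. The class name, the client number, user, password and URL are placeholders.

```abap
CLASS lcl_csrf_post DEFINITION.
  PUBLIC SECTION.
    CLASS-METHODS post IMPORTING iv_url TYPE string iv_body TYPE string
                       RETURNING VALUE(rv_status) TYPE i.  " 0 = no response
ENDCLASS.

CLASS lcl_csrf_post IMPLEMENTATION.
  METHOD post.
    DATA: lo_client TYPE REF TO if_http_client,
          lv_token  TYPE string.
    cl_http_client=>create_by_url( EXPORTING  url    = iv_url
                                   IMPORTING  client = lo_client
                                   EXCEPTIONS OTHERS = 4 ).
    IF sy-subrc <> 0.
      RETURN.
    ENDIF.
    " The token is bound to the server session, identified by its cookie; with
    " cookie acceptance on, the client replays that cookie on the POST itself.
    lo_client->propertytype_accept_cookie = if_http_client=>co_enabled.
    lo_client->authenticate( client = '100' username = 'user' password = 'password' ). " placeholders
    " Step 1: GET with X-CSRF-Token: Fetch to obtain a token for this session
    lo_client->request->set_method( if_http_request=>co_request_method_get ).
    lo_client->request->set_header_field( name = 'X-CSRF-Token' value = 'Fetch' ).
    lo_client->send( EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 1 ).
    ENDIF.
    IF sy-subrc = 0.
      lv_token = lo_client->response->get_header_field( 'x-csrf-token' ).
    ENDIF.
    IF lv_token IS INITIAL OR lv_token = 'Required'.
      lo_client->close( ).  " no usable token, so do not attempt the POST
      RETURN.
    ENDIF.
    " Step 2: POST on the same client instance (no close, no second create_by_url)
    lo_client->request->set_method( if_http_request=>co_request_method_post ).
    lo_client->request->set_content_type( 'application/json; charset=utf-8' ).
    lo_client->request->set_header_field( name = 'X-CSRF-Token' value = lv_token ).
    lo_client->request->set_cdata( iv_body ).
    lo_client->send( EXCEPTIONS OTHERS = 1 ).
    IF sy-subrc = 0.
      lo_client->receive( EXCEPTIONS OTHERS = 1 ).
    ENDIF.
    IF sy-subrc = 0.
      " 403 plus 'x-csrf-token: Required' in the response is the original symptom
      lo_client->response->get_status( IMPORTING code = rv_status ).
    ENDIF.
    lo_client->close( ).
  ENDMETHOD.
ENDCLASS.
```

Call it as lcl_csrf_post=>post( iv_url = gc_url iv_body = lv_json ) and treat any result other than a 2xx code as a failed edit rather than only writing the status to the list.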

Answers (0)