Skip to Content
Former Member
Dec 10, 2013 at 05:41 PM

Problems Calling HAP_DOCUMENT With New XSRF Functionality


Back in 2008, we had developed a utility in which an employee of our client could initiate a 360 Degree appraisal with appraisers that were not employees of the client (we termed them "External Reviewers") and therefore did not have access to the client's portal. When the employee invited an external reviewer, the employee would specify an email address for that External Reviewer. With that, we would send the External Reviewer an email, notifying him/her of the invitation and providing a link to a custom BSP where he/she could accept or decline the invitation. The link included an External Alias to the custom BSP, and that External Alias had a "System" user attached to it in order to avoid the login popup.

When the External Reviewer accessed the link and navigated to the BSP, the BSP provided "Accept" and "Decline" buttons. If the External Reviewer accepted, then the BSP would generate an appraisal, and set the "System" user as the appraiser. The BSP would then provide a link to the appraisal. Once again, we used an External Alias to point to BSP "HAP_DOCUMENT", page "document_portal.htm".

This has worked fine until we just installed an HRSP upgrade that included SAP's new XSRF functionality. I tried shutting off XSRF Protection in HAP_DOCUMENT, but the "document_portal.htm" page explicitly calls "runtime->get_token()" in OnInitialization. GET_TOKEN, in turn, calls

server->get_xsrf_token(). This returns with exception "CALLED_BY_PUBLIC_SERVICE", which eventually leads to an ABAP dump. I tried calling the "document.htm" page instead of "document_portal.htm", but with no luck.

Has anyone out there built appraisal functionality where you allow appraisers that are external to the company and therefore have no portal access? I believe that this is also kind of similar to having external candidates in an e-recruiting scenario?


Manny Pacheco