Former Member
Aug 06, 2015 at 01:52 PM

OData update Forbidden


Hello everyone,

I have built a Fiori application using an OData service that is created in the XS engine and accessed via an .xsodata file. I am able to show the data (executing GET HTTP requests). However, I cannot do a write (PUT, POST) or a delete (DELETE) on the database. It gives me the following error:

PUT https://webidetesting*****-*****.dispatcher.neo.ondemand.com/datasetcorpus/Dataset(47L) 403 (Forbidden)

The server refused to fulfill the request. More information about why the request was refused may be found in the server logs.


Now I will describe everything I have tried, without any success. The first thing I tried was OData.request(); then I decided to use the update(), create() and delete() methods of sap.m.oDataModel.

In the .xsaccess file I have tried both with and without using an X-CSRF-Token header.

In the first case I have in the .xsaccess:

"prevent_xsrf" : true

Then I take the header from a GET request and pass it to a PUT request as follows:

var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();
// Ask the service for a token on the GET; the server returns it in the
// X-CSRF-Token response header.
oModel.setHeaders({
    "X-Requested-With": "XMLHttpRequest",   // a comma was missing after this entry
    "Content-Type": "application/json",
    "DataServiceVersion": "2.0",
    "X-CSRF-Token": "Fetch"
});
oModel.read(bindingContext.getPath(), null, null, true,
    function(oData, oResponse) {
        alert("Read successful");
        // read() is asynchronous, so the token only exists inside this success
        // callback; the PUT must be issued from here, not after the read() call,
        // otherwise it is sent with an undefined token.
        var headerXcsrfToken = oResponse.headers["X-CSRF-Token"] ||
                               oResponse.headers["x-csrf-token"];
        oModel.setHeaders({
            "X-Requested-With": "XMLHttpRequest",
            "Content-Type": "application/json",
            "DataServiceVersion": "2.0",
            "X-CSRF-Token": headerXcsrfToken
        });
        oModel.update(bindingContext.getPath(), oEntry, null,
            function() {
                alert("Update successful");
            },
            function() {
                alert("Update failed");
            });
    },
    function() {
        alert("Read failed");
    });


I have also tried using this instead of the oModel.read() to handle the X-CSRF token automatically:

oModel.refreshSecurityToken();


In the second case, without using an X-CSRF token, I have in the .xsaccess:

"prevent_xsrf" : true

And my code is then just as follows:

var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();
// No token handling at all: the PUT is sent with the model's default headers.
oModel.update(bindingContext.getPath(), oEntry, null,
    function() {
        alert("Update successful");
    },
    function() {
        alert("Update failed");
    });


None of the approaches worked. Apparently the issue is not only the X-CSRF token. What I have also tried, unsuccessfully, is executing POST, PUT and DELETE from a REST client with Basic Authentication (since we use Basic in the .xsaccess file) and with the technical user of our database.

Then I took a look at the Server logs as suggested by the 403 Forbidden error and this is what I have found from the xsengine log:

2015-08-05 08:51:25.519895 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 10, Message: invalid username or password at ptime/query/catalog/userinfo.cc:958

[2435]{2435}[-1/-1] 2015-08-05 08:51:51.388753 i TraceContext TraceContext.cpp(00827) : UserName=, ApplicationName=*****, ApplicationSource=*******/****.xsodata/, EppRootContextId=*****C3A6, EppTransactionId=*****FC81, EppConnectionId=*****3431, EppConnectionCounter=0, EppComponentName=SAP_E2E_TA_UI5LIB, EppAction=Step 2

2015-08-05 08:51:51.388717 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 416, Message: user is locked; try again later: lock time is 1440 minutes; user is locked until 2015-08-06 08:51:51.3830000 (given in UTC) [1440,2015-08-06 08:51:51.3830000] at ptime/query/catalog/userinfo.cc:952

and from the HTTP log:

172.16.240.17 (172.16.240.21) - - [05/Aug/2015:13:42:59 +0000] DELETE ****/datasets/***.xsodata/Temp(1) HTTP/1.1 403 1932 9

Apparently the technical user is locked for 1440 minutes (24 hours). I used the wrong password, and that is why the technical user was locked. After these 24 hours had passed I tried updating the database again, this time with the correct password, but it still does not work. No entry is written to the xsengine log; I only see the entry in the HTTP log.


Does anyone have any idea how to unlock the technical user before these 24 hours, and how this affects the whole problem that I have?


Thank you very much in advance.


Best Regards,

Elena