Former Member

OData update Forbidden

Hello everyone,

I have built a Fiori Application using OData Service, which is created from the XS engine and is accessed via an .xsodata file. I am able to show the data (executing GET HTTP requests). However, I cannot do a write (PUT, POST) or delete (DELETE) on the database. It gives me the following error:

PUT https://webidetesting*****-*****.dispatcher.neo.ondemand.com/datasetcorpus/Dataset(47L) 403 (Forbidden)

The server refused to fulfill the request. More information about why the request was refused may be found in the server logs.


Now I will describe everything I have tried without any success. First thing I tried is using OData.request(), then I decided to use the update(), create(), delete() methods from sap.m.oDataModel.

In the .xsaccess file I have tried both with and without using an X-CSRF-Token header.

In the first case I have in the .xsaccess:

"prevent_xsrf" : true

Then I take the header from a GET request and pass it to a PUT request as follows:

var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();
// Ask the service for a CSRF token with the next GET request
oModel.setHeaders({
     "X-Requested-With": "XMLHttpRequest",
     "Content-Type": "application/json",
     "DataServiceVersion": "2.0",
     "X-CSRF-Token": "Fetch"
});
oModel.read(bindingContext.getPath(), null, null, true,
     function(oData, oResponse){
          alert("Read successful");
          // read() is asynchronous, so the token only exists inside this
          // callback; set the header and send the update from here
          var headerXcsrfToken = oResponse.headers['X-CSRF-Token'];
          oModel.setHeaders({
               "X-Requested-With": "XMLHttpRequest",
               "Content-Type": "application/json",
               "DataServiceVersion": "2.0",
               "X-CSRF-Token": headerXcsrfToken
          });
          oModel.update(bindingContext.getPath(), oEntry, null,
               function() {
                    alert("Update successful");
               },
               function() {
                    alert("Update failed");
               });
     },
     function() {
          alert("Read failed");
     });


I have also tried using this instead of the oModel.read() to handle the X-CSRF token automatically:

oModel.refreshSecurityToken();


In the second case without using an X-CSRF token I have in the .xsaccess:

"prevent_xsrf" : true

And my code is then just as follows:

var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();
// No token handling at all: the update is sent directly
oModel.update(bindingContext.getPath(), oEntry, null,
     function() {
          alert("Update successful");
     },
     function() {
          alert("Update failed");
     });


None of the approaches worked. Apparently the issue is not only in the X-CSRF token. What I have also unsuccessfully tried is executing POST, PUT, DELETE using a REST client, with Basic Authentication (since we are using Basic in the .xsaccess file) and with the technical user for our database.

Then I took a look at the Server logs as suggested by the 403 Forbidden error and this is what I have found from the xsengine log:

2015-08-05 08:51:25.519895 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 10, Message: invalid username or password at ptime/query/catalog/userinfo.cc:958

[2435]{2435}[-1/-1] 2015-08-05 08:51:51.388753 i TraceContext TraceContext.cpp(00827) : UserName=, ApplicationName=*****, ApplicationSource=*******/****.xsodata/, EppRootContextId=*****C3A6, EppTransactionId=*****FC81, EppConnectionId=*****3431, EppConnectionCounter=0, EppComponentName=SAP_E2E_TA_UI5LIB, EppAction=Step 2

2015-08-05 08:51:51.388717 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 416, Message: user is locked; try again later: lock time is 1440 minutes; user is locked until 2015-08-06 08:51:51.3830000 (given in UTC) [1440,2015-08-06 08:51:51.3830000] at ptime/query/catalog/userinfo.cc:952

and from the HTTP log:

172.16.240.17 (172.16.240.21) - - [05/Aug/2015:13:42:59 +0000] DELETE ****/datasets/***.xsodata/Temp(1) HTTP/1.1 403 1932 9

Apparently the technical user is being locked for 1440 minutes (24 hours). I used the wrong password and that is why the technical user was locked. After these 24 hours passed I also tried updating the database this time with the correct password, but again it does not work. No log is saved in the xsengine logs, I see the entry only in the HTTP log.


Does anyone have any idea how to unlock the technical user before these 24 hours, and how this affects the whole problem that I have?


Thank you very much in advance.


Best Regards,

Elena
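The token handshake from the question, as an added example that is not part of the original post: a constructed in-memory stand-in for an .xsodata endpoint with prevent_xsrf enabled shows that sending the PUT before the read callback has delivered the token is answered with a 403, while issuing the PUT from inside that callback succeeds. The mock server and the function names are assumptions, not XS engine or UI5 APIs.

```javascript
// Added example, not code from the original post or from SAP. Constructed mock
// of an .xsodata endpoint with "prevent_xsrf": true; names are assumed.
function makeMockXsServer() {
  var issued = new Set(), pending = [];
  function handle(method, headers) {
    if (method === "GET") {
      // Only a GET carrying "X-CSRF-Token: Fetch" gets a token back
      if (headers["X-CSRF-Token"] !== "Fetch") return { status: 200, headers: {} };
      var token = "tok-" + (issued.size + 1);
      issued.add(token);
      return { status: 200, headers: { "X-CSRF-Token": token } };
    }
    // PUT/POST/DELETE: rejected with 403 unless an issued token is presented
    return issued.has(headers["X-CSRF-Token"]) ? { status: 204 } : { status: 403 };
  }
  return {
    // Queue a request; like an XHR, the callback runs only later, on flush()
    request: function (method, path, headers, fnDone) {
      var res = handle(method, headers);
      pending.push(function () { fnDone(res); });
    },
    flush: function () { while (pending.length) pending.shift()(); }
  };
}

// The post's ordering: read() is queued, then update() is sent immediately,
// so headerXcsrfToken is still undefined when the PUT headers are captured.
function updateRacy(server, path) {
  var status, headerXcsrfToken;
  server.request("GET", path, { "X-CSRF-Token": "Fetch" }, function (res) {
    headerXcsrfToken = res.headers["X-CSRF-Token"];
  });
  server.request("PUT", path, { "X-CSRF-Token": headerXcsrfToken }, function (res) {
    status = res.status;
  });
  server.flush();
  return status; // 403
}

// Corrected ordering: the PUT is issued from inside the GET's success callback.
function updateChained(server, path) {
  var status;
  server.request("GET", path, { "X-CSRF-Token": "Fetch" }, function (res) {
    server.request("PUT", path, { "X-CSRF-Token": res.headers["X-CSRF-Token"] },
      function (r) { status = r.status; });
  });
  server.flush();
  return status; // 204
}
```

A 403 caused by a locked or wrongly authenticated technical user looks identical to a CSRF rejection on the client side; only the xsengine trace, as in the log excerpts above, tells the two apart.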

3 Answers

  • Best Answer
    Posted on Oct 06, 2015 at 08:19 AM

    Hi Elena,

    Have you resolved the issue...?

    Please share the solution if you have resolved it!

    Regards,

    ThamizharasaN.


  • Posted on Aug 31, 2015 at 09:16 AM

    Hi Elena

    I think the problem here might be that what XS needs is the SAML IdP user, not the DB one.

    Possibly the two have different passwords (if not different userid at all), hence the error.

    You could try to logon with a userid from SAP ID service, which I guess is your default IdP, unless you configured a different one.

    thanks, regards

    Vincenzo


  • Posted on Oct 07, 2015 at 07:46 AM

    Hello Elena and Daniel,

    Thank you for your response.

    For us, it turned out to be an incorrect .xsaccess file and an incorrect entry in the web dispatcher.

    We are trying to build a custom KPI-based analytical application. Have you tried it?

    Regards,

    Karan
