cancel
Showing results for 
Search instead for 
Did you mean: 

Usage of CSRF token in ABAP for POST request

former_member445147
Participant

Hi Experts

I have problems while using REST POST operations in ABAP report in context of the CSRF token.

Problem : here i'm getting 403 bad request , CSRF token validation is failed. even I'm passing the token and session

but same thing is working in the rest client .

Here is the report code

1) first part is getting token

2) Validating token

How to solve this issue

REPORT zcsrf_validation.





DATA lo_client                TYPE REF TO       if_http_client.

DATA lo_response              TYPE REF TO       if_rest_entity.

DATA lv_response              TYPE string.

DATA lv_token                 TYPE string.

DATA lv_session               TYPE string.

DATA lv_xcrf                  TYPE string.

DATA lv_http_status           TYPE string.

DATA  gc_content_type_form    TYPE string VALUE 'application/json; charset=utf-8'.

DATA  gc_url                  TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.





"======================Getting CSRF token ==========================================



cl_http_client=>create_by_url(

    EXPORTING

      url     = gc_url

    IMPORTING

      client  = lo_client

    EXCEPTIONS

      OTHERS  = 4 ).



lo_client->request->set_content_type( content_type = gc_content_type_form ).



lo_client->request->set_method( if_http_request=>co_request_method_get ).



lo_client->authenticate(

  EXPORTING

    client               =  '100'                " R/3 system (client number from logon)

    username             =  'user'               " ABAP System, User Logon Name

    password             =  'password'            " Logon ID

   language              =  sy-langu ).              " SAP System, Current Language



lo_client->request->set_header_field(

  EXPORTING

    name  =  'X-CSRF-Token'                " Name of the header field

    value =  'Fetch'   ).



lo_client->send(

      EXCEPTIONS

        http_communication_failure = 1

        http_invalid_state         = 2

        http_processing_failed     = 3

        http_invalid_timeout       = 4

        OTHERS                     = 5  ).





lo_client->receive(

  EXCEPTIONS

    http_communication_failure = 1

    http_invalid_state         = 2

    http_processing_failed     = 3

    OTHERS                     = 4 ).





lv_token    = lo_client->response->get_header_field('X-CSRF-Token').

lv_session  = lo_client->response->get_header_field('set-cookie').



lo_client->close( ).

FREE lo_client.

"===========================end of Getting CSRF token ====================================





"=========================validation CSRF token with Post request=========================



cl_http_client=>create_by_url(

    EXPORTING

      url     = gc_url

    IMPORTING

      client  = lo_client

    EXCEPTIONS

      OTHERS  = 4 ).



lo_client->request->set_content_type( content_type = gc_content_type_form ).



lo_client->request->set_method( if_http_request=>co_request_method_post ).



lo_client->authenticate(

  EXPORTING

    client               =  '100'                " R/3 system (client number from logon)

    username             =  'user'               " ABAP System, User Logon Name

    password             =  'password'                " Logon ID

   language              =  sy-langu ).



lo_client->request->set_header_field(

  EXPORTING

    name  = 'X-CSRF-Token'                " Name of the header field

    value =    lv_token  ).



lo_client->request->set_form_field(

  EXPORTING

    name  = 'Cookie'                    " Name of form field

    value =   lv_session   ).





lo_client->send(

      EXCEPTIONS

        http_communication_failure = 1

        http_invalid_state         = 2

        http_processing_failed     = 3

        http_invalid_timeout       = 4

        OTHERS                     = 5

    ).



lo_client->receive(

  EXCEPTIONS

    http_communication_failure = 1

    http_invalid_state         = 2

    http_processing_failed     = 3

    OTHERS                     = 4 ).



lv_http_status = lo_client->response->get_header_field( '~status_code' ).

lv_response    = lo_client->response->get_header_field('~status_reason' ).

lv_xcrf        = lo_client->response->get_header_field('x-csrf-token' ).



WRITE 😕 'Satus:', lv_http_status.

WRITE 😕 'Response:', lv_response.

WRITE 😕 'CSRF-Token:', lv_xcrf .
Sandra_Rossi
Active Contributor

Thank you for the feedback, but I guess it's best to place the code after correction under GK answer.

Accepted Solutions (1)

Accepted Solutions (1)

GK817
Active Contributor

Hi Harish,

Can you try enabling the acceptance of cookies in your client?

lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled.

GK

former_member445147
Participant
0 Kudos

Hi Gaurav karkara

Thanks for the reply , i tried , but it not working

GK817
Active Contributor
0 Kudos

Where are you setting it? GET request or POST request?

GK817
Active Contributor

Also, can you try by not creating a new client instance while POST, but use the same client instance as GET request?

Sandra_Rossi
Active Contributor
0 Kudos

Solution works, as confirmed by Harish in separate answer...

former_member445147
Participant
0 Kudos

Hi Gaurav Karkara

Thanks a lot Yes it will work

we need add lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled. and we need remove the new client creation .

Here is the working code

*&---------------------------------------------------------------------*


*& Report ZCSRF_VALIDATION


*&---------------------------------------------------------------------*


*&


*&---------------------------------------------------------------------*


REPORT zcsrf_validation.










DATA lo_client                TYPE REF TO       if_http_client.


DATA lo_response              TYPE REF TO       if_rest_entity.


DATA lv_response              TYPE string.


DATA lv_token                 TYPE string.


DATA lv_session               TYPE string.


DATA lv_xcrf                  TYPE string.


DATA lv_http_status           TYPE string.


DATA  gc_content_type_form    TYPE string VALUE 'application/json; charset=utf-8'.


DATA  gc_url                  TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.










"======================Getting CSRF token ==========================================






cl_http_client=>create_by_url(


    EXPORTING


      url     = gc_url


    IMPORTING


      client  = lo_client


    EXCEPTIONS


      OTHERS  = 4 ).






lo_client->request->set_content_type( content_type = gc_content_type_form ).






lo_client->request->set_method( if_http_request=>co_request_method_get ).






lo_client->authenticate(


  EXPORTING


    client               =  '100'                " R/3 system (client number from logon)


    username             =  'user'               " ABAP System, User Logon Name


    password             =  'password'                " Logon ID


   language              =  sy-langu ).              " SAP System, Current Language


lo_client->propertytype_accept_cookie = if_http_client=>co_enabled.




lo_client->request->set_header_field(


  EXPORTING


    name  =  'X-CSRF-Token'                " Name of the header field


    value =  'Fetch'   ).






lo_client->send(


      EXCEPTIONS


        http_communication_failure = 1


        http_invalid_state         = 2


        http_processing_failed     = 3


        http_invalid_timeout       = 4


        OTHERS                     = 5  ).










lo_client->receive(


  EXCEPTIONS


    http_communication_failure = 1


    http_invalid_state         = 2


    http_processing_failed     = 3


    OTHERS                     = 4 ).










lv_token    = lo_client->response->get_header_field('X-CSRF-Token').


lv_session  = lo_client->response->get_header_field('set-cookie').










*"===========================end of Getting CSRF token =========================================


*


*


*


*


*"=========================validation CSRF token with Post request==============================


*






*


lo_client->request->set_method( if_http_request=>co_request_method_post ).






lo_client->request->set_header_field(


  EXPORTING


    name  = 'X-CSRF-Token'                " Name of the header field


    value =    lv_token  ).






lo_client->request->set_form_field(


  EXPORTING


    name  = 'Cookie'                    " Name of form field


    value =   lv_session   ).










lo_client->send(


      EXCEPTIONS


        http_communication_failure = 1


        http_invalid_state         = 2


        http_processing_failed     = 3


        http_invalid_timeout       = 4


        OTHERS                     = 5


    ).






lo_client->receive(


  EXCEPTIONS


    http_communication_failure = 1


    http_invalid_state         = 2


    http_processing_failed     = 3


    OTHERS                     = 4 ).






lv_http_status = lo_client->response->get_header_field( '~status_code' ).


lv_response    = lo_client->response->get_header_field('~status_reason' ).


lv_xcrf        = lo_client->response->get_header_field('x-csrf-token' ).






WRITE 😕 'Satus:', lv_http_status.


WRITE 😕 'Response:', lv_response.


WRITE 😕 'CSRF-Token:', lv_xcrf .

0 Kudos

Hi Mr.Karkara,
It works for me also. Thank you for solition.

Answers (0)