Hi Experts,
I have problems while using REST POST operations in an ABAP report in the context of the CSRF token.
Problem: here I'm getting a 403 bad request, CSRF token validation failed, even though I'm passing the token and session,
but the same thing is working in the REST client.
Here is the report code:
1) The first part is getting the token
2) Validating the token
How can I solve this issue?
```abap
REPORT zcsrf_validation.

DATA lo_client      TYPE REF TO if_http_client.
DATA lo_response    TYPE REF TO if_rest_entity.
DATA lv_response    TYPE string.
DATA lv_token       TYPE string.
DATA lv_session     TYPE string.
DATA lv_xcrf        TYPE string.
DATA lv_http_status TYPE string.
DATA gc_content_type_form TYPE string VALUE 'application/json; charset=utf-8'.
DATA gc_url TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.

"====================== Getting CSRF token ======================
cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 4 ).

lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).

lo_client->authenticate(
  EXPORTING
    client   = '100'        " R/3 system (client number from logon)
    username = 'user'       " ABAP System, User Logon Name
    password = 'password'   " Logon ID
    language = sy-langu ).  " SAP System, Current Language

lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = 'Fetch' ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_token   = lo_client->response->get_header_field( 'X-CSRF-Token' ).
lv_session = lo_client->response->get_header_field( 'set-cookie' ).

lo_client->close( ).
FREE lo_client.
"====================== End of getting CSRF token ======================

"====================== Validating CSRF token with POST request ======================
cl_http_client=>create_by_url(
  EXPORTING
    url    = gc_url
  IMPORTING
    client = lo_client
  EXCEPTIONS
    OTHERS = 4 ).

lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_post ).

lo_client->authenticate(
  EXPORTING
    client   = '100'        " R/3 system (client number from logon)
    username = 'user'       " ABAP System, User Logon Name
    password = 'password'   " Logon ID
    language = sy-langu ).

lo_client->request->set_header_field(
  EXPORTING
    name  = 'X-CSRF-Token'  " Name of the header field
    value = lv_token ).

lo_client->request->set_form_field(
  EXPORTING
    name  = 'Cookie'        " Name of form field
    value = lv_session ).

lo_client->send(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    http_invalid_timeout       = 4
    OTHERS                     = 5 ).

lo_client->receive(
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3
    OTHERS                     = 4 ).

lv_http_status = lo_client->response->get_header_field( '~status_code' ).
lv_response    = lo_client->response->get_header_field( '~status_reason' ).
lv_xcrf        = lo_client->response->get_header_field( 'x-csrf-token' ).

WRITE :/ 'Status:', lv_http_status.
WRITE :/ 'Response:', lv_response.
WRITE :/ 'CSRF-Token:', lv_xcrf.
```
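An added example, not part of the original post and not run against the poster's system: the same fetch-then-POST flow kept on one `if_http_client` object, so the session cookie issued with the token goes back as a real `Cookie` header (in the report above it is sent with `set_form_field`, which adds a form field rather than a header, and the first client is closed before the POST). It assumes the server binds the CSRF token to that session cookie; the URL, credentials and JSON body are placeholders.

```abap
REPORT zcsrf_same_session.
" Added example, not the poster's code.
" Assumption: the CSRF token is only valid together with the session
" cookie returned by the fetch call. URL, user and body are placeholders.
DATA lo_client TYPE REF TO if_http_client.
DATA lv_token  TYPE string.
DATA lv_status TYPE i.
DATA lv_reason TYPE string.

cl_http_client=>create_by_url(
  EXPORTING url    = `https://host.example:8081/path/to/service`
  IMPORTING client = lo_client
  EXCEPTIONS OTHERS = 4 ).
IF sy-subrc <> 0.
  WRITE / 'Could not create HTTP client'.
  RETURN.
ENDIF.
" Let the client keep cookies from responses and resend them automatically.
lo_client->propertytype_accept_cookie = if_http_client=>co_enabled.
lo_client->authenticate( username = 'user' password = 'password' ).

" 1) Fetch the token with a GET.
lo_client->request->set_method( if_http_request=>co_request_method_get ).
lo_client->request->set_header_field( name = 'X-CSRF-Token' value = 'Fetch' ).
lo_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.
IF sy-subrc <> 0.
  WRITE / 'Token fetch failed'.
  lo_client->close( ).
  RETURN.
ENDIF.
lv_token = lo_client->response->get_header_field( 'X-CSRF-Token' ).

" 2) POST on the SAME client object. No close( ) in between, so the
"    session cookie from step 1 accompanies the token.
lo_client->request->set_method( if_http_request=>co_request_method_post ).
lo_client->request->set_content_type( 'application/json; charset=utf-8' ).
lo_client->request->set_header_field( name = 'X-CSRF-Token' value = lv_token ).
lo_client->request->set_cdata( `{}` ).   " placeholder JSON body
lo_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.
lo_client->response->get_status( IMPORTING code = lv_status reason = lv_reason ).
lo_client->close( ).
WRITE: / 'Status:', lv_status, lv_reason.
```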