on 11-05-2019 10:14 AM
Hi Experts
I have problems using REST POST operations in an ABAP report in the context of the CSRF token.
Problem: here I'm getting 403 bad request, CSRF token validation failed, even though I'm passing the token and session,
but the same thing is working in the REST client.
Here is the report code:
1) the first part gets the token
2) the second part validates the token
How do I solve this issue?
REPORT zcsrf_validation.
DATA lo_client TYPE REF TO if_http_client.
DATA lo_response TYPE REF TO if_rest_entity.
DATA lv_response TYPE string.
DATA lv_token TYPE string.
DATA lv_session TYPE string.
DATA lv_xcrf TYPE string.
DATA lv_http_status TYPE string.
DATA gc_content_type_form TYPE string VALUE 'application/json; charset=utf-8'.
DATA gc_url TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.
"======================Getting CSRF token ==========================================
cl_http_client=>create_by_url(
EXPORTING
url = gc_url
IMPORTING
client = lo_client
EXCEPTIONS
OTHERS = 4 ).
lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).
lo_client->authenticate(
EXPORTING
client = '100' " R/3 system (client number from logon)
username = 'user' " ABAP System, User Logon Name
password = 'password' " Logon ID
language = sy-langu ). " SAP System, Current Language
lo_client->request->set_header_field(
EXPORTING
name = 'X-CSRF-Token' " Name of the header field
value = 'Fetch' ).
lo_client->send(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
http_invalid_timeout = 4
OTHERS = 5 ).
lo_client->receive(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
OTHERS = 4 ).
lv_token = lo_client->response->get_header_field('X-CSRF-Token').
lv_session = lo_client->response->get_header_field('set-cookie').
lo_client->close( ).
FREE lo_client.
"===========================end of Getting CSRF token ====================================
"=========================validation CSRF token with Post request=========================
cl_http_client=>create_by_url(
EXPORTING
url = gc_url
IMPORTING
client = lo_client
EXCEPTIONS
OTHERS = 4 ).
lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_post ).
lo_client->authenticate(
EXPORTING
client = '100' " R/3 system (client number from logon)
username = 'user' " ABAP System, User Logon Name
password = 'password' " Logon ID
language = sy-langu ).
lo_client->request->set_header_field(
EXPORTING
name = 'X-CSRF-Token' " Name of the header field
value = lv_token ).
lo_client->request->set_form_field(
EXPORTING
name = 'Cookie' " Name of form field
value = lv_session ).
lo_client->send(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
http_invalid_timeout = 4
OTHERS = 5
).
lo_client->receive(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
OTHERS = 4 ).
lv_http_status = lo_client->response->get_header_field( '~status_code' ).
lv_response = lo_client->response->get_header_field('~status_reason' ).
lv_xcrf = lo_client->response->get_header_field('x-csrf-token' ).
WRITE: / 'Status:', lv_http_status.
WRITE: / 'Response:', lv_response.
WRITE: / 'CSRF-Token:', lv_xcrf.
Hi Harish,
Can you try enabling the acceptance of cookies in your client?
lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled.
GK
Also, can you try not creating a new client instance for the POST, but using the same client instance as for the GET request?
Thanks a lot. Yes, it works.
We need to add lo_http_client->PROPERTYTYPE_ACCEPT_COOKIE = if_http_client=>co_enabled. and we need to remove the new client creation.
Here is the working code:
*&---------------------------------------------------------------------*
*& Report ZCSRF_VALIDATION
*&---------------------------------------------------------------------*
*&
*&---------------------------------------------------------------------*
REPORT zcsrf_validation.
DATA lo_client TYPE REF TO if_http_client.
DATA lo_response TYPE REF TO if_rest_entity.
DATA lv_response TYPE string.
DATA lv_token TYPE string.
DATA lv_session TYPE string.
DATA lv_xcrf TYPE string.
DATA lv_http_status TYPE string.
DATA gc_content_type_form TYPE string VALUE 'application/json; charset=utf-8'.
DATA gc_url TYPE string VALUE 'https://hana.xyz.net:8081/sap/ca/gef/arcgis/rest/services/EQ_A_E/featureserver/0/applyEdits'.
"======================Getting CSRF token ==========================================
cl_http_client=>create_by_url(
EXPORTING
url = gc_url
IMPORTING
client = lo_client
EXCEPTIONS
OTHERS = 4 ).
lo_client->request->set_content_type( content_type = gc_content_type_form ).
lo_client->request->set_method( if_http_request=>co_request_method_get ).
lo_client->authenticate(
EXPORTING
client = '100' " R/3 system (client number from logon)
username = 'user' " ABAP System, User Logon Name
password = 'password' " Logon ID
language = sy-langu ). " SAP System, Current Language
lo_client->propertytype_accept_cookie = if_http_client=>co_enabled.
lo_client->request->set_header_field(
EXPORTING
name = 'X-CSRF-Token' " Name of the header field
value = 'Fetch' ).
lo_client->send(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
http_invalid_timeout = 4
OTHERS = 5 ).
lo_client->receive(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
OTHERS = 4 ).
lv_token = lo_client->response->get_header_field('X-CSRF-Token').
lv_session = lo_client->response->get_header_field('set-cookie').
*"===========================end of Getting CSRF token =========================================
*
*
*
*
*"=========================validation CSRF token with Post request==============================
*
*
lo_client->request->set_method( if_http_request=>co_request_method_post ).
lo_client->request->set_header_field(
EXPORTING
name = 'X-CSRF-Token' " Name of the header field
value = lv_token ).
lo_client->request->set_form_field(
EXPORTING
name = 'Cookie' " Name of form field
value = lv_session ).
lo_client->send(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
http_invalid_timeout = 4
OTHERS = 5
).
lo_client->receive(
EXCEPTIONS
http_communication_failure = 1
http_invalid_state = 2
http_processing_failed = 3
OTHERS = 4 ).
lv_http_status = lo_client->response->get_header_field( '~status_code' ).
lv_response = lo_client->response->get_header_field('~status_reason' ).
lv_xcrf = lo_client->response->get_header_field('x-csrf-token' ).
WRITE: / 'Status:', lv_http_status.
WRITE: / 'Response:', lv_response.
WRITE: / 'CSRF-Token:', lv_xcrf.
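Why both of GK's suggestions were needed becomes clear once you see what the server is checking: the CSRF token handed out on the GET is bound to the session cookie that comes back with it, so a POST is accepted only when it carries that same cookie and that same token. The following is an added Python model of that check, written for this thread; it is not SAP code and the class names, the cookie name SAP_SESSIONID and the token lengths are constructed for illustration. It reproduces the three client patterns in the thread (fresh client for the POST, same client without cookie acceptance, same client with cookies) and one more case the page does not show, a token replayed from a different session, to demonstrate that the token alone is never enough.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class CsrfServer:
    """Toy backend (constructed): maps a session cookie to the CSRF token it issued."""
    sessions: dict = field(default_factory=dict)  # session id -> issued token

    def handle(self, method, headers, cookies, form=None):
        """Serve one request; returns (status, response_headers, set_cookies).

        `form` stands for body/form fields. It is deliberately never consulted
        for session lookup: a form field named 'Cookie' is just body data.
        """
        session_id = cookies.get("SAP_SESSIONID")

        # GET with 'X-CSRF-Token: Fetch' issues a token bound to the session.
        if method == "GET" and headers.get("X-CSRF-Token") == "Fetch":
            if session_id is None:
                session_id = secrets.token_hex(8)  # new session for this client
            token = secrets.token_urlsafe(24)
            self.sessions[session_id] = token
            return 200, {"X-CSRF-Token": token}, {"SAP_SESSIONID": session_id}

        # POST: token must match the one bound to the presented session.
        if method == "POST":
            expected = self.sessions.get(session_id)
            presented = headers.get("X-CSRF-Token", "")
            if expected is None or not secrets.compare_digest(expected, presented):
                return 403, {"X-CSRF-Token": "Required"}, {}
            return 200, {}, {}

        return 405, {}, {}


class HttpClient:
    """Minimal client with an optional cookie jar (models PROPERTYTYPE_ACCEPT_COOKIE)."""

    def __init__(self, accept_cookies):
        self.accept_cookies = accept_cookies
        self.cookie_jar = {}

    def request(self, server, method, headers, form=None):
        status, resp_headers, set_cookies = server.handle(
            method, headers, dict(self.cookie_jar), form)
        if self.accept_cookies:          # only then does Set-Cookie stick
            self.cookie_jar.update(set_cookies)
        return status, resp_headers


def post_with_new_client(server):
    """Thread's first version: fetch with one client, POST from a fresh one.
    The session value is sent as a form field, which the server ignores."""
    fetcher = HttpClient(accept_cookies=False)
    _, h = fetcher.request(server, "GET", {"X-CSRF-Token": "Fetch"})
    poster = HttpClient(accept_cookies=False)
    status, _ = poster.request(server, "POST", {"X-CSRF-Token": h["X-CSRF-Token"]},
                               form={"Cookie": "<set-cookie value copied by hand>"})
    return status  # 403: no session cookie travels with the POST


def post_same_client_no_cookies(server):
    """Same client instance, but cookie acceptance left disabled."""
    c = HttpClient(accept_cookies=False)
    _, h = c.request(server, "GET", {"X-CSRF-Token": "Fetch"})
    status, _ = c.request(server, "POST", {"X-CSRF-Token": h["X-CSRF-Token"]})
    return status  # 403: the jar never stored SAP_SESSIONID


def post_same_client_with_cookies(server):
    """Working version from the thread: same client, cookies accepted."""
    c = HttpClient(accept_cookies=True)
    _, h = c.request(server, "GET", {"X-CSRF-Token": "Fetch"})
    status, _ = c.request(server, "POST", {"X-CSRF-Token": h["X-CSRF-Token"]})
    return status  # 200


def cross_session_replay(server):
    """A valid token from session A presented inside session B is rejected."""
    a = HttpClient(accept_cookies=True)
    _, ha = a.request(server, "GET", {"X-CSRF-Token": "Fetch"})
    b = HttpClient(accept_cookies=True)
    b.request(server, "GET", {"X-CSRF-Token": "Fetch"})
    status, _ = b.request(server, "POST", {"X-CSRF-Token": ha["X-CSRF-Token"]})
    return status  # 403: token is bound to A's cookie, not B's


if __name__ == "__main__":
    srv = CsrfServer()
    print("new client        :", post_with_new_client(srv))
    print("same client, no jar:", post_same_client_no_cookies(srv))
    print("same client + jar :", post_same_client_with_cookies(srv))
    print("cross-session     :", cross_session_replay(srv))
```

The takeaway for the ABAP report is the same as GK's advice: keep one if_http_client instance across the fetch and the POST and enable cookie acceptance on it, so the framework resends the session cookie itself. Copying the Set-Cookie value into a form field, as the first version did, never reaches the server as a cookie at all.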