Forbidden $batch completed with status 403 - The request contains an invalid x-csrf-token

andrei_sap_andrei
Discoverer
0 Kudos

I'm trying to develop an MTA application with an app router.
I have a Java OData-based service. The Java OData service is an XSA OData V4 implementation which I am trying to move to the cloud.

I configured the app router in the following way:

- name: xxx-approuter
  ...
  parameters:
    SAP_JWT_TRUST_ACL: [{ "clientId": "*", "identityzone": "*" }]
  properties:
    destinations:
      - name: dest_odata_srv
        url: "https://pUsertrial-dev-xxx-services-odatav4.cfapps.eu10.hana.ondemand.com"
        forwardAuthToken: true


The xs-app.json of the app router looks like:

{
  "welcomeFile": "/cp.portal",
  "authenticationMethod": "route",
  "routes": [
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    },
    {
      "source": "^(/java/odata/v4/.*)$",
      "target": "$1",
      "scope": [
        "uaa.user"
      ],
      "authenticationType": "xsuaa",
      "destination": "dest_odata_srv",
      "csrfProtection": true
    }
  ]
}


The xs-security of the mta is like:
{
  "xsappname": "xxx",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
    {
      "name": "uaa.user",
      "description": "UAA"
    }
  ],
  "role-templates": [
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user"
      ]
    }
  ]
}

I'm able to launch the Fiori launchpad from the app router URL, I can log in and launch a Fiori app, but when the Fiori app calls the backend service I get the following error in the browser console: 403 - Forbidden

Also, when I check the application router log:
{
  "written_at": "2020-03-11T08:03:40.623Z",
  "written_ts": 1583913820623000000,
  "csn_component": "-",
  "correlation_id": "a3dbd3a4-0c93-487f-7167-a469afc9e58d",
  "type": "log",
  "logger": "nodejs-logger",
  "layer": "/Handler",
  "level": "error",
  "container_id": "10.0.137.26",
  "component_type": "application",
  "component_id": "139add06-272b-4169-aba6-66268295a135",
  "component_name": "xxx-approuter",
  "component_instance": -1,
  "source_instance": -1,
  "organization_id": "-",
  "organization_name": "-",
  "space_id": "cf8c6c68-564f-47be-b6ef-ba60b4b97af7",
  "space_name": "dev",
  "request_id": "a3dbd3a4-0c93-487f-7167-a469afc9e58d",
  "msg": "POST request to /java/odata/v4/xxx/$batch completed with status 403 - The request contains an invalid x-csrf-token"
}


The login user has been assigned the Token_Exchange role defined in the security file.

Does anybody know what is wrong with the configurations?

gregorw
Active Contributor
0 Kudos

It would make answering your question a lot easier if you would provide the JSON nicely formatted. Also you could give my sample application bookshop-java a try which is proven to work and come back if you still have issues.
