Skip to Content

Forbidden $batch completed with status 403 - The request contains an invalid x-csrf-token"

I'm trying to develop a MTA application with an app router.
I have a Java odata service based service. The Java OData service is an XSA OData V4 implementation which i try to move it to the cloud.

I configured the app router in the following way:

- name: xxx-approuter

SAP_JWT_TRUST_ACL: [{ "clientId": "*", "identityzone": "*" }]
- name: dest_odata_srv 
url: "" 
forwardAuthToken: true

The xs-app.json of the app router looks like:

  "welcomeFile": "/cp.portal",
  "authenticationMethod": "route",
  "routes": [
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
      "source": "^(/java/odata/v4/.*)$",
      "target": "$1",
      "scope": [
      "authenticationType": "xsuaa",
      "destination": "dest_odata_srv",
      "csrfProtection": true

The xs-security of the mta is like:
  "xsappname": "xxx",
  "tenant-mode": "dedicated",
  "description": "Security profile of called application",
  "scopes": [
      "name": "uaa.user",
      "description": "UAA"
  "role-templates": [
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [

I'm able to launch the fiori launchpad from the app router URL, i can log in, launch a fiori app but when the Fiori app is calling the backend service i get the following error in the browser console: 403 - Forbidden

Also when i check the application router log:
  "written_at": "2020-03-11T08:03:40.623Z",
  "written_ts": 1583913820623000000,
  "csn_component": "-",
  "correlation_id": "a3dbd3a4-0c93-487f-7167-a469afc9e58d",
  "type": "log",
  "logger": "nodejs-logger",
  "layer": "/Handler",
  "level": "error",
  "container_id": "",
  "component_type": "application",
  "component_id": "139add06-272b-4169-aba6-66268295a135",
  "component_name": "xxx-approuter",
  "component_instance": -1,
  "source_instance": -1,
  "organization_id": "-",
  "organization_name": "-",
  "space_id": "cf8c6c68-564f-47be-b6ef-ba60b4b97af7",
  "space_name": "dev",
  "request_id": "a3dbd3a4-0c93-487f-7167-a469afc9e58d",
  "msg": "POST request to /java/odata/v4/xxx/$batch completed with status 403 - The request contains an invalid x-csrf-token"

The login user has assign the role defined Token_Exchange defined in the security file.

Does anybody know what is wrong with the configurations?

Add a comment
10|10000 characters needed characters exceeded

Related questions

0 Answers

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.