
X-csrf token validation success from standalone app but fails from Managed approuter based app.

joreddy
Explorer
0 Kudos

Hi,

I am trying to post to a backend which requires x-csrf-token validation.

The validation is successful from the standalone UI5 app but not from the managed approuter application.

All the code and configurations in xs-app.json are the same.

Please let me know if anyone faced the issue.

Thanks.

Margot
Product and Topic Expert
0 Kudos

For which product do you use the Managed App Router - SAP Work Zone, SAP Launchpad service or SAP Cloud Portal?

joreddy
Explorer
0 Kudos

Hi Margot,

We're using Managed Approuter for SAP Work Zone.

Accepted Solutions (0)

Answers (1)

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi josephbyreddy,

Could you share your xs-app.json file with us?

I believe you must disable csrf checks for each route you implement via App Router. As csrf check only makes sense when the connection goes via browser, I understand that is not necessary when the connection is between App Router and the route itself.

Best regards,
Ivan

joreddy
Explorer
0 Kudos

Hi Ivan,

Thanks for your reply. Below is my xs-app.json file.

{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "logout": {
    "logoutEndpoint": "/do/logout"
  },
  "routes": [
    {
      "source": "^/sap/opu/odata/(.*)$",
      "target": "/sap/opu/odata/$1",
      "destination": "sapsltgw",
      "authenticationType": "xsuaa",
      "csrfProtection": true
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}

I've tried with both true and false for csrfProtection but no change. Please let me know if any further details are required.

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi josephbyreddy,

I've noticed that you are using an ABAP backend system. Have you implemented the token fetching before making a call to the backend service itself? If you can't use another method of authentication that doesn't rely on using csrf protection, then you ought to request it before POSTing to a backend service. That's something you have to do on your HTML5 application as it is not handled automatically by BTP's destination service nor by Cloud Connector. Here is a sample JS code that you could adapt to your particular use-case:

https://help.sap.com/viewer/e157c391253b4ecd93647bf232d18a83/LATEST/en-US/652fd37957d6406dbdc5150297...

There is also a blog where csrf fetching is done via HTML5 application:

https://blogs.sap.com/2014/01/13/building-a-crud-application-with-sapui5-using-odata-model/

Best regards,
Ivan
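The fetch-then-POST flow Ivan describes, as an added example that is not code from this thread or from SAP: a GET carrying "X-CSRF-Token: Fetch" obtains the token, the POST sends it back, and a 403 whose x-csrf-token header reads "Required" (the way the backend signals a missing or stale token) triggers one refetch and retry. The service paths, token values and the in-memory backend standing in for the OData service are constructed so the flow runs offline; the two functions take the fetch implementation as a parameter so the same code can be pointed at a real approuter route.

```javascript
// Added example, not code from the thread or from SAP: the fetch-then-POST
// CSRF flow, with a constructed in-memory backend so it runs offline.
// Paths and token values are made up.
const CSRF_HEADER = "x-csrf-token";

// Step 1: obtain a token. SAP Gateway (and the approuter with csrfProtection
// enabled) answers a GET carrying "X-CSRF-Token: Fetch" with the token in the
// same response header.
async function fetchCsrfToken(fetchImpl, url) {
  const res = await fetchImpl(url, {
    method: "GET",
    headers: { [CSRF_HEADER]: "Fetch" },
  });
  const token = res.headers.get(CSRF_HEADER);
  if (!res.ok || !token) throw new Error(`token fetch failed: HTTP ${res.status}`);
  return token;
}

// Step 2: POST with the token. A 403 whose x-csrf-token header says "Required"
// means the token was missing or stale; refetch once and retry, then give up.
async function postWithCsrf(fetchImpl, tokenUrl, url, body) {
  const send = (token) => fetchImpl(url, {
    method: "POST",
    headers: { [CSRF_HEADER]: token, "content-type": "application/json" },
    body: JSON.stringify(body),
  });
  let res = await send(await fetchCsrfToken(fetchImpl, tokenUrl));
  if (res.status === 403 && /required/i.test(res.headers.get(CSRF_HEADER) || "")) {
    res = await send(await fetchCsrfToken(fetchImpl, tokenUrl));
  }
  return res;
}

// Constructed stand-in for the OData service (not a real SAP endpoint): issues a
// token on GET and validates it on POST. With staleFirstToken=true the first
// token handed out is rejected, to exercise the retry path.
function makeFakeBackend({ staleFirstToken = false } = {}) {
  const validToken = "constructed-token-123";
  const state = { tokenFetches: 0, posts: [] };
  const respond = (status, respHeaders, bodyText) => ({
    ok: status >= 200 && status < 300,
    status,
    headers: { get: (name) => respHeaders[name.toLowerCase()] ?? null },
    text: async () => bodyText,
  });
  const fetchImpl = async (url, init = {}) => {
    const reqHeaders = {};
    for (const [k, v] of Object.entries(init.headers || {})) reqHeaders[k.toLowerCase()] = v;
    if (init.method === "GET" && reqHeaders[CSRF_HEADER] === "Fetch") {
      state.tokenFetches += 1;
      const issued = staleFirstToken && state.tokenFetches === 1 ? "stale-token" : validToken;
      return respond(200, { [CSRF_HEADER]: issued }, "");
    }
    if (init.method === "POST") {
      if (reqHeaders[CSRF_HEADER] !== validToken) {
        return respond(403, { [CSRF_HEADER]: "Required" }, "CSRF token validation failed");
      }
      state.posts.push(JSON.parse(init.body));
      return respond(201, {}, init.body);
    }
    return respond(405, {}, "");
  };
  return { fetchImpl, state };
}

// Run the flow against the fake backend and report what happened.
async function runDemo(opts) {
  const backend = makeFakeBackend(opts);
  const res = await postWithCsrf(
    backend.fetchImpl,
    "/sap/opu/odata/EXAMPLE_SRV/",          // constructed service root
    "/sap/opu/odata/EXAMPLE_SRV/OrderSet",  // constructed entity set
    { OrderId: "42", Status: "NEW" },
  );
  return { status: res.status, tokenFetches: backend.state.tokenFetches, posted: backend.state.posts.length };
}

runDemo().then((r) => console.log("happy path:", r));
runDemo({ staleFirstToken: true }).then((r) => console.log("retry path:", r));
```

Against a real approuter route the token fetch and the POST must share the same browser session, since the approuter ties the token to the session cookie; a token fetched in one session and replayed in another is exactly what the check is there to reject.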

Ivan-Mirisola
Product and Topic Expert
0 Kudos

Hi josephbyreddy,

I've also forgotten that if you really need to make calls to any SAP API, you would be better off using SAP Cloud SDK. It automates loads of stuff for you automatically and it contains most of the data models ready to be consumed.

Best regards,
Ivan