SAP Cloud Platform Workflow: Service Task post call with CSRF Token validation Problem

Jan 19 at 01:05 PM


Hi Community,

I'm trying to create a Workflow in SAP Cloud Platform with a Service Task which calls an OData Service via Cloud Connector on my onPremise SAP System.

This OData call is a post call and should save some data on the onPremise System. For the CSRF Token I also maintained a path:

(I work with an external alias for debugging purposes)

Both the CSRF Token generation and the OData post call have been successfully tested with the paths above via Postman, via SOAPUI and via an ABAP program; the service works correctly.

Unfortunately, if I run a Workflow Instance in SAP Cloud Platform, I receive the error message that the CSRF Token Validation has failed:

I've debugged the HTTP Handler class /IWFND/CL_SODATA_HTTP_HANDLER and there is a CSRF Token generation and validation in the code.

If I run the workflow, the CSRF Token is successfully generated and delivered as a response header field:

debugger-fetch.jpg

After this call, a second call comes in, which is the post call. I've also checked the delivered Request Header Fields. The generated CSRF Token is submitted by the SAP Cloud Platform Workflow as a request header field:

debugger-post-headerfields.jpg

But then comes the problem: The validation of the CSRF Token fails:

debugger-post.jpg

My conclusion is that in the post call not only the CSRF Token has to be submitted but also the Session Cookie from the first (= the CSRF Token generation) call. As you can see in the screenshot, this Cookie has not been submitted, therefore the CSRF Token cannot be assigned to the right User-Session and the security management decides that the CSRF Token is not valid. In fact, I can reproduce this behaviour when I call the OData services in this manner (= second call without session cookie) via Postman and SOAPUI.

I'm wondering if someone else has the same problems or if I've overlooked something in my conclusion, so any help and hint is appreciated.

Some remarks:

- Deactivation of CSRF Token checks is not an option

- The blogs which I've found describing the Workflow service task OData calls with post method don't use a CSRF Token because "Basic Authentication is activated"; maybe someone out there has a tutorial/blog which uses a post call on SAP Cloud Platform Workflow with CSRF Token generation and validation.

Kind regards

Jörg


1 Answer

Jörg Klement Feb 09 at 11:16 AM

With help of SAP I was able to solve my problem:

My suspicion was right: the session cookie had not reached the onPremise System and therefore the CSRF Token validation was not successful. But: SAP Cloud Platform Workflow had sent the session cookie together with the CSRF Token in the POST Request.

The Problem lies within the SAP Cloud Connector and its settings:

In the Cloud Connector Administration Website, you are able to maintain your cloud to on-Premise Connection in the tab "Access Control". As an example: You have an SAP on-Premise System which is reachable via the domain "sapmachine.sap.com" and you assign this on-Premise System to the virtual Hostname "virtualsapmachine.sap.com":

cloud-to-on-premise-access-control.jpg

This enables the communication between SAP Cloud Platform and the SAP Backend System via Cloud Connector. But Cookies are created with an assignment to a certain domain. As an example: The SAP Session Cookie is assigned to the domain ".sapmachine.sap.com" (please note the dot "." at the beginning of the domain in the screenshot; some servers do this, as does my SAP backend server):

cookie-domain.jpg

For correct communication between SAP Cloud Platform and the SAP Backend System, the domain information in the exchanged cookies also has to be adjusted from virtual host names to on-premise hostnames and vice versa. This can be done in the SAP Cloud Connector Administration Website in the tab "Cookie domains". As an example: You assign the virtual host "virtualsapmachine.sap.com" to the cookie domain ".sapmachine.sap.com":

cloud-to-on-premise-cookie-domains.jpg

This solved my Problem. The session Cookie is sent from SAP Cloud Platform Workflow together with the CSRF Token in the POST Request to my Cloud Connector, and the Cloud Connector forwards the request and the session cookies, in accordance with the cookie domain mapping settings, to my SAP on-Premise System. The SAP Backend System can validate the CSRF Token with the Session Information and everything works fine.

/closed
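As an added illustration (not part of this thread and not SAP or Cloud Connector code): the cookie-domain matching rule behind the failure, modelled with Python's standard cookie jar. The host names, cookie name, OData path and the shape of the mapping dict are assumptions; the model rewrites `Domain=` on the backend's Set-Cookie the way the "Cookie domains" mapping is described in the answer and does not model where in the real chain (client jar or Cloud Connector) the check runs.

```python
import email.message
from http.cookiejar import CookieJar
from urllib.request import Request

# Constructed values mirroring the thread: the workflow addresses the virtual
# host, while the backend scopes its session cookie to its own domain.
VIRTUAL_HOST = "virtualsapmachine.sap.com"
BACKEND_COOKIE_DOMAIN = ".sapmachine.sap.com"
SERVICE_URL = f"https://{VIRTUAL_HOST}/sap/opu/odata/sap/ZDEMO_SRV/Items"  # placeholder


class _Response:
    """Minimal stand-in for an HTTP response; CookieJar only needs .info()."""
    def __init__(self, headers):
        self._msg = email.message.Message()
        for name, value in headers:
            self._msg[name] = value
    def info(self):
        return self._msg


def map_cookie_domain(set_cookie, cookie_domains):
    """Rewrite Domain= in a Set-Cookie header as the 'Cookie domains' mapping
    is described: a listed backend cookie domain becomes its virtual host.
    cookie_domains is assumed to be {virtual_host: backend_cookie_domain}."""
    backend_to_virtual = {b.lower(): v for v, b in cookie_domains.items()}
    parts = []
    for attr in set_cookie.split(";"):
        key, _, value = attr.strip().partition("=")
        if key.lower() == "domain" and value.lower() in backend_to_virtual:
            attr = f"Domain={backend_to_virtual[value.lower()]}"
        parts.append(attr.strip())
    return "; ".join(parts)


def csrf_post_cookie_header(cookie_domains=None):
    """Replay token fetch + POST through a cookie jar; return the Cookie header
    the POST carries, or None if the jar refused the session cookie."""
    jar = CookieJar()
    # Step 1: fetch call; the backend answers with the token and a session cookie
    fetch = Request(SERVICE_URL, headers={"X-CSRF-Token": "Fetch"})
    set_cookie = ("SAP_SESSIONID_X=constructed-session-id; "
                  f"Domain={BACKEND_COOKIE_DOMAIN}; Path=/; HttpOnly")
    if cookie_domains:  # the Cloud Connector mapping, applied on the way back
        set_cookie = map_cookie_domain(set_cookie, cookie_domains)
    jar.extract_cookies(_Response([("X-CSRF-Token", "constructed-token"),
                                   ("Set-Cookie", set_cookie)]), fetch)
    # Step 2: POST with the token; the cookie is attached only on a domain match
    post = Request(SERVICE_URL, data=b"{}", method="POST",
                   headers={"X-CSRF-Token": "constructed-token"})
    jar.add_cookie_header(post)
    return post.get_header("Cookie")
```

Without a mapping the jar drops the cookie because "virtualsapmachine.sap.com" is not inside ".sapmachine.sap.com", so the POST goes out token-only; with the mapping the same cookie is scoped to the virtual host and travels with the POST.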
