CSRF token validation failed - 403 Forbidden calling Hybris API_MKT_CONTACT_SRV with PUT

jmalla
Contributor

Hi Folks,

I have a Hybris 1709 system provisioned through CAL. There is no Hybris-related data populated, so I am trying to create a contact.

I am using the API_MKT_CONTACT_SRV service.

I am doing a GET with X-csrf-token=fetch in the header.

Then I am posting a contact using a PUT with the returned x-csrf-token:

http://myIP:myPort/sap/opu/odata/sap/API_MKT_CONTACT_SRV;v=0002/Contacts

Here is the JSON I am using from How to import Contact Data via OData Services to SAP Hybris Marketing by johannes.hirling

{
	"batchParts": {
		"batchChangeSet": {
			"batchChangeSetPart": {
				"method": "PUT",
				"ContactOriginData": {
					"ContactOriginData": {
						"LastName": "Test",
						"FirstName": "Tom",
						"EmailAddress": "JHI_001@test.com",
						"Country": "US",
						"ContactPostalCode": "60611",
						"ContactOrigin": "SAP_ERP_CONTACT",
						"ContactID": "JHI_001",
						"CityName": "Chicago",
						"BirthDate": "2000-12-13",
						"OriginDataLastChgUTCDateTime": "0000-00-00T00:00:00"
					}
				}
			}
		}
	}
}

Here I am passing the x-csrf-token

Response header:

Any help would be appreciated.

Thanks,

Jay

Accepted Solutions (1)

former_member247020
Active Participant

Hi Jay,

see the response on https://blogs.sap.com/2018/04/02/how-to-import-contact-data-via-odata-services-to-sap-hybris-marketi...

  • /Contacts only supports GET method.
    to create a new, or update a contact, use ContactOriginData
  • The request from the blog post is a CPI example using the CPI OData adapter.
    The CPI OData adapter does the transforms to the batch request automatically in the adapter, when processing in pages is enabled.
  • For creating contacts use ContactOriginData with POST and specify the method (PUT or PATCH) in the batchChangeSetPart.
    Payload examples for direct request to the SAP Marketing Cloud OData Services can be found here: https://help.sap.com/viewer/0f9408e4921e4ba3bb4a7a1f75f837a7/1805.500/en-US/06526bdbae42455ba69a4aef...

For the CSRF validation error:

With the response you get the token and the cookie. Both need to be submitted with the request.

set-cookie →SAP_SESSIONID_E4T_100=ZhvXja66yahG23SyyydcmPcLgySx1hHou4kCAAobqKg%3d; path=/; secure; HttpOnly

x-csrf-token →AGh8wYvtk8wGDRez5W6w-Q==

Example POST Request

POST /sap/opu/odata/sap/API_MKT_CONTACT_SRV/$batch HTTP/1.1
Host: <host>
x-csrf-token: AGh8wYvtk8wGDRez5W6w-Q==
Content-Type: multipart/mixed;boundary=batch
Cookie: SAP_SESSIONID_E4T_100=ZhvXja66yahG23SyyydcmPcLgySx1hHou4kCAAobqKg%3d

--batch
Content-Type: multipart/mixed; boundary=changeset_1


--changeset_1
content-type: application/http
content-transfer-encoding: binary


PUT ContactOriginData(ContactID='JHI_000',ContactOrigin='SAP_HYBRIS_CONSUMER') HTTP/1.1
Accept: application/json
Sap-Cuan-RequestTimestamp: '2018-06-01T13:00:00'
Sap-Cuan-SourceSystemType: POSTMAN
Sap-Cuan-SourceSystemId: EXT
Content-Type: application/json


{
"OriginDataLastChgUTCDateTime" : "2018-06-01T13:00:00",
"CityName" : "Chicago",
"Country" : "US",
"EmailAddress" : "DonDummy@test.com",
"FirstName" : "Don",
"LastName" : "Dummy",
"IsConsumer" : false,
"IsContactPerson" : true,
"Language" : "EN",
"MobileNumber" : "+49119201412191"
}


--changeset_1--
--batch--
 


hope this helps.

br,

johannes
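The two-step flow described in this answer (GET with X-CSRF-Token: fetch, then the modifying $batch POST carrying both the token and the SAP_SESSIONID cookie), written out as an added example in Python. This is not code from the original post or from SAP; it uses only the standard library, the sample header values are constructed, and the base URL, basic authentication and the Contacts GET used for the fetch are assumptions. The header parser is kept separate so the same check can be applied to a response captured in any other client.

```python
"""Two-step CSRF flow for SAP Gateway OData: fetch a token with GET, then send
it together with the session cookie on the modifying $batch request.
Added example; not part of the original post."""
import base64
import http.cookiejar
import json
import urllib.error
import urllib.request
from typing import Dict, Tuple

# Constructed sample headers, shaped like the fetch response quoted in the
# answer above (token and cookie values are made up).
SAMPLE_FETCH_HEADERS = {
    "set-cookie": "SAP_SESSIONID_E4T_100=EXAMPLEsessionVALUE%3d; path=/; secure; HttpOnly",
    "x-csrf-token": "EXAMPLEtokenVALUE==",
    "content-type": "application/json",
}


def parse_token_and_cookie(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (token, "NAME=VALUE") from the headers of the token-fetch GET.

    The Gateway only issues a token over HTTPS unless login/ticket_only_by_https
    is 0, so a missing or "Required" token is reported as an error instead of
    being sent on (which would only reproduce the 403).
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    token = lowered.get("x-csrf-token")
    if not token or token.lower() == "required":
        raise ValueError("no CSRF token issued: check HTTPS / login/ticket_only_by_https")
    set_cookie = lowered.get("set-cookie")
    if not set_cookie or "SAP_SESSIONID" not in set_cookie:
        raise ValueError("no SAP session cookie issued; the token is bound to that session")
    cookie_pair = set_cookie.split(";", 1)[0].strip()  # drop path/secure/HttpOnly attributes
    return token, cookie_pair


def build_batch_body(contact_id: str, contact_origin: str, contact: dict,
                     request_timestamp: str, method: str = "PUT",
                     source_system_type: str = "EXT", source_system_id: str = "EXT",
                     batch_boundary: str = "batch",
                     changeset_boundary: str = "changeset_1") -> bytes:
    """Serialize one ContactOriginData upsert as a multipart/mixed $batch body,
    following the layout of the POST example in the answer (CRLF line endings,
    as multipart requires). Only PUT or PATCH are valid inside the change set."""
    if method not in ("PUT", "PATCH"):
        raise ValueError("batchChangeSetPart method must be PUT or PATCH")
    key = f"ContactOriginData(ContactID='{contact_id}',ContactOrigin='{contact_origin}')"
    lines = [
        f"--{batch_boundary}",
        f"Content-Type: multipart/mixed; boundary={changeset_boundary}",
        "",
        f"--{changeset_boundary}",
        "Content-Type: application/http",
        "Content-Transfer-Encoding: binary",
        "",
        f"{method} {key} HTTP/1.1",
        "Accept: application/json",
        f"Sap-Cuan-RequestTimestamp: '{request_timestamp}'",
        f"Sap-Cuan-SourceSystemType: {source_system_type}",
        f"Sap-Cuan-SourceSystemId: {source_system_id}",
        "Content-Type: application/json",
        "",
        json.dumps(contact),
        "",
        f"--{changeset_boundary}--",
        f"--{batch_boundary}--",
        "",
    ]
    return "\r\n".join(lines).encode("utf-8")


def upsert_contact(base_url: str, basic_auth: Tuple[str, str], contact_id: str,
                   contact_origin: str, contact: dict, request_timestamp: str) -> int:
    """Run the flow against a live system and return the HTTP status of the $batch.
    Assumes basic authentication and a base URL such as
    https://host:port/sap/opu/odata/sap/API_MKT_CONTACT_SRV (hypothetical)."""
    # The CookieJar carries SAP_SESSIONID to the second request automatically.
    # TLS verification is left on: a CAL self-signed certificate must be trusted
    # by the client, not worked around by disabling verification.
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    creds = base64.b64encode(f"{basic_auth[0]}:{basic_auth[1]}".encode()).decode()
    common = {"Authorization": f"Basic {creds}"}

    fetch = urllib.request.Request(f"{base_url}/Contacts?$top=1",
                                   headers={**common, "X-CSRF-Token": "fetch"})
    with opener.open(fetch) as resp:
        token, _cookie = parse_token_and_cookie(dict(resp.headers.items()))

    body = build_batch_body(contact_id, contact_origin, contact, request_timestamp)
    post = urllib.request.Request(
        f"{base_url}/$batch", data=body, method="POST",
        headers={**common, "X-CSRF-Token": token,
                 "Content-Type": "multipart/mixed; boundary=batch"})
    try:
        with opener.open(post) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:  # e.g. 403 when token or cookie is missing
        return err.code


if __name__ == "__main__":
    tok, ck = parse_token_and_cookie(SAMPLE_FETCH_HEADERS)
    print("token:", tok, "cookie:", ck)
    print(build_batch_body("JHI_000", "SAP_HYBRIS_CONSUMER",
                           {"FirstName": "Don", "LastName": "Dummy"},
                           "2018-06-01T13:00:00").decode())
```

The parser raises instead of silently continuing when the fetch response carries no token or no SAP_SESSIONID cookie: that is exactly the situation the SAP note quoted further down describes (HTTP with login/ticket_only_by_https = 1), and sending the $batch anyway just yields the 403 again.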

jmalla
Contributor

Hi johannes.hirling ,

Thanks for your answer. We were able to get the POST/PUT to work from the SAP Gateway client using HTTP when we disabled the CSRF token functionality for the service in SICF (~CHECK_CSRF_TOKEN = 0). However, when we took out the CSRF disablement, we ran into issues again. We were using HTTP, and for the CSRF token to be returned we need to use HTTPS. But since our server is the CAL-provided instance, the certificate is self-signed and not in the client trust store. So the quest continues to get this to work. I will update this.

Thanks,

Jay


jmalla
Contributor

Hi johannes.hirling - It's all working now. We had to export the self-signed certificate from the server and import it into the client certificate store on the system. Then we were able to get this working from both the SAP NetWeaver Gateway client and also from Postman in the way you described. So the main issue was the CAL-provisioned Hybris system not having the SSL setup in place. Once this is set up, it works like a charm.

Thanks for your help.

Regards,

Jay

jmalla
Contributor

Anyone running into this issue, please make sure your SSL setup has been done correctly on your SAP system. By default, you need HTTPS working to use the x-csrf-token functionality, so you need the server certificate installed in the client certificate store.

If you want to test the functionality without HTTPS and CSRF tokens, simply go to the service in SICF and set ~CHECK_CSRF_TOKEN = 0.


Please check out the excerpt in SAP note - 1896961 - HTTP/HTTPS Configuration for SAP NetWeaver Gateway

Using HTTP

Necessary settings for CSRF token handling when HTTP is used

To protect against Cross-Site Request Forgery attacks (CSRF or XSRF), SAP NW Gateway also supports CSRF token handling and returns a CSRF token if required by the OData consumer (HTTP/HTTPS client). On the other hand, this CSRF token must also be protected. Therefore, by default this token will only be sent if HTTPS is used. Default settings: The instance profile parameter "login/ticket_only_by_https" is set to 1. When using HTTP you have to ask your system administrators to set the instance profile parameter "login/ticket_only_by_https" to 0. Otherwise, the SAP NW Gateway hub system does not provide a CSRF token and the next modify operation such as POST, PUT, MERGE or DELETE will be terminated with HTTP status code 403 because of an invalid CSRF token.

Ensure that this setting is only made for internal test systems because it is a high security risk!

Deactivate "Redirect HTTP to HTTPS" to use HTTP

Normally, if an SAP NW Gateway hub system is configured to support SSL because of security reasons, your system administrators will also configure it to automatically redirect all HTTP requests to HTTPS to secure your system fully. The redirect setting is done by the instance profile parameter "icm/HTTP/redirect_xx". If you want to use HTTP for tests, you have to ask your system administrators to remove this redirect setting.

Do not forget to set the instance profile parameter "login/ticket_only_by_https" to 0 as mentioned above.
 

Regards,

Jay
