
MobileFirst SAP Adapter http HEAD requests

We are working with MobileFirst 6.3, with the MobileFirst server running on RHEL Linux. We connect to SAP and have used Discovery to generate adapter code, and we use those generated adapter calls except for custom authentication. If we do a create toward SAP, that results in an HTTP POST request, but the adapter always generates one HTTP HEAD request before that actual request. I've had SAP backend people complain about these (not that I personally think they would cause much harm). I've also confirmed these when inspecting other things using Wireshark. I can imagine that they would relate to some type of connectivity check by the adapters, but have not been able to find any evidence of this. Searching for similar questions is also challenging since the HTTP and HEAD strings are so common in URLs and HTML code.

  • Can anyone verify my guess of the purpose of these HEAD requests?
  • Is there any documentation on these?
  • Are they in any way configurable (and in that case, what would be the disadvantages of opting out)?

Adapter definitions:

..
    <connectivity>
      <connectionPolicy xsi:type="nwgateway:NWGatewayHTTPConnectionPolicyType">
        <protocol>HTTP</protocol>
        <domain>our.complex.host</domain>
        <port>10084</port>
        <connectionTimeoutInMilliseconds>30000</connectionTimeoutInMilliseconds>
        <socketTimeoutInMilliseconds>30000</socketTimeoutInMilliseconds>
        <serviceRootUrl>/sap/opu/odata/sap/OUR_CUSTOM_REQS/</serviceRootUrl>
        <!-- Following properties used by adapter's key manager for choosing specific certificate from key store
        <sslCertificateAlias></sslCertificateAlias>
        <sslCertificatePassword></sslCertificatePassword> -->
        <maxConcurrentConnectionsPerNode>50</maxConcurrentConnectionsPerNode>
      </connectionPolicy>
    </connectivity>

..
    <procedure name="createOurCustomObjectHeader" securityTest="OurCustomSecurityTest" connectAs="endUser"/>
..

Adapter code:

    function createOurCustomObjectHeader(content) {
        var request = {
            CollectionName: "OurCustomObjectHeaderSet",
            Content: content
        };
        return WL.Server.createNWBusinessObject(request);
    }

Security test code:

    <customSecurityTest name="OurCustomSecurityTest">
        <test realm="wl_antiXSRFRealm" />
        <!-- test realm="wl_authenticityRealm"/ -->
        <test realm="wl_remoteDisableRealm" />
        <test realm="OurCustomRealm" isInternalUserID="true" />
        <test realm="wl_deviceNoProvisioningRealm" isInternalDeviceID="true" />
    </customSecurityTest>

Solution

  • After looking at the code, it appears we use a HEAD request to fetch a CSRF token from the Gateway and then insert that token into the header of the actual create request. If you refer to SAP's documentation, all modifying operations require a CSRF token header for security purposes.

    In 6.3 or even later versions of MobileFirst, I'm afraid there's no way around this configuration due to the provisions of the SAP Gateway infrastructure.