I'm trying out the S/4HANA extension development exercises for multi-tenancy (Week 2 - Unit 4 of this course). I was able to set up Postman as described in the video, but when I execute PUT tenant after executing GET csrf token, I get an error that says Forbidden and do not get a status of 204 as shown in the video, but get 403 instead. Could you please let me know what I might be doing wrong here? Many thanks.
Please find attached a copy of the response received via Postman. In the logs of approuter, I can see this one message stand out (but my destination seems to be set) Msg: "Error during loading of destination service credentials. Verify Destination service is bound"
Could there be any other reason why I am getting a 403 Forbidden response instead of it creating a tenant successfully? Any pointers to proceed would be appreciated.
Access is forbidden because the backend is again being protected by a CSRF filter - in addition to the CSRF protection which the approuter provides. Likely, you will see a header x-csrf-token: Required in the 403 response.
To fix this, in your backend application, remove the RestCsrfPreventionFilter in line 47 of web.xml.
Background: the approuter has its own CSRF protection mechanism. By providing a CSRF token in your request, you only deal with the approuter's CSRF protection. If the backend is again protected against CSRF, nothing is providing a CSRF token to the backend. Additionally, the CSRF protection on the backend is no longer necessary as you have protected the backend so that it can only be accessed via the approuter.
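As an added illustration (not taken from the answer above or from the course material), this is what the filter registration being removed typically looks like in a Tomcat-style web.xml, alongside the state after the fix; the filter name and URL pattern are assumptions, the filter class is Tomcat's standard one.

```xml
<!-- BEFORE: backend web.xml still registers Tomcat's RestCsrfPreventionFilter.
     The approuter validates the x-csrf-token sent by Postman and then forwards
     the PUT to the backend without a token the backend's filter recognises,
     so the backend answers 403 and adds "x-csrf-token: Required".
     (filter-name and url-pattern are assumed values) -->
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- AFTER: both the <filter> and its <filter-mapping> above are deleted.
     CSRF protection now lives only in the approuter. That is acceptable
     only while the backend is not reachable directly, i.e. it accepts
     requests exclusively via the approuter as set up earlier in the
     exercises; if the backend ever becomes directly routable, the
     filter (or an equivalent check) has to come back. -->
```

A quick way to confirm the diagnosis before editing anything: inspect the 403 response headers in Postman; the x-csrf-token: Required header comes from the backend filter, whereas an approuter CSRF rejection would not carry it.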