How do I handle the need for CSFR token when using SAP Cloud SDK?
I am using the SAP Cloud SDK for Java to do CRUD on the SalesOrder APIs in S/4. Everything works well in that I can carry out these actions from Postman. However, these requests from Postman only work if I include a pre-request script to get a csrf token as outlined in this blog post
If I run the requests without the pre-request script outlined in the blog post, I get a '403 Forbidden'. As I said it works from Postman, but I would like to understand how this should be handled without the need for this script, for example if I was making a request from another application. Does the SDK allow me to handle this from the application code somehow. Maybe I am missing something.
Thanks for your time.
EDIT:
I am not making requests to the S/4 directly from Postman. I have an app deployed which is using the Cloud SDK to make the requests to S/4. It works if I use the pre-request script to fetch the CSFR token and attach it to the request before I send it, but 403 if I don't. So, if we imagine I am not using Postman but some ui somewhere to fill a form and send this request my understanding is that I shouldn't, as you suggested, have to worry about this token, that my service in the middle which uses the SDK and the VDM should handle this for me. This is what I am struggling to understand.
This is the servlet code:
@Override
protected void doPost(final HttpServletRequest request, final HttpServletResponse response)
throws ServletException, IOException {
String body = IOUtils.toString(request.getReader());
JSONObject so = new JSONObject(body);
String distributionChannel = so.get("DistributionChannel").toString();
String salesOrderType = so.get("SalesOrderType").toString();
String salesOrganization = so.get("SalesOrganization").toString();
String soldToParty = so.get("SoldToParty").toString();
String organizationDivision = so.get("OrganizationDivision").toString();
String material = so.get("Material").toString();
String requestedQuantityUnit = so.get("RequestedQuantityUnit").toString();
SalesOrderItem salesOrderItem = SalesOrderItem.builder()
.material(material)
.requestedQuantityUnit(requestedQuantityUnit).build();
SalesOrder salesOrder = SalesOrder.builder()
.salesOrderType(salesOrderType)
.distributionChannel(distributionChannel)
.salesOrganization(salesOrganization)
.soldToParty(soldToParty)
.organizationDivision(organizationDivision)
.item(salesOrderItem)
.build();
try {
final ErpHttpDestination destination = DestinationAccessor.getDestination(DESTINATION_NAME).asHttp()
.decorate(DefaultErpHttpDestination::new);
final SalesOrder storedSalesOrder = new CreateSalesOrderCommand(destination, new DefaultSalesOrderService(),
salesOrder).execute();
response.setStatus(HttpServletResponse.SC_CREATED);
response.setContentType("application/json");
response.getWriter().write(new Gson().toJson(storedSalesOrder));
logger.info("Succeeded to CREATE {} sales order", storedSalesOrder);
} catch (final Exception e) {
response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
logger.error(e.getMessage(), e);
logger.error("Failed to CREATE sales order", e);
}
}
And the CreateSalesOrder command:
public SalesOrder execute() {
return ResilienceDecorator.executeSupplier(this::run, myResilienceConfig);
}
protected SalesOrder run() {
try {
return salesOrderService.createSalesOrder(salesOrder).execute(destination);
} catch (final ODataException e) {
throw new ResilienceRuntimeException(e);
}
}
I am using the version 3.16.1 of the SDK and have set logging level to DEBUG for the SDK in the manifest:
SET_LOGGING_LEVEL: '{ROOT: INFO, com.sap.cloud.sdk: DEBUG}'
and logging level to DEBUG in logback
If I remove the pre-request script from the request and send it I get the 403 response and logs shows the following messages:
"logger":"com.sap.cloud.sdk.service.prov.api.security.AuthorizationListener","thread":"http-nio-0.0.0.0-8080-exec-4","level":"DEBUG","categories":[],"msg":"Reading user principal"
"logger":"com.sap.cloud.sdk.service.prov.api.security.AuthorizationListener","thread":"http-nio-0.0.0.0-8080-exec-4","level":"DEBUG","categories":[],"msg":"Destroying Authorization as it is end of request." }
"logger":"com.sap.cloud.sdk.service.prov.api.security.AuthorizationService","thread":"http-nio-0.0.0.0-8080-exec-4","level":"DEBUG","categories":[],"msg":"Destroying Authorization JWT Token." }
As the other answers focus on the app to S/4 communication and you adjusted your question to make clear that you mean the User (e.g. Postman) to app communication I'll provide some additional information.
As mentioned by the other answers the CSRF handling to the S/4 system (or any OData endpoint) is automatically handled on side of the OData VDM.
What you are now encountering is the secure default configuration of the SAP Cloud SDK Maven Archetypes, which have the RestCsrfPreventionFilter activated by default.
This filter automatically protects all non-GET endpoints from CSRF by requiring you to fetch a CSRF Token prior to your request which you then provide.
This is completely unrelated to the OData VDM call to the S/4 system in the background.
To remedy your problems there are now three next steps:
- Use a
GETendpoint instead ofPOST- Probably only as a temporary workaround
- Remove the
RestCsrfPreventionFiltertemporarily from yourweb.xml- This should not be done for productive uses, but might make your life in the initial evaluation easier.
- "Live with it"
- As this is a commonly used pattern to protect your application against CSRF it's advised to keep the filter in place and do the CSRF-Token "flow" as required.
Further Reading
- OWASP description of CSRF: https://owasp.org/www-community/attacks/csrf
- OWASP cheat sheet on CSRF protection (linked to the approach used by the filter): https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#use-of-custom-request-headers
- JavaDoc of the
RestCsrfPreventionFilter: https://tomcat.apache.org/tomcat-8.5-doc/api/org/apache/catalina/filters/RestCsrfPreventionFilter.html
- Unsubscribe feature not working on SAP cloud platform CF for Multi-tenant SAAS application
- Extended application descriptor file and invalid datasource
- DOS Attack mitigation/rate limiting on SAP BTP CF Apps Apis
- XSLT mapping. Dynamically setting xml node names in a for each loop
- Logout functionality is not working properly in SAP Cloud Foundry authentication with XSUAA
- SAP DBTech JDBC: Cannot connect to jdbc:sap://... on SCP
- Bind northwind odata service to ui5?
- Build and Deploy a UI5-App to the Cloud without WebIDE
- Dump HANA Database using "SAP HANA Web-based Development Workbench"
- Invalid JWT token for New subaccount in SaaS
- SCP neo deploy-mta can't deploy 2 versions in a row
- SAML auth fails in WebIDE Full-Stack in "Run-As" mode
- SAP Cloud Foundry Trial and hanatrial Service HDI-Shared Plan
- Check HANA edition with SQL?
- Define SCP destination for S4HANA BAPI call with Cloud SDK
- Create SAPUI5 application programmatically?
- SAP HANA Cloud Platform for mobile apps
- Launch Fiori shell plugin before app component creation. How?
- SAP WebIDE Trial - OData Service Northwind not available
- SAP Cloud Platform relation to SAPUI5?
- jQuery.sap.includeScript().then() not working in SCP SAPUI5 app
- How to configure destination in HANA Cloud Platform?
- Deploy SAPUI5 Application to SAP Cloud or SAP App Center
- How to fix a DestinationAccessException thrown by the SAP Cloud SDK during application startup
- How do I change the expires_in value for an authentication token?
- Groovy script code to append xml node taking 15+ hours for 6K employee records
- What is the difference between SAP HANA, S/4HANA and HANA Cloud Platform?
- Does Select Query Support execBatch() in HANA?
- Can I deploy a react-app to the SAP Cloud Platform?
- Send POST request to OData service using SAP Cloud SDK version 3.2.0