0

I am developing an Android application in Java that consumes OData from SAP Gateway. At the moment, I am able to retrieve data from the gateway, but when I want to update or create something, an error occurs saying "Expected Status OK or No Content"... I was reading on the Internet that I would need to retrieve the CSRF token in a GET and set it on POST and PUT operations... How can I do this in an Android app consuming OData from SAP Gateway and using OData4j? My code for creating the consumer is this:

            ODataConsumer consumer = ODataConsumers.create(serviceUrl);
            ODataConsumer.Builder builder = ODataConsumers.newBuilder(serviceUrl);
            builder.setClientBehaviors(new BasicAuthenticationBehavior("myuser", "mypass")); 
            consumer = builder.build();

As you can see, I have the basic authentication, but the CSRF token is missing...

I hope you can help me.

Thanks so much,

Borja.

Boghyon Hoffmann
Gargim

2 Answers

0

When setting the client behaviors of the builder object, pass the BasicAuthenticationBehavior object together with a new SAPCSRFBehaviour object.

    builder.setClientBehaviors(new BasicAuthenticationBehavior(serviceLocation.getUserName(), serviceLocation.getPassword()), new SAPCSRFBehaviour());

How to handle CSRF tokens while consuming Gateway services using odata4j

scott
    Hi Scott, I tried that option and it doesn't work for me. When I set the client behaviors and pass the SAPCSRFBehaviour object, Gateway responds with a 403 error "Forbidden". We could resolve the problem following this post: http://scn.sap.com/docs/DOC-54896 Now, it is not necessary to set the SAPCSRFBehaviour object. We only have to set these headers: request = request.header("X-Requested-With", "XMLHttpRequest") .header("Authorization", "Basic " + encoded); Anyway, thanks a lot ;) Borja – Gargim Jan 28 '15 at 09:46
0

You need to FIRST call the OData service with a header set to get the token. Then you make calls using the token.

    request = request.header("X-CSRF-Token", "Fetch")

If cross-script attack token use is active, by default you must do this call first.

Use the gateway test call tool, or any running UI5 app that does OData calls, and trace the calls; you will see the token request sent.

phil soady
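The fetch-then-write sequence described in this answer, as an added example that is not part of the original posts and is neither odata4j nor SAP code. It uses plain `HttpURLConnection` against a constructed local stub standing in for the gateway; the `/svc` path, the token value, the `SID` cookie and the stub's 201/403 responses are assumptions, as is the token being bound to the session cookie.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.Base64;

public class CsrfTokenFlow {
    static final String AUTH = "Basic " + Base64.getEncoder().encodeToString("myuser:mypass".getBytes());

    // One request against the service; token == null means "send no X-CSRF-Token header".
    static HttpURLConnection call(URL url, String method, String token) throws Exception {
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod(method);
        c.setRequestProperty("Authorization", AUTH);
        if (token != null) c.setRequestProperty("X-CSRF-Token", token);
        if (method.equals("POST")) {
            c.setDoOutput(true);
            c.setRequestProperty("Content-Type", "application/json");
            c.getOutputStream().write("{}".getBytes()); // constructed placeholder payload
        }
        c.getResponseCode(); // forces the exchange to complete
        return c;
    }

    public static void main(String[] args) throws Exception {
        // Constructed local stand-in for the gateway (JDK-only, not SAP code): hands out a
        // token plus session cookie on "Fetch" and answers 403 to writes that lack either.
        HttpServer stub = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        stub.createContext("/svc", ex -> {
            String sent = ex.getRequestHeaders().getFirst("X-CSRF-Token");
            String cookie = String.valueOf(ex.getRequestHeaders().getFirst("Cookie"));
            int status = 200;
            if (ex.getRequestMethod().equals("GET")) {
                if ("Fetch".equalsIgnoreCase(sent)) {
                    ex.getResponseHeaders().add("X-CSRF-Token", "constructed-token");
                    ex.getResponseHeaders().add("Set-Cookie", "SID=constructed; Path=/");
                }
            } else {
                status = "constructed-token".equals(sent) && cookie.contains("SID=constructed") ? 201 : 403;
            }
            ex.sendResponseHeaders(status, -1);
            ex.close();
        });
        stub.start();
        URL url = new URL("http://127.0.0.1:" + stub.getAddress().getPort() + "/svc");

        // The token is tied to the session, so the cookies from the fetch must go back with the write.
        CookieHandler.setDefault(new CookieManager());
        System.out.println("POST without token: " + call(url, "POST", null).getResponseCode());
        String token = call(url, "GET", "Fetch").getHeaderField("X-CSRF-Token");
        System.out.println("POST with fetched token: " + call(url, "POST", token).getResponseCode());
        stub.stop(0);
    }
}
```

The stub server uses `com.sun.net.httpserver`, which exists on a desktop JDK only; the `call` helper and the `CookieManager` line are the parts that carry over to an Android client.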