
I've got a doGet working, but when I try to do the doPost I get a 403. I think it's because the server always sends me the header "x-csrf-token: require", but the strange thing here is that I deactivated these lines before:

<!-- disabled to make REST work - AUTHN/AUTHZ MUST NOT USE COOKIES! -->
<!--
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

I read that the approuter takes care of the security. This is my overridden post method; I only want to test that it's working:

@Override
protected void doPost(final HttpServletRequest request, final HttpServletResponse response) throws IOException, ServletException {
    response.getWriter().write("POST METHOD");
}

But I see in the response header this every time :

[screenshot: Response from app - HTTP 403]

I discovered that you need to activate the authentication in the approuter, but it's still not working for me. This is my approuter code:


Sander Wozniak
  • Are you using an approuter in front of your Java microservice or are you talking directly to an unprotected microservice? – Philipp Herzig Mar 22 '19 at 07:23
  • I am using approuter and it's working, validating the user with the correct Role to do the GET method..... I'm trying to make the front-end Fiori do the "x-csrf-token:fetch" and send it again to the microservice. – Joseluis Jimenez Mar 22 '19 at 08:12

1 Answer


The approuter by default protects all non-GET routes with CSRF protection. If you just want to test this out, you can use the approuter's configuration to turn it off using "csrf-protection": false in the xs-app.json (https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/c103fb414988447ead2023f768096dcc.html).

However, this is not recommended. The better option is to fetch the CSRF token and send it in every subsequent request.

Philipp Herzig
  • Thanks you very much, but I want to use csrf-protection: true, so that's my problem. I am using the default approuter and I can't do the POST method; my web browser doesn't do the fetch... I don't know what to do :/ – Joseluis Jimenez Mar 25 '19 at 07:11
  • Yes, but this is the idea of CSRF protection. In order to obtain a token you first need to fetch the token via x-csrf-token: fetch in the header. The response should then contain the token in the header + a corresponding session cookie. Repeating the request with the previously returned session cookie + the returned token in the request header `x-csrf-token: ` will allow you to do the post. Otherwise, please open a new question as this question seems to be answered for me. – Philipp Herzig Apr 01 '19 at 10:55