Georg

Reputation: 1007

REST with S/4HANA Cloud SDK: Tomee archetype project returns 403 forbidden on POST/PUT/DELETE

I created a S4SDK project with

mvn archetype:generate -DarchetypeGroupId=com.sap.cloud.s4hana.archetypes \
  -DarchetypeArtifactId=scp-cf-tomee -DarchetypeVersion=LATEST

and I modified the HelloWorldServlet to have a doPost method, but I cannot get a POST request to reach it at all. I always get responses

HTTP status 403 forbidden

How can I use the S/4HANA Cloud SDK tomee archetype for REST development?

Upvotes: 1

Views: 333

Answers (2)

Benjamin

Reputation: 217

If you look into the response headers of your failed request, you will likely see a header X-CSRF-Token: Required. A CSRF token secures your application users from becoming victims of attacks that execute unwanted actions in your application.

Therefore, any state changing operation, such as PUT and POST, requires a valid CSRF token to ensure that the action is really intended by the authenticated user who invokes it. The CSRF token can be fetched as part of any previous side-effect free request, such as GET. Just append the header X-CSRF-Token: fetch to your request and extract the returned value from the response header X-CSRF-Token: abc123. Finally, make sure to send the extracted value as X-CSRF-Token: abc123 header of the next modifying request. Then everything should work as expected.

For more information, you can consult: http://www2.hu-berlin.de/newlogic/docs/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs/Basic_configuration_sample

Upvotes: 4
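The fetch-then-send exchange described in this answer, as an added example that is not part of the answer or of the SDK: `CsrfFilter` is a deliberately simplified stand-in for Tomcat's `RestCsrfPreventionFilter` (an assumption, not the real class) so that the client logic in `post_with_csrf` can be exercised offline against it.

```python
import secrets
from dataclasses import dataclass, field

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}  # side-effect free, never need a token


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)


class CsrfFilter:
    """Simplified model of Tomcat's RestCsrfPreventionFilter (assumption, not
    the real implementation). `session` is a dict standing in for HttpSession,
    so the token is bound to the session that fetched it."""

    def handle(self, session, method, headers):
        token = session.get("csrf")
        if method in SAFE_METHODS:
            # A GET carrying "X-CSRF-Token: fetch" is answered with a token.
            if headers.get("X-CSRF-Token", "").lower() == "fetch":
                token = token or secrets.token_hex(16)
                session["csrf"] = token
                return Response(200, {"X-CSRF-Token": token})
            return Response(200)
        # PUT/POST/DELETE: reject unless the token matches this session's.
        if token is None or headers.get("X-CSRF-Token") != token:
            return Response(403, {"X-CSRF-Token": "Required"})
        return Response(200)


def post_with_csrf(filt, session):
    """Client side: fetch the token on a harmless GET, then POST with it."""
    probe = filt.handle(session, "GET", {"X-CSRF-Token": "fetch"})
    token = probe.headers["X-CSRF-Token"]
    return filt.handle(session, "POST", {"X-CSRF-Token": token})


if __name__ == "__main__":
    f, s = CsrfFilter(), {}
    print(f.handle(s, "POST", {}))        # 403 with X-CSRF-Token: Required
    print(post_with_csrf(f, s))           # 200 after fetching the token
```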

Georg

Reputation: 1007

The default security configuration of S4SDK contains a cross-site request forgery (CSRF) prevention filter - comment it to make REST API development straightforward - but be aware of the CSRF problem and how CSRF relates to cookies - essentially ensure that no cookies are used in your REST application before and after adding these comments:

<!-- disabled to make REST work - AUTHN/AUTHZ MUST NOT USE COOKIES!
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->

Upvotes: 0
