6 Replies Latest reply on Jun 11, 2015 4:10 PM by rareddy

    X-CSRF-TOKEN mismatch

    singhall

           I am using the odata translator to build a data federation module for SAP NW gateway.

      To create any entry in the SAP table we need to exchange the CSRF token, but it looks like for each call the CSRF token is new, and all the operations are failing.

       

      Please do let me know if there is any way I can maintain the same CSRF token between the subsequent GET and POST calls.

        • 1. Re: X-CSRF-TOKEN mismatch
          rareddy

          Amit,

           

          BTW, there is an OData-based SAP translator in Teiid; you can see it at [1]. Yes, this will be missing the X-CSRF-TOKEN. So, I suggest you extend this translator/connector to fix the issue. Can you point me to any documents on the usage of this header token? If you can tell me how one obtains/refreshes/uses this token, I can probably direct you to where this needs to be fixed.

           

          You can contribute your work on this back to Teiid, and we will accept any changes.

           

          Thanks


          Ramesh..

           

          [1] teiid/SAPNWODataExecutionFactory.java at master · teiid/teiid · GitHub

          • 2. Re: X-CSRF-TOKEN mismatch
            singhall

            Hi Ramesh,

             

            I agree with the fact that this implementation is missing from the SAP translator, so I have extended the same to make use of this header.

            The solution specified by SAP is to make a GET call first for the same URL to fetch the token and then set this token on the subsequent POST call.

             

            http://scn.sap.com/thread/3265491

             

            The issue, even after doing this, was that for each call, whether GET or POST, the session is different and my token gets invalidated. I think in WSConnectionImpl we are creating a new call for each request.

            Once I resolve this issue, I can surely contribute it to Teiid.

             

            Thanks

            Amit

            • 3. Re: X-CSRF-TOKEN mismatch
              singhall

              I have put both the x-csrf-token and the set-cookie values in the header after retrieving them from the GET call, but it still fails to validate.

              • 4. Re: X-CSRF-TOKEN mismatch
                rareddy

                Amit,

                 

                The "WS" connector is based on HTTP, so it is stateless. So, it will create a new connection every time. This most definitely requires a new resource-adapter. The question I have is: how is "x-csrf-token" related to user credentials? It was not clear from the thread. set-cookie is a response header, so it will not have any effect on the request; moreover, Teiid does not keep track of cookies, and SAP does not pass the token in the form of a cookie either. This is some custom authentication flow that SAP defined.


                Ramesh..
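The handshake described above (a GET with "X-CSRF-Token: Fetch" that returns a token bound to the session cookie, followed by a POST that must present both) and the failure mode of a stateless, cookie-less connector can be shown end to end with a small Python model. This is an added example, not Teiid, SAP or any poster's code. The in-process gateway stub, the cookie name SAP_SESSIONID, the URL path and the 403 status on mismatch are assumptions made for the demonstration; only the fetch-then-POST flow itself comes from the thread.

```python
"""Model of the SAP NW Gateway CSRF handshake described in the thread.

Added example, not Teiid or SAP code. The in-process gateway stub, the
cookie name SAP_SESSIONID, the URL path and the 403 on mismatch are all
assumptions made for the demonstration; the real gateway's behaviour is
only known here from the thread: GET with "X-CSRF-Token: Fetch" returns a
token bound to the session cookie, and a POST must present both.
"""
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# session id -> csrf token issued for that session (constructed stub state)
_TOKENS = {}


class GatewayStub(BaseHTTPRequestHandler):
    """Constructed stand-in for the gateway: the token is only valid
    together with the session cookie it was issued under."""

    def log_message(self, *args):  # silence request logging
        pass

    def _session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SAP_SESSIONID":
                return value
        return None

    def do_GET(self):
        sid = self._session_id()
        if sid not in _TOKENS:               # no or unknown session: start one
            sid = secrets.token_hex(8)
            _TOKENS[sid] = secrets.token_hex(16)
        self.send_response(200)
        if self.headers.get("X-CSRF-Token", "").lower() == "fetch":
            self.send_header("X-CSRF-Token", _TOKENS[sid])
        self.send_header("Set-Cookie", f"SAP_SESSIONID={sid}; Path=/")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = self._session_id()
        token = self.headers.get("X-CSRF-Token")
        ok = sid in _TOKENS and token == _TOKENS[sid]
        self.send_response(201 if ok else 403)
        if not ok:
            self.send_header("X-CSRF-Token", "Required")
        self.send_header("Content-Length", "0")
        self.end_headers()


def start_stub():
    """Serve the stub on an ephemeral localhost port; returns (server, url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), GatewayStub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/sap/opu/odata/"


def create_entry(base_url, keep_session=True):
    """GET with X-CSRF-Token: Fetch, then POST with the token.

    keep_session=True reuses the cookie jar (and so the session) for the
    POST, which is what the thread says SAP expects.  keep_session=False
    drops the jar and opens a fresh, cookie-less connection for the POST,
    the stateless per-call behaviour of the WS connector: the token is
    presented but the session it was bound to is gone, so it is rejected.
    Returns the HTTP status of the POST.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    fetch = urllib.request.Request(base_url, headers={"X-CSRF-Token": "Fetch"})
    with opener.open(fetch) as resp:
        token = resp.headers["X-CSRF-Token"]
    if not keep_session:
        opener = urllib.request.build_opener()   # new connection, no cookies
    post = urllib.request.Request(
        base_url, data=b"{}", method="POST",
        headers={"X-CSRF-Token": token, "Content-Type": "application/json"})
    try:
        with opener.open(post) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


if __name__ == "__main__":
    server, url = start_stub()
    print("stateful client  :", create_entry(url, keep_session=True))   # 201
    print("stateless client :", create_entry(url, keep_session=False))  # 403
    server.shutdown()
```

Run as a script it prints 201 for the client that carries the session cookie into the POST and 403 for the one that does not, which is exactly why setting the token header alone (or copying the Set-Cookie value into a request header) is not enough: the cookie has to be replayed as a Cookie request header on the same logical session, so a fix in Teiid has to live somewhere that can hold state across the GET and the POST.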

                • 5. Re: X-CSRF-TOKEN mismatch
                  singhall

                  Yes Ramesh,

                   

                  After looking at the WS connector it is clear that it is stateless, and as far as SAP is concerned we definitely need a new resource adapter, as SAP has defined this flow for POST operations.

                  There is a possibility that this authentication should be disabled; we are trying to work around the same.

                  Also, x-csrf-token is not related to user credentials; it's just a best practice they are using against CSRF vulnerability.

                   

                  Thanks for the support.

                   

                  Amit

                  • 6. Re: X-CSRF-TOKEN mismatch
                    rareddy

                    OK, once you figure it out, let us know. If we need to make changes to the resource adapter or translator, we are open to the change. Just engage us back with what those need to be.

                     

                    Ramesh..