Technology Blogs by SAP
Learn how to extend and personalize SAP applications. Follow the SAP technology blog for insights into SAP BTP, ABAP, SAP Analytics Cloud, SAP HANA, and more.
ronit1996
Product and Topic Expert

Concept and Need:

A CSRF token is a unique, secret, and unpredictable value that is generated on the server side and transmitted to the client to prevent CSRF attacks. The client includes the token in every subsequent modifying (create, update, and delete) request. The server-side application validates the request and rejects it if the expected token is missing, invalid, or expired. This protects the application from unauthorised modification of the database by a malicious entity.

Most SAP APIs have X-CSRF protection enabled for the create, update and delete operations to protect them against CSRF attacks. As a part of this feature, we are providing the option to mark an action as X-CSRF relevant. Since GET requests do not change the state of the database, X-CSRF capability cannot be configured for a GET action.


Parent Blog: Actions Editor – Feature List, Usage and Maintenance of Actions Project

As of today, there are 2 ways to configure an X-CSRF token fetch endpoint in the Actions Editor:

  1. Configure a global token fetch endpoint in the Project Settings dialog.
  2. Support addition of X-CSRF-TOKEN header from the Parameter table.


Approach 1: Configure a global token fetch endpoint for an Actions Project

1. Click on the project settings icon. This will open the project settings dialog.

[Image: SettingsIcon.png]

[Image: SettingsDialog.png]

2. Now configure and save the token fetch endpoint. This endpoint will be applied to all the modifying actions in the project.

[Image: GlobalCSRFEnabled.png]

After the global token fetch endpoint is configured, it appears in the top right-hand corner of the action details section, as shown below.

[Image: GlobalEndpointConfigred.png]

3. The action designer can also provide a token fetch endpoint specific to an action. This endpoint overrides the global endpoint configured in step 2.

[Image: Screenshot 2024-04-03 at 4.15.29 PM.png]

Note: In certain cases, the GET call to the token fetch endpoint can return a huge response. In such cases we suggest adding $top=1 to the endpoint, or just using / as the endpoint. E.g., the endpoint can be /A_BusinessPartner?$top=1 or /.

4. Execute the action.

[Image: Screenshot 2024-04-03 at 4.15.39 PM.png]


Approach 2: Support addition of X-CSRF-TOKEN header from the Parameter table

1. Disable the global X-CSRF protection from the Project Settings dialog.

[Image: DisableCSRF.png]

2. Add a header parameter X-CSRF-TOKEN of type string in the Parameter table.

[Image: X-CSRF.png]

3. Provide the value for the X-CSRF-TOKEN in the Test interface.

[Image: AddCSRFToken.png]

4. Execute the action.

[Image: executeAction1.png]


Note: It is possible to disable or enable CSRF at the destination level, e.g., X-CSRF could be enabled in the production environment but disabled in the development environment. To achieve this, add a boolean property sap.lcnc.fetchXcsrf under the Additional Properties section of the destination configuration and set its value to true or false.



Thanks for reading, and I hope this helped you understand how to configure X-CSRF using the Actions Editor. Please feel free to leave a comment if there are any questions; I would be happy to receive any feedback.


8 Comments
Giampaolo
Explorer
Hi,

I created a new OData service on SAP on-prem with SEGW and all works fine with Postman.

I used this resource to convert $metadata into an OpenAPI 3 JSON to upload into Build PA when I created my action.

The import seems correct and I can do GET calls, but the option Enable X-CSRF is missing.

Is there any parameter to add in SEGW or the OpenAPI JSON to enable this option?

Thanks
Giampaolo
Explorer
SOLVED!

The option has been moved into Project Settings.

Giampaolo
Explorer

In order to be able to call the service with the CSRF token from a process, it is necessary to enter the complete path in the Token Fetch End Point field.

E.g.: If the Resource Path is

/sap/opu/odata/sap/SERVICE_SRV

in the Token Fetch End Point you need to write

/sap/opu/odata/sap/SERVICE_SRV/action


Now I have another issue:

Action 'xxxxxxxxx' failed with the following error: 'Error thrown from action runtime library: Failed to read sap.lcnc.fetchXcsrf flag from destination XXXXXXX: Cannot destructure property 'originalProperties' of 'object null' as it is null.'.

In my destination I defined property sap.lcnc.fetchXcsrf = true.

Any advice?

Thanks

ronit1996
Product and Topic Expert
Hi Giampaolo,

The following can be the reasons behind the error you are facing:

  1. If the destination variable was not mapped to an actual destination before deploying the process.

  2. If the destination does not exist in the BTP subaccount.


We have made some changes in our error messages to differentiate between the cases 1 and 2. Could you run the action again and post the error message in the reply? This will help in analysing the issue further.

Regards,

Ronit
Giampaolo
Explorer
I'll try to explain myself better.

I created an action to store data into a custom table in ECC on Premise and when I test this action (with defined destination), it works fine.

Instead, when I use the same action in a Process Automation, I get the error.

I tried to delete and re-create the BTP destination, but nothing changed.

The action into Process Automation has the same version release.

Thanks and Best regards,
Giampaolo
ronit1996
Product and Topic Expert
Hi Giampaolo,

Thank you for your response. I understand that the destination against which the action was executed exists in the BTP subaccount and the execution works perfectly in Action Editor.

Could you please confirm whether the destination was chosen before executing the action in Process Automation? If a destination is not chosen and the user proceeds with executing the action in Process Automation, in that case the following error will be thrown:

The name of the destination is not defined. Please provide a valid destination name
Can I request you to execute the action again in Process Automation? If an error is thrown, could you please post the error logs in the reply?


Thanks and Best Regards,

Ronit
ravish_ranka
Employee
I had a similar issue. This got resolved after changing the API specification file. Check if you have the parameter X-CSRF-Token in the API specification file. If it is there, remove it, as X-CSRF-Token is added to the POST call by default by the framework.

Keerthana
Participant
Hi ronit1996,

I am trying to enable the X-CSRF-Token in one of the Integration Content APIs (DELETE operation), but when I am testing I get the error below.

I have enabled the X-CSRF-Token in the settings and also added the token endpoint path as /.

Please help me with this query.

Thanks in advance.

Regards,
Keerthana