Wednesday, September 23, 2020

SAP NW GW Cross-Site Request Forgery Protection

Just some quick notes on making modifying requests to older (pre 2.0 SP02) and newer (post 2.0 SP02) SAP NWGW systems.

The notes here are taken from SAP Help.

Newer gateway

A newer NWGW (post 2.0 SP02) can and should be protected using a standard CSRF token passed in an HTTP header.

The authentication flow in that case is:

  1. Make a non-modifying (GET or HEAD) request with the header field
     X-CSRF-TOKEN: Fetch
     You will receive the CSRF token in the response.
  2. Make the modifying request (POST, PUT, MERGE...) with the header field
     X-CSRF-TOKEN: <token>

This is the recommended option and you should use it whenever possible.


Older gateway

On older gateway systems you have to use the older and less secure protection method. It consists of just sending one header inside the POST request:
X-Requested-With: XMLHttpRequest

You also have to configure the protection mechanism on the service itself:

  1. Open transaction (t-code) SICF
  2. Open the node for your service
  3. Navigate to Service Data and GUI Configuration
  4. Fill in the parameters
    1. Parameter name: ~CHECK_CSRF_TOKEN
    2. Parameter value: 0 or 1 (1 enables the CSRF token check, 0 disables it; see the handler defaults below)
    3. Save

Compatibility Mode for SP02 – HTTP Handler in SICF (node sdata)

(Default: X-Requested-With; to enable the XSRF token check, use ~CHECK_CSRF_TOKEN=1)

The request handler is /IWFND/CL_SDATA_ODATA_APP.

Standard Mode – HTTP Handler in SICF (node odata)

(Default: XSRF token check; to disable it and switch to X-Requested-With, use ~CHECK_CSRF_TOKEN=0)

The request handler is /IWFND/CL_SODATA_HTTP_HANDLER.
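Both flows described above (the token fetch on the standard handler and the X-Requested-With header on the compatibility handler) as an added example, not code from the original post or from SAP: a constructed in-memory gateway stub that models the two settings of ~CHECK_CSRF_TOKEN, plus the client side of the recommended two-step call. The FakeGateway class, the per-session token binding and the 403 response shape are assumptions for illustration.

```python
import secrets


class FakeGateway:
    """Constructed stand-in for a NWGW OData node (not SAP code) modelling both
    settings of ~CHECK_CSRF_TOKEN: 1 = token check, 0 = X-Requested-With only."""
    SAFE_METHODS = {"GET", "HEAD"}

    def __init__(self, check_csrf_token=1):
        self.check_csrf_token = check_csrf_token
        self.token = None  # token issued to this (emulated) session

    def handle(self, method, headers):
        hdrs = {k.lower(): v for k, v in headers.items()}
        if method in self.SAFE_METHODS:
            resp = {"status": 200, "headers": {}}
            # 'X-CSRF-TOKEN: Fetch' on a non-modifying request returns a fresh token
            if hdrs.get("x-csrf-token", "").lower() == "fetch":
                self.token = secrets.token_urlsafe(24)
                resp["headers"]["x-csrf-token"] = self.token
            return resp
        if self.check_csrf_token == 1:
            # standard mode: the modifying request must replay the issued token
            ok = self.token is not None and hdrs.get("x-csrf-token") == self.token
        else:
            # compatibility mode: only the custom header is checked (no secret involved)
            ok = hdrs.get("x-requested-with") == "XMLHttpRequest"
        if ok:
            return {"status": 201, "headers": {}}
        return {"status": 403, "headers": {"x-csrf-token": "Required"}}  # assumed shape


def modifying_request(gateway, method, headers=None):
    """Client side of the recommended flow: fetch the token with a HEAD, then send it."""
    fetch = gateway.handle("HEAD", {"X-CSRF-TOKEN": "Fetch"})
    token = fetch["headers"].get("x-csrf-token")
    if not token:
        raise RuntimeError("gateway did not return an X-CSRF-TOKEN")
    hdrs = dict(headers or {})
    hdrs["X-CSRF-TOKEN"] = token
    return gateway.handle(method, hdrs)


if __name__ == "__main__":
    gw = FakeGateway(check_csrf_token=1)
    print(gw.handle("POST", {})["status"])        # 403: no token
    print(modifying_request(gw, "POST")["status"])  # 201: token fetched and replayed
```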
