Hi,
I have a UI5 application running under a service user in an ICF node (set up directly in the ICF node), and this triggers a 403 error while trying to execute the modifying operation.
The reason behind it is that internally the SAP system is calling some C-based function that returns a silent error (sy-subrc = 2) on the check for the acquisition of the token, which seems rather invalid considering the setup.
Setup is somewhat like:
- BSP Node: Service User, Auth. Method has Service Data;
- OData Nodes: Service User, Auth. Method has Service Data;
Execution-wise, all works: it identifies the user and no problem occurs. However, it seems that the CSRF-Token: Fetch "requires" some other procedure to be in place other than Service Data.
Explaining a bit further: having the exact same request either pushing down an Authorization header or having the browser authenticate using Basic Auth returns an SSO cookie, which is "handed over" on the subsequent request for the token fetch. Having the cookie set up allows GW to generate a token as expected.
The opposite case (where the logon happens in the ICF node using Service Data) does not generate the SSO cookie (there is no Set-Cookie header coming back); hence, the X-CSRF-Token: Fetch returns a "blank" X-CSRF-Token. It doesn't even fail, it simply fails to acquire one... Shouldn't the "bypass" take into account the authentication procedure used? IMO, I shouldn't even be bothered with such BS protection, but it seems GW sort of 'enforces it', and it's kinda hard for me to tell folks here we should disable it. Not to say, even though it is sort of "dummy" to have such a thing for a Service User, maybe keeping it in place would ease changes in the future if they want identified access (user-based access).
Options I have atm:
- disable CSRF either in a custom handler;
- disable CSRF using the gui configuration option as per 7.4 docs;
Has anyone faced a similar issue? Any help to overcome this problem is highly appreciated. I don't want to disable the validation mechanism, but I need to bypass it and somehow "trick" the C kernel call.
Cheers,
- Dan.