Channel: SCN : All Content - SAP Gateway

Validation of CSRF Token


Hello,

 

We are trying to run the SAP CART APPROVAL app in our system landscape.

We have implemented a Relay Server, SUP, Gateway and backend system.

The baskets were displayed on the device, but when we tried to approve or reject, we received an error.

 

We receive the following information on the Android device:

 

[09:00] EntityManager Online request: ...ApplyDecision?WorkitemID=000006289817&DecisionKey=APPROVED&Comment=

[09:00] EntityManager onError, ...ApplyDecision?WorkitemID=000006289817&DecisionKey=APPROVED&Comment=

[09:00] EntityManager Error occured, SDM ErrorCode: 1, HTTPStatusCode: 403

[09:00] EntityManager HttpResponse Status code: 403, Reason: Forbidden

[09:00] EntityManager ParseSDMODataErrorXML() could not parse the message. Message was:

[09:00] EntityManager Validation of CSRF-Token failed

 

In the SUP we see the following information:

 

2013-02-19 09:00:20.800 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

 

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response body from Gateway

 

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 403 Forbidden

 

2013-02-19 09:00:20.799 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

 

2013-02-19 09:00:20.732 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

 

2013-02-19 09:00:20.729 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

 

2013-02-19 09:00:20.727 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

 

2013-02-19 09:00:16.946 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

 

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

 

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

 

2013-02-19 09:00:16.945 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

 

2013-02-19 09:00:15.859 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

 

2013-02-19 09:00:15.855 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

 

2013-02-19 09:00:15.853 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

 

2013-02-19 09:00:06.234 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

 

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

 

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

 

2013-02-19 09:00:06.232 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

 

2013-02-19 09:00:03.603 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

 

2013-02-19 09:00:03.599 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

 

2013-02-19 09:00:03.597 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

 

2013-02-19 09:00:02.866 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

 

2013-02-19 09:00:02.863 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

 

2013-02-19 09:00:02.862 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

 

2013-02-19 09:00:02.862 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

 

2013-02-19 09:00:02.555 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

 

2013-02-19 09:00:02.553 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

 

2013-02-19 09:00:02.552 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

 

2013-02-19 09:00:01.822 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP:Returning Response from Gateway Back to Message Channel

 

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Read response from Gateway

 

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]Response code is HTTP/1.1 200 OK

 

2013-02-19 09:00:01.820 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP:Recieved the response from the gateway

 

2013-02-19 09:00:01.522 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWProxy]ODP: Firing the request to the Gateway

 

2013-02-19 09:00:01.517 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GWCRequestAdapter]ODP: Read the Request information

 

2013-02-19 09:00:01.515 INFO PROXY MessageChannel Thread-380 [com.sybase.suplite.gwc.req.handler.GatewayConnectorHandler]ODP :Recieved a request to fire to Gateway

 

2013-02-19 09:00:01.511 WARN Security MessageChannel Thread-380 [com.sybase.security.core.PreConfiguredUserLoginModule]Authentication failed Authentication failed due to invalid credentials.

 

2013-02-19 09:00:01.511 WARN Security MessageChannel Thread-380 [com.sybase.security.core.PreConfiguredUserLoginModule]Authentication failed Authentication failed due to invalid credentials.

 

From my point of view we have a problem with the CSRF token.

When we connect to the Gateway via a browser and try to retrieve a token, it works:

 

    Status Code: 200 OK

    Age: 0

    Cache-Control: proxy-revalidate

    Connection: Keep-Alive

    Content-Encoding: gzip

    Content-Length: 664

    Content-Type: application/xml

    Date: Wed, 20 Feb 2013 07:58:30 GMT

    Proxy-Connection: Keep-Alive

    Server: SAP NetWeaver Application Server / ABAP 731

    Set-Cookie: MYSAPSSO2=AjQxMDIBABgAQQBQAFAAUQBFAFUARABFADAAMQAgACACAAYAMQAwADADABAAQgBNAEQAIAAgACAAIAAgBAAYADIAMAAxADMAMAAyADIAMAAwAD cANQA4BQAEAAAACAYAAgBYCQACAEX%2fAPowgfcGCSqGSIb3DQEHAqCB6TCB5gIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHGMIHDAgEBMBkwDjEM MAoGA1UEAxMDQk1EAgcgEhEHFEZWMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMzAyMjAwNzU4Mjda MCMGCSqGSIb3DQEJBDEWBBQoQvYZzNAklv5z74dA2YIFgofCjDAJBgcqhkjOOAQDBC4wLAIUMhHj5Z4INdzsqEXLbvwu1jfrkmgCFCBZjFqrgT6l28odXnoG96M2FkDx; path=/; domain=ben-bmd SAP_SESSIONID_BMD_100=Caq_vzGfPjfPmBNTJQNk9VEkGjhPBhVg4QCAAKwaY30%3d; path=/

    X-CSRF-Token: Zmcy5Fs0QnaZHX6q2BhMfw==

    dataserviceversion: 2.0

 

When activating debug mode on the Gateway server, it seems that the app does not send a CSRF token back to the server.

 

 

Does anybody have an idea what we have forgotten?

 

The parameter for the CSRF check is enabled on the Gateway. The class /IWFND/CL_SODATA_HTTP_HANDLER is also active.

 

Thanks for your answer.
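The fetch-then-use handshake the post is about, played end to end, as an added example that is not part of the original post and not SAP or Sybase code. The Gateway contract it relies on is the documented one: a GET carrying "X-CSRF-Token: Fetch" returns a token in the X-CSRF-Token response header, bound to the SAP_SESSIONID cookie set on the same exchange, and a modifying request (here the ApplyDecision POST from the Android log) must carry both, otherwise the Gateway answers 403 with "X-CSRF-Token: Required". The server side below is a constructed stand-in that models only token issue and token check; the service path CART_APPROVAL, the response bodies and the helper names (FakeGateway, GatewayClient, start_fake_gateway, expire_sessions) are assumptions made for the example. It reproduces the 403 the device shows when no token is sent, and the recovery a client needs when its token has gone stale after a session timeout.

```python
import http.cookiejar
import secrets
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

SERVICE = "/sap/opu/odata/sap/CART_APPROVAL/"  # assumed service path
_sessions = {}  # SAP_SESSIONID -> CSRF token minted for that session

class FakeGateway(BaseHTTPRequestHandler):
    """Constructed stand-in for the Gateway: models only token issue and check."""

    def log_message(self, *args):
        pass  # keep the demo quiet

    def _session_id(self):
        for part in self.headers.get("Cookie", "").split(";"):
            name, _, value = part.strip().partition("=")
            if name == "SAP_SESSIONID" and value in _sessions:
                return value
        return None  # no cookie, or a session the server has already dropped

    def do_GET(self):
        sid = self._session_id()
        new_session = sid is None
        if new_session:  # open a session and mint the token bound to it
            sid = secrets.token_urlsafe(16)
            _sessions[sid] = secrets.token_urlsafe(16)
        self.send_response(200)
        if new_session:
            self.send_header("Set-Cookie", f"SAP_SESSIONID={sid}; path=/")
        if self.headers.get("X-CSRF-Token", "").lower() == "fetch":
            self.send_header("X-CSRF-Token", _sessions[sid])
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        sid = self._session_id()
        sent = self.headers.get("X-CSRF-Token", "")
        # The token must be present and match the one minted for this session.
        if sid is None or not secrets.compare_digest(sent, _sessions[sid]):
            status, body = 403, b"CSRF token validation failed"
        else:
            status, body = 200, b"decision applied"
        self.send_response(status)
        if status == 403:
            self.send_header("X-CSRF-Token", "Required")  # "fetch a new one"
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class GatewayClient:
    """Client side: fetch the token once, reuse it, refetch once on 403."""

    def __init__(self, base_url):
        self.base_url, self.token = base_url, None
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))

    def fetch_token(self):
        req = urllib.request.Request(self.base_url + SERVICE,
                                     headers={"X-CSRF-Token": "Fetch"})
        with self.opener.open(req) as resp:  # cookie jar stores SAP_SESSIONID
            self.token = resp.headers["X-CSRF-Token"]
        return self.token

    def apply_decision(self, workitem_id, decision, send_token=True, _retry=True):
        """POST the ApplyDecision function import; returns (status, body)."""
        url = (f"{self.base_url}{SERVICE}ApplyDecision?WorkitemID={workitem_id}"
               f"&DecisionKey={decision}&Comment=")
        headers = {"Content-Type": "application/json"}
        if send_token:
            headers["X-CSRF-Token"] = self.token or self.fetch_token()
        req = urllib.request.Request(url, data=b"", headers=headers, method="POST")
        try:
            with self.opener.open(req) as resp:
                return resp.getcode(), resp.read().decode()
        except urllib.error.HTTPError as err:
            body = err.read().decode()
            if (err.code == 403 and err.headers.get("X-CSRF-Token") == "Required"
                    and send_token and _retry):
                self.fetch_token()  # stale token (session expired): refetch once
                return self.apply_decision(workitem_id, decision, True, False)
            return err.code, body

def start_fake_gateway():
    server = ThreadingHTTPServer(("127.0.0.1", 0), FakeGateway)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def expire_sessions():
    """Simulate a server-side session timeout: every issued token goes stale."""
    _sessions.clear()

if __name__ == "__main__":
    server, base = start_fake_gateway()
    client = GatewayClient(base)
    print(client.apply_decision("000006289817", "APPROVED", send_token=False))
    print(client.apply_decision("000006289817", "APPROVED"))
    server.shutdown()
```

Two things the example makes visible that are worth checking in a setup like the one in the post: the token is worthless without the SAP_SESSIONID cookie it was minted for, so a client or an intermediary that drops the cookie, or presents a token obtained in a different session, fails validation just as a client that sends no token at all does; and a 403 carrying "X-CSRF-Token: Required" is a signal to fetch a fresh token and retry once, not an authorization failure to surface to the user.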

