ABAP Websocket Server XSRF Token

陌路散爱 submitted on 2020-01-02 10:12:53

Question


I'm currently trying to set up a web-socket server on an SAP application server as a proof of concept. The application which is connecting to the web-socket server is not going to be a UI5 or WebDynpro application but just a middleware program running on a headless computer.

Following a quick guide, I've set up the push channel and I have an object with the interface methods ON_START, ON_MESSAGE, etc. I'm currently testing the interface using wscat, which you can get from npm.

When I tried connecting to my service for the first time using wscat I was receiving an HTTP 500 error.

I wasn't sure why I was getting the 500 error, so I tried to access the URL via HTTP and a web browser to see what was happening.

500 SAP Internal Server Error

ERROR: Cross-Site Request Forgery (XSRF) check has failed ! (termination: ABORT_MESSAGE_STATE)

I had seen these tokens also in use by Gateway services, so I had created a quick gateway service and sent a GET request with X-CSRF-Token: Fetch, except the token that I get from this doesn't work when I attempt to use it in the URI parameter sap-XSRF.

Going forward, I started to debug CL_APC_MANAGER function HANDLE_REQUEST to see if my request comes in at all. I also wanted to trace where the origin of the 500 error comes from. I've managed to trace it back to CL_APC_MANAGER method CHECK_XSRF.

METHOD check_xsrf.
  DATA: lv_xsrf_token TYPE string.
*
* validate XSRF token
*
  " The token is read from the sap-xsrf form field (URI/body parameter) first,
  " and only if that is empty from the request header of the same name.
  lv_xsrf_token = i_server->request->get_form_field( name = if_http_form_fields_sap=>sap_xsrf ).
  IF lv_xsrf_token IS INITIAL.
    lv_xsrf_token = i_server->request->get_header_field( name = if_http_form_fields_sap=>sap_xsrf ).
  ENDIF.

  IF lv_xsrf_token IS INITIAL.
    " No token supplied at all: the check fails without consulting the server.
    r_successful = abap_false.
  ELSE.
    " The server validates the supplied token against the XSRF cookie of the session.
    CALL METHOD i_server->validate_xsrf_token
      EXPORTING
        token                    = lv_xsrf_token
      IMPORTING
        successful               = r_successful
      EXCEPTIONS
        token_not_found          = 1
        cookie_not_found         = 2
        internal_error           = 3
        called_by_public_service = 4
        OTHERS                   = 5.
    IF sy-subrc <> 0 OR abap_false = r_successful.
      r_successful = abap_false.
    ELSE.
      r_successful = abap_true.
    ENDIF.
  ENDIF.
ENDMETHOD.

If I skip this check manually with the debugger, then I'm able to connect to my web-socket server without a problem.

However I'm not sure at all how I'm actually supposed to get this token before attempting to connect. I noticed the XSRF Tokens are saved in database table SECURITY_CONTEXT. The only problem is an entry is created in this table with the key I need to have after I attempt to connect. I need it before and I'm not sure what the procedure is for retrieving a token properly.

Is there anybody with previous experience using these that can shed some light? Thanks in advance.

EDIT: I'm using Version 740 with Service Pack 4.


Answer 1:


The "correct" way to have the header generated correctly is by maintaining table APC_CROSS_ORIGIN (transaction SAPC_CROSS_ORIGIN).

WebSockets functionality was only released for customer use in 7.40SP5, which probably explains why you don't have that table in your system. I'd recommend using your workaround for now, until your system has been patched.



Source: https://stackoverflow.com/questions/31983752/abap-websocket-server-xsrf-token
