Closed VerletzterDigitusPedis closed 7 months ago
Hi @VerletzterDigitusPedis,
thanks for reaching out to us.
What you are observing is part of a problem we (the Cloud SDK) decided not to tap into: User session management.
To solve the issue, I recommend running the pre-flight (i.e. HEAD
) request manually and just once.
Here is an example of how that could look:
final HttpClient httpClient = HttpClientAccessor.getHttpClient(destination);
final CsrfToken csrfToken = new DefaultCsrfTokenRetriever().retrieveCsrfToken(httpClient, SdkGroceryStoreService.DEFAULT_SERVICE_PATH);
// execute X times
ThreadContextExecutors.execute(() -> {
new DefaultSdkGroceryStoreService()
.deleteShelf(myShelf)
.withHeader(DefaultCsrfTokenRetriever.X_CSRF_TOKEN_HEADER_KEY, csrfToken.getToken())
.toRequest()
.execute(httpClient);
});
Hope that makes sense!
Best regards, Johannes
Hi Johannes, thank you for the great explanation and your deep insight. I tried to reproduce your suggestions in a test case and it seems to work. From my tests with Postman I assumed that the CSRF Token is only valid for a single request. In combination with the HTTP Client Cache and all of the given information we now have a rough idea on how to tackle this issue. Obviously the CSRF Token does not have an infinite validity. Therefore we will need to implement some kind of session store with a locking mechanism that is accessed by the threads once the token loses the validity. I assume that this is part of your proposed solution or would there be an easier way?
Kind Regards Marlon / VerletzterDigitusPedis
Hi @VerletzterDigitusPedis,
Therefore we will need to implement some kind of session store with a locking mechanism that is accessed by the threads once the token loses the validity. I assume that this is part of your proposed solution or would there be an easier way?
I think that sounds like a good idea. Unfortunately, though, as I stated earlier: We consciously decided to not provide any convenience from our side as we figured that we cannot provide a reasonable solution without making (potentially) too over specific assumptions on what applications actually want/need.
For example, should there be a way for applications to terminate an existing user session early? If so, how would that work? Also: Maybe some user sessions can be extended without re-fetching the CSRF token? Or maybe the session (in backend-side) is automatically extended upon using the CSRF token? If so, for how long?
Therefore, we decided not to implement support for user session management.
Best regards, Johannes
Hello everyone,
Issue Description
We are using the SAP Cloud SDK to connect with S/4HANA (on premise) in order to transfer business data from our custom coded source systems to S/4HANA. We are currently using version 5.2.0 of the Java SDK. For our VDM we are using the generator, so the dependency is
With the configuration
We use the SAP Cloud SDK in a multi-threaded way and sometimes receive errors where the CSRF token fetching fails. I would like to know if this is a problem with the SAP Cloud SDK itself or something that has to be configured in S/4HANA itself. To me it seems like multiple HEAD Requests at the same time seem to be the problem. We also noticed a pattern, where it typically happened every 5 minutes for a few requests. I also tried to reproduce it in an isolated test and I was at least somewhat successful. Here is the code:
This is a part of the output of the test code. This shows a similair pattern. A lot of requests fail at the same time, then everything seems to be fine for 5 minutes and the error continues.
I should add, that we also do load testing via K6 with virtual users and do not have the same problem there. Same with PI/CPI where we also use ODATA directly (although the PI handles the token fetching itself). Can you explain why and how it happens and maybe even the 5 minute pattern?
Impact / Priority
This affects our development and testing phase. We are discussing whether we should keep the CSRF mechanism at all.
Impact: Impaired
Timeline: Implmentation is scheduled to be finished in September but it already impairs our testing.
Error Message
If application logs are needed, then I can provide them as well. Given the amount of requests needed to reproduce this error, I omitted them for now. If you need a specific part, then just give me a heads up and I will try to add them.
Project Details
Checklist
Thank you for your valuable time and your support :)