SAP / cloud-sdk-java

Use the SAP Cloud SDK for Java to reduce development effort when building applications on SAP Business Technology Platform that communicate with SAP solutions and services such as SAP S/4HANA Cloud, SAP SuccessFactors, and many others.
Apache License 2.0

Requests are sent without CSRF token to ABAP on-premise system #379

Closed stephangutknecht closed 3 months ago

stephangutknecht commented 6 months ago

Issue Description

We are executing requests to an ABAP on-premise system. We realized that for some requests, there is no CSRF token provided in the headers when monitoring the requests on ABAP side. Hence, they are failing.

Request in Java

return apiClient.executeRequest(
        () -> {
          HttpDestination httpDest = null;
          log.debug(
              "Command {} with ID {} is being sent to {}",
              payload.getBDTSCommandName(),
              payload.getBDTSCommandID(),
              destination);
          try {
            httpDest = destinationProvider.getMegaCliteDest(destination);
          } catch (Exception e) {
            log.error(
                "Destination could not be queried {} for CommandID {} ",
                e.getMessage(),
                payload.getBDTSCommandID());
          }

          var command = createCommand(payload);
          var request =
              new BDTSCommandCreateFluentHelper(DEFAULT_SERVICE_PATH, command, ENTITY_COLLECTION)
                  .toRequest();
          var client = HttpClientAccessor.getHttpClient(httpDest);
          return request.execute(client);
        });

Example headers w/o csrf-token

<HTTP_HEADER>
<IHTTPNVP>
<NAME>~request_line</NAME>
<VALUE>POST /sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet?sap-client=010 HTTP/1.1</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~request_method</NAME>
<VALUE>POST</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~request_uri</NAME>
<VALUE>/sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet?sap-client=010</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~path</NAME>
<VALUE>/sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~path_translated</NAME>
<VALUE>/sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~query_string</NAME>
<VALUE>sap-client=010</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~server_protocol</NAME>
<VALUE>HTTP/1.1</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>user-agent</NAME>
<VALUE>Apache-HttpClient/4.5.14 (Java/17.0.10)</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>accept</NAME>
<VALUE>application/json</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>accept-encoding</NAME>
<VALUE>gzip,deflate</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>b3</NAME>
<VALUE>bd23d4dce6cf4efa7d0de3baa481f866-7d0de3baa481f866</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>content-type</NAME>
<VALUE>application/json</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>cookie</NAME>
<VALUE> </VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>destination-name</NAME>
<VALUE>M9R_010</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>sap-passport</NAME>
<VALUE>2A54482A0300E600006274632D63726F73732D6F7263682D6170692D636F6E74726F6C6C65722D73720000616E6F6E796D6F757300000000000000000000000000000000000000000000005341505F434C4F55445F53444B5F5245515545535400000000000000000000000000000000000000000B6274632D63726F73732D676174657761792D616261702D7372762D303138653763363265306238333239343634323137393464396362653636613165653666612020200002DD9EA582047D47D4A3F3CBFEC904464E9110006B2F8F46489CF0DEE7A18DB0D400000001000000002A54482A</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>traceparent</NAME>
<VALUE>00-db592acda0b5fda2b97c5324a2916468-01e5ed65ca4ec8fc-01</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>tracestate</NAME>
<VALUE>4f12a59b-69d2b3b0@dt=fw4;1c;a915cd93;2049;0;0;0;1f5;05f4;2h03;3h86830b46;4h029b;5h01</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-b3-spanid</NAME>
<VALUE>7d0de3baa481f866</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-b3-traceid</NAME>
<VALUE>bd23d4dce6cf4efa7d0de3baa481f866</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-cf-applicationid</NAME>
<VALUE>1d1665f2-e48a-4343-932c-feee179c21bc</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-cf-instanceid</NAME>
<VALUE>63690941-1fee-44be-54a3-d942</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-cf-instanceindex</NAME>
<VALUE>0</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-correlationid</NAME>
<VALUE>b2f3450f-e0f7-4bb8-8e0b-a8c0bb8d453e</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-dynatrace</NAME>
<VALUE>FW4;1775416240;28;-1458188909;8265;0;1326622107;501;05f4;2h03;3h86830b46;4h029b;5h01</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-forwarded-for</NAME>
<VALUE>3.68.176.248, 10.0.136.0</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-forwarded-proto</NAME>
<VALUE>https</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-request-start</NAME>
<VALUE>1711546838110</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-scp-request-id</NAME>
<VALUE>fe6455db-49f1-4f84-9e7b-75137f4aeb61-660421D6-5E79DE5</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client</NAME>
<VALUE>1</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-issuer-dn</NAME>
<VALUE>L0NOPWluc3RhbmNlSWRlbnRpdHlDQQ==</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-notafter</NAME>
<VALUE>240328121038Z</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-notbefore</NAME>
<VALUE>240327121038Z</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-session-id</NAME>
<VALUE>AFD0680A8CA1DE4EB9CA9AF8634948B4A3BAB6E1BFD0283DAE59FBFC0DB8B6C1</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-subject-cn</NAME>
<VALUE>NTkyNWFiZjYtMjk5Mi00MjQyLTY5NTctNTdjMg==</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-subject-dn</NAME>
<VALUE>L09VPWFwcDo4Y2U0ODVmNy00MTYyLTQ1N2UtODk2Ny0zODVmNTYyYjEyZGQvT1U9c3BhY2U6YTcyN2Q2MWQtNzcwZC00ODA5LWI3NzAtYmI1MzIxNWQ4MGIyL09VPW9yZ2FuaXphdGlvbjo5Y2E3MTQ0My1hYmE2LTQyN2QtOGVkYi03OGZjMjBiZDYwMDYvQ049NTkyNWFiZjYtMjk5Mi00MjQyLTY5NTctNTdjMg==</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-ssl-client-verify</NAME>
<VALUE>0</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-vcap-request-id</NAME>
<VALUE>bd23d4dc-e6cf-4efa-7d0d-e3baa481f866</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>x-dynatrace-application</NAME>
<VALUE>v=2;appId=;cookieDomain=ondemand.com;rid=1507327465;rpid=424364408;en=wechx5wh</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>connection</NAME>
<VALUE>close</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>sap-connectivity-scc-location_id</NAME>
<VALUE>shared-scc</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>host</NAME>
<VALUE>ldcim9r.devint.net.sap:44311</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~server_name</NAME>
<VALUE>ldcim9r.devint.net.sap</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~server_port</NAME>
<VALUE>44311</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>transfer-encoding</NAME>
<VALUE>chunked</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~server_name_expanded</NAME>
<VALUE>ldcim9r.devint.net.sap</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~server_port_expanded</NAME>
<VALUE>44311</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~remote_addr</NAME>
<VALUE>10.239.14.195</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~uri_scheme_expanded</NAME>
<VALUE>HTTPS</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~unidentified_path_segments</NAME>
<VALUE>/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~virtual_host_number</NAME>
<VALUE>0</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~script_name</NAME>
<VALUE>/sap/opu/odata</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~path_info</NAME>
<VALUE>/BDTS/COMMAND_SRV/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~script_name_expanded</NAME>
<VALUE>/sap/opu/odata</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~path_info_expanded</NAME>
<VALUE>/BDTS/COMMAND_SRV/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~path_translated_expanded</NAME>
<VALUE>/sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet</VALUE>
</IHTTPNVP>
<IHTTPNVP>
<NAME>~gui_header_handler_field</NAME>
<VALUE>/sap/opu/odata</VALUE>
</IHTTPNVP>
</HTTP_HEADER>

The expectation is the CSRF token is added by the framework. It doesn't happen for all requests. We are retrying the requests in case of failures. At some point, the requests are successful. This retry mechanism was built to avoid the "CSRF token invalid" issue.

Impact / Priority

This issue blocks our release.

Affected development phase: Release

Impact: Blocked

Timeline: Go-Live on April 15th

Error Message


Project Details


Checklist

CharlesDuboisSAP commented 6 months ago

Hello Stephan,

Could you send debug logs and HTTP wire logs of your application?

Best, Charles

newtork commented 6 months ago

Before uploading wire logs:


@CharlesDuboisSAP is asking for wire logs because they represent the Java/client-side logs, whereas your attached log entry, while unfamiliar to us, looks like server-side logs. For the latter we can provide neither interpretation nor support.


@stephangutknecht: CSRF token requests are being sent by default for OData POST/PUT/PATCH. Like in your source code. If the CSRF token retrieval is not successful, then the actual OData request will not contain the header. Unfortunately SAP Cloud SDK cannot make hard assumptions for CSRF requirements of generic target systems. This is why the logic is lenient.

How can a CSRF token request fail? E.g.
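Added example, not part of the original comment and not SAP Cloud SDK code: a small in-process model of the lenient behaviour described in the comment above, next to a strict variant that retries only the token fetch and never sends the modifying request without a token. FakeGateway, send_lenient, send_strict and all values are hypothetical; the model assumes the usual fetch handshake, where a non-modifying request with x-csrf-token: fetch returns a token plus a session cookie.

```python
class CsrfTokenUnavailable(Exception):
    """Raised by the strict client when no token could be obtained."""


class FakeGateway:
    """Constructed stand-in for a token-protected OData service."""

    def __init__(self, fail_fetch_on=()):
        self.fail_fetch_on = set(fail_fetch_on)  # 1-based fetch attempts that fail
        self.fetch_count = 0
        self.writes_seen = 0   # modifying requests that reached the server
        self.sessions = {}     # session cookie -> token issued for it

    def handle(self, method, headers):
        h = {k.lower(): v for k, v in headers.items()}
        if method in ("GET", "HEAD") and h.get("x-csrf-token", "").lower() == "fetch":
            self.fetch_count += 1
            if self.fetch_count in self.fail_fetch_on:
                return 503, {}  # e.g. a transient failure on the way to the backend
            cookie = f"session={self.fetch_count}"
            token = f"token-{self.fetch_count}"
            self.sessions[cookie] = token
            return 200, {"x-csrf-token": token, "set-cookie": cookie}
        if method in ("POST", "PUT", "PATCH", "DELETE"):
            self.writes_seen += 1
            expected = self.sessions.get(h.get("cookie", ""))
            if expected is None or h.get("x-csrf-token") != expected:
                return 403, {"x-csrf-token": "Required"}
            return 201, {}
        return 200, {}


def fetch_token(gateway):
    """Return the headers to attach to the write, or None if the fetch failed."""
    status, resp = gateway.handle("HEAD", {"x-csrf-token": "fetch"})
    token = resp.get("x-csrf-token")
    if status >= 400 or not token:
        return None
    return {"x-csrf-token": token, "cookie": resp.get("set-cookie", "")}


def send_lenient(gateway):
    """A failed fetch is swallowed and the POST goes out without the header."""
    csrf = fetch_token(gateway) or {}
    headers = {"content-type": "application/json", **csrf}
    status, _ = gateway.handle("POST", headers)
    return status, "x-csrf-token" in headers


def send_strict(gateway, attempts=3):
    """Retry the fetch only; fail loudly instead of sending a tokenless POST."""
    for _ in range(attempts):
        csrf = fetch_token(gateway)
        if csrf:
            headers = {"content-type": "application/json", **csrf}
            status, _ = gateway.handle("POST", headers)
            return status
    raise CsrfTokenUnavailable(f"no CSRF token after {attempts} fetch attempts")


if __name__ == "__main__":
    print(send_lenient(FakeGateway(fail_fetch_on={1})))  # rejected, no header sent
    print(send_strict(FakeGateway(fail_fetch_on={1})))   # second fetch succeeds
```

In the lenient path the failure only becomes visible on the server as a rejected write with no token, which matches the symptom in the header capture; the strict path surfaces the failed fetch on the client, where its cause can be logged.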

stephangutknecht commented 6 months ago

@newtork @CharlesDuboisSAP

We have now executed the process with the loggers you mentioned on DEBUG. You can find the logs here: https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/goto/a04bc954a49a70ad54a8a5a6b9d5177d?security_tenant=global.

MatKuhr commented 6 months ago

We get an error when accessing the link:

{"statusCode":400,"error":"Bad Request","message":"[request query.security_tenant]: definition for this key is missing"}

Can you please check again?

gutknechts commented 6 months ago

You need to first login to the Kibana instance before opening the link.

MatKuhr commented 6 months ago

Okay, so how do I do that exactly? I don't know anything about your Kibana instance 🤷🏻‍♂️

stephangutknecht commented 6 months ago

To get access, first get the CALM CAM Central Profile (https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central?item=request&profile=CALM%20CAM%20Central%20Profile#). Afterwards, you need CALM_APPLOG_PROD authorization (https://spc.ondemand.com/sap/bc/webdynpro/a1sspc/cam_wd_central?item=request&profile=CALM_APPLOGS_PROD). Now, you should be able to access the logs.

cschubertcs commented 6 months ago

Hi @stephangutknecht,

I am from the Cloud SDK Team as well and will have a look at this issue. I just requested access to the Kibana related authorizations, as described in your last comment.

cschubertcs commented 5 months ago

Hi @stephangutknecht,

I now seem to have the respective roles assigned, but the link above still gives the same error Matthias already posted before. Are there any more steps necessary?

stephangutknecht commented 5 months ago

@cschubertcs

Probably the logs are already removed. The retention date is 1 week I think. I will activate the logs for one of the next executions, and share the link to Kibana.

Best regards Stephan

cschubertcs commented 5 months ago

Sounds good. But does it anyway make sense to see the exact same error message Matthias had without the correct access rights?

stephangutknecht commented 5 months ago

@cschubertcs

You now have the correct rights. You can just not see the logs anymore as they are already deleted. When we have the new logs available, you should be able to see them.

cschubertcs commented 5 months ago

Hi Stephan, When clicking this link I still get the same error message as before: https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/auth/saml/captureUrlFragment?nextUrl=%2Fgoto%2Fa04bc954a49a70ad54a8a5a6b9d5177d&security_tenant=

{"statusCode":400,"error":"Bad Request","message":"[request query.security_tenant]: definition for this key is missing"}

I tried Firefox (my standard) and Chrome (not used for kibana before). There still seems to be something missing.

stephangutknecht commented 5 months ago

@cschubertcs

Can you try to open the landing page from Kibana first, and afterwards the direct link? I have issues with this as well, when accessing the direct link.

https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/app/dashboards#/view/ZCALMEU10

cschubertcs commented 5 months ago

Okay, an improvement: I now see at least the UI, but not the relevant data: [image]

stephangutknecht commented 5 months ago

@cschubertcs

I have just re-run the execution with all loggers on DEBUG. Please take a look.

https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/goto/49174939457edf6592dc1f8062025a87?security_tenant=global

(Please remember to first access the Kibana instance on its own, and then use the direct link)

cschubertcs commented 5 months ago

Hi @stephangutknecht,

I finally can see data, but can you let me know where you don't see the CSRF token being added? For the moment I was just able to identify places where it gets added (and cached) successfully.

Best case would be the http-outgoing-<some-number> identifier. Right now I can see 371 requests that either fetch a CSRF token, or have it added.

stephangutknecht commented 5 months ago

@cschubertcs

If you don't see the issue anymore, we can close the item. I would re-open if we see it again in one of the next executions.

cschubertcs commented 5 months ago

Would be fine for me. However, as I never identified the issue before in the first place I cannot reliably make sure that it doesn't currently occur anymore. I just did a spot check and only see GET requests without any CSRF handling (as expected) or HEAD/POST/PUT/PATCH that have CSRF handling. That doesn't guarantee, however, that there is no issue anymore, just that I couldn't find anything. If you can point us at a concrete error message or request that doesn't have it added we would be more able to go through the related logs, as it's right now not manageable to go through the logs line by line to maybe identify the issue.
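The spot check discussed in this thread (finding POST/PUT/PATCH requests that left the client without a CSRF token, and token fetches that got no token back) can be scripted instead of read line by line. The following Python script is an added example, not part of the thread or the SDK; it assumes Apache HttpClient header-logger lines of the form `http-outgoing-<n> >> ...` / `<< ...`, and its sample log is constructed.

```python
import re
from collections import namedtuple

# Assumed header-log shape: "... http-outgoing-<n> >> <text>" (request), "<<" (response).
LINE = re.compile(r"(http-outgoing-\d+) (>>|<<) (.*)$")
REQUEST_LINE = re.compile(r"([A-Z]+) (\S+) HTTP/\d")
MODIFYING = {"POST", "PUT", "PATCH"}  # methods the thread names as carrying a token
Exchange = namedtuple("Exchange", "conn method path sent received")
# Constructed sample, not taken from the issue's logs.
SAMPLE_LOG = """\
DEBUG headers - http-outgoing-7 >> HEAD /sap/opu/odata/BDTS/COMMAND_SRV HTTP/1.1
DEBUG headers - http-outgoing-7 >> x-csrf-token: fetch
DEBUG headers - http-outgoing-7 << HTTP/1.1 404 Not Found
DEBUG headers - http-outgoing-7 >> POST /sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet HTTP/1.1
DEBUG headers - http-outgoing-7 >> Content-Type: application/json
DEBUG headers - http-outgoing-8 >> HEAD /sap/opu/odata/BDTS/COMMAND_SRV/ HTTP/1.1
DEBUG headers - http-outgoing-8 >> x-csrf-token: fetch
DEBUG headers - http-outgoing-8 << HTTP/1.1 200 OK
DEBUG headers - http-outgoing-8 << x-csrf-token: constructed-token-value
DEBUG headers - http-outgoing-8 >> POST /sap/opu/odata/BDTS/COMMAND_SRV/BDTSCommandSet HTTP/1.1
DEBUG headers - http-outgoing-8 >> x-csrf-token: constructed-token-value
"""

def parse_exchanges(lines):
    """Group header-log lines into one Exchange per request, per connection."""
    exchanges, open_by_conn = [], {}
    for raw in lines:
        m = LINE.search(raw.rstrip())
        if not m or m.group(3).startswith('"'):  # wire-logger payload lines are quoted
            continue
        conn, direction, text = m.groups()
        req = REQUEST_LINE.match(text) if direction == ">>" else None
        if req:  # connections are reused: every request line opens a new exchange
            open_by_conn[conn] = Exchange(conn, req.group(1), req.group(2), {}, {})
            exchanges.append(open_by_conn[conn])
        elif conn in open_by_conn and ":" in text:
            name, value = text.split(":", 1)
            ex = open_by_conn[conn]
            (ex.sent if direction == ">>" else ex.received)[name.strip().lower()] = value.strip()
    return exchanges

def missing_token(exchanges):
    """Modifying requests that left the client without an x-csrf-token header."""
    return [e for e in exchanges if e.method in MODIFYING and "x-csrf-token" not in e.sent]

def failed_fetches(exchanges):
    """Token fetches ('x-csrf-token: fetch') whose response carried no token back."""
    return [e for e in exchanges if e.sent.get("x-csrf-token", "").lower() == "fetch"
            and not e.received.get("x-csrf-token")]
```

Each returned `Exchange` carries the `http-outgoing-<n>` identifier and the request path, so a flagged POST can be matched to the token fetch that preceded it on the same connection.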

stephangutknecht commented 3 months ago

We have observed the issue with missing CSRF token in Cloud SDK requests again. Here is the link to the log: https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/app/discover#/?_g=(filters:!(),refreshInterval:(pause:!t,value:0),time:(from:'2024-06-23T08:30:00.000Z',to:'2024-06-23T09:00:00.000Z'))&_a=h@9365b12

PS: First login to the Kibana instance using https://dashboards-sf-5adb053e-a43d-4d07-89fd-afa801f39a1f.cls-02.cloud.logs.services.eu10.hana.ondemand.com/app/dashboards#/view/ZCALMEU10?_g=h@c823129&_a=h@e94ae0c

stephangutknecht commented 3 months ago

We have identified that the issue might be related to an issue with the Java version of cloud-sdk. The documentation about CSRF token fetching seems to cover the JS version only, and seems to differ for Java. In our case, the slash at the end of the url to fetch the token was not added automatically.

KavithaSiva commented 3 months ago

Have you verified this behaviour with a REST client (e.g. with Postman)? Does the CSRF token fetch to the remote system always work if there is / at the end of the path? And if the / is not included, is it flaky, with tokens retrieved sometimes?

I was unfortunately not able to find the relevant CSRF token fetch logs. And now the logs are no longer accessible (they probably expired). Would you be able to extract and attach the relevant logs here directly when the issue occurs? It is difficult to find the relevant ones in Kibana.

stephangutknecht commented 3 months ago

@KavithaSiva Yes, we were able to reproduce the issue with Insomnia. It only works with "/" at the end of the path. However, according to documentation, this should be handled by Cloud SDK.

CharlesDuboisSAP commented 3 months ago

You can define this CustomCsrfTokenRetriever which will add a trailing / on the service path:

// Delegates to the SDK's default retriever, but appends "/" to the service path
// so that the token fetch targets ".../<service>/" instead of ".../<service>".
class CustomCsrfTokenRetriever implements CsrfTokenRetriever
{
    DefaultCsrfTokenRetriever defaultCsrfTokenRetriever = new DefaultCsrfTokenRetriever();

    // Token fetch without additional request headers.
    @Nonnull
    @Override
    public CsrfToken retrieveCsrfToken( @Nonnull HttpClient httpClient, @Nonnull String servicePath )
    {
        return defaultCsrfTokenRetriever.retrieveCsrfToken(httpClient, servicePath + "/");
    }

    // Token fetch that passes the given headers along with the fetch request.
    @Nonnull
    @Override
    public CsrfToken retrieveCsrfToken(
            @Nonnull HttpClient httpClient,
            @Nonnull String servicePath, @Nonnull Map<String, Collection<String>> headers )
    {
        return defaultCsrfTokenRetriever.retrieveCsrfToken(httpClient, servicePath + "/", headers);
    }
}

And then set the CustomCsrfTokenRetriever on your request like so:

var request = ....
request.setCsrfTokenRetriever(new CustomCsrfTokenRetriever());
var client = HttpClientAccessor.getHttpClient(httpDest);
return request.execute(client);

Let me know if this works.

stephangutknecht commented 3 months ago

@CharlesDuboisSAP Thanks for the reply. We have implemented a similar mechanism, and it works for us. Still, I think either the documentation needs to be adapted or the mechanism in Cloud SDK that should handle the trailing slash in the service path must be implemented as documented.

CharlesDuboisSAP commented 3 months ago

I will update the Java documentation (OData v2 and v4) to add the workaround.