SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

How To Delete The User Session On Logout? #343

Closed borceacristiann closed 4 years ago

borceacristiann commented 4 years ago

Dear Colleagues,

I am part of the SAP ETD-Cloud team which is working on a multi-tenant application that is deployed in Cloud Foundry.

All the applications are deployed in Cloud Foundry and the approuter is the single entry point for all of them. The UI5 applications are deployed as HTML5 repos and are integrated into the SAP Fiori launchpad.

CSRF token-based protection is used for all CRUD operations that require it (POST, PUT, DELETE) and the token is received by executing a GET request on the approuter's root path, with the corresponding fetch X-CSRF-Token header.

To avoid multiple X-CSRF-Token requests we cache the token, but this gets us into trouble, as after a logout and re-login (using the launchpad sign out option), the old token is still there. Because it is cached, we will receive a 403 status from the approuter due to the fact that the token has expired after the logout command.

For authentication, authorization and role generation we use the XSUAA service.

We already tried the following setup, but haven't managed to clear the cache:

Is there any possibility to clear cached headers on logout?

Regards, Borcea Cristian.

hassler-d commented 4 years ago

Hi Cristian,

You should not receive a 403 if the token has expired. Can you explain in more detail what cache are you using and how your application is using this library? What is your application setup: How is it deployed? Are you using SAP Java Buildpack with servlet security or are you using spring? Do you have a link to a repo of your application? Thanks!

Best Regards Daniel

borceacristiann commented 4 years ago

1. Can you explain in more detail what cache are you using and how your application is using this library?

For HTTP requests we are using the jQuery Ajax library. The X-CSRF-Token is fetched from the approuter's root path. Future requests will use this token and will not fetch another one, because the ajax request sees the token present in the cache. After a logout and re-login (using the launchpad sign out option), the old token is still there.

Even if we try to access the UIs individually (from outside the launchpad) and configure the logout endpoint property in the xs-app.json, the token is not cleared on logout. Should the approuter take care of clearing the cache? Or do we need to configure a specific endpoint in the backend that achieves this?

2. What is your application setup: How is it deployed?

The UI5 applications are deployed as HTML5 repos using MTA deployment descriptor and are integrated into the SAP Fiori launchpad.

The approuter and backend services are deployed as nodejs applications using MTA deployment descriptor.

3. Are you using SAP Java Buildpack with servlet security or are you using spring?

We have a mixture of languages, but for retrieving the X-CSRF-Token we are using the approuter deployed as a nodejs_buildpack.

4. Do you have a link to a repo of your application?

https://github.wdf.sap.corp/EnterpriseThreatDetection/etd-cloud-approuter
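The client-side token handling described in this post, written out as an added example that is not code from the thread, the approuter or this library: a small cache that fetches the CSRF token once with `X-CSRF-Token: Fetch`, drops it on logout, and refetches it once when the server answers 403 because the cached token belongs to an earlier session. The `transport` function and the fake approuter are assumptions standing in for jQuery Ajax and the real approuter.

```javascript
// Added example: CSRF token cache with logout clearing and one refresh on 403.
// `transport` is an assumed async function (request) -> { status, headers, body }.
class CsrfTokenCache {
  constructor(transport, tokenUrl = "/") {
    this.transport = transport;
    this.tokenUrl = tokenUrl;
    this.token = null;
  }

  // Drop the cached token; call this from the logout handler.
  clear() { this.token = null; }

  // GET the root path with "X-CSRF-Token: Fetch" and cache the returned token.
  async fetchToken() {
    const res = await this.transport({ method: "GET", url: this.tokenUrl,
                                       headers: { "X-CSRF-Token": "Fetch" } });
    const token = res.headers["x-csrf-token"];
    if (res.status !== 200 || !token) throw new Error("CSRF token fetch failed");
    this.token = token;
    return token;
  }

  // Send a modifying request with the cached token; on 403 refetch once and retry.
  async send(method, url, body) {
    const attempt = (t) => this.transport({ method, url, body, headers: { "X-CSRF-Token": t } });
    let res = await attempt(this.token ?? (await this.fetchToken()));
    if (res.status === 403) {
      this.clear();
      res = await attempt(await this.fetchToken());
    }
    return res;
  }
}

// Constructed stand-in for the approuter: exactly one valid token per login session.
function makeFakeApprouter() {
  let session = 0;
  const valid = () => `tok-${session}`;
  return {
    login() { session += 1; },   // logout + re-login invalidates the previous token
    async transport(req) {
      if (req.method === "GET" && req.headers["X-CSRF-Token"] === "Fetch")
        return { status: 200, headers: { "x-csrf-token": valid() } };
      if (req.headers["X-CSRF-Token"] !== valid()) return { status: 403, headers: {} };
      return { status: 200, headers: {} };
    },
  };
}
```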

hassler-d commented 4 years ago

Hi Cristian,

It looks like your problem is app router specific. You do not seem to be using our library. Can you please create this issue on their repository?

Thanks! Daniel

borceacristiann commented 4 years ago

Thanks :)