
REST with S/4HANA Cloud SDK: Tomee archetype project returns 403 forbidden on POST/PUT/DELETE

I created an S4SDK project with

mvn archetype:generate -DarchetypeGroupId=com.sap.cloud.s4hana.archetypes \
  -DarchetypeArtifactId=scp-cf-tomee -DarchetypeVersion=LATEST

and I modified the HelloWorldServlet to have a doPost method, but I cannot get a POST request to reach it at all. I always get HTTP status 403 forbidden responses.

How can I use the S/4HANA Cloud SDK Tomee archetype for REST development?

If you look into the response headers of your failed request, you will likely see a header X-CSRF-Token: Required. A CSRF token secures your application users from becoming victims of attacks that execute unwanted actions in your application.

Therefore, any state changing operation, such as PUT and POST, requires a valid CSRF token to ensure that the action is really intended by the authenticated user who invokes it. The CSRF token can be fetched as part of any previous side-effect free request, such as GET. Just append the header X-CSRF-Token: fetch to your request and extract the returned value from the response header X-CSRF-Token: abc123. Finally, make sure to send the extracted value as the X-CSRF-Token: abc123 header of the next modifying request. Then everything should work as expected.

For more information, you can consult: http://www2.hu-berlin.de/newlogic/docs/config/filter.html#CSRF_Prevention_Filter_for_REST_APIs/Basic_configuration_sample
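The fetch-then-submit exchange described in this answer, as an added example that is not part of the original post and not the code of the Tomcat filter or the S/4HANA Cloud SDK: both sides are modelled in-process in Python so the flow can be run offline. The class and function names (CsrfFilterModel, post_without_token, post_with_fetched_token) and the in-memory session store are assumptions of this example; in the archetype project the server side is org.apache.catalina.filters.RestCsrfPreventionFilter and the client would use a real HTTP library.

```python
"""Added example (not from the original Q&A): a model of the fetch-then-submit
CSRF token exchange that the Tomcat RestCsrfPreventionFilter performs.
Names and the in-memory store are assumptions of this example, not the Tomcat API."""
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}   # side-effect free: never require a token
FETCH_MARKER = "fetch"                      # client sends X-CSRF-Token: fetch to obtain one


class CsrfFilterModel:
    """Server side (modelled): one token per authenticated session, handed out
    on a safe request that asks for it, and required on every modifying request."""

    def __init__(self):
        self._tokens = {}  # session id -> token (constructed in-memory store)

    def handle(self, session_id, method, headers):
        """Returns (status, response_headers) for a request on the given session."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        if method.upper() in SAFE_METHODS:
            response_headers = {}
            if hdrs.get("x-csrf-token") == FETCH_MARKER:
                token = secrets.token_urlsafe(24)
                self._tokens[session_id] = token
                response_headers["X-CSRF-Token"] = token
            return 200, response_headers
        # Modifying request: the presented token must match this session's token.
        expected = self._tokens.get(session_id)
        presented = hdrs.get("x-csrf-token")
        if expected is None or presented is None or not hmac.compare_digest(expected, presented):
            return 403, {"X-CSRF-Token": "Required"}
        return 200, {}


def post_without_token(server, session_id):
    """What the question describes: a bare POST that never fetched a token."""
    return server.handle(session_id, "POST", {})


def post_with_fetched_token(server, session_id):
    """Client side of the answer: fetch the token on a GET, then send it on the POST."""
    status, resp_headers = server.handle(session_id, "GET", {"X-CSRF-Token": FETCH_MARKER})
    if status != 200 or "X-CSRF-Token" not in resp_headers:
        raise RuntimeError("token fetch failed")
    token = resp_headers["X-CSRF-Token"]
    return server.handle(session_id, "POST", {"X-CSRF-Token": token})


if __name__ == "__main__":
    server = CsrfFilterModel()
    print(post_without_token(server, "session-A"))      # (403, {'X-CSRF-Token': 'Required'})
    print(post_with_fetched_token(server, "session-A"))  # (200, {})
```

The model keeps the token bound to the session that fetched it, which is the property that makes the scheme work: a request arriving on a different session, even with a syntactically valid token, is still rejected with 403 and the X-CSRF-Token: Required header.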

The default security configuration of S4SDK contains a cross-site request forgery (CSRF) prevention filter - comment it out to make REST API development straightforward - but be aware of the CSRF problem and how CSRF relates to cookies - essentially, ensure that no cookies are used in your REST application before and after adding these comments:

<!-- disabled to make REST work - AUTHN/AUTHZ MUST NOT USE COOKIES!
<filter>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>RestCsrfPreventionFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
-->
