Problem description
I'm currently trying to set up a web-socket server on an SAP application server as a proof of concept. The application which is connecting to the web-socket server is not going to be a UI5 or WebDynpro application but just a middle-ware program running on a headless computer.
Following a quick guide, I've set up the push channel and I have an object with the interface methods ON_START, ON_MESSAGE, etc. I'm currently testing the interface using wscat, which you can get from npm.
When I tried connecting to my service for the first time using wscat, I was receiving an HTTP 500 error.
I wasn't sure why I was getting the 500 error, so I tried to access the URL via http and a web browser to see what was happening.
500 SAP Internal Server Error
ERROR: Cross-Site Request Forgery (XSRF) check has failed ! (termination: ABORT_MESSAGE_STATE)
I had seen these tokens also in use by Gateway services, so I had created a quick gateway service and sent a GET request with X-CSRF-Token: Fetch, except the token that I get from this doesn't work when I attempt to use uri parameter sap-XSRF.
Going forward, I started to debug CL_APC_MANAGER function HANDLE_REQUEST to see if my request comes in at all. I also wanted to trace where the origin of the 500 error comes from. I've managed to trace it back to CL_APC_MANAGER method CHECK_XSRF.
  METHOD check_xsrf.
    DATA: lv_xsrf_token TYPE string.
*
* validate XSRF token
*
    lv_xsrf_token = i_server->request->get_form_field( name = if_http_form_fields_sap=>sap_xsrf ).
    IF lv_xsrf_token IS INITIAL.
      lv_xsrf_token = i_server->request->get_header_field( name = if_http_form_fields_sap=>sap_xsrf ).
    ENDIF.
    IF lv_xsrf_token IS INITIAL.
      r_successful = abap_false.
    ELSE.
      CALL METHOD i_server->validate_xsrf_token
        EXPORTING
          token                    = lv_xsrf_token
        IMPORTING
          successful               = r_successful
        EXCEPTIONS
          token_not_found          = 1
          cookie_not_found         = 2
          internal_error           = 3
          called_by_public_service = 4
          OTHERS                   = 5.
      IF sy-subrc <> 0 OR abap_false = r_successful.
        r_successful = abap_false.
      ELSE.
        r_successful = abap_true.
      ENDIF.
    ENDIF.
  ENDMETHOD.
If I skip this check manually with the debugger, then I'm able to connect to my web-socket server without a problem.
However I'm not sure at all how I'm actually supposed to get this token before attempting to connect. I noticed the XSRF Tokens are saved in database table SECURITY_CONTEXT. The only problem is an entry is created in this table with the key I need to have after I attempt to connect. I need it before and I'm not sure what the procedure is for retrieving a token properly.
Is there anybody with previous experience using these that can shed some light? Thanks in advance.
EDIT: I'm using Version 740 with Service Pack 4.
Recommended answer
The "correct" way to have the header generated correctly is by maintaining table APC_CROSS_ORIGIN (transaction SAPC_CROSS_ORIGIN).
WebSockets functionality was only released for customer use in 7.40SP5, which probably explains why you don't have that table in your system. I'd recommend using your workaround for now, until your system has been patched.
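A simplified model of the handshake check quoted in the question, added here as an illustration and not SAP's or either poster's code. It assumes, as the cookie_not_found exception in the quoted method suggests, that a token only validates together with the session it was issued for; SessionStore, the sid cookie name, host.example and the no_token / token_mismatch labels are hypothetical.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

XSRF_FIELD = "sap-XSRF"  # parameter name quoted in the question


class SessionStore:
    """Toy server-side context: one token per session cookie (assumed model)."""
    def __init__(self):
        self._tokens = {}

    def open_session(self):
        sid, token = secrets.token_hex(16), secrets.token_urlsafe(24)
        self._tokens[sid] = token
        return sid, token

    def validate(self, sid, token):
        if sid is None:
            return "cookie_not_found"
        expected = self._tokens.get(sid)
        if expected is None:
            return "token_not_found"
        same = hmac.compare_digest(expected.encode(), token.encode())
        return "ok" if same else "token_mismatch"  # label is this sketch's own


def check_xsrf(store, url, headers, cookies):
    """Form field first, then header, as in the quoted method; fail closed."""
    query = parse_qs(urlsplit(url).query)
    token = (query.get(XSRF_FIELD) or [""])[0] or headers.get(XSRF_FIELD, "")
    if not token:
        return False, "no_token"
    result = store.validate(cookies.get("sid"), token)
    return result == "ok", result


def demo():
    store = SessionStore()
    sid, token = store.open_session()
    _, other = store.open_session()
    base = "wss://host.example/ws"  # constructed, hypothetical endpoint
    return {
        "query+cookie": check_xsrf(store, f"{base}?{XSRF_FIELD}={token}", {}, {"sid": sid}),
        "query,no cookie": check_xsrf(store, f"{base}?{XSRF_FIELD}={token}", {}, {}),
        "header+cookie": check_xsrf(store, base, {XSRF_FIELD: token}, {"sid": sid}),
        "no token": check_xsrf(store, base, {}, {"sid": sid}),
        "foreign token": check_xsrf(store, f"{base}?{XSRF_FIELD}={other}", {}, {"sid": sid}),
    }
```

In this model a token presented without the cookie of the session that issued it is rejected, and every failure path returns False rather than falling through.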