ABAP Websocket server XSRF token

Problem description

I'm currently trying to set up a web-socket server on an SAP application server as a proof of concept. The application which is connecting to the web-socket server is not going to be a UI5 or WebDynpro application but just a middle-ware program running on a headless computer.

Following a quick guide, I've set up the push channel and I have an object with the interface methods ON_START, ON_MESSAGE, etc. I'm currently testing the interface using wscat, which you can get from npm.

When I tried connecting to my service for the first time using wscat I was receiving an HTTP 500 error.

I wasn't sure why I was getting the 500 error, so I tried to access the URL via http and a web browser to see what was happening.

500 SAP Internal Server Error

ERROR: Cross-Site Request Forgery (XSRF) check has failed ! (termination: ABORT_MESSAGE_STATE)

I had seen these tokens also in use by Gateway services, so I had created a quick gateway service and sent a GET request with X-CSRF-Token: Fetch, except the token that I get from this doesn't work when I attempt to use the URI parameter sap-XSRF.

Going forward, I started to debug CL_APC_MANAGER function HANDLE_REQUEST to see if my request comes in at all. I also wanted to trace where the origin of the 500 error comes from. I've managed to trace it back to CL_APC_MANAGER method CHECK_XSRF.

METHOD check_xsrf.
  DATA: lv_xsrf_token TYPE string.

* validate XSRF token: look for it first in the URI/form field sap-XSRF,
* then in the HTTP header of the same name
  lv_xsrf_token = i_server->request->get_form_field( name = if_http_form_fields_sap=>sap_xsrf ).
  IF lv_xsrf_token IS INITIAL.
    lv_xsrf_token = i_server->request->get_header_field( name = if_http_form_fields_sap=>sap_xsrf ).
  ENDIF.

  IF lv_xsrf_token IS INITIAL.
*   no token supplied at all: the request is rejected
    r_successful = abap_false.
  ELSE.
*   let the HTTP framework validate the supplied token; a missing token or
*   missing session cookie surfaces as an exception and also fails the check
    CALL METHOD i_server->validate_xsrf_token
      EXPORTING
        token                    = lv_xsrf_token
      IMPORTING
        successful               = r_successful
      EXCEPTIONS
        token_not_found          = 1
        cookie_not_found         = 2
        internal_error           = 3
        called_by_public_service = 4
        OTHERS                   = 5.
    IF sy-subrc <> 0 OR abap_false = r_successful.
      r_successful = abap_false.
    ELSE.
      r_successful = abap_true.
    ENDIF.
  ENDIF.
ENDMETHOD.

If I skip this check manually with the debugger, then I'm able to connect to my web-socket server without a problem.

However I'm not sure at all how I'm actually supposed to get this token before attempting to connect. I noticed the XSRF Tokens are saved in database table SECURITY_CONTEXT. The only problem is an entry is created in this table with the key I need to have after I attempt to connect. I need it before and I'm not sure what the procedure is for retrieving a token properly.

Is there anybody with previous experience using these that can shed some light? Thanks in advance.

EDIT I'm using Version 740 with Service Pack 4.

Answer

The "correct" way to have the header generated correctly is by maintaining table APC_CROSS_ORIGIN (transaction SAPC_CROSS_ORIGIN).

WebSockets functionality was only released for customer use in 7.40SP5, which probably explains why you don't have that table in your system. I'd recommend using your workaround for now, until your system has been patched.
