Hi Vladislav,

    There are two  ways .

1 . By ignoring the CSRF

       TCODE - SICF

       Execute (Press F8)

       Goto to ur service

           default_host ->  SAP -> opu -> odata -> sap -> ur service name

     Open ur service -> select GUI configuration

        Parameter Name : ~CHECK_CSRF_TOKEN

         value                  : 0

For Create

      URL : http://xxxxxx.xxxx:8080/sap/opu/odata/sap/xxxxx/xxxxCollection

Content-Body :

<?xml version="1.0" encoding="utf-8"?>

<atom:entry

xmlns:atom="http://www.w3.org/2005/Atom"

xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"

xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

<atom:content type="application/xml">

      <m:properties>

            <d:orderID>5000025</d:orderID>

            <d:postingDate>2012-05-19T00:00:00</d:postingDate>

            <d:netAmount>84330.00</d:netAmount>

            <d:currency>GBP</d:currency>

            <d:soldToParty>600101</d:soldToParty>

            <d:lastName>BROWN</d:lastName>

            <d:firstName>MICHEAL</d:firstName>

            <d:city/>

            <d:country>AG</d:country>

            <d:description>test me1</d:description>

      </m:properties>

</atom:content>

</atom:entry>

For Update

URL : http://xxxxxx.xxxx:8080/sap/opu/odata/sap/xxxxx/xxxxCollection(bank_key='10010010',bank_ctry='DE')

Method :  PUT

  Header : Same as Create

Content-Body :

<?xml version="1.0" encoding="utf-8"?>

<atom:entry

xmlns:atom="http://www.w3.org/2005/Atom"

xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"

xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">

<atom:content type="application/xml">

      <m:properties>

            <d:orderID>5000025</d:orderID>

            <d:postingDate>2012-05-19T00:00:00</d:postingDate>

            <d:netAmount>84330.00</d:netAmount>

            <d:currency>GBP</d:currency>

            <d:soldToParty>600101</d:soldToParty>

            <d:lastName>BROWN</d:lastName>

            <d:firstName>MICHEAL</d:firstName>

            <d:city/>

            <d:country>AG</d:country>

            <d:description>test me1</d:description>

      </m:properties>

</atom:content>

</atom:entry>

For Update

URL : http://xxxxxx.xxxx:8080/sap/opu/odata/sap/xxxxx/xxxxCollection(bank_key='10010010',bank_ctry='DE')

Method :  DELETE

Header : Same as Create

2. Considering  CSRF Token

     which is mentioned by Gururaj

Regards,

Jibin Joy

Hi Vladislav,

seems that you've missed a little note in Gurujaj's comment:

1.) you need to get the xml, which serves as template for the POST operation.
     You obtain it with a READ operation - not with a query.

     So you have to adjust the URL in order to point to an entry
     The READ operation returns a single resource, which is an <entry>

     This <entry> contains the "namespace" information, which is required and which

     had been mentioned in your error message.

     In case you have to manually adjust your xml (e.g. for a deep insert), you can safely

     copy&paste it into the <entry> tag

2) For executing the POST, you have to change the URL back to the QUERY

    collection (feed).

One more remark:

When activating your service in transaction /IWFND/MAINT_SERVICE, you have two options:

ICF-Nodes:

SDATA - compatibility Mode

ODATA - Standard Mode

The difference is in the implementation of the underlying OData library

I recommend using the odata-branch in SICF, because it is more advanced, supports more odata-features, better error handling, better security-support, etc

This means that the URL of your service changes to

.../sap/opu/odata/...

instead of

.../sap/opu/sdata/...

The disadvantage is that - for the sake of security - you have to provide the x-csrf-token header (for POST, PUT, DELETE operations)

The header x-requested-with is not required in the odata-branch

I'd as well recommend to use the transaction /IWFND/GW_CLIENT because it will implicitely handle the x-csrf-token for you.

Amongst other comfortables features of this client, there is a button "Use as Request", which copies the http-response into the request-body field, which is exactly the use case in POST and PUT operations

Hope this has added some more clarification,

cheers,

Carlos

Hello Carlos,

Even i am facing same kind of issue.

I am implementing the method EXECUTE_ACTION , with HTTP method 'POST'. When i execute the service in the browser i get the error saying

'The specified HTTP method is not allowed for the resource identified by the Data Service Request URI".

When i run the same URL in the REST client with the x-csrf token it says "CSRF token validation failed".

I assigned the csrf token which i got from the GET method.

Could you please help me out how can i resolve this..??

Best Regards,

Prasanna

Hello Prasanna,

I can only try to provide some hints for investigation:
- if executing a function import will have impact on Backend data, it would be defined with HTTP  method POST, in the metadata-provider-class.
   This can be checked using the $metadata url
   Executing a function import from browser is possible, but only if the specified HTTP-method is GET, because the browser only sends a GET-request.
   As such, the error message you got is understandable in this context
   A function import which enforces HTTP-POST, can only be executed with REST client
- when using a REST client like Firefox, you have to ensure that your browser-session is the same when you do the GET the csrf-token and when you execute the POST
   Otherwise the csrf-token is not valid anymore
- You could try using transaction /IWFND/GW_CLIENT. Since it automatically handles the csrf-token, one cannot make any mistake (copy&paste, time-out, etc)
- You could ensure that you are using the service in the ODATA branch of SICF
- You could try disabling the csrf-token

   (Transaction SICF, choose service, “display Service”, press GUI configuration,

   enter ~CHECK_CSRF_TOKEN   value 0/1 (disable/enable))
- Note that when disabling the csrf-token, it will switch to the old

   X-Requested-With=XMLHttpRequest

Kind Regards,
Carlos

Hello Carlos,

Thanks a lot for quick response.

I tried  the same in  gateway client( /IWFND/GW_CLIENT) by making the ~CHECK_CSRF_TOKEN  value as 0, ie disabling the csrf-token. Every thing is working fine now .

But a small query, will it not affect if we disable the csrf token..??

Best Regards,

Prasanna.

Hi Prasanna,

the csrf-token mechanism has been introduced for security reasons, it is a <feature> 😉

Disabling it has the side-effect of losing the protection.

So I'd say that I don't see any issue during prototyping/testing, but it should be enabled for poductive usage.

For more info see here

http://help.sap.com/saphelp_gateway20sp06/helpdata/en/89/ea6a0543dc4e13b20b3462f57d7404/frameset.htm

and there

http://help.sap.com/saphelp_gateway20sp06/helpdata/en/e6/cae27d5e8d4996add4067280c8714e/content.htm

Kind Regards,

Carlos