OData update Forbidden

Former Member
0 Kudos

Hello everyone,

I have built a Fiori Application using OData Service, which is created from the XS engine and is accessed via an .xsodata file. I am able to show the data (executing GET HTTP requests). However, I cannot do a write (PUT, POST) or delete (DELETE) on the database. It gives me the following error:

     PUT https://webidetesting*****-*****.dispatcher.neo.ondemand.com/datasetcorpus/Dataset(47L) 403 (Forbidden)

     The server refused to fulfill the request. More information about why the request was refused may be found in the server logs.


Now I will describe everything I have tried without any success. First thing I tried is using OData.request(), then I decided to use the update(), create(), delete() methods from sap.m.oDataModel.

In the .xsaccess file I have tried both with and without using an X-CSRF-Token header.

In the first case I have in the .xsaccess:  

"prevent_xsrf" : true

Then I take the header from a GET request and pass it to a PUT request as follows:            


var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();

// Ask for a CSRF token on a safe (GET) request.
oModel.setHeaders({
     "X-Requested-With": "XMLHttpRequest",
     "Content-Type": "application/json",
     "DataServiceVersion": "2.0",
     "X-CSRF-Token": "Fetch"
});

oModel.read(bindingContext.getPath(), null, null, true,
     function(oData, oResponse) {
          alert("Read successful");
          // The token arrives asynchronously, so the write must be issued
          // from this callback rather than right after read() returns.
          var headerXcsrfToken = oResponse.headers['X-CSRF-Token'];
          oModel.setHeaders({
               "X-Requested-With": "XMLHttpRequest",
               "Content-Type": "application/json",
               "DataServiceVersion": "2.0",
               "X-CSRF-Token": headerXcsrfToken
          });
          oModel.update(bindingContext.getPath(), oEntry, null,
               function() {
                    alert("Update successful");
               },
               function() {
                    alert("Update failed");
               });
     },
     function() {
          alert("Read failed");
     });

I have also tried using this instead of the oModel.read() to handle the X-CSRF token automatically:


oModel.refreshSecurityToken();

In the second case without using an X-CSRF token I have in the .xsaccess:

"prevent_xsrf" : true

And my code is then just as follows:


var bindingContext = oEvent.getSource().getBindingContext();
var oModel = oView.getModel();

// No token handling at all: the update is sent straight away.
oModel.update(bindingContext.getPath(), oEntry, null,
     function() {
          alert("Update successful");
     },
     function() {
          alert("Update failed");
     });

None of the approaches worked. Apparently the issue is not only in the X-CSRF token. What I have also unsuccessfully tried is executing POST, PUT, DELETE using a REST client, with Basic Authentication (since we are using Basic in the .xsaccess file) and with the technical user for our database.

Then I took a look at the Server logs as suggested by the 403 Forbidden error and this is what I have found from the xsengine log:


2015-08-05 08:51:25.519895 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 10, Message: invalid username or password at ptime/query/catalog/userinfo.cc:958

[2435]{2435}[-1/-1] 2015-08-05 08:51:51.388753 i TraceContext TraceContext.cpp(00827) : UserName=, ApplicationName=*****, ApplicationSource=*******/****.xsodata/, EppRootContextId=*****C3A6, EppTransactionId=*****FC81, EppConnectionId=*****3431, EppConnectionCounter=0, EppComponentName=SAP_E2E_TA_UI5LIB, EppAction=Step 2

2015-08-05 08:51:51.388717 e XSAuthentication Wire.cpp(00108) : SQL error. Code: 416, Message: user is locked; try again later: lock time is 1440 minutes; user is locked until 2015-08-06 08:51:51.3830000 (given in UTC) [1440,2015-08-06 08:51:51.3830000] at ptime/query/catalog/userinfo.cc:952

and from the HTTP log:


172.16.240.17 (172.16.240.21) - - [05/Aug/2015:13:42:59 +0000] DELETE ****/datasets/***.xsodata/Temp(1) HTTP/1.1 403 1932 9

Apparently the technical user is being locked for 1440 minutes (24 hours). I used the wrong password and that is why the technical user was locked. After these 24 hours passed I also tried updating the database this time with the correct password, but again it does not work. No log is saved in the xsengine logs, I see the entry only in the HTTP log.


Does anyone have any idea how to unlock the technical user before these 24 hours, and how this affects the whole problem that I have?


Thank you very much in advance.


Best Regards,

Elena

Accepted Solutions (1)


thamizharasan
Explorer

Hi Elena,

Have you resolved the issue...?

Pls share the solution if you have resolved..!

Regards,

ThamizharasaN.

Former Member
0 Kudos

Hi Karan, hi Thamizharasan,

we indeed finally found a solution to this issue. The issue was apparently related to the fact that CORS needs to be enabled in that case. While reading data from the OData service was possible without this setting, writing/updating/deleting was not.

Our setup is that we host the OData service on the XS Engine (XS Classic), while we use a Fiori frontend hosted on the HTML5 engine.

As shown on the screenshot, you need to navigate to /sap/hana/xs/admin/ on your HANA instance, then drill down all the way to the respective package, then select the CORS tab and set it to enabled for all the HTTP methods that you want to allow (e.g. make sure that POST, PUT, etc. are enabled).

Hope this helps,

Daniel

Former Member
0 Kudos

Hello Karan and Thamizharasan,

I am sorry for my late reply. Indeed what Daniel just explained about enabling CORS was strongly related to the solution of the problem.


What we also did before enabling CORS was to give full privileges to our database user SLSMT for the particular schema LABS where our tables are. After that we still had some problems: Firefox and Internet Explorer still gave us a 403 Forbidden error. Chrome did not give an error and it was working fine, returning an HTTP status 204 No Content. Then, after enabling CORS, the problem was resolved for all browsers.


In order to show how to grant full privileges to your user for your schema, I have attached the picture below. You should go to sap/hana/ide/security/ in your HANA instance, select your user, go to the Object Privileges tab, choose the desired schema and tick all privileges.


Thank you all and do not hesitate to ask me any other related questions, I would be glad to help further if I can.


Best Regards,

Elena Elenkova
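Added example, not code from the original thread: a constructed in-memory stand-in for an XS OData endpoint that answers 403 for the three causes the thread ends up with (a write sent without the X-CSRF-Token while prevent_xsrf is on, a write method not enabled under CORS for a cross-origin caller, and a DB user lacking the object privilege on the schema), plus a client helper that issues the write only after the token has been read, which is the order the first snippet in the question gets wrong. The endpoint's rules, names and messages are assumptions for illustration, not the actual XS implementation.

```javascript
// Constructed stand-in for an XS OData endpoint; rules and names are assumptions.
const SAFE_METHODS = ["GET", "HEAD", "OPTIONS"];

function makeXsEndpoint(cfg) {
  // cfg: { origin, preventXsrf, corsMethods, privileges } (all constructed)
  let issued = null;                       // token handed out for this session
  return function handle(req) {
    const isWrite = !SAFE_METHODS.includes(req.method);
    const headers = {};
    // A safe request carrying "X-CSRF-Token: Fetch" is answered with a token.
    if (!isWrite && req.headers["X-CSRF-Token"] === "Fetch") {
      issued = "tok-" + Math.random().toString(16).slice(2);
      headers["X-CSRF-Token"] = issued;
    }
    if (!isWrite) return { status: 200, headers, reason: "" };
    // Cross-origin write: the method must be enabled in the CORS settings.
    if (req.origin !== cfg.origin && !cfg.corsMethods.includes(req.method)) {
      return { status: 403, headers, reason: "cors: method not enabled" };
    }
    // prevent_xsrf: the write must present the token that was issued.
    if (cfg.preventXsrf && (issued === null || req.headers["X-CSRF-Token"] !== issued)) {
      return { status: 403, headers, reason: "csrf: token missing or invalid" };
    }
    // The technical user needs the matching object privilege on the schema.
    const needed = { DELETE: "DELETE", POST: "INSERT" }[req.method] || "UPDATE";
    if (!cfg.privileges.includes(needed)) {
      return { status: 403, headers, reason: "privilege: " + needed + " not granted" };
    }
    return { status: 204, headers, reason: "" };
  };
}

// Correct client order: read first, take the token from the response headers,
// and only then issue the write. With ODataModel that means calling update()
// inside the read() success callback, not straight after read() returns.
function updateWithCsrf(endpoint, origin, path, body) {
  const read = endpoint({ method: "GET", origin, path, headers: { "X-CSRF-Token": "Fetch" } });
  const token = read.headers["X-CSRF-Token"];
  return endpoint({ method: "PUT", origin, path, body, headers: { "X-CSRF-Token": token } });
}
```

The `reason` field is what to look for in the server log when a 403 comes back with no detail in the browser.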


thamizharasan
Explorer
0 Kudos

Hi Elena,

Thanks for the solution. I enabled the DELETE method in xs/admin. Now it's giving me 204 No Content. I checked my CORS, and also I have all privileges to the schema. What could be the issue here...?

Regards,

ThamizharasaN.

former_member190457
Contributor
0 Kudos

204 is a success code, so congratulations, your call is working well!

thamizharasan
Explorer
0 Kudos

Yeah, just now checked. It works fine. Thanks..!

thamizharasan
Explorer
0 Kudos

Hi Elena,

Thanks for the solutions. Everything set. Appreciate your help..!

Regards,

ThamizharasaN.

Former Member
0 Kudos

Hi Thamizharasan,

I am glad everything is working now and that this forum post helped somebody else, too. I am really thankful to Vincenzo and Daniel for their insights regarding the whole topic.

Best Regards,

Elena

Former Member
0 Kudos

Thanks a lot ! Very helpful information !

Answers (2)


karanbahl
Active Participant
0 Kudos

Hello Elena and Daniel,

Thank you for your response.

For us, it turned out to be an incorrect .xsaccess file and an incorrect entry in the web dispatcher.

We are trying to build a custom KPI-based analytical application. Have you tried it?

Regards,

Karan

Former Member
0 Kudos

Hello Karan,

No, unfortunately. This is the first time I hear about KPI.

Regards,

Elena

former_member190457
Contributor
0 Kudos

Hi Elena

I think the problem here might be that what XS needs is the SAML IdP user, not the DB one.

Possibly the two have different passwords (if not different userid at all), hence the error.

You could try to logon with a userid from SAP ID service, which I guess is your default IdP, unless you configured a different one.

thanks, regards

Vincenzo

Former Member
0 Kudos

Dear Vincenzo,

Thank you for your answer.

I have tried what you suggested and I still get a 403 Forbidden error. We are currently using Basic Authentication and not SAML.

Best Regards,

Elena

former_member190457
Contributor
0 Kudos

hi Elena

I can see in both examples that in .xsaccess the configuration was:

"prevent_xsrf" : true

maybe you could try with value "false"?

thanks, regards

Vincenzo

Former Member
0 Kudos

Hello Vincenzo,

Yes, I am sorry, this is my typing mistake. In the second case it should be

"prevent_xsrf" : false

and I have tried that without any success as well.

Best Regards,

Elena

karanbahl
Active Participant
0 Kudos

Hi Elena,

Were you able to resolve this? If yes, please share the solution.

Regards,

Karan