Hello experts,
I recently fixed my issue in my previous discussion. It worked using the Advanced Rest Client extension for Chrome. In the previous discussion I was sending XML payload, now I'm sending JSON.
My next step is to move the POST to my hybrid app in javascript, where I have the same result (403 Forbidden) for a different reason, I imagine.
Below are transcripts in JavaScript. First I register the app:
// Register the app with the SMP server: POST the connection payload with
// HTTP Basic credentials and a JSON content type.
// NOTE(review): Basic credentials are base64-encoded, not encrypted. The base
// URL quoted later in this post is http://, so over that URL the user ID and
// password would travel in clear text. Prefer an HTTPS endpoint.
var uri = smpDomainAndPort + pathConnections;
var oHeaders = {
  "Authorization": "Basic " + btoa(userID + ":" + password),
  "Content-Type": "application/json"
};
var request = {
  method: "POST",
  requestUri: uri,
  headers: oHeaders,
  data: connectionData
};
OData.request(request, registerSuccess, registerError);
Then I save the APPCID:
// Success callback for the registration POST: keeps the application
// connection ID from the response and persists it in localStorage.
// (The post quotes only the start of this function; the rest is not shown.)
// NOTE(review): localStorage is readable by any script running in the same
// origin, so the stored ID is exposed to injected script. Confirm that is
// acceptable for this identifier.
function registerSuccess(result) {
appCID = result.ApplicationConnectionId;
window.localStorage.setItem("appcid", appCID);
Later I will do a GET in the Route collection
// Read the Route collection and ask the server for a CSRF token by sending
// X-CSRF-Token: FETCH alongside the application connection ID.
// NOTE(review): a fetched CSRF token is normally bound to the server session
// it was issued in, so the later POST has to run in that same session.
// Confirm against the SMP/Gateway documentation.
var oHeaders = {
  'X-SMP-APPCID': appCID,
  'X-CSRF-Token': 'FETCH',
  'Authorization': "Basic " + btoa(userID + ":" + password)
};
var strUri = (smpDomainAndPort + pathCheckRoute)
  .replace('{0}', 1) // ID_USUARIO
  .replace('{1}', '2015-02-24'); // DT_ROTEIRO
var request = {
  method: "GET",
  requestUri: strUri,
  headers: oHeaders
};
OData.read(request, checkRouteSucess, checkRouteError);
And then I save the CSRF token and the Set-Cookie header with X-SMP-SESSIDSSO and X-SMP-SESSID:
// Success callback for the Route GET: keeps the CSRF token and the
// Set-Cookie value read from the response headers.
// (The post quotes only the start of this function; the rest is not shown.)
function checkRouteSucess(data, response) {
csrfToken = response.headers['X-CSRF-Token'];
// NOTE(review): browsers do not expose Set-Cookie to page script through
// XMLHttpRequest, so this value is presumably undefined in Safari and in the
// Cordova web view. Verify before relying on it.
cookie = response.headers['Set-Cookie'];
Finally I will do a POST in the Route collection
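// Create a Route entry: POST the entity to the Route collection with the
// application connection ID and the CSRF token saved from the earlier GET.
var route = {
  ID_ROTEIRO: 7,
  DT_ROTEIRO: new Date(),
  FINALIZADO: false,
  ID_USUARIO: 1
};
var oHeaders = {};
oHeaders['X-SMP-APPCID'] = appCID;
// NOTE(review): the SMP log quoted below lists no cookie among the request
// headers, and the backend answers "X-CSRF-Token: Required". That suggests the
// token was not accepted because the request arrived without the session it
// was issued in. TODO confirm.
oHeaders['X-CSRF-Token'] = csrfToken;
oHeaders['Authorization'] = "Basic " + btoa(userID + ":" + password);
oHeaders['Content-Type'] = 'application/json';
//oHeaders['Content-Type'] = 'application/json;odata=verbose';
//oHeaders['DataServiceVersion'] = '2.0';
// NOTE(review): Content-Length and Cookie are header names a browser does not
// let script set on XMLHttpRequest, so the next two lines presumably have no
// effect when enabled. Session cookies have to come from the web view's own
// cookie handling.
//oHeaders['Content-Length'] = JSON.stringify(route).length;
//oHeaders['Cookie'] = cookie;
var strUri = smpDomainAndPort + pathRoute;
var request = {
  headers: oHeaders,
  requestUri: strUri,
  method: "POST",
  // Pass the object itself instead of JSON.stringify(route). In the SMP log
  // below the body arrives as a quoted, escaped string with content-length 20
  // (the bare JSON text is 16 characters), i.e. it was JSON-encoded twice.
  // This fixes the payload; it is not expected to clear the 403 on its own.
  data: route
  //dataType: 'json'
};
OData.request(request, postRouteSucess, postRouteError);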
The result is a 403 Forbidden error.
There are some commented-out lines above, which I'm not sure are needed. I tested with them as well, with the same result: 403. The browser is Safari. It also does not work within the hybrid web container (Cordova) on iOS.
I'm not sure if the X-SMP-SESSIDSSO and X-SMP-SESSID cookies are needed, and I don't know how to set them correctly. I didn't find any material about this on SCN.
I have tested with front end and back end URLs. I have the 403 error for both:
// Server base URL and OData paths used by the requests in this post.
// NOTE(review): this is a plain http:// URL, so the Basic Authorization
// header, CSRF token and session cookies sent to it are not protected in
// transit. Prefer an https:// endpoint where the server offers one.
var smpDomainAndPort = "http://dbs-sap-01:8080";
// Front-end (SMP application) path, tried as the alternative:
//var pathApp = '/routetogo_app';
// Back-end (gateway service) path:
var pathApp = '/gateway/odata/dbserver/routetogo_srv;v=1';
var pathRoute = [pathApp, "ROTEIRO"].join("/");
SMP version is 3.0 with SP3. Below is a log of the error on the SMP side:
2015-02-24 12:31:16.343#DEBUG#SMPCorrelatedLoggingHandler#null#POST
2015-02-24 12:31:16.343#DEBUG#SMPApplicationProxyHandler#null#Retrieve appHandler=proxy, application=routetogo_app and backendURL=/ROTEIRO.
2015-02-24 12:31:16.343#DEBUG#ApplicationConnectionHelper#null#Process application connection id.
2015-02-24 12:31:16.343#DEBUG#ApplicationConnectionHelper#null#Request Header ApplicationConnection ID= 381dffb0-d4bc-4c2f-8077-e1a1304de4e4
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#----------In DirectProxy handle()--------- : routetogo_app
2015-02-24 12:31:16.358#INFO#DirectProxy#null#URL rewrite enabled?: true
2015-02-24 12:31:16.358#INFO#DirectProxy#null#Final endpoint URL is http://dbs-sap-01:8080/gateway/odata/dbserver/routetogo_srv;v=1/ROTEIRO
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#----Application Id sent from client is-------- routetogo_app
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#--------------About to fire the request to the backend-----------
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#----------In DirectProxy fireRequest()----------
2015-02-24 12:31:16.358#DEBUG#ProxyUtility#null#Inside getURLRewriteTable()
2015-02-24 12:31:16.358#DEBUG#ProxyUtility#null#appId : routetogo_app
2015-02-24 12:31:16.358#DEBUG#ProxyUtility#null#servlet_url : http://dbs-sap-01:8080/routetogo_app/ROTEIRO
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#Request body before re-write "{\"ID_ROTEIRO\":7}"
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#Request body after re-write "{\"ID_ROTEIRO\":7}"
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#Request headers and cookies
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=accept value=application/atomsvc+xml;q=0.8, application/json;odata=fullmetadata;q=0.7, application/json;q=0.5, */*;q=0.1
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=authorization value= *****
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=maxdataserviceversion value=3.0
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=accept-language value=pt-br
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=accept-encoding value=gzip, deflate
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=content-type value=application/json
2015-02-24 12:31:16.358#DEBUG#DirectProxy#null#header: key=origin value=file://
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#header: key= content-length value=20
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#header: key=x-csrf-token value=82A8702ECA13EE8B9F684D4BABA2B075
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#header: key=dataserviceversion value=1.0
2015-02-24 12:31:16.374#DEBUG#ConnectionPoolManager#null#ConnectionPoolManager get connection
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#--------------Finished firing the request to backend-----------
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#Setting Access-Control-Expose-Headers for CORS request
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#Setting Access-Control-Expose-Headers for CORS request
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#ODP:Recieved the response from the backend server
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#Response code is :403
2015-02-24 12:31:16.374#DEBUG#DirectProxy#null#Response cookie: name= X-SMP-SESSIDSSO
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response cookie: name= X-SMP-SESSID
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:Server Response header value:SAP
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:Date Response header value:Tue, 24 Feb 2015 20:31:16 GMT
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Content Length is : 927
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:Content-Type Response header value:text/html;charset=utf-8
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:X-CSRF-Token Response header value:Required
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:Access-Control-Allow-Credentials Response header value:true
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Response header key:Access-Control-Allow-Origin Response header value:file://
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#------------content type:|encoding|length--------text/html;charset=utf-8--------927----
2015-02-24 12:31:16.389#ERROR#DirectProxy#null#Response code from backend is 403 for request http://dbs-sap-01:8080/gateway/odata/dbserver/routetogo_srv;v=1/ROTEIRO
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#prepareResponse finally block
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#Content-Type::: text/html;charset=utf-8
2015-02-24 12:31:16.389#DEBUG#ProxyUtility#null#Inside getURLRewriteTable()
2015-02-24 12:31:16.389#DEBUG#ProxyUtility#null#appId : routetogo_app
2015-02-24 12:31:16.389#DEBUG#ProxyUtility#null#servlet_url : http://dbs-sap-01:8080/routetogo_app/ROTEIRO
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null#URL rewrite : response is sent
2015-02-24 12:31:16.389#DEBUG#DirectProxy#null# prepareResponse() method ends
2015-02-24 12:31:16.389#DEBUG#SMPCORSHandler#null#Access-Control-Expose-Headers for CORS request already set by Backend
Thank you,
Luciano Sclovsky