I have seen loads of threads with the same topic but none of them specify the complete solution. They all give solutions in bits and pieces. After struggling for the past couple of days, I managed to crack it.

Disable Authentication pop up and CSRF token


You have developed an application (used to modify data in the backend) with SAP UI5 as the front end (deployed in NetWeaver Portal) and NetWeaver Gateway OData services as the backend. You want OData calls from the UI not to show login pop-ups when the request is sent to the SAP Gateway server.


An obvious one: set up the user credentials in the ‘Logon Data’ tab of the SICF service.

Test it. Hey, it works!! No authentication pop-up. But you are too quick. Test the complete cycle until the data is saved in your UI5 application. You will find that you get ‘CSRF token invalid’, ‘CSRF token undefined’ or a similar error message (along with HTTP status code 403 (Forbidden)) in the console. This error goes away as soon as you remove the user credentials from the logon tab of the SICF service.


You want both the features – there must not be any authentication pop ups when application is accessed AND application should be able to save/modify data without any issue.

What happens:

According to the link Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library, for all modifying requests the framework checks the validity of the CSRF token in the request. The validation is done by the ICF runtime, which checks against the token from the “anti-XSRF cookie”. If the validation fails, an HTTP status code 403 (Forbidden) is sent back.


When you provide logon details in the ICF node, you will not get a CSRF token from the system. This is because CSRF protection works only for services that require authentication. But when you send a modifying request to the framework, it expects a CSRF token by default, and hence the save fails.


The only way is to disable the CSRF protection mechanism. The above CSRF link mentions how to disable it in the SICF service node. But that alone will not disable the CSRF token. You have to add the header ‘X-Requested-With’ (with a value of ‘X’) to the OData request to disable the CSRF token completely.
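The interaction between the logon data, the `~CHECK_CSRF_TOKEN` setting and the `X-Requested-With` header can be traced with a small model. This is an added example, not SAP code or code from the original post: `makeService`, `handle`, `runScenarios` and the option names are hypothetical, the token value is constructed, and it assumes a modifying request without the header is answered with 403 once the token check is off. It also shows that with the token check disabled, the static header is the only thing a modifying request is checked for.

```javascript
// Simplified model of the Gateway/ICF behaviour described in this post.
// makeService, handle and all option names are hypothetical (not SAP APIs).
function makeService(opts) {
  // opts.logonDataMaintained: credentials stored in the SICF 'Logon Data' tab
  // opts.checkCsrfToken: value of ~CHECK_CSRF_TOKEN (1 = default, 0 = disabled)
  var issuedToken = null; // stands in for the token kept in the anti-XSRF cookie

  return function handle(req) {
    var h = {};
    Object.keys(req.headers || {}).forEach(function (k) {
      h[k.toLowerCase()] = req.headers[k]; // header names are case-insensitive
    });
    var modifying = ["POST", "PUT", "PATCH", "MERGE", "DELETE"].indexOf(req.method) !== -1;

    if (!modifying) {
      // A token is only handed out when the caller had to authenticate.
      if (h["x-csrf-token"] === "Fetch" && !opts.logonDataMaintained) {
        issuedToken = "constructed-token-123"; // constructed sample value
        return { status: 200, token: issuedToken };
      }
      return { status: 200, token: null };
    }
    if (opts.checkCsrfToken === 0) {
      // Token check off: per the post, the header is still required (403 is assumed).
      return h["x-requested-with"] ? { status: 201 } : { status: 403 };
    }
    var ok = issuedToken !== null && h["x-csrf-token"] === issuedToken;
    return ok ? { status: 201 } : { status: 403 };
  };
}

// The situations the post walks through, plus the default token flow for comparison.
function runScenarios() {
  var out = {};
  var a = makeService({ logonDataMaintained: true, checkCsrfToken: 1 });
  var t = a({ method: "GET", headers: { "X-CSRF-Token": "Fetch" } }).token;
  out.logonDataOnly = a({ method: "POST", headers: { "X-CSRF-Token": String(t) } }).status;
  var b = makeService({ logonDataMaintained: true, checkCsrfToken: 0 });
  out.checkOffNoHeader = b({ method: "POST", headers: {} }).status;
  out.checkOffWithHeader = b({ method: "POST", headers: { "X-Requested-With": "X" } }).status;
  var c = makeService({ logonDataMaintained: false, checkCsrfToken: 1 });
  t = c({ method: "GET", headers: { "X-CSRF-Token": "Fetch" } }).token;
  out.defaultTokenFlow = c({ method: "POST", headers: { "X-CSRF-Token": t } }).status;
  return out;
}
console.log(runScenarios());
```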


1. Set the value of ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of your service (steps given in the link – Cross-Site Request Forgery Protection – SAP Gateway Foundation (SAP_GWFND) – SAP Library towards the end)

2. Maintain User credentials in the ‘Logon Data’ tab of your service – Remember this is needed to avoid authentication pop up.

3. Now depending on which route you use to update data, add the headers

a. If you use OData Model to update data, make sure that you give the following lines BEFORE the create/put/delete call.


    // Collect the field values from the UI controls
    var oEntry = {};
    oEntry.Empid = sap.ui.getCore().byId("Id").getValue();
    oEntry.Empname = sap.ui.getCore().byId("Name").getValue();
    oEntry.Empadd = sap.ui.getCore().byId("Address").getValue();
    oEntry.Empdes = sap.ui.getCore().byId("Role").getValue();

    // Set the header before the modifying call
    oModelSav.setHeaders({"X-Requested-With": "X"});

    oModelSav.create('/EmployeeSet', oEntry, null, function() {
        alert("Employee Created Successfully");
    }, function() {
        alert("Employee Creation Failed");
    });



b. If you are using a POST operation, use the code below.

Important Note: There is no need to issue a GET call before this since we do not want to use the CSRF token.

    // oEntry is the same object built in option (a)
    var oHeaders = {
        'X-Requested-With': 'X',
        'Accept': 'application/json'
    };

    OData.request({
            requestUri: "https://:/sap/opu/odata/sap/ZMM_EMPLOYEE_SRV/EmployeeSet",
            method: "POST",
            headers: oHeaders,
            data: oEntry
        },
        function(data, request) {
            alert("Employee Created Successfully  ");
            location.reload(true);
        },
        function(err) {
            alert("Employee Creation Failed  ");
        });
