Cross-Site Request Forgery Protection

Use

SAP PI provides mechanisms to ensure protection against XSRF (Cross-Site Request Forgery) attempts.

Preventing Unauthorized Execution of Cache Refresh

Configuration data from the Integration Directory is replicated to the involved runtime engines by a cache refresh mechanism. A cache refresh is initiated automatically when a user activates a change list in the Enterprise Services Repository or in the Integration Directory. In addition, a cache refresh can be initiated manually.

More information: Runtime Caches

Manual cache refresh is protected against XSRF (Cross-Site Request Forgery) attempts by the following measures:

  • CPA Cache and mapping cache

    A manual refresh of the CPA cache can be initiated by calling the URL: http(s)://<host>:<port>/CPACache/refresh.

    A manual refresh of the mapping cache can be initiated by calling the URL: http(s)://<host>:<port>/run/MappingCache/refresh.

    It is not possible to execute a cache refresh using these URLs with a service user.

    For dialog users, the following applies: to be able to execute a cache refresh (delta or full cache refresh) using these URLs, the UME role SAP_XI_ADMINISTRATOR_J2EE must be assigned to the dialog user.

  • Integration Engine cache and business system caches (for SAP systems based on Application Server ABAP)

    Dialog users cannot initiate a refresh of these caches using a URL; only protected service users enabled for technical communication can do so.