Skip to content

Back-End Connectivity

Much of the Foundation APIs' functionality is closely tied to the network communication to the back-end servers. While Foundation APIs make it easier for developers to write applications that interact with servers, the APIs rely on the okHttp library for network communication. In order to give developers using the foundation library more control, the classes that make networking calls use the OkHttpClient that is directly given to them, or fall back to use the OkHttpClient that is set globally on ClientProvider.


When a mobile application is configured with an authentication method, any access to the back end that uses REST API requires an authenticated session context or valid authentication headers for authentication. Authentication modules provided with the SDK help you with authentication.

Typical usage of OkHttpClient involves setting up an instance with the necessary authenticator or interceptor and setting that instance globally on ClientProvider for any method calls that interact with mobile services.

OkHttpClient mobileServiceNetworkingClient = new OkHttpClient.Builder()
    .addInterceptor(new SamlInterceptor(samlConfiguration))
    .cookieJar(new WebkitCookieJar())
Settings mobileAppSettings = new Settings();
RemoteNotificationClient mobileServicePushClient = new RemoteNotificationClient();

Foreground Activity Tracking

When establishing a new session, authentication modules may need to interact with the user to obtain credential information. To accomplish this, the modules need to know which activity is in the foreground. The Foundation component has a AppLifeCycleCallbackHandler singleton that is used to find which activity is in the foreground.

This callback handler must be registered using before any networking calls are made. Once registered, the ApplLifeCycleCallbackHandler will be able to keep track of the foreground activity.

See the Authentication topic for more information.

Mobile Service HTTP Headers

Some functionality in mobile services depend on special HTTP headers. The presence of these headers in a request affects certain functions like logout.

Header Description
X-SMP-APPID The application id of the mobile app as configured in SAP Mobile Services
X-SMP-APP-VERSION The mobile application version
X-SMP-SDK-VERSION The version of the SDK the app is using


The foundation library provides AppHeadersInterceptor that automatically adds these headers to the OKHttp request if they are not already present. In addition to the headers specifically for Mobile Service, AppHeadersInterceptor also adds the Accept-Language header to requests that do not already have one. The Accept-Language header added by AppHeadersInterceptor is of the form "LA-CO, LA;q=0.9" where "LA" is the language code of the device's locale, and "CO" is the country code of the device's locale.

To use this class, add an AppHeadersInterceptor when building an OKHttpClient. The following example shows how to use AppHeadersInterceptor in a no-auth configuration. Please note that usually this interceptor is added in addition to the other authentication interceptors.

// Construct AppHeadersInterceptor without input parameter, SettingsParameter object is retrieved from SettingsProvider class.
AppHeadersInterceptor appHeadersInterceptor = AppHeadersInterceptor();

OkHttpClient client = new OkHttpClient.Builder()

Cross-Site Request Forgery Protection

If you want to use Cross-Site Request Forgery (CSRF) protection for your application, first you must enable this feature in the SAP mobile service cockpit. See: Defining Application Security for more information.

If CSRF protection is enabled, you need to send an X-CSRF-Token header for the modifying HTTP requests. The CsrfTokenInterceptor can automatically handle this for every request.


The CSRF Protection option protects all services, such as registration, with CSRF tokens. Proxied endpoints are not protected, since they may be protected on the back end.

Basic Usage

The following example shows how to add the CsrfTokenInterceptor if you have one root URL for every CSRF token request. The rootUrl parameter is the URL from which the CSRF token will be requested.

String rootUrl = "";

OkHttpClient client = new OkHttpClient.Builder()
    .addInterceptor(new CsrfTokenInterceptor(rootUrl))

Advanced Usage

If you have multiple CSRF protected back ends and these back ends accept different CSRF tokens, you must implement a CsrfTokenUrlProvider to provide CSRF URL for different request URLs. For token storing, you should implement a CsrfTokenStore. A default implementation of the store is provided that will keep a token per host and port.

public class MyCsrfTokenUrlProvider implements CsrfTokenUrlProvider {
    public String getTokenUrl(String url) {
        // TODO: implement custom logic to create token URL from the request URL
        return ...

public class MyCsrfTokenStore implements CsrfTokenStore {
    public void setToken(String token, String url) {
        // TODO: implement

    public String getToken(String url) {
        // TODO: implement
        return ...

    public void deleteToken(String url) {
        // TODO: implement

For more information about how this protection works, see the following topics:

User Blocking

An administrator can block a particular user by setting a condition at the server. A blocked user is unable to register an application, receive data, or both. When a user is blocked, all HTTP requests from that user’s applications receive a 403 (Forbidden) status response with an X-MESSAGE-CODE header. The header value indicates whether registration, traffic, or both is blocked. At this point, the application can no longer communicate with the server and should notify users that they are blocked.

The foundation library provides the BlockedUserInterceptor class to facilitate handling this condition. It is constructed with a callback function and added to the interceptor chain of the OkHttpClient. The specified callback is invoked on the first receipt of a 403 response with the X-MESSAGE-CODE header from the server. Subsequent reception of the blocked response will not trigger the callback again until a successful response is received or the application is restarted.

The callback will be supplied with an enum value representing the blocked type that was in the response header.

X-MESSAGE-CODE Value Summary

enum Value Header Value Description
UNDEFINED_BLOCK N/A An unrecognized value was received
REGISTRATION_BLOCKED REG_BLOCKED All application registrations by this user are blocked
TRAFFIC_BLOCKED TRAFFIC_BLOCKED All data for this user is blocked
TRAFFIC_AND_REGISTRATION_BLOCKED TRAFFIC_REG_BLOCKED Both registration and data for this user is blocked
REGISTRATION_WIPED REGISTRATION_WIPED This user's registration at the server has been wiped

Please note that the callback is invoked synchronously. Therefore, it needs to return in a timely, non-blocking manner. The developer is free to start a thread or an activity in the callback if that is necessary.

To use this class, add a BlockedUserInterceptor to the OkHttpClient instance. Please note that usually this interceptor is added in addition to the other interceptors.

// Construct BlockedUserInterceptor supplying a callback function.
OkHttpClient client = new OkHttpClient.Builder()
    .addInterceptor(new BlockedUserInterceptor( new BlockedUserInterceptor.BlockedUserCallback(){

            public void handleBlockedUser(BlockedUserInterceptor.BlockType blockType) {
                // TODO: inform the user that they are blocked by the administrator
        } ))

Lock and Wipe

Lock and Wipe is a policy in the setting data provided by the server. This policy specifies the number of days that are allowed to elapse without authenticating with the server before the application is locked or its data is wiped. The settings data from the server is returned by the Settings object in the foundation library.

The Lock and Wipe Policy is set for the application at the server. This is labeled "blockWipingPolicy" in the JSON that is sent down to the client. Lock is named "blockDisconnectedPeriod" and wipe is "wipeDisconnectedPeriod". Both values are in days.

If "blockWipeEnabled" is true and either or both of these are greater than zero, then the corresponding action is taken if the application fails to connect to the server within the specified number of days.

Presumably, the wipe period is longer than the lock period. If the lock period is exceeded, then the application should be locked until the user successfully connects to the server.

If the wipe period is exceeded, then the application data should be reset.

A LockWipePolicy class is provided by the foundation library. The "blockWipingPolicy" is parsed by the Settings object. The values in mobileservices/settingsExchange/blockWipingPolicy are used to construct a LockWipePolicy object. These previously described values are:

  • "wipeDisconnectedPeriod"
  • "blockWipeEnabled"
  • "blockDisconnectedPeriod"

Two callback methods can also be passed to the LockWipePolicy constructor in addition to these values. These are lockCallback and wipeCallback which handle the lock and wipe conditions respectively. Alternatively, the LockWipePolicy can be constructed without the callbacks and they can be set at a later time by using setLockCallback and setWipeCallback.

// Lock and Wipe policy values parsed and extracted through the Setting object JSON
JSONObject settingsJson;    // result from Settings.CallbackListener.onSuccess()
boolean enabled = false;
int lockDays = 0;
int wipeDays = 0;

JSONObject lockWipePolicyJson = settingsJson.optJSONObject("blockWipingPolicy");
if (lockWipePolicyJson != null) {
    enabled = lockWipePolicyJson.optBoolean("blockWipeEnabled", false);
    lockDays = lockWipePolicyJson.optInt("blockDisconnectedPeriod", 0);
    wipeDays = lockWipePolicyJson.optInt("wipeDisconnectedPeriod", 0);

// Construct the Lock Wipe Policy supplying two callback functions.

LockWipePolicy lockWipePolicy = new LockWipePolicy(
    new LockWipePolicy.LockCallback() {

        public void handleLock() {
            // TODO: Inform the user that the application is locked due to not connecting with the server
    new LockWipePolicy.WipeCallback() {

        public void handleWipe() {
            // TODO: Reset the application data

A call to LockWipePolicy.apply() must be made after the client policy is retrieved through the Settings object and the LockWipePolicy object is constructed and the callbacks assigned. The respective callback will be invoked in the case where the lock or wipe intervals have been exceeded. Wipe is evaluated first. If it is zero or within range then lock is evaluated. In this way, only one of the callbacks can be called for a single invocation of LockWipePolicy.apply().

Date retrieveLastConnectionTime() {
    Date lastConnectionTime;
    // TODO: Retrieve the persisted the last connection time
    return lastConnectionTime;


The call to LockWipePolicy.apply() requires the last connection time. This corresponds to the last time that the application communicated with the server. To accommodate this, the application must save the current time (GMT) in the application secure store each time it communicates with the server. This is facilitated by the LastConnectionTimeInterceptor class provided by the foundation library. It is constructed with a callback function and added to the interceptor chain of the OkHttpClient. The specified callback is invoked every time a success (200) response is received from the server.

// Construct LastConnectionTimeInterceptor supplying a callback function.
OkHttpClient client = new OkHttpClient.Builder()
    .addInterceptor(new LastConnectionTimeInterceptor( new LastConnectionTimeInterceptor.LastConnectionTimeCallback(){

            public void updateLastConnectionTime() {
                Date lastConnectionTime = new Date();
                // TODO: Persist the last connection time
        } ))

Last update: November 30, 2023