
SAP PI provides mechanisms to ensure protection against XSRF (Cross-Site Request Forgery) attempts.
Preventing Unauthorized Execution of Cache Refresh
Configuration data from Integration Directory is replicated to the involved runtime engines by a cache refresh mechanism. Cache refresh is initiated automatically when a user activates a change list in Enterprise Services Repository or in Integration Directory. In addition, cache refresh can be initiated manually.
More information: Runtime Caches
Manual cache refresh is protected against XSRF (Cross-Site Request Forgery) attempts by the following measures:
CPA Cache and mapping cache
Manual refresh of the CPA cache can be initiated by calling the URL: http(s)://<host>:<port>/CPACache/refresh.
Manual refresh of the mapping cache can be initiated by calling the URL: http(s)://<host>:<port>/run/MappingCache/refresh
It is not possible to execute a cache refresh using these URLs with a service user.
For dialog users, the following applies: To execute a cache refresh (delta or full cache refresh) using these URLs, the UME role SAP_XI_ADMINISTRATOR_J2EE must be assigned to the dialog user.
Integration Engine cache and business system caches (for SAP systems based on Application Server ABAP)
It is not possible for a dialog user to initiate a refresh of these caches using a URL (this is possible only for protected service users enabled for technical communication).
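The following is an added example, not SAP code: a log review for the two CPA cache and mapping cache refresh URLs above that flags calls arriving with a Referer from another site (a typical XSRF indicator) and calls that were denied. It assumes a reverse proxy in front of PI that writes Apache combined-format access logs and answers denied requests with 401 or 403; the function name, host names, users and log lines are constructed.

```python
import re
from urllib.parse import urlsplit

# The two manual-refresh paths named on this page.
REFRESH_PATHS = ("/CPACache/refresh", "/run/MappingCache/refresh")

# Assumption: Apache "combined" access log format written by a reverse proxy.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

def review_refresh_calls(lines, pi_hosts):
    """Return (user, path, status, reason) for refresh calls worth reviewing."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = urlsplit(m["target"]).path  # drops any query string
        if path not in REFRESH_PATHS:
            continue
        ref_host = urlsplit(m["referer"]).hostname if m["referer"] != "-" else None
        if ref_host and ref_host.lower() not in pi_hosts:
            # Request was triggered from a page on another site.
            reason = "cross-site referer " + ref_host
        elif m["status"] in ("401", "403"):
            # Caller was rejected, e.g. a user without the required role.
            reason = "refresh denied"
        else:
            continue
        findings.append((m["user"], path, m["status"], reason))
    return findings

# Constructed sample log lines (hosts, users and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - pi_admin [12/Mar/2024:09:01:11 +0000] "GET /CPACache/refresh?mode=full HTTP/1.1" 200 512 "https://pi.example.internal:50001/" "Mozilla/5.0"',
    '10.0.0.5 - pi_admin [12/Mar/2024:09:14:40 +0000] "GET /run/MappingCache/refresh HTTP/1.1" 200 498 "https://news.example.net/article" "Mozilla/5.0"',
    '10.0.0.9 - jdoe [12/Mar/2024:09:20:02 +0000] "GET /CPACache/refresh HTTP/1.1" 403 120 "-" "Mozilla/5.0"',
    '10.0.0.9 - jdoe [12/Mar/2024:09:21:30 +0000] "GET /other/page HTTP/1.1" 200 900 "https://news.example.net/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in review_refresh_calls(SAMPLE_LOG, {"pi.example.internal"}):
        print(finding)
```
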