SAP Gateway: Testing the CREATE method

A CREATE operation uses the HTTP POST method and is called against the same URL as the QUERY operation.

Getting reference to x-csrf-token via Firefox

I am using the RESTClient plugin for Firefox to access the gateway services. To call the CREATE service, an x-csrf-token header parameter must be provided. To get the token value, call a regular QUERY service with the following header parameters.

x-csrf-token = Fetch
Content-Type = application/atom+xml

The returned value should look something like this:

x-csrf-token: DdFL6AjPANgi6xca09kpyQ==

Request Header Requirements

Two header parameters of the POST request are required to process the operation; the request method and URL are listed with them:

  • x-CSRF-Token: set to the active session token to protect against CSRF attacks
  • Content-Type: application/atom+xml
  • URL Method: POST
  • URL: same as the Query operation [i.e. http://HOST:8000/sap/opu/odata/sap/Z_GWCM_USER/userCollection]

Request body XML structure

I am skipping the steps required to generate the required Data & Consumption models; the assumption is that you will create those on your own.

In the example below I’ve created a very simple create call that only accepts the user name, password, and first/last names of the new user:

<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<atom:entry xmlns:atom=""
	<atom:content type="application/xml">

Even though not every field in your Gateway data model may be relevant for the CREATE operation, each one must be supplied in the request, either with a valid value or with its null attribute set to “true”. For example, in the sample above, the property “city” is not needed for the CREATE operation, but it still must be included with its null attribute set to “true” ( ). Otherwise, an HTTP 500 error can result with the error message “The Data Services Request could not be understood due to malformed syntax”.

Upon successful creation, you should receive an HTTP “Status Code: 201 Created” in the Response Header. An OData standard is that after every CREATE operation has completed, the client should automatically perform a READ operation. In the Response Header section, look at the Location parameter in the HTTP header returned to the client. This is the URL to perform the READ operation.
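The whole sequence described above (token fetch, POST with every model field present, 201 check, Location for the READ), as an added example that is not code from the original post. The helper names `build_entry` and `create_entity` and the field names are hypothetical; the namespaces are the standard OData V2 Atom ones.

```python
import urllib.request
import xml.etree.ElementTree as ET

# OData V2 Atom namespaces.
ATOM = "http://www.w3.org/2005/Atom"
D = "http://schemas.microsoft.com/ado/2007/08/dataservices"
M = "http://schemas.microsoft.com/ado/2007/08/dataservices/metadata"
for prefix, uri in (("atom", ATOM), ("d", D), ("m", M)):
    ET.register_namespace(prefix, uri)

def build_entry(model_fields, values):
    """Atom entry carrying every model field: a value, or m:null="true"."""
    unknown = set(values) - set(model_fields)
    if unknown:
        raise ValueError(f"not in data model: {sorted(unknown)}")
    entry = ET.Element(f"{{{ATOM}}}entry")
    content = ET.SubElement(entry, f"{{{ATOM}}}content", {"type": "application/xml"})
    props = ET.SubElement(content, f"{{{M}}}properties")
    for name in model_fields:
        el = ET.SubElement(props, f"{{{D}}}{name}")
        if values.get(name) is None:
            el.set(f"{{{M}}}null", "true")   # unused field, still sent
        else:
            el.text = str(values[name])      # ElementTree escapes < > &
    return ET.tostring(entry, encoding="utf-8", xml_declaration=True)

def create_entity(opener, url, body):
    """Fetch a token, POST the entry, return the Location URL for the READ."""
    headers = {"x-csrf-token": "Fetch", "Content-Type": "application/atom+xml"}
    with opener.open(urllib.request.Request(url, headers=headers)) as resp:
        token = resp.headers.get("x-csrf-token")
    if not token:
        raise RuntimeError("gateway returned no x-csrf-token")
    headers["x-csrf-token"] = token
    post = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener.open(post) as resp:
        if resp.status != 201:
            raise RuntimeError(f"expected 201 Created, got {resp.status}")
        return resp.headers.get("Location")

if __name__ == "__main__":
    # Constructed sample; field names are hypothetical, not from the page.
    fields = ["username", "password", "firstname", "lastname", "city"]
    sample = {"username": "JDOE", "password": "<placeholder>",
              "firstname": "John", "lastname": "Doe"}
    print(build_entry(fields, sample).decode())
```

Pass `create_entity` an opener built with `urllib.request.HTTPCookieProcessor` (plus your authentication handler), so the session cookie issued with the token is sent on the POST; the token is only valid for the session that fetched it.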
