
[Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Siemens Creator

Hi folks,

 

The goal is to use a self-hosted app within MindSphere.


The app itself is for now just the plain standard demo-app from Mendix that you can create immediately when you set up an account there. So the app currently has no interaction with any MindSphere APIs at all.

In my case the app is located here within the Mendix-Cloud:

Mendix-Demo-App

This runs fine and no critical errors show up within the Chrome Debugger.

 

Now I just want the very same thing to be available using the MindSphere Launchpad as a Selfhosted App. So in the first development step there should be no connectivity to any data stored in MindSphere.

 

Using Chrome's Debugger I was able to get rid of all reported CSP-related errors when configuring the self-hosted-app in the developer cockpit - but the app still does not show up.

Looking at the Chrome Debugger's network tab, I can see that one of the POST requests seems not to work (/xas/), see screenshot "failed-postrequest", but the response tab is empty in Chrome (probably because MindSphere redirects and shows a gateway error immediately afterwards, which loses the debugger information - see screenshot "gatewayerror").

Anyway: using Firefox debugger I was able to get the response of the failed request:

 

MindSphere Gateway error: Invalid CSRF Token 'null' was found on the request parameter '_csrf' or header 'X-XSRF-TOKEN'.

 

I found a similar thread here in the community (Invalid-CSRF-Token-null-was-found-on-the-request) but as far as I understood this relates only to API authentication there - and as stated before: There are no API calls at all yet.

 

Do you have any suggestions to get this up and running? Or what else do I need to provide?

 

Thanks a lot

And

5 REPLIES

Re: [Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Valued Contributor

The '/login.html' issue might be due to the MindSphere Gateway hijacking all '/login*' endpoints, but I'm not sure. I know that you cannot use '/login/**' nor '/api/**' on your app, since it is used internally, but I don't know about individual file mappings.

 

The '/xas' might be in the same "hijacked" league.

 

What I would do to debug this is to try to expose the app through a custom path, such as '/myapp' and then put everything below it. Most http frameworks allow you to do such mapping with a single configuration variable. If that works, then you know it is something with the mapping conflicts.

Re: [Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Siemens Creator

@dlouzan: Thanks for the hint. I currently have no way of exposing the app differently, because it is just the basic Mendix representation (built via the Mendix Webmodeler). But still you might be correct :-)

 

Also I just received the information that if applications are running through the MindSphere Gateway and are using HTTP requests other than GET (i.e. POST, PUT, PATCH, DELETE), those requests have to implement the X-XSRF session token added to their request headers to prevent cross-site request forgeries. This need for such a token also applies if those requests are not related to MindSphere data at all: since the calls are "rerouted" through the gateway, they are all checked for this token to ensure validity of the request.

 

A general approach to deal with this would be to create some kind of hook in the app that encapsulates all requests to add this token information.

 

In the end my issue may even relate to both (XSRF and "hijacking") ...
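The kind of request hook described in the reply above, as an added example that is not part of the original thread and is not Mendix or MindSphere code. It assumes the gateway delivers the token in a cookie named `XSRF-TOKEN` (the thread only names the `X-XSRF-TOKEN` header); `installXsrfHook`, `readCookie` and `isSameOrigin` are hypothetical helper names.

```javascript
// Added example: attach the gateway's XSRF token to state-changing requests.
// Assumption: the token arrives in a cookie named XSRF-TOKEN (not stated in the thread).
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Return the decoded value of one cookie from a document.cookie-style string.
function readCookie(cookieString, name) {
  for (const part of String(cookieString || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === name) {
      const raw = part.slice(eq + 1).trim();
      try { return decodeURIComponent(raw); } catch (e) { return raw; }
    }
  }
  return null;
}

// Only same-origin requests get the token, so it never leaks to other hosts.
function isSameOrigin(url, origin) {
  try { return new URL(url, origin).origin === origin; } catch (e) { return false; }
}

// Patch XhrClass.prototype so non-GET same-origin requests carry the header.
// getCookies and origin are injected so the hook can be exercised outside a browser.
function installXsrfHook(XhrClass, getCookies, origin) {
  const origOpen = XhrClass.prototype.open;
  const origSend = XhrClass.prototype.send;
  XhrClass.prototype.open = function (method, url, ...rest) {
    this._xsrfNeeded = !SAFE_METHODS.has(String(method).toUpperCase()) &&
      isSameOrigin(url, origin);
    return origOpen.call(this, method, url, ...rest);
  };
  XhrClass.prototype.send = function (body) {
    if (this._xsrfNeeded) {
      // Read the cookie at send time so a rotated token is picked up.
      const token = readCookie(getCookies(), "XSRF-TOKEN");
      if (token) this.setRequestHeader("X-XSRF-TOKEN", token);
    }
    return origSend.call(this, body);
  };
}

// In a browser, run once before the app's client code issues requests.
if (typeof XMLHttpRequest !== "undefined" && typeof document !== "undefined") {
  installXsrfHook(XMLHttpRequest, () => document.cookie, window.location.origin);
}
```

The hook only helps if it is loaded before the client library sends its first POST, and it has no effect on path conflicts with gateway-reserved endpoints.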

 

Re: [Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Valued Contributor
What you can also do is to ask support to deactivate authentication for your self-hosted app. I know this is something that can be done, but I don't know what the requirements for it are. That should solve all your authentication issues, especially since your application is self-hosted. But then your app has to implement some kind of user management itself.

Re: [Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Siemens Creator

I don't think that anyone would disable authentication mechanisms for my case. I guess they are in place for some reason :-)

Actually I only wanted to share why it currently doesn't work for now.

 

Re: [Self-Hosted-App][CSP] Basic mendix app not running as self-hosted-app

Valued Contributor
Fair enough :-) I was not implying that you deactivate authentication: there are use cases where you implement your own authentication & authorization and want to bypass the MindSphere Gateway authentication.