Technology Blogs by SAP
tejesvi_dvr

User Propagation

Use Cases:

Note

  • When accessing the service document directly from the Gateway Management Cockpit, the security profile Name must be the same as the Service Namespace of the service. For example, if the Service Namespace is SAP_SSO2, the security profile Name must be SAP_SSO2.
  • For onboarded applications (SAP Mobile Platform applications that have an endpoint using the Integration Gateway service as back-end URL, with the internal option enabled), the security profile Name and the Service Namespace of the service need not be the same.

In this blog we will showcase how a user can propagate the credentials configured in the SMP server to IGW, which in turn propagates them to the back-end service for authentication.

In this blog we will cover Basic Authentication and MYSAPSSO2 based user propagation.

This blog guides the admin/developer through the configuration needed in the SMP Admin Cockpit, in IGW and in the custom script to enable user propagation.

Use Case - 1

Basic Authentication

The admin has to configure an HTTP/HTTPS security profile in the SMP Admin Cockpit with the URL of the back-end system from which the user will get the data with Basic Authentication, as shown below.

With this configuration in place, SMP propagates the user credentials as a header of the request object when a call is made to the business-oriented URL.

The request object is retrieved in the script processor and the header is added to the HTTP headers used when calling the back-end web service.

NOTE: The credentials must be the authorization details of the back-end system.

Steps to Configure Basic Authentication Propagation

SMP ADMIN Cockpit Steps

1) Log on to the SMP Admin Cockpit https://localhost:8083/Admin and go to the Settings -> Security Profile tab.

2) Create a security profile with Authentication type HTTP/HTTPS Authentication and provide the URL of the back-end system where the data/web service is hosted. In my case I am using the URL of an SAP ABAP system where my web service is hosted with Basic Authentication enabled. Click Save, as shown below.

   The security profile created above can be assigned to the application that is created in the SMP Cockpit.

IGW Steps

1) Create a Content Bundle in the Design Time Eclipse editor using the web service generated from the back end that was used to create the security profile in the previous step, and add the code below to the script, in either the first or the second method of the Script Processor.

The code below fetches the OData context from the exchange headers, retrieves the HTTP request object from the OData context, reads the Authorization header from the request object and finally adds it to the message header, which is passed to the web service call as an HTTP client header.

function processRequestData(message) {

    // Rhino package imports available in the Integration Gateway script processor
    importPackage(com.sap.gateway.ip.core.customdev.util);
    importPackage(java.util);
    importPackage(com.sap.gateway.core.ip.component.commons);
    importPackage(com.sap.gateway.ip.core.customdev.logging);
    importPackage(org.apache.olingo.odata2.api.processor);

    // The OData context travels in the exchange headers and carries the original HTTP request
    var headers = message.getHeaders();
    var context = headers.get("ODataContext");
    var request = context.getParameter("~httpRequestObject");

    // Authorization header as sent by the client (Basic credentials of the back-end system)
    var Auth = request.getHeader("Authorization");

    // Forward it only when present; the message header becomes the HTTP client header on the back-end call
    if (Auth != null) {
        message.setHeader("Authorization", Auth);
    }

    return message;
}

2) Once the bundle is created with the above code in the custom script, deploy the bundle from Design Time with the Service Namespace set to the security profile Name created in the SMP Admin Cockpit steps.

3) Now open the service document and fire the call to the entity set in the business-oriented URL, i.e. http://localhost:8080/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

or

https://localhost:8084/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

    The browser will throw an authentication challenge, as shown below.

    Enter the user name and password; the credentials must be the same as the credentials of the back-end system. The credentials entered are propagated from SMP to OData and in turn to the back-end system for authorization.

MYSAPSSO2 Authentication

The admin has to configure an HTTP/HTTPS security profile in the SMP Admin Cockpit with the URL of the back-end system from which the user will get the data with a MYSAPSSO2 cookie, as shown below.

Note: For MYSAPSSO2 authentication the admin has to add the SMP certificate to the back-end system and, vice versa, the back-end system's certificate to the SMP server for the mutual handshake.

The steps to add the back-end certificate to the SMP server are given at the end of this blog.

With this configuration in place, SMP propagates the user credentials, i.e. the corresponding cookie, as an attribute of the request object.

The request object is retrieved in the script processor and the cookie is added to the HTTP headers used when calling the back-end web service.

Steps to Create MYSAPSSO2 Scenario

SMP ADMIN Cockpit Steps

1) Log on to the SMP Admin Cockpit https://localhost:8083/Admin and go to the Settings -> Security Profile tab.

2) Create a security profile with HTTP/HTTPS Authentication and provide the URL of the back-end system where the data/web service is hosted. In my case I am using the URL of an SAP ABAP system where my web service is hosted with the MYSAPSSO2 cookie enabled. Click Save, as shown below.

IGW Steps

1) Create a Content Bundle in the Design Time Eclipse editor using the web service generated from the back end that was used to create the security profile in the previous step, and add the code below to the script, in either the first or the second method.

The code below fetches the OData context from the exchange headers, retrieves the HTTP request object from the OData context, reads the MYSAPSSO2 attribute from the request object and finally adds it to the message header, which is passed to CXF as an HTTP client header.


function processRequestData(message) {

    // Rhino package imports available in the Integration Gateway script processor
    importPackage(com.sap.gateway.ip.core.customdev.logging);
    importPackage(com.sap.gateway.ip.core.customdev.util);
    importPackage(org.apache.olingo.odata2.api.processor);

    // The OData context travels in the exchange headers and carries the original HTTP request
    var headers = message.getHeaders();
    var context = headers.get("ODataContext");
    var request = context.getParameter("~httpRequestObject");

    // The SSO2 cookie is placed on the request as an attribute by the security profile, not as a header
    var MYSAPSSO2 = request.getAttribute("MYSAPSSO2");

    // Forward it only when present; the message header becomes the HTTP client header on the back-end call
    if (MYSAPSSO2 != null) {
        message.setHeader("mysapsso2", MYSAPSSO2);
    }

    return message;
}
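As an added example (not the blog's own script), the two script-processor functions above combined into one function that serves both use cases, with the null checks the originals skip and a format check on the Basic header before it is forwarded. The message, context and request objects are constructed stand-ins for IGW's Java objects so the block runs under Node; in the real script processor the importPackage lines above apply and Buffer would be replaced by java.util.Base64.

```javascript
// Added example, not the blog's own script: one processRequestData serving both use cases
// (Basic Authorization header, MYSAPSSO2 request attribute) with null and format checks.
// The message/request objects below are constructed stand-ins for IGW's Java objects.

// True only for a syntactically valid "Basic base64(user:password)" header value.
function isWellFormedBasic(auth) {
  if (auth == null) return false;
  var m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(String(auth));
  if (!m) return false;
  // Buffer is the Node stand-in for java.util.Base64 inside the Rhino script processor.
  var decoded = Buffer.from(m[1], "base64").toString("utf8");
  var colon = decoded.indexOf(":");
  return colon > 0 && colon < decoded.length - 1; // non-empty user and password
}

// Pick the credential to propagate: a well-formed Basic header (Use Case 1, SAP_BASIC),
// else the MYSAPSSO2 attribute the security profile placed on the request (SAP_SSO2).
function selectPropagatedHeader(request) {
  var auth = request.getHeader("Authorization");
  if (isWellFormedBasic(auth)) return { name: "Authorization", value: String(auth) };
  var sso2 = request.getAttribute("MYSAPSSO2");
  if (sso2 != null && String(sso2).length > 0) return { name: "mysapsso2", value: String(sso2) };
  return null; // nothing usable: forward no credential and let the back end issue its challenge
}

function processRequestData(message) {
  var context = message.getHeaders().get("ODataContext");
  var request = context ? context.getParameter("~httpRequestObject") : null;
  if (!request) return message; // no OData request object: leave the message untouched
  var h = selectPropagatedHeader(request);
  if (h) message.setHeader(h.name, h.value);
  return message;
}

// Constructed stand-in for the message the script processor hands in; `sent` collects
// the headers that would become HTTP client headers on the back-end call.
function makeMessage(reqHeaders, reqAttributes) {
  var sent = {};
  var request = {
    getHeader: function (n) { return n in reqHeaders ? reqHeaders[n] : null; },
    getAttribute: function (n) { return n in reqAttributes ? reqAttributes[n] : null; }
  };
  var context = { getParameter: function (n) { return n === "~httpRequestObject" ? request : null; } };
  return {
    getHeaders: function () { return { get: function (n) { return n === "ODataContext" ? context : null; } }; },
    setHeader: function (n, v) { sent[n] = v; },
    sent: sent
  };
}
```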

2) Once the bundle is created with the above code in the custom script, deploy the bundle from Design Time with the Service Namespace set to the security profile Name created in the previous steps.

   Note: Here the Private Key Alias is the alias name of the back-end system's certificate uploaded to the SMP server's key store. The Private Key Alias is mandatory for the SSO2 cookie retrieval.

3) Now open the service document and fire the call to the entity set in the business-oriented URL, i.e.

    http://localhost:8080/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

   or

    http://localhost:8084/gateway/odata/SAP_BASIC/<ServiceName>;v=1/<entitySet>

    The browser will throw an authentication challenge, as shown below.

    Enter the user name and password; the credentials must be the same as the credentials of the back-end system, so that the SSO2 cookie generated for the user is propagated from SMP to OData and in turn to the back-end system for authorization.

Use Case - 2

1) Create an application in the SMP Cockpit and assign/configure the IGW service URL created in Use Case 1 as the back end of the application, as shown below.

2) Create a new security profile with the back-end URL on which the web service is hosted by going to the Authentication tab, as shown below, or assign an existing security profile such as SAP_BASIC or SAP_SSO2 created in Use Case 1, and click Save to save the application.

3) Access the application from the mobile application to test the user propagation.

Steps to Add the Back-End Certificate to the SMP Server

   1) In the Portecle tool open File -> Open Keystore File, go to the location of the smp_keystore.jks file, i.e. SMP server -> Configurations, and click OK to open the keystore. The password for the keystore is "changeit".

   2) Go to Tools -> Import Trusted Certificate, select the back-end system's certificate from your system and click Import.

   3) Click the OK and Yes buttons as shown below.

   4) Enter the alias name for the certificate being imported; this alias name is used when deploying the bundle from Design Time Eclipse.

   5) Save the keystore in the Portecle tool once the certificate is imported; otherwise the imported certificate will not be reflected in the SMP server's configuration.
