logon/logonServlet

Former Member
0 Kudos

Hi all

I call an iView (webdynpro) from the back end system by passing the userid and password embedded in the URL as follows:

http://hostname:port/logon/logonServlet?j_user=userid&j_password=pwd&redirectURL=%2Fwebdynpro%2Fdisp....

It has been working for months. Then we upgraded Portal up to SP20 and it is not working any longer. It says:

Cannot redirect to the requested application, the redirect parameter is invalid.

Is there part of the configuration post upgrade that I miss? Did I overwrite some application or component with the Upgrade??

thanks for help

Andrea

Accepted Solutions (1)

Former Member
0 Kudos

Dear Andrea,

You can always append j_user and j_password parameters at the end of your URL (the one that includes your webdynpro or iview). For example:

http://hostname:port/webdynpro/dispatcher/sap.com/pcui_gp~isr/IsrFormDisplayOnly?SCENARIO=yourscenar...

Just remember to append j_user & j_password & login_submit=true at the end

Enjoy!!

Max

Former Member
0 Kudos

wow!

it is still possible to cheat then!

don't tell anybody

thanks Max

martin_E
Active Contributor
0 Kudos

Don't expose user ids / passwords like this, even over https - There's a very good chance (depending on the E2E response speed) that they will be visible to the casual viewer in the address window of the browser.  It's just as bad when lazy developers link using user-ids / passwords directly from a page - the userid / password is visible in the status bar of the browser just by hovering the cursor on the link.

hth
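
Added example, not part of the original thread: besides the address bar and status bar mentioned above, a query string carrying j_user and j_password is also written verbatim to web server and proxy access logs. The sketch below scans access-log text for such requests and redacts the password value; the log lines are constructed samples and the function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the thread; the password value must never stay in a log.
SECRET_PARAMS = {"j_password"}
IDENTITY_PARAMS = {"j_user"}

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2010:10:01:02 +0100] "GET /logon/logonServlet?j_user=jdoe&j_password=S3cret%21&redirectURL=%2Fwebdynpro%2Fdispatcher HTTP/1.1" 200 512
10.0.0.6 - - [12/Mar/2010:10:01:05 +0100] "GET /irj/portal HTTP/1.1" 200 20480
10.0.0.7 - - [12/Mar/2010:10:02:11 +0100] "GET /MyLogonServlet/Logon?J_USER=asmith&J_PASSWORD=pw HTTP/1.1" 302 0
10.0.0.8 - - [12/Mar/2010:10:03:00 +0100] "POST /logon/logonServlet HTTP/1.1" 302 0
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

def redact_target(target):
    """Return (redacted_target, user, leaked) for one request target."""
    parts = urlsplit(target)
    user, leaked, out = None, False, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        key = name.lower()  # match J_PASSWORD as well as j_password
        if key in SECRET_PARAMS:
            leaked, value = True, "REDACTED"
        elif key in IDENTITY_PARAMS:
            user = value
        out.append((name, value))
    if not leaked:
        return target, user, False
    return urlunsplit(parts._replace(query=urlencode(out))), user, True

def scan(log_text):
    """Return (findings, log text with password values removed)."""
    findings, clean = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if m:
            redacted, user, leaked = redact_target(m.group("target"))
            if leaked:
                findings.append({"line": lineno, "user": user, "path": urlsplit(redacted).path})
                line = line[:m.start("target")] + redacted + line[m.end("target"):]
        clean.append(line)
    return findings, "\n".join(clean)

if __name__ == "__main__":
    hits, cleaned = scan(SAMPLE_LOG)
    for h in hits:
        print(h)
    print(cleaned)
```

Every account that appears in the findings has had its password stored in clear text wherever the log was kept or forwarded, so those passwords should be changed.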

Answers (2)

Former Member
0 Kudos

hello everybody.

i have somehow the same problem - the only difference is that we want to "bypass" the netweaver login and password and we are calling an RFC function module.

any ideas? i tried to call the .html site with &j_user but it doesn't work.

former_member432219
Active Participant
0 Kudos

Hi Andrea

Unfortunately this redirect will no longer work. You will no longer be able to directly use the redirectUrl parameter.

The AS now encrypts the redirect parameter used for navigation after successful authentication (see note 1175239), so when the above URL is received at the server, an attempt to decrypt it is made, which obviously fails in this case. This leads to the message you see:

"cannot redirect to the requested application, the redirect parameter is invalid"

It was never intended that /logon/logonServlet could be directly called by a customer application or by using a browser, since it depends on internal functionality provided by the security service.
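
Added example, not part of the original thread and not SAP's code: a minimal model of why a redirect value written by the caller is rejected once the server only accepts values it produced itself. It uses an HMAC-authenticated token in place of the AS's encryption, whose details the thread does not give; SERVER_KEY and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-server secret, never sent to clients
INVALID = "Cannot redirect to the requested application, the redirect parameter is invalid."

def issue_redirect_token(target, key=SERVER_KEY):
    """Server side: wrap a target the server chose itself in an authenticated token."""
    body = base64.urlsafe_b64encode(target.encode()).rstrip(b"=")
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return (body + b"." + base64.urlsafe_b64encode(tag).rstrip(b"=")).decode()

def _b64d(data):
    # Restore the padding that was stripped when the token was issued.
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def resolve_redirect(param, key=SERVER_KEY):
    """Return (ok, target_or_error); anything this server did not issue is rejected."""
    try:
        body, tag = param.encode().split(b".")
        supplied = _b64d(tag)
        target = _b64d(body).decode()
    except (ValueError, UnicodeError):
        return False, INVALID  # plain or merely encoded URLs end up here
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(supplied, expected):
        return False, INVALID  # well-formed token, but not made with this server's key
    return True, target

if __name__ == "__main__":
    print(resolve_redirect(issue_redirect_token("/webdynpro/dispatcher")))
    print(resolve_redirect("%2Fwebdynpro%2Fdispatcher"))
```

A value that is only URL-encoded or base64-encoded fails the same way, because encoding without the server's key proves nothing about who produced it.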

Former Member
0 Kudos

come on! there should be another option to drive people in a portal page........

Former Member
0 Kudos

I mean there should be a possibility to by-pass this check.

Most of my iViews are called via back-end. I can't imagine I don't have any option left

thanks for help

Andrea

Former Member
0 Kudos

Hi Andrea.

Use either Short URLs or Quick links (http://help.sap.com/saphelp_nw04/helpdata/en/97/b0ef8b24a64ae884f0ab246e54cae5/frameset.htm).

Best regards,

Aliaksandr Zhukau

Former Member
0 Kudos

Hi Patrick,

If the redirect parameter needs to be encrypted, it is possible to construct an URL like this (suppose the parameter is base64 encoded):

http://devportal:8280/logon/logonServlet?redirectURL=cLy9lcnBkZXYuY29ycC5hYmM6ODAwMC9zYXAvYmMvYnNwL3NhcC96bW1fcHIuaHRt

Regards,

Former Member
0 Kudos

Hi Donald

I am not sure I fully understand the solution you proposed, but I've tried anyway to copy (with my hostname) and paste your URL in the browser and I see the usual problem, meaning it leads me to the logon page

The aim here is to bypass the logon page and pass the userid and password directly in the URL, as it used to work prior to the upgrade we did

thanks

ciao

Andrea

Former Member
0 Kudos

> Hi Donald
>
> I am not sure I fully understand the solution you proposed, but I've tried anyway to copy (with my hostname) and paste your URL in the browser and I see the usual problem, meaning it leads me to the logon page
>
> The aim here is to bypass the logon page and pass the userid and password directly in the URL, as it used to work prior to the upgrade we did
>
> thanks
> ciao
> Andrea

Hi Andrea,

The logonServlet indeed doesn't work any longer with the redirectURL parameter. We had a similar problem after our upgrade (and also created an OSS), because we used the logonServlet for manually authenticating SSO users with another user account.

I think you can solve your issue with only a little coding effort by using the UMFactory.getAuthenticator().forceLoggedInUser(HttpServletRequest req, HttpServletResponse res) method. Refer to http://help.sap.com/javadocs/NW04S/current/se/com/sap/security/api/IAuthentication.html#forceLoggedInUser%28javax.servlet.http.HttpServletRequest,%20javax.servlet.http.HttpServletResponse%29.

The good thing about this method is that a user with correct j_user and j_password parameters in the current HttpServletRequest object gets automatically logged in. If the j_user and j_password parameters are not correct, the logon form gets automatically displayed (refer to documentation).

So you could develop a simple servlet and do something like that in its doGet/doPost methods:


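// Inside the servlet's doGet/doPost; needs com.sap.security.api.IUser and com.sap.security.api.UMFactory
IUser user = UMFactory.getAuthenticator().forceLoggedInUser(request, response);
if (user == null) {
    // Not logged in: forceLoggedInUser has already displayed the logon form
    return;
} else {
    // Logged in: continue to the target application
    response.sendRedirect("Your WebDynpro URL");
}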

You would call it simply like that:

http://hostname:port/MyLogonServlet/Logon?j_user=userid&j_password=pwd

Hope it helps you moving forward...

Former Member
0 Kudos

Hi Andrea,

My question to Patrick is not a proposed solution. I'm asking because I googled a German forum which mentioned base64 encoding of redirectURL. I had tried several ways to encode the URL but still no luck.

Actually we are also facing the same problem (using redirectURL to access a BSP) after portal applied security patch. Now we have a first workaround by using "forcedURL" URL iView. For example, the original URL is like this and now it does not work:

http://devportal:8280/logon/logonServlet?redirectURL=%2F%2Febpdev01.xxx:8000%2Fsap%2Fbc%2Fbsp%2Fsap%2Fzmm_pr_workflow%2Fapprove_pr.htm%3Fsap-client%3D100%26i_wiid%3D000005083236%26i_aprsq%3D1%26i_banfn%3D0010317218

1. Portal Content Admin define a new role ABC

2. Define a URL iView (using wizard), change properties "Forced URL" = yes, "Forced URL - Parameter Name" = forcedURL

3. Assign the iView delta link to the new role

Now we can access the BSP by URL:

http://devportal:8280/irj/portal/index.html?NavigationTarget=ROLES://portal_content/xxx.ABC/iView/zmm_pr_workflow&forcedURL=%2F%2Febpdev01.xxx:8000%2Fsap%2Fbc%2Fbsp%2Fsap%2Fzmm_pr_workflow%2Fapprove_pr.htm%3Fsap-client%3D100%26i_wiid%3D000005083236%26i_aprsq%3D1%26i_banfn%3D0010317218

Please see if this also works in your case.

Regards,

Donald