on 02-24-2014 7:30 PM
Hey all,
Hoping someone can help me out. Maybe this is simpler than I think or maybe I'm not looking at it from the right perspective.
We have a SAPUI5 application that runs on the gateway server and is accessible for mobile devices. We also want to enable access for the end users via the SAP Portal using Single Sign-On.
We have end-to-end SSO working on the Portal from the desktop login (Kerberos) right through to the backend SAP ECC systems.
I've deployed the SAPUI5 app to the portal server and can access it directly from there via URL 'portalserver:port/Appname/index.html'. I've also created a SAPUI5 iView and can access it that way as well.
The issue I have is that the app seems to be directly accessible via anonymous access, I don't get a login prompt even if I've turned off the browser SSO, the app just launches.
So, I have a few ideas but not sure if any of them will work:
- app was not developed by me but I'm thinking I can maybe wrap it in NWDS as a Portal application? Then this would automatically include the portal authentication functionality?
- write additional code in the SAPUI5 app to do some kind of kerberos authentication
- deploy app to ABAP server and use security there to control access
Any other ideas or validation of my above thoughts would be helpful.
Thanks in advance,
Robin
Hi Robin Schmidt,
Thanks for sparking this thought!!! Please check out my blog with reference to this -
Let me know if it helps.
BR,
Nagarajan.
Hi Robin,
Thanks for this information. Hope you can share what you used for your app - CLIENT-CERT or TICKET?
Hi Melanie,
We ended up going with the TICKET method. This means that the user has to access a Portal or other Java Netweaver stack to generate the MYSAPSSO2 ticket, then access the app. This secures the app in that only those who have successfully authenticated against our Portal can access it.
We chose the TICKET over the CLIENT-CERT method mainly due to inconsistency in testing the CLIENT-CERT with different browsers and browser versions. The TICKET method was more consistent in the different scenarios.
Regards,
Robin
Thanks for all the help guys, really appreciate it.
So I thought I'd update this thread with the results of my findings.
I didn't go the Java route as Robin suggested so I can't comment on the effectiveness of that solution.
I also didn't use the Generic HTML component as Dror suggested.
I went with the web.xml option that Nagarajan suggested.
So, here are my test results. I tested the BASIC, CLIENT-CERT, and TICKET authorization methods. I had to use IE8 as this is the corporate standard at the moment, so I also tested Firefox to get real UI5 results as IE8 does not fully support it.
Test | Auth-method | Browser | Logged into Portal | EIWA* | Result
---|---|---|---|---|---
1a | BASIC | IE | No | On | Prompted for pw but even with ID/PW still not logged in
1b | BASIC | Firefox | No | n/a | Prompted for pw but even with ID/PW still not logged in
2a | BASIC | IE | Yes | On | Prompted for pw but even with ID/PW still not logged in
2b | BASIC | Firefox | Yes | n/a | Prompted for pw but even with ID/PW still not logged in
3a | CLIENT-CERT | IE | No | On | Security warning message and then App is launched
3b | CLIENT-CERT | Firefox | No | n/a | Unable to Connect error
4a | CLIENT-CERT | IE | Yes | On | Security warning message and then App is launched
4b | CLIENT-CERT | Firefox | Yes | n/a | Unable to Connect error
5a | TICKET | IE | No | On | App is launched
5b | TICKET | Firefox | No | n/a | App is not launched – auth error after refresh
6a | TICKET | IE | No | Off | App is not launched – auth error after refresh
7a | TICKET | IE | Yes | On | App is launched
7b | TICKET | Firefox | Yes | n/a | App is launched
* EIWA = Enable Integrated Windows Authentication in IE Options.
The security warning using CLIENT-CERT I believe is because we are not using SSL for our Portal. The CLIENT-CERT appears to require SSL.
We need to continue testing with mobile devices now and then will determine if we're going to use CLIENT-CERT or TICKET. If we use the TICKET option then we may have to use a java redirect to generate the TICKET and then re-route to the app.
Cheers,
Robin
Thanks for all the ideas guys. I'm testing them out to see which way is going to work for me and I'll report back.
Appreciate the help so far!
Regards,
Robin
Please check out Using the Generic HTML Portal Component - Portal - SAP Library
It allows to create a Portal Component based on UI5 code without having the original application in place.
Hi Robin,
What version of the Portal are you accessing? In Netweaver 7.3 SP9 Portal, there's a SAPUI5 portal page template out of the box. Apart from that you can use a URL iView that can point to your UI5 app. Then configure the permissions of that iView to suit your requirements. This will enforce security around the app. Use quick links to navigate to your iView. I just found this as well,
Regards,
Raj
Hi Raj (This is the other Robin)
The problem I see with that approach is, while the iView itself enforces authorization, the direct link to the SAPUI5 application can still be accessed anonymously. Furthermore, although you're logged in to the portal as an Authenticated User, from the SAPUI5 application's perspective you're still logged on as Guest.
Thanks Robin, you beat me to it. You're right, the issue is that the link will still be accessible by using the direct link.
I will take a look at the code and see about adding the code you referenced above. I didn't write the original app so I'll have to import it and take a look.
Thanks, will keep you posted. Appreciate the replies so far.
Regards,
Robin
Hi Robin,
Yes, I missed that part out. You can either go with wrapping your UI5 app with a Java Web project or Portal component. If you are using Portal version < 7.3 then I would go with the web project route since from 7.3 PAR developments are no longer supported. To speed it up, Eclipse provides a plugin that creates the UI5 web project for you with all the dependencies.
Raj
Hi Robin 😉
I cannot tell if your SAPUI5 application also has some Java dependencies or code, but if it has, this is what needs to be done:
What's missing in your setup is adding a J2EE authentication filter (see http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html)
The doFilter() action should ideally have an implementation like this:
    package com.yourcompany;
    import java.io.IOException;
    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import com.sap.security.api.IUser;
    import com.sap.security.api.UMFactory;

    public class YourAuthenticationFilter implements Filter {
        public void init(FilterConfig config) throws ServletException { }
        public void destroy() { }
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
            HttpServletRequest hsRequest = (HttpServletRequest) request;
            HttpServletResponse hsResponse = (HttpServletResponse) response;
            // Ask UME for the user behind this request (session or logon ticket); null means anonymous
            IUser user = UMFactory.getAuthenticator().getLoggedInUser(hsRequest, hsResponse);
            if (user == null) {
                // Not authenticated: trigger the portal logon and stop the chain here
                UMFactory.getAuthenticator().forceLoggedInUser(hsRequest, hsResponse);
                return;
            }
            // Authenticated: let the request reach the SAPUI5 resources
            chain.doFilter(request, response);
        }
    }
In your SAPUI5 application's web.xml file, add a reference to your filter:
    <filter>
        <filter-name>Authentication</filter-name>
        <filter-class>com.yourcompany.YourAuthenticationFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>Authentication</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
If you're on ABAP only, then unfortunately I cannot be of help but I'm sure others would be 🙂
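Added example, not from the thread: the declarative counterpart of the filter above and of the "web.xml option" Robin tested, a security constraint over every URL of the SAPUI5 web module with the TICKET auth-method from his result table, so a direct link without a MYSAPSSO2 ticket is no longer served to Guest. The role name ui5_user is an assumption and has to be mapped to a UME group or role on the server; the auth-method value can be swapped for BASIC or CLIENT-CERT to reproduce the other test rows.

```xml
<!-- web.xml of the SAPUI5 web module (added example, names assumed) -->
<web-app>

    <!-- Every resource of the app, including index.html and the UI5 resources,
         requires an authenticated caller holding the assumed role -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>SAPUI5 application</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <!-- assumed role; map it to a UME group/role in the server-side role mapping -->
            <role-name>ui5_user</role-name>
        </auth-constraint>
    </security-constraint>

    <!-- TICKET = SAP logon ticket (MYSAPSSO2) issued by the Portal after Kerberos SSO.
         Rows 5a/7a/7b of the test table: ticket present -> app launched.
         Rows 5b/6a: no ticket -> auth error instead of an anonymous launch.
         Alternatives tested in the thread: BASIC, CLIENT-CERT (the latter needs SSL). -->
    <login-config>
        <auth-method>TICKET</auth-method>
    </login-config>

    <security-role>
        <role-name>ui5_user</role-name>
    </security-role>

</web-app>
```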