
SAPUI5 App running on Portal - SSO?

Former Member
0 Kudos


Hey all,

Hoping someone can help me out.  Maybe this is simpler than I think or maybe I'm not looking at it from the right perspective.

We have a SAPUI5 application that runs on the gateway server and is accessible for mobile devices.  We also want to enable access for the end users via the SAP Portal using Single Sign-On.

We have end-to-end SSO working on the Portal from the desktop login (Kerberos) right through to the backend SAP ECC systems.

I've deployed the SAPUI5 app to the portal server and can access it directly from there via URL 'portalserver:port/Appname/index.html'.  I've also created a SAPUI5 iView and can access it that way as well.

The issue I have is that the app seems to be directly accessible via anonymous access, I don't get a login prompt even if I've turned off the browser SSO, the app just launches.

So, I have a few ideas but not sure if any of them will work:

- app was not developed by me but I'm thinking I can maybe wrap it in NWDS as a Portal application?  Then this would automatically include the portal authentication functionality?

- write additional code in the SAPUI5 app to do some kind of Kerberos authentication

- deploy app to ABAP server and use security there to control access

Any other ideas or validation of my above thoughts would be helpful.

Thanks in advance,

Robin

Accepted Solutions (1)

Former Member
0 Kudos

Hi

Answers (6)

Former Member
0 Kudos

Hi Robin,

Thanks for this information. Hope you can share what you used for your app - CLIENT-CERT or TICKET?

Former Member
0 Kudos

Hi Melanie,

We ended up going with the TICKET method.  This means that the user has to access a Portal or other Java Netweaver stack to generate the MYSAPSSO2 ticket, then access the app.  This secures the app in that only those who have successfully authenticated against our Portal can access it.

We chose the TICKET over the CLIENT-CERT method mainly due to inconsistency in testing the CLIENT-CERT with different browsers and browser versions.  The TICKET method was more consistent in the different scenarios.

Regards,
Robin

Former Member
0 Kudos

Thanks for all the help guys, really appreciate it.

So I thought I'd update this thread with the results of my findings.

I didn't go the Java route as Robin suggested so I can't comment on the effectiveness of that solution.

I also didn't use the Generic HTML component as Dror suggested.

I went with the web.xml option that Nagarajan suggested.

So, here are my test results.  I tested the BASIC, CLIENT-CERT, and TICKET authorization methods.  I had to use IE8 as this is the corporate standard at the moment so also tested Firefox to get real UI5 results as IE8 does not fully support it.

| Test | Auth-method | Browser | Logged into Portal | EIWA* | Result |
|------|-------------|---------|--------------------|-------|--------|
| 1a | BASIC | IE | No | On | Prompted for pw but even with ID/PW still not logged in |
| 1b | BASIC | Firefox | No | n/a | Prompted for pw but even with ID/PW still not logged in |
| 2a | BASIC | IE | Yes | On | Prompted for pw but even with ID/PW still not logged in |
| 2b | BASIC | Firefox | Yes | n/a | Prompted for pw but even with ID/PW still not logged in |
| 3a | CLIENT-CERT | IE | No | On | Security warning message and then App is launched |
| 3b | CLIENT-CERT | Firefox | No | n/a | Unable to Connect error |
| 4a | CLIENT-CERT | IE | Yes | On | Security warning message and then App is launched |
| 4b | CLIENT-CERT | Firefox | Yes | n/a | Unable to Connect error |
| 5a | TICKET | IE | No | On | App is launched |
| 5b | TICKET | Firefox | No | n/a | App is not launched – auth error after refresh |
| 6a | TICKET | IE | No | Off | App is not launched – auth error after refresh |
| 7a | TICKET | IE | Yes | On | App is launched |
| 7b | TICKET | Firefox | Yes | n/a | App is launched |

* EIWA = Enable Integrated Windows Authentication in IE Options.

The security warning using CLIENT-CERT I believe is because we are not using SSL for our Portal.  The CLIENT-CERT appears to require SSL.

We need to continue testing with mobile devices now and then will determine if we're going to use CLIENT-CERT or TICKET.  If we use the TICKET option then we may have to use a java redirect to generate the TICKET and then re-route to the app.

Cheers,

Robin

Former Member
0 Kudos

Thanks for all the ideas guys.  I'm testing them out to see which way is going to work for me and I'll report back.

Appreciate the help so far!

Regards,
Robin

dror_last
Active Participant
0 Kudos

Please check out Using the Generic HTML Portal Component - Portal - SAP Library

It allows you to create a Portal Component based on UI5 code without having the original application in place.

rajendrengovend
Participant
0 Kudos

Hi Robin,

What version of the Portal are you accessing? In Netweaver 7.3 SP9 Portal, there's a SAPUI5 portal page template out of the box. Apart from that you can use a URL iView that can point to your UI5 app. Then configure the permissions of that iView to suit your requirements. This will enforce security around the app. Use quick links to navigate to your iView. I just found this as well,

Regards,

Raj

Qualiture
Active Contributor
0 Kudos

Hi Raj (this is the other Robin)

The problem I see with that approach is, while the iView itself enforces authorization, the direct link to the SAPUI5 application can still be accessed anonymously. Furthermore, although you're logged in to the portal as an Authenticated User, from the SAPUI5 application's perspective you're still logged on as Guest.

Former Member
0 Kudos

Thanks Robin, you beat me to it.  You're right, the issue is that the link will still be accessible by using the direct link.

I will take a look at the code and see about adding the code you referenced above.  I didn't write the original app so I'll have to import it and take a look. 

Thanks, will keep you posted.  Appreciate the replies so far. 

Regards,
Robin

rajendrengovend
Participant
0 Kudos

Hi Robin,

Yes, I missed that part out. You can either go with wrapping your UI5 app with a Java Web project or Portal component. If you are using Portal version < 7.3 then I would go with the web project route since from 7.3 PAR developments are no longer supported. To speed it up, Eclipse provides a plugin that creates the UI5 web project for you with all the dependencies.

Raj

Qualiture
Active Contributor
0 Kudos

Hi Robin 😉

I cannot tell if your SAPUI5 application also has some Java dependencies or code, but if it has, this is what needs to be done:

What's missing in your setup is adding a J2EE authentication filter (see http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html)

The doFilter() action should ideally have an implementation like this:


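  import java.io.IOException;
  import javax.servlet.*;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  import com.sap.security.api.IUser;
  import com.sap.security.api.UMFactory;

  // Class name matches the <filter-class> entry in web.xml
  public class YourAuthenticationFilter implements Filter {
      public void init(FilterConfig config) throws ServletException { }
      public void destroy() { }

      public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
          HttpServletRequest  hsRequest  = (HttpServletRequest)request;
          HttpServletResponse hsResponse = (HttpServletResponse)response;
          // Ask the UME whether this request already belongs to a logged-in user
          IUser user = UMFactory.getAuthenticator().getLoggedInUser(hsRequest, hsResponse);

          if (user == null) {
              // No authenticated user: trigger the logon and do not serve the resource
              UMFactory.getAuthenticator().forceLoggedInUser(hsRequest, hsResponse);
              return;
          }
          else {
              // Authenticated: pass the request on to the application
              chain.doFilter(request, response);
          }
      }
  }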

In your SAPUI5 application's web.xml file, add a reference to your filter:


<filter>
  <filter-name>Authentication</filter-name>
  <filter-class>com.yourcompany.YourAuthenticationFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>Authentication</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

If you're on ABAP only, then unfortunately I cannot be of help but I'm sure others would be 🙂
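
An added example, not part of the original thread and not SAP's own tooling: a small audit that reads a deployed app's web.xml and reports whether anything guards every URL, covering both fixes discussed here (a filter mapped to `/*`, or a container auth-method such as TICKET behind a security constraint). The three descriptors are constructed, the role name `AppUser` is a placeholder, and the check is a heuristic that does not verify what the filter class actually does.

```python
import xml.etree.ElementTree as ET

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any XML namespace prefix

def _patterns(elem):
    return [e.text.strip() for e in elem.iter() if _local(e.tag) == "url-pattern" and e.text]

def audit_web_xml(xml_text):
    """Heuristic: report what, if anything, guards every URL ("/*") of the app."""
    filters, constrained, auth_method = [], False, None
    for child in ET.fromstring(xml_text):
        name = _local(child.tag)
        if name == "filter-mapping" and "/*" in _patterns(child):
            # A filter on /* only helps if it really authenticates; review its class.
            filters += [e.text.strip() for e in child
                        if _local(e.tag) == "filter-name" and e.text]
        elif name == "security-constraint":
            has_auth = any(_local(e.tag) == "auth-constraint" for e in child)
            constrained = constrained or (has_auth and "/*" in _patterns(child))
        elif name == "login-config":
            for e in child:
                if _local(e.tag) == "auth-method" and e.text:
                    auth_method = e.text.strip()
    return {
        "filters_on_all_urls": filters,
        "container_auth": auth_method if constrained else None,
        "anonymous_direct_access": not filters and not constrained,
    }

# Constructed descriptors (not from a real deployment).
UNPROTECTED = ("<web-app><welcome-file-list><welcome-file>index.html"
               "</welcome-file></welcome-file-list></web-app>")
WITH_FILTER = """<web-app>
  <filter><filter-name>Authentication</filter-name>
    <filter-class>com.yourcompany.YourAuthenticationFilter</filter-class></filter>
  <filter-mapping><filter-name>Authentication</filter-name>
    <url-pattern>/*</url-pattern></filter-mapping>
</web-app>"""
WITH_TICKET = """<web-app>
  <security-constraint>
    <web-resource-collection><web-resource-name>app</web-resource-name>
      <url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>AppUser</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>TICKET</auth-method></login-config>
</web-app>"""

if __name__ == "__main__":
    for label, doc in (("none", UNPROTECTED), ("filter", WITH_FILTER), ("ticket", WITH_TICKET)):
        print(label, audit_web_xml(doc))
```

A descriptor that reports `anonymous_direct_access` as true matches the situation in the original question, where the direct URL opened the app without any login.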