Single-Sign-On (SSO) configuration on JAVA Stack through HTTP Header method

Former Member
0 Kudos

Hello SDN community,

in the context of a Proof of Concept, we are testing the integration of Microsoft Sharepoint Portal with SAP Backend (addin) systems.

As the architecture imposes an external scenario (access from the internet), we couldn't use the Kerberos (SPNego) solution and thus we chose the HTTP header solution, which in short uses an intermediary web server (in this case the IIS of the MOSS solution) that will act as authority.

I am missing information on how the workflow works for this HTTP header authentication method. Through the Visual Administrator of the add-in Java stack, it is possible to configure each application with a customized authentication (a choice of security modules). But this is all that I know.

My task is to configure SSO. From a SharePoint portal, the user should be able to access Web Dynpros and BSPs. I imagine that on the very first call to a Web Dynpro or BSP (or maybe when we log on to the SharePoint portal), the request to the WDP or BSP will first be forwarded by the intermediary server to the Java stack (or is it the SAP dispatcher that has to be configured?).

Is there an application to be built on the java stack to deal with the authentication, modify http header?

What will the Java stack return? a sap long ticket? a token?

How will the redirect work (to, for example, a BSP which is in the ABAP stack)?

SAP recommends securing the link between the intermediary web server and the Java stack with SSL; is IP restriction also a solution?

A lot of questions about how this SSO http header should work,

I would be very grateful for any help or info,

Kind regards,

Tanguy Mezzano

Accepted Solutions (1)


former_member698570
Active Participant
0 Kudos

Hi Tanguy,

sorry for my late reply. A restart of your AppServer should be more than fine. Did your changes take effect now??

I'm on workshops for the next three weeks but I'll try to reply as soon as possible.

Cheers

Former Member
0 Kudos

Hi Marcel,

I've set the domain relaxation to 1 as SAP support tells me, but still nothing changes. In the dispatcher http logs on the server I see that I still have .bbb.company.com as cookie domain.

I have of course restarted the sap j2ee server.

Is there another place where parameters influence domain relaxation?

Kind regards,

Tanguy

Former Member
0 Kudos

Hi again,

I really don't understand why this is not working. Maybe I'm not looking at the right place.

I have activated the logs, and I can see the http trace of the dispatcher, but even after restarting the engine, I see that the cookie delivered is still .bbbb.company.com with domain relaxation to 1.

Is there another part that might override this parameter? The descriptor of the servlet? A parameter in the dispatcher?

I'm sorry to insist but I'm really stuck.

Thanks anyway again for your interest,

Kind regards,

Tanguy

Former Member
0 Kudos

Hello Marcel,

just to tell you that it's working now; I read our thread again and applied your answer from the post Posted: Jul 10, 2008 1:46 PM.

Thanks again for your time and help, I see that you are really active on this forum, that's good for us!

Regards,

Tanguy

Answers (6)


former_member698570
Active Participant
0 Kudos

Hi Tanguy, that's nice.

Cheers

Marcel

Former Member
0 Kudos

Hello Marcel!

Long time

I'm sure your experience could help me once again. If you don't mind, I will reward points on all answers.

The http header configuration did not work until the end. The problem we faced was that the MYSAPSSO2 ticket was sent only for the first request, but all other requests to the BSP application that are done automatically were sent without the ticket, so BSP pages were not correctly displayed.

Anyway, we changed technology and installed a Sun Java Access Manager system to use SAML authentication. The Java Stack has been configured and we can access servlets or Java WDP with SAML authentication. Here is the Logon Module configuration:

 
Login Module                Flag
VerifyTicketLoginModule     SUFFICIENT
SAMLLoginModule             OPTIONAL
CreateTicketLoginModule     SUFFICIENT
BasicPasswordLoginModule    OPTIONAL
CreateTicketLoginModule     SUFFICIENT

Now I'm trying to access Backend applications with SAML authentication; once again a redirection scenario is in place (the first jsp example you gave to me). But even if the trust relationship between backend and java stack is done, each time I get a pop-up from the backend for Basic Password Authentication.

I have also in mind that there is the cookie domain problem, so I updated the parameter:

ume.logon.security.relax_domain.level to level 2 (and I set the parameter ume.logon.security.local_redirect_only to false). I restarted the Java Stack after that, but it seems that the parameters have not been updated:

 
[1222422413875][Sep 26, 2008 11:46:53 AM ] - CLIENT: 256, REPLY: 
{HTTP/1.1 302 Found 
Set-Cookie: MYSAPSSO2=AjExMDAgABBwb3J0YWw6REVNT19NT1NTiAAHZGVmYXVsdAEACURFTU9fTU9TUwIAAzAwMAMAA0pEMgQADDIwMDgwOTI2MDk0NgUABAAAAAgKAAlERU1PX01PU1P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0pEMjENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwOTI2MDk0NjUzWjAjBgkqhkiG9w0BCQQxFgQUA8RhPIQSd0Hvy4MNDLDvxEvAG1IwCQYHKoZIzjgEAwQuMCwCFE2SiIKjzMYkMSSiS0yfaJwW%2FMLWAhQ1%2Fm9HI9K05yt93LoWVdAVIo2EXQ%3D%3D;path=/;domain=.bbbb.company.com;HttpOnly 
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/ 
Server: SAP J2EE Engine/7.00 
Content-Type: text/plain 
Location: https://host.aaaa.company.com...
Content-Length: 0 
Date: Fri, 26 Sep 2008 09:46:53 GMT 

} 
[1222422413875][Sep 26, 2008 11:46:53 AM ] - CLIENT: 256, REPLY: 
{} 

Could you think of something??

Thanks again for your time,

Tanguy Mezzano

former_member698570
Active Participant
0 Kudos

Hi,

are you sure that your trust relation is correctly configured and that your client is actually sending the MYSAPSSO2 Cookie to your backend?? (Use Sniffer or Firebug or similar tools to see the HTTP traffic).

Why are you using SAML now? If your problem was that the MYSAPSSO2 Cookie was not sent correctly then SAML will not solve your issues.

As far as I can see you're using the same approach as before but your Engine is now using the SAML Login Module to authenticate your user instead of Header Authentication Module correct?

Please explain in more detail what your scenario looks like?

- Request Flow

- Components involved

Do you have an image of your architecture?

Cheers

Former Member
0 Kudos

Hello Marcel,

thanks for replying.

Yes we encounter the same problem, you are correct, but SAML has been chosen for business reasons.

Indeed, I used a sniffer and I see that the cookie is not sent to backend:

Here I call the SSOredirect servlet configured with the SAML logon module


GET /SSOredirect/SSOredirect.jsp?redirectURL=http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/bspApplication.do?sap-client=211&SAMLart=AAEVFPtvTWbcf6tErfETsmgRWt%2BmkXkzVZFswirDjNPRHzeCVC9lajAx HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-silverlight-2-b2, */*
Accept-Language: en-ca,fr-be;q=0.7,zh-cn;q=0.3
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: j2ee.bbbb.company.com:50000
Connection: Keep-Alive
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczODIW7v22rw8m+gFzntfHz4WJOhyMTDnk=@AAJTSQACMDE=#

Here I get correctly authenticated, I get a SAP Logon Ticket and a redirection 302, but I see that the domain relaxation has not been done!


HTTP/1.1 302 Found
Set-Cookie: MYSAPSSO2=AjExMDAgABBwb3J0YWw6REVNT19NT1NTiAAHZGVmYXVsdAEACURFTU9fTU9TUwIAAzAwMAMAA0pEMgQADDIwMDgwOTI2MTMwMgUABAAAAAgKAAlERU1PX01PU1P%2FAQQwggEABgkqhkiG9w0BBwKggfIwge8CAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGBzzCBzAIBATAiMB0xDDAKBgNVBAMTA0pEMjENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgwOTI2MTMwMjQyWjAjBgkqhkiG9w0BCQQxFgQUDyA7NdmWOMWT2ash7mMoD8QIZ0YwCQYHKoZIzjgEAwQuMCwCFH7UhLTffgOjpNqp7Lx%2FUtw76ZBXAhQbOpoPAoWNpyZGoA8pIk5e8XbjTQ%3D%3D;path=/;domain=.bbbb.company.com;HttpOnly
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/
Server: SAP J2EE Engine/7.00
Content-Type: text/plain
Location: http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/bspApplication.do?sap-client=211
Content-Length: 0
Date: Fri, 26 Sep 2008 13:02:42 GMT

Then I see in the logs, that it requests the backend application but without the logon ticket:


GET /sap/bc/bsp/sap/bspApplication.do?sap-client=211 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/xaml+xml, application/vnd.ms-xpsdocument, application/x-ms-xbap, application/x-ms-application, application/x-silverlight, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-silverlight-2-b2, */*
Accept-Language: en-ca,fr-be;q=0.7,zh-cn;q=0.3
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; InfoPath.1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Host: backend.aaaa.company.com:1080
Connection: Keep-Alive
Cookie: amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfczODIW7v22rw8m+gFzntfHz4WJOhyMTDnk=@AAJTSQACMDE=#

and of course I am not authorised:


HTTP/1.1 401 Unauthorized
set-cookie: sap-usercontext=sap-client=211; path=/
content-type: text/html; charset=iso-8859-1
content-length: 28
sap-system: RD1
www-authenticate: Basic realm="SAP Web Application Server [RD1]"
sap-client: 360
server: SAP Web Application Server (1.0;620)

Enter User Name and Password

The SSOredirect servlet on java stack that does the redirection is:


String redirectURL = request.getParameter ("redirectURL"); 
response.sendRedirect (redirectURL);

The parameter: ume.logon.security.relax_domain.level is set to 2.

Best regards,

Tanguy

Former Member
0 Kudos

Hello Marcel,

I think that it's my Java Stack that is not taking into account my changes in its configuration.

After that you update parameters in Visual Admin, what should I do beside restarting SAP systems?

I've changed ume.logon.httponlycookie to false also but I still see in the logs or with a sniffer:

domain=.bbbb.company.com;HttpOnly

instead of:

domain=.company.com

Argh, thanks for your input if you have time,

Tanguy

Former Member
0 Kudos

Here's the spec:


if (cookie.isDomainAttributeSpecified()
    && (!cookie.getDomain().equals(host))) {

    // domain must start with dot
    if (!cookie.getDomain().startsWith(".")) {
        throw new MalformedCookieException("Domain attribute \""
            + cookie.getDomain()
            + "\" violates RFC 2109: domain must start with a dot");
    }
    // domain must have at least one embedded dot
    int dotIndex = cookie.getDomain().indexOf('.', 1);
    if (dotIndex < 0 || dotIndex == cookie.getDomain().length() - 1) {
        throw new MalformedCookieException("Domain attribute \""
            + cookie.getDomain()
            + "\" violates RFC 2109: domain must contain an embedded dot");
    }
    host = host.toLowerCase();
    if (!host.endsWith(cookie.getDomain())) {
        throw new MalformedCookieException(
            "Illegal domain attribute \"" + cookie.getDomain()
            + "\". Domain of origin: \"" + host + "\"");
    }
    // host minus domain may not contain any dots
    String hostWithoutDomain = host.substring(0, host.length()
        - cookie.getDomain().length());
    if (hostWithoutDomain.indexOf('.') != -1) {
        throw new MalformedCookieException("Domain attribute \""
            + cookie.getDomain()
            + "\" violates RFC 2109: host minus domain may not contain any dots");
    }
}

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

the dot is absolutely correct for the domain value in the cookie (see RFC 2109)

Here's an extract of RFC 2109

Domain=domain
      Optional.  The Domain attribute specifies the domain for which the
      cookie is valid.  An explicitly specified domain must always start
      with a dot.

As far as I can see you are getting an error message regarding the Cookie because of an exception you are throwing yourself??

What I don't get is why are you using the Java Client to connect to Backend? Don't you want your client (Frontend Browser) to perform Single Sign On against your Backend? You could use a Java Servlet Application that serves as an Authenticator Servlet which is being accessed by your client (Browser) and in the Background your Servlet accesses the J2EE using the Header Variable in order to get the Cookie and fetch it from the Server response.

In your client response (the response from your Servlet App to the Frontend) you could send the Cookie to your Client (Browser). Furthermore the response could contain a redirect to your Backend and your client will follow the redirect and actually send the Cookie in order to authenticate via SSO.

This could look something like this (your Servlet):

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class AuthenticatorServlet extends javax.servlet.http.HttpServlet implements javax.servlet.Servlet {
  static final long serialVersionUID = 1L;
..

  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {

    String REMOTE_USER = "";
    String REDIRECT_URL = "";
    try {
      REMOTE_USER = request.getParameter("REMOTE_USER");
      REDIRECT_URL = request.getParameter("redirectURL");
    } catch(Exception Ex) {
      Ex.printStackTrace();
    }

    // We get the cookies from the remote request and add them to our client response
    org.apache.commons.httpclient.Cookie[] cookies = HTTPClient.request(REMOTE_USER);

    // HTTPClient.request() returns null when the call to the engine failed
    if (cookies != null) {
      for(int i=0; i<cookies.length; i++) {
        javax.servlet.http.Cookie clientCookie = new javax.servlet.http.Cookie(cookies[i].getName(), cookies[i].getValue());
        // Here you could fetch some additional info from your original cookie or set some parameters with
        // custom values as you desire!
        clientCookie.setDomain(".domain.com");
        clientCookie.setPath("/");
        response.addCookie(clientCookie);
      }
    }
    response.sendRedirect(REDIRECT_URL);
  }
}

The HTTPClient Class is the class that creates a request to your J2EE in the background and could look something like this:

import java.io.IOException;

import org.apache.commons.httpclient.Cookie;
import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.HttpState;
import org.apache.commons.httpclient.HttpStatus;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.httpclient.params.HttpMethodParams;

public class HTTPClient {

    public static org.apache.commons.httpclient.Cookie[] request(String REMOTE_USER) {

        Cookie[] cookies = null;

        // Define the url to your app on J2EE that is configured to use HTTP Header Authentication
        String url = "http://<yourenginehost>:<yourengineport>/<yourengineapp>";

        // Get initial state object
        HttpState initialState = new HttpState();

        // Create an instance of HttpClient.
        HttpClient client = new HttpClient();
        client.getHttpConnectionManager().getParams().setConnectionTimeout(30000);
        client.setState(initialState);

        // Create a method instance.
        GetMethod method = new GetMethod(url);

        // Provide custom retry handler if necessary
        method.getParams().setParameter(HttpMethodParams.RETRY_HANDLER, new DefaultHttpMethodRetryHandler(3, false));

        try {

            // We add the Header for the Header Variable Login Module
            method.addRequestHeader("REMOTE_USER", REMOTE_USER);
            // Execute the method.
            int statusCode = client.executeMethod(method);

            if (statusCode != HttpStatus.SC_OK) {
                System.err.println("Method failed: " + method.getStatusLine());
            }

            // Get all the cookies from the J2EE response
            cookies = client.getState().getCookies();

        } catch (HttpException e) {
            System.err.println("Fatal protocol violation: " + e.getMessage());
            e.printStackTrace();
        } catch (IOException e) {
            System.err.println("Fatal transport error: " + e.getMessage());
            e.printStackTrace();
        } finally {
            // Release the connection.
            method.releaseConnection();
        }

        return cookies;
    }
}

Hope this helps

Cheers

Former Member
0 Kudos

Hello Marcel,

in fact I did succeed; the problem was that even after domain relaxation done by the J2EE, I had to change the domain of the SAP cookie to bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems not...).

Thanks for the last post with code but I have a few more questions.

My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.

So everything is in a Java Client application without using any redirection.

If I understand you, your solution is, from the Browser, to call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header. That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then redirect to the resource, sending back the cookie to the client browser. Am I correct?

This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...

So my problem now, is how to call the servlet from the client browser:

I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not how to reach a servlet. I can't find the path to my servlet:


<FORM method="POST" action="SSORedirect2" >

I see that my servlet is deployed, but I don't know what path to give to my form to invoke the servlet; here follows my web.xml


<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE web-app ...>
<web-app>
  <display-name>WEB APP</display-name>
  <description>WEB APP description</description>
  <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
  </servlet>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>DefaultSecurityRole</role-name>
  </security-role>
</web-app>

I have also to pass my http header and the redirectUrl in the GET request.

Thanks for your input, very helpful,

Tanguy

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

to tell you the truth I'm really unsure about what you are trying to achieve. When I started posting to your thread I thought all you wanted was to access your J2EE engine via Browser and authenticate against the engine using HTTP Header Variables. Never mind:

Here are some answers to your question:

in fact I did succeed; the problem was that even after domain relaxation done by the J2EE, I had to change the domain of the SAP cookie to bbbb.domain.com to be understood (I would have thought that all hosts in/under domain .domain would have accepted such a cookie but it seems not...).

The server does not care about the domain because Cookies in an HTTP Request do not contain any domain information. The domain is just important when the Cookie is set by the server so your Client (Browser) will know in which cases the Cookie may be sent or not. So if your domain is xxx.yyy.domain.com and your cookie is issued to .domain.com then your Browser will definitely send it to all hosts under .domain.com (This includes xxx.yyy.domain.com etc.)

My current scenario is: in a first request get a SAP Logon Ticket from the Java Stack, then change its domain and then directly call the backend with it.

You can do that but there is no Client involved in this scenario. So this is useful if you just want to test the functionality (e.g. authentication to J2EE using Header Variables (This works finally!!!) and then use the fetched Logon Ticket to test SSO against any trusted Backend!!)

So everything is in a Java Client application without using any redirection.

If I understand you, your solution is, from the Browser, to call a servlet (which is deployed on the Java Stack and has no authentication schema) by passing to it our http header.

No, you should initially authenticate somewhere! I thought that maybe you had some resource you access before accessing the Java Stack. This could be any application (e.g. deployed on a Tomcat or JBOSS or other server or if you like even SAP J2EE). After authenticating there you are aware of the username and could use it to proceed (e.g. Authenticate against the J2EE using the same user and HTTP Header authentication for that particular user!)

That servlet will transfer the http header (with the HttpClient app) in order to get from the Java Stack a SAP Logon ticket, and then to redirect to the resource and by sending back the cookie in client browser. Am I correct?

This was just a suggestion because I realized that there was no Client ever involved in any of your testing (looked strange to me!). I was just thinking that it would be easier for you to just get the Cookie into your Browser so your Browser would do the rest for you (in your case finally send the Logon Ticket Cookie to your Backend to test SSO using Logon Tickets!).

The AuthenticatorServlet somehow serves as a Proxy to your client because your client is not able to set the Header Variable. That's why I initially suggested to use a Proxy (e.g. Apache) for that purpose. The problem is just that if you use a Proxy you will have to tell it somehow which username it should set in the Header Variable (e.g. using a URL Parameter or using a personalized client certificate and fetch the username (e.g. cn=<username> from the certificate!)

This way of doing would simplify the calls for sso for each new application needing authentication, instead of having all code each time in it...

I'm stuck again! Do you want to authenticate an End User or do you want to authenticate an application that needs to call any resources in your Backend that requires authentication?

So my problem now, is how to call the servlet from the client browser:

I'm trying to call my servlet from the browser but I don't succeed. I am able to understand how to reach a jsp from the Java Stack, but not to reach a servlet. I don't find the path to my servlet:

<FORM method="POST" action="SSORedirect2" >

A JSP is a servlet too. There is just no JAVA Class involved!

You do not need any POST Request to invoke a Servlet.

I see that my servlet is deployed, but I don't know what path to give to my form to invoke the servlet; here follows my web.xml

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE web-app ...>
<web-app>
  <display-name>WEB APP</display-name>
  <description>WEB APP description</description>
  <servlet>
    <servlet-name>SSOredirect2</servlet-name>
    <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>SSORedirect2.jsp</servlet-name>
    <jsp-file>/SSORedirect2.jsp</jsp-file>
  </servlet>
  <security-constraint>
    <display-name>SecurityConstraint</display-name>
    <web-resource-collection>
      <web-resource-name>WebResource</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
      <role-name>DefaultSecurityRole</role-name>
    </auth-constraint>
  </security-constraint>
  <security-role>
    <role-name>DefaultSecurityRole</role-name>
  </security-role>
</web-app>

If you have an AuthenticatorServlet Class all you need is to add the Servlet Mapping in your web.xml file

e.g.

<servlet>
  <description>
  </description>
  <display-name>AuthenticatorServlet</display-name>
  <servlet-name>AuthenticatorServlet</servlet-name>
  <servlet-class>com.atosorigin.examples.AuthenticatorServlet</servlet-class>
</servlet>
<servlet-mapping>
  <servlet-name>AuthenticatorServlet</servlet-name>
  <url-pattern>/AuthenticatorServlet</url-pattern>
</servlet-mapping>

You can directly call the Servlet in your Browser by calling the URL provided in the url-pattern of your Servlet mapping ( in this case /AuthenticatorServlet). The engine will invoke the Class "com.atosorigin.examples.AuthenticatorServlet" in the background and do whatever you defined there!

I have also to pass my http header and the redirectUrl in the GET request.

If you like! I just suggested this for testing purposes. As I stated before you need a way to tell your proxy (or in your case AuthenticatorServlet) which user should be set when calling the Engine in order to authenticate using HTTP Header. You could use the URL Parameter to define the user you actually want to use when you set the Header Variable.

I just introduced the redirectURL because you were talking about redirects all the time. So if you finally want to call the Backend you could define the Backend URL in the redirectURL Parameter and the Servlet will make sure that you are redirected to this location after the whole process!

Thanks for your input, very helpful,

But again 0 points

Cheers

former_member698570
Active Participant
0 Kudos

Hey,

did you finally solve all issues?

Cheers

Former Member
0 Kudos

Hi Marcel,

no it's still not working. We are struggling with the SAP Logon Ticket, when I use your code as it is, I only get the Set-Cookie for JSESSIONID and for saplb_*. I see them with the fiddler tool but when I change the java code and output with strings, I see that I get the SAP Logon Ticket and that I have to add it by hand to my new http request. The redirect method seems not to pass the cookie along. With my client java application, I succeed to see the BSP/Web dynpro html code in the http body but when trying through a servlet the cookie seem not to be redirected automatically.

If you have an idea... I have activated http logs on my backend but the level is not detailed enough to see the headers parameters.

Best regards,

Tanguy

Former Member
0 Kudos

Hi Marcel,

I am calling the SAP Backend with <server>:<port> since the beginning... but after searching the web, I've read that the Java class HttpUrlConnection might be too basic and that it maybe doesn't forward cookie info when there is a redirection. I've then downloaded the Apache HttpClient and given it a try, and here's what I get. I still have the same answer from the SAP Backend but I get this error msg as well:


11-juil.-2008 11:51:41 org.apache.commons.httpclient.HttpMethodBase processCookieHeaders
ATTENTION: Cookie rejected: "$Version=0; MYSAPSSO2=AjExMDCIAAdkZWZhdWx0AQAJREVNT19NT1NTAgADMDAwAwADSkQyBAAMMjAwODA3MTExMDAwBQAEAAAACAoACURFTU9fTU9TU%2F8BBTCCAQEGCSqGSIb3DQEHAqCB8zCB8AIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHQMIHNAgEBMCIwHTEMMAoGA1UEAxMDSkQyMQ0wCwYDVQQLEwRKMkVFAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODA3MTExMDAwMTRaMCMGCSqGSIb3DQEJBDEWBBTjENJ!!WXQqzBk%2FFkDRHvKR2Wz7zAJBgcqhkjOOAQDBC8wLQIUYjTKrBUYQidt!QlXSxIkKE6recsCFQCM8AkLarqs%2FHFWh1wH0rRg3L63zA%3D%3D; $Path=/; $Domain=.atosorigin.com". Domain attribute ".atosorigin.com" violates RFC 2109: host minus domain may not contain any dots

Any idea?

Regards,

Tanguy

Edited by: Tanguy Mezzano on Jul 11, 2008 12:01 PM
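The cookie-domain behaviour behind the sniffer trace, the HttpClient RFC 2109 check quoted from the library source, Marcel's description of when a browser sends a cookie, and the "host minus domain may not contain any dots" rejection in the HttpClient log above, as an added Python example (not code from the thread, from SAP or from Apache HttpClient). It models both rule sets side by side: the strict RFC 2109 validation that Commons HttpClient applies when it receives a Set-Cookie, and the suffix match a browser applies when it decides whether to send a stored cookie to a host. The host names are the ones from the traces in the thread; the ticket value is a constructed placeholder, not a real MYSAPSSO2 ticket.

```python
from typing import Dict, Optional, Tuple


def parse_set_cookie(header_value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a Set-Cookie value into (name, value, attributes).
    Attribute names are lower-cased; attributes without '=' (e.g. HttpOnly) map to ''."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def rfc2109_accepts(host: str, domain: Optional[str]) -> Tuple[bool, str]:
    """Strict RFC 2109 validation of the Domain attribute, as Commons HttpClient 3.x
    applies it to a cookie received from `host`. Returns (accepted, reason) with the
    same reasons the library reports instead of throwing MalformedCookieException."""
    host = host.lower()
    if domain is None:
        return True, "no Domain attribute: host-only cookie"
    domain = domain.lower()
    if domain == host:
        return True, "Domain equals the originating host"
    if not domain.startswith("."):
        return False, "domain must start with a dot"
    dot = domain.find(".", 1)
    if dot < 0 or dot == len(domain) - 1:
        return False, "domain must contain an embedded dot"
    if not host.endswith(domain):
        return False, "illegal domain attribute for host %s" % host
    host_without_domain = host[: len(host) - len(domain)]
    if "." in host_without_domain:
        return False, "host minus domain may not contain any dots"
    return True, "accepted"


def browser_sends(request_host: str, cookie_domain: str) -> bool:
    """Domain match a browser uses: the cookie goes to the domain itself and to
    every host below it (a cookie for .company.com is sent to a.b.company.com)."""
    host = request_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def ticket_delivery(set_cookie: str, issuer_host: str, backend_host: str) -> Dict[str, object]:
    """Given the Set-Cookie issued by the J2EE engine (`issuer_host`), report whether an
    RFC 2109-strict client keeps the ticket at all and whether a browser that stored it
    would present it to `backend_host`."""
    name, _, attrs = parse_set_cookie(set_cookie)
    domain = attrs.get("domain") or issuer_host  # no attribute -> host-only cookie
    strict_ok, reason = rfc2109_accepts(issuer_host, attrs.get("domain"))
    browser_stores = browser_sends(issuer_host, domain)
    return {
        "cookie": name,
        "domain": domain,
        "httpclient_accepts": strict_ok,
        "httpclient_reason": reason,
        "browser_sends_to_backend": browser_stores and browser_sends(backend_host, domain),
    }


# Constructed inputs: the engine host and backend host from the traces in this thread,
# with the ticket value shortened to a placeholder. TICKET_AS_TRACED carries the domain
# seen in the trace; TICKET_RELAXED carries the domain expected after relaxation.
ISSUER = "j2ee.bbbb.company.com"
BACKEND = "backend.aaaa.company.com"
TICKET_AS_TRACED = "MYSAPSSO2=AjExMDAgAB...placeholder...;path=/;domain=.bbbb.company.com;HttpOnly"
TICKET_RELAXED = "MYSAPSSO2=AjExMDAgAB...placeholder...;path=/;domain=.company.com;HttpOnly"

if __name__ == "__main__":
    for label, cookie in (("as traced", TICKET_AS_TRACED), ("relaxed", TICKET_RELAXED)):
        print(label, ticket_delivery(cookie, ISSUER, BACKEND))
```

Run stand-alone, the first result shows the trace's situation: the ticket for .bbbb.company.com is perfectly valid, but no browser will present it to backend.aaaa.company.com, hence the 401. The second shows the relaxed domain .company.com: a browser stores it and sends it to the backend, while an RFC 2109-strict client such as Commons HttpClient rejects it at receipt with exactly the "host minus domain may not contain any dots" message from the log, because the issuing host has two labels in front of the domain. That is why a Java test client and a browser behave differently on the same Set-Cookie.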

former_member698570
Active Participant
0 Kudos

Hi,

I have implemented this solution.

What you absolutely need is an intermediary server that adds the appropriate header to the request (I used Apache).

In your case:

Client -> Intermediary Server (IIS) adds the Request Header (e.g. REMOTE_USER) -> SAP J2EE

On the SAP J2EE you can use any application, but since you want to redirect to an ABAP Stack or a BSP I suggest you create a custom application (all you need is a JSP that performs a redirect to a configurable resource, in your case your BSP on the ABAP Stack).

Here is a sample code for such a JSP:

<%@ page language="java" %>

<%

    String redirectURL = request.getParameter ("redirectURL");
    response.sendRedirect (redirectURL);
%>

This is all you need. You build an Enterprise Application using NWDS and deploy it to your J2EE Engine.

Let's assume the application is called SSOredirect then you can call it using the following URL

http://

See the following documentation to make this work:

http://help.sap.com/saphelp_nw70/helpdata/EN/68/5ddc40132a8531e10000000a1550b0/frameset.htm

As you already noticed, SAP suggests using mutual authentication to make this more secure, which means that your intermediary server uses SSL to communicate with the J2EE and performs Authentication using a client certificate (In this case you will have to use/add the ClientCertLoginModule to your logon stack and you will have to configure some more on your J2EE in order to make this work. For the beginning you should cope with the HeaderVariableLoginModule and make it work, and when it works start to make your scenario more secure.)

It's a matter of security but I guess you can use another module to achieve an additional amount of security. There is a module called IPHeaderVariableLoginModule provided by a guy called Jörg Wulftange who works for Platinion. It extends the SAP HeaderVariableLoginModule and uses an IP List to make sure that only configured Hosts are recognized within the module. In this scenario you would add the IP of your IIS to the IP List and only this host will be recognized when performing Authentication based on the Header Variable.

There is a useful document on the SDN that explains the Module and its usage:

See: https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/069eaf4b-0901-0010-6e89-d1fcceeb...

You can consider using this.

Now we come to your authentication to the ABAP Stack:

When Header Variable Login works all you have to do is adding the

CreateTicketLoginModule after the IPHeaderVariableLoginModule or HeaderVariableLoginModule in the JAAS Logon Stack of your SSOredirect Application

Your application will create a logon ticket (MYSAPSSO2 Cookie) that can be used to authenticate to your ABAP Backend (I assume you already configured your Backend to accept logon tickets and you added the J2EEs certificate to the Trust Store of your Backend using Transaction strustsso2)

That's all

Hope this helps

If you need additional help let me know (reward points for useful posts are always appreciated )

Cheers
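The two checks that sit around the redirect JSP above (and the equivalent SSOredirect servlet earlier in the thread), as an added Python example that is not the thread's JSP/servlet code nor SAP's or Platinion's login module: the engine side must only honour the header variable for requests that really come from the intermediary (the role the IPHeaderVariableLoginModule's IP list plays), and the redirect application must only follow a redirectURL that points at an allow-listed backend, otherwise the unchecked `response.sendRedirect(redirectURL)` is an open redirect that any link can drive. The proxy address 10.0.0.5, the user name DEMO_USER and the allow-list contents are constructed for the illustration; the backend host and BSP URL are the ones from the thread's traces.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Only the intermediary server (the IIS in this thread) may assert the header
# variable; the engine must ignore it from any other source. Constructed address.
TRUSTED_PROXY_IPS = {"10.0.0.5"}
HEADER_VARIABLE = "REMOTE_USER"
# Hosts the redirectURL parameter may point to. Constructed allow-list holding the
# backend host from the traces; everything else is refused.
ALLOWED_REDIRECT_HOSTS = {"backend.aaaa.company.com"}


def identify_user(headers: Dict[str, str], peer_ip: str) -> Optional[str]:
    """Return the user named in the header variable, but only for requests that
    arrive from a trusted intermediary; otherwise None (no login happens)."""
    if peer_ip not in TRUSTED_PROXY_IPS:
        return None
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    user = lowered.get(HEADER_VARIABLE.lower(), "").strip()
    return user or None


def safe_redirect_target(redirect_url: Optional[str]) -> Optional[str]:
    """Accept only absolute http(s) URLs whose host is allow-listed. Scheme-relative
    URLs (//host), userinfo tricks (host@other), unparsable input and unknown hosts
    all return None so the caller refuses the redirect."""
    if not redirect_url:
        return None
    redirect_url = redirect_url.strip()
    try:
        parts = urlsplit(redirect_url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https"):
        return None
    if parts.username is not None or parts.password is not None:
        return None
    host = parts.hostname  # already lower-cased, port stripped
    if host is None or host not in ALLOWED_REDIRECT_HOSTS:
        return None
    return redirect_url


def handle_sso_redirect(headers: Dict[str, str], peer_ip: str, query: Dict[str, str]) -> Dict[str, object]:
    """Decision for one request to the redirect application: who the user is, and
    where (if anywhere) the 302 may point."""
    user = identify_user(headers, peer_ip)
    if user is None:
        return {"status": 401, "reason": "header variable not trusted from %s" % peer_ip}
    target = safe_redirect_target(query.get("redirectURL"))
    if target is None:
        return {"status": 400, "reason": "redirectURL refused", "user": user}
    # Here the engine's logon stack would issue the MYSAPSSO2 ticket for `user`
    # (CreateTicketLoginModule) and the 302 carries it to the allow-listed host.
    return {"status": 302, "location": target, "user": user}


if __name__ == "__main__":
    bsp = "http://backend.aaaa.company.com:1080/sap/bc/bsp/sap/bspApplication.do?sap-client=211"
    print(handle_sso_redirect({"REMOTE_USER": "DEMO_USER"}, "10.0.0.5", {"redirectURL": bsp}))
    print(handle_sso_redirect({"REMOTE_USER": "DEMO_USER"}, "203.0.113.7", {"redirectURL": bsp}))
    print(handle_sso_redirect({"REMOTE_USER": "DEMO_USER"}, "10.0.0.5", {"redirectURL": "//evil.example/"}))
```

The allow-list is matched on the parsed host name rather than on a string prefix of the URL, which is what defeats `http://backend.aaaa.company.com@evil.example/` and scheme-relative `//evil.example/`; the IP check stands in for the login module's IP list and is the reason the header variable can be trusted at all, since any client can put a REMOTE_USER header into its own request.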

former_member698570
Active Participant
0 Kudos

Hey Tanguy,

did my post help or do you have further questions??

Former Member
0 Kudos

Hello Marcel,

yes, sorry! Your post did help me a lot, I was coming back to you. We are still doing a lot of tests, most of what you explained has been configured except the IP restriction module (we will configure this at the end to avoid any other new problems).

But I have 2 problems:

1) We have deployed a web dynpro on the Java Stack, it has its Security Provider configured with HttpHeader module. When I surf to that web dynpro (thus without adding a header), I am redirected to a BasicPassword Logon page what is normal and this works. But when I try to connect to the web dynpro url with a Java Application by adding an http header: myheader = myID I don't get anything back from the Java Stack. Maybe I am not writting correctly my Java application with http header...

2) When I deploy the redirect JSP on the Java stack, I have configured its Security Provider with httpheader but it doesn't seem to take effect as when I surf on the url, I get directly to the page...

I will definitely reward you with points,

Thanks a lot for your help,

Regards,

Tanguy

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

1) We have deployed a web dynpro on the Java Stack, it has its Security Provider configured with HttpHeader module. When I surf to that web dynpro (thus without adding a header), I am redirected to a BasicPassword Logon page what is normal and this works. But when I try to connect to the web dynpro url with a Java Application by adding an http header: myheader = myID I don't get anything back from the Java Stack. Maybe I am not writting correctly my Java application with http header...

Can you call any other webdynpro application using your Java Code? You should at least get some initial page and/or the 401 Return Code for Basic Authentication. Maybe you are being redirected and your Code does not follow redirects?? Try using a sniffer to sniff the communication or use Apache Jakarta Commons TCP Mon to see outgoing and incoming HTTP traffic. The tool serves as a proxy and you will configure it to connect to your backend while your JAVA Code does not create a connection to your backend but to TCPMon instead in order to see the communication!

=> see https://tcpmon.dev.java.net/

or http://ws.apache.org/commons/tcpmon/download.cgi

2) When I deploy the redirect JSP on the Java stack, I have configured its Sercurity Provider with httpheader but it doesn't seem to take effect as when I surf on the url, I get directly to the page...

make sure that you have configured the Security Constraints and the secured resources for your web application. If it does not contain any, the Logon Stack is not processed and you can access your application without authentication.

You have to make changes to your web-j2ee-engine.xml and web.xml (using NWDS) in order to achieve this.

Here are very basic samples for both files:

web-j2ee-engine.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-j2ee-engine SYSTEM "web-j2ee-engine.dtd">
<web-j2ee-engine>
	<security-role-map>
		<role-name>DefaultSecurityRole</role-name>
	</security-role-map>
	<login-module-configuration/>
</web-j2ee-engine>

web.xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
	<display-name>WEB APP</display-name>
	<description>WEB APP description</description>
	<welcome-file-list>
		<welcome-file>index.jsp</welcome-file>
	</welcome-file-list>
	<security-constraint>
		<display-name>My Test Web APP Protected Area</display-name>
		<web-resource-collection>
			<web-resource-name>WebResource</web-resource-name>
			<url-pattern>/*</url-pattern>
			<http-method>GET</http-method>
			<http-method>POST</http-method>
		</web-resource-collection>
		<auth-constraint>
			<role-name>DefaultSecurityRole</role-name>
		</auth-constraint>
	</security-constraint>
	<security-role>
		<role-name>DefaultSecurityRole</role-name>
	</security-role>
</web-app>

Hope this helps (You can reward points for every single useful answer )

Cheers

Former Member
0 Kudos

Hello,

well, I really have difficulties to set up that http header authentication. But you are of great help. I've added descriptors and yes only when they are configured will the jsp authentication work.

I have configured the auth. template stack as follows:

EvaluateTicket - Sufficient

HttpHeader - Optional

CreateTicket - Optional

BasicLoginPwd - Requisite

CreateTicket - Optional

I am now trying to test the http header with a java application, I am using HttpUrlConnection class but always get 401 error msg. I'm not sure of my code. I have added in the login module stack HttpHeader - Optional the variable: Header = myVar. Thus in my java code which is making the Http request call I have the line:

conn.addRequestProperty("myVar","userID");

Is this the right way to test Http Header Authentication?

Thx for your help,

Tanguy

former_member698570
Active Participant
0 Kudos

Hi,

I've not used this class yet but if it is intended to create a connection and perform a request then it looks alright. You should have a look at your dispatcher log on J2EE to see if your header is properly set and reaches the J2EE as intended:

It is located under:

/usr/sap/<SID>/JC<XX>/j2ee/cluster/dispatcher/log/services/http

Open the latest req_resp.X.trc file (All requests, responses and headers can be logged here so you can see if your request actually contains the header you are adding in your request!)

If you cannot see anything here you have to enable logging.

In this case start Visual Admin and call the HTTP Provider Service of your Dispatcher Node. In the Properties set the Property HttpTrace to enable (I think default is disable)

Everything should be logged now (Don't do this in production environment since it has an impact on performance)

If this works we have a look at your module stack (If your app does not work let me know. I can send you a sample code using Apache Commons HTTP Client!)

I have configured the auth. template stack as follows:

EvaluateTicket - Sufficient

HttpHeader - Optional

CreateTicket - Optional

BasicLoginPwd - Requisite

CreateTicket - Optional

I guess the JAAS Flag for the first occurrence of CreateTicket should be sufficient and not optional. Otherwise you will always run into BasicLogin even if HttpHeader and CreateTicket already succeeded. I think that is not what you want.

I guess that you are not sending any Basic Credentials from your java application and that is why you keep getting the 401 response (Authentication required)

Here is a helpful explanation of the JAAS Flags:

http://java.sun.com/j2se/1.4.2/docs/api/javax/security/auth/login/Configuration.html

Here is an extract:

3) Sufficient   - The LoginModule is not required to
			succeed.  If it does succeed, control immediately
			returns to the application (authentication does not
			proceed down the LoginModule list).
			If it fails, authentication continues down the
			LoginModule list.

4) Optional     - The LoginModule is not required to
			succeed.  If it succeeds or fails,
			authentication still continues to proceed down the
			LoginModule list.

The best way to see which modules in the stack are processed and if authentication succeeds is to increase the loglevel (severity) of some log locations:

Increase the following locations to all using log configurator service in visual admin (this works on the fly and there is no restart necessary)

- com.sap.security.server.jaas

- com.sap.engine.services.security

After increasing the severity check your security log under /usr/sap/<SID>/JC<XX>/j2ee/cluster/serverX/log/system in order to see how the modules in your stack are processed!

Hope this helps (Please reward points if helpful

Cheers
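To make the flag semantics above concrete, here is an added simulation of how a JAAS LoginContext walks a login module stack. It is not code from the thread or from SAP; it only models the REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL rules quoted from the Sun javadoc and replays Tanguy's posted stack once as posted (first CreateTicket OPTIONAL) and once with Marcel's change (first CreateTicket SUFFICIENT). The module names and the per-module outcomes are assumptions chosen to represent a request that carries the header variable but no ticket and no Basic credentials, and a browser that answers the Basic challenge.

```python
from enum import Enum


class Flag(Enum):
    """JAAS control flags as configured per module in the Visual Administrator stack."""
    REQUIRED = "required"
    REQUISITE = "requisite"
    SUFFICIENT = "sufficient"
    OPTIONAL = "optional"


def evaluate_stack(stack, outcomes):
    """Walk a stack the way javax.security.auth.login.LoginContext does.

    stack:    list of (module_name, Flag) in stack order
    outcomes: list of bools; outcomes[i] is what module i reports if it is invoked
    Returns (authenticated, names_of_modules_actually_invoked).
    """
    invoked = []
    required_ok = True     # no REQUIRED/REQUISITE module has failed so far
    saw_required = False   # the stack contains at least one REQUIRED/REQUISITE module
    any_success = False    # some SUFFICIENT/OPTIONAL module succeeded
    for (name, flag), ok in zip(stack, outcomes):
        invoked.append(name)
        if flag in (Flag.REQUIRED, Flag.REQUISITE):
            saw_required = True
            if not ok:
                required_ok = False
                if flag is Flag.REQUISITE:
                    break          # REQUISITE failure aborts the walk immediately
        elif flag is Flag.SUFFICIENT:
            if ok and required_ok:
                return True, invoked   # success short-circuits the rest of the stack
            any_success = any_success or ok
        else:                          # OPTIONAL is never decisive on its own
            any_success = any_success or ok
    if saw_required:
        return required_ok, invoked
    return any_success, invoked


def tanguy_stack():
    """The template stack as posted in the thread (first CreateTicket OPTIONAL)."""
    return [
        ("EvaluateTicketLoginModule", Flag.SUFFICIENT),
        ("HeaderVariableLoginModule", Flag.OPTIONAL),
        ("CreateTicketLoginModule", Flag.OPTIONAL),
        ("BasicPasswordLoginModule", Flag.REQUISITE),
        ("CreateTicketLoginModule", Flag.OPTIONAL),
    ]


def marcel_stack():
    """Same stack with the first CreateTicket switched to SUFFICIENT, as suggested."""
    stack = tanguy_stack()
    stack[2] = ("CreateTicketLoginModule", Flag.SUFFICIENT)
    return stack


# Constructed outcomes: header variable present, no MYSAPSSO2 ticket, no Basic credentials.
HEADER_ONLY = [False, True, True, False, True]
# Constructed outcomes: no header, no ticket, browser answers the Basic challenge.
BASIC_ONLY = [False, False, False, True, True]


if __name__ == "__main__":
    for label, stack in (("as posted", tanguy_stack()), ("first CreateTicket SUFFICIENT", marcel_stack())):
        print(label, "header only ->", evaluate_stack(stack, HEADER_ONLY))
        print(label, "basic only  ->", evaluate_stack(stack, BASIC_ONLY))
```

With the stack as posted, a request that only carries the header still reaches BasicPasswordLoginModule, whose REQUISITE failure ends the walk with a 401; with the first CreateTicket set to SUFFICIENT the walk returns right after the ticket is created, and the browser case behaves the same in both variants.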

Former Member
0 Kudos

Thx for the logging, it's wonderful, I'm getting this error:


{HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Upload Protected Area"

Do you have idea what is it related to?

Well, after updating the severity as you suggested to me, I see the server logs:


2. com.sap.security.core.server .jaas.HeaderVariableLoginModule            REQUISITE                                                Cannot load login module class.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false      false                 
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   SUFFICIENT  ok          true       true                  
5. com.sap.security.core.server.jaas.CreateTicketLoginModule               OPTIONAL    ok                     false                 
Central Checks                                                                                true                  #
#1.5 #000C299F469E007200000000000011180004512126039C3F#1215102720380#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleImpl#J2EE_ADM_JD2#41##n/a##8fa24ac0491d11ddb9c8000c299f469e#SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#all#
#1.5 #000C299F469E007200000001000011180004512126039D10#1215102720380#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_ADM_JD2#41##n/a##8fa24ac0491d11ddb9c8000c299f469e#SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleReference#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.OK#service.naming#jndi_get_initial_context#SAP-J2EE-Engine#all#
#1.5 #000C299F469E00720000000200001118000451212603A50F#1215102720380#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleImpl#J2EE_ADM_JD2#41##n/a##8fa24ac0491d11ddb9c8000c299f469e#SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleImpl#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#administrators#
#1.5 #000C299F469E00720000000300001118000451212603A5D0#1215102720380#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_ADM_JD2#41##n/a##8fa24ac0491d11ddb9c8000c299f469e#SAPEngine_Application_Thread[impl:3]_10##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleReference#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.OK#service.naming#jndi_all_operations#SAP-J2EE-Engine#administrators#
#1.5 #000C299F469E004E0000003200001118000451212604B4AD#1215102720442#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_ADM_JD2#41##n/a##612707d0491d11dd9c00000c299f469e#SAPEngine_Application_Thread[impl:3]_15##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleReference#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.OK#service.naming#jndi_get_initial_context#SAP-J2EE-Engine#all#
#1.5 #000C299F469E004E0000003300001118000451212604B5DD#1215102720442#/System/Security/Audit/J2EE##com.sap.engine.services.security.roles.SecurityRoleReference#J2EE_ADM_JD2#41##n/a##612707d0491d11dd9c00000c299f469e#SAPEngine_Application_Thread[impl:3]_15##0#0#Info#1#com.sap.engine.services.security.roles.SecurityRoleReference#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}] referencing J2EE security role [{3} : {4}].#5#ACCESS.OK#service.naming#jndi_all_operations#SAP-J2EE-Engine#administrators#

Finally I see that we are not far from the problem, how come the http header login module cannot load?

Without you I would have never found for sure ^^

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

Yes, logging is cool stuff

The 401 is the engine response code because you are running into BasicPasswordLogin again:

2. com.sap.security.core.server .jaas.HeaderVariableLoginModule            REQUISITE                                                Cannot load login module class.
3. com.sap.security.core.server.jaas.CreateTicketLoginModule               SUFFICIENT  ok          false      false
4. com.sap.engine.services.security.server.jaas.BasicPasswordLoginModule   SUFFICIENT  ok          true       true

HeaderVariable (2) and CreateTicket (3) fail so you run into Basic (4) and the engine sends a 401 indicating that authentication is required.

{HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Upload Protected Area"

The fact that your login module cannot load appears to me as follows:

Assuming that your Post does not contain any copy and paste errors I guess you have added the HeaderVariableLogin Module manually in security Provider / UserManagement / Manage Security Stores (Was the module not listed??)

com.sap.security.core.server .jaas.HeaderVariableLoginModule

having a closer look at your class there seems to be a space between server and .jaas

(This happens often when you type the classname yourself! It happened to me as well.)

Try correcting this by accessing Security Provider > Runtime > User Management

Click on Manage Security Stores (Switch to Edit Mode)

Unfortunately you cannot edit the Login Module and change the class name so remove the HeaderVariableLoginModule from the list and add it again. Make sure that the class name is correct (com.sap.security.core.server.jaas.HeaderVariableLoginModule) no spaces!!

This should help (Don't forget reward points for helpful answers )

Cheers

Former Member
0 Kudos

Hello Marcel,

Indeed, I found the error in the login module, there was a space inserted and it couldn't load the class. I am now able to authenticate with http header on a simple jsp which has been deployed on the Java Stack, I can see that SAP Logon Ticket has been created. Now I am trying to test the SSO on a backend BSP application. Backend system is configured to accept logon tickets (transaction RZ11) and has the certificate of the Java Stack (transaction strustsso2). I am now using the jsp application redirect but it doesn't seem to forward the SAP Logon ticket as I get for result an error page indicating that SSO is not possible:


SSO logon not possible; logon tickets not activated on the server 
 
 Choose "Logon" to continue A dialog box appears in which you can enter your user and password 
 
 No switch to HTTPS occurred, so it is not secure to send a password 
 

Is it because with the jsp I am not passing the sap logon ticket in the header?

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

SSO logon not possible; logon tickets not activated on the server

this looks more like login tickets are not being accepted by your server!

Which parameter did you set in rz11?

It should be

login/accept_sso2_ticket with value 1

Do you have that?

How did you verify that the Logon Ticket has been issued?

If you imported your engine certificate into SAP Backend using strustsso2 (certificate List and ACL) and you are sure that the Ticket is in your browser (Cookie MYSAPSSO2) all you have to do is call the Backend BSP manually using the same Browser Session. This way you can see if it works and if it does it will also work when redirecting from your JSP.

The redirect is followed by your browser and since the Cookie is stored in your browser it will also be sent to your backend

BUT: The cookie will only be sent to your backend if it has the same domain suffix as your engine. So make sure you call your hosts with their fully qualified name

e.g.

your engine host:

http://enginehost.domain.com/irj/portal, don't use http://enginehost/irj/portal

Backend

http://sapbackend.domain.com/sap/bc/....

otherwise it won't work (e.g. your backend uses domain2.com instead of domain.com)! To see if the Cookie is actually sent you can use Firebug or HttpFox. These are free extensions for Mozilla Firefox. You can install them and you will be able to see the HTTP Traffic without using any sniffers like Wireshark or tcpdump.

Cheers

Former Member
0 Kudos

Hello Marcel,

thx for your input, I am still trying to make this work. We're close to the goal:

I have checked configurations in RZ11 and STRUSTSSO2, and everything seems ok.

I copy/paste my dispatcher http log here under, we see that the http header parameter is passed, we see that I get http redirection request with the SAP Logon Ticket but finally we are not correctly redirected, it might be the last thing you explained about the domain suffix.

My engine host:

http://enginehost.aaaa.domain.com:50000

My backend:

http://sapbackend.bbbb.domain.com:1080


[1215681331821][Jul 10, 2008 11:15:31 AM ] - CLIENT: 34304, REQUEST: 
{GET /SSOredirect/SSOredirect.jsp?redirectURL=http%3A%2F%2Fsapbackend.bbbb.domain.com%3A1080%2Fsap%2F... HTTP/1.1
http_header: MYHEADER
User-Agent: Java/1.6.0_05
Host: enginehost.aaaa.domain.com:50000
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: keep-alive

}
[1215681331961][Jul 10, 2008 11:15:31 AM ] - CLIENT: 34304, REPLY: 
{HTTP/1.1 302 Found
Set-Cookie: MYSAPSSO2=AjExMDCIAAdkZWZhdWx0AQAJREVNT19NT1NTAgADMDAwAwADSkQyBAAMMjAwODA3MTAwOTE1BQAEAAAACAoACURFTU9fTU9TU%2F8BBDCCAQAGCSqGSIb3DQEHAqCB8jCB7wIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHPMIHMAgEBMCIwHTEMMAoGA1UEAxMDSkQyMQ0wCwYDVQQLEwRKMkVFAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODA3MTAwOTE1MzFaMCMGCSqGSIb3DQEJBDEWBBT%2FQM2W6CXJebxMK0E1pgU!nxmzCDAJBgcqhkjOOAQDBC4wLAIUSq4ZWgQlk66K73RVmMXTAW%2FeCxoCFAnJ8F0q!HwzmtqeWj2RdFYve3dA;path=/;domain=.aaaa.domain.com;HttpOnly
Set-Cookie: JSESSIONID=(J2EE7854200)ID0664447950DB00280758538171157282End; Version=1; Domain=.aaaa.domain.com; Path=/
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/
Server: SAP J2EE Engine/7.00
Content-Type: text/plain
Location: http://sapbackend.bbbb.domain.com:1080/sap/...
Content-Length: 0
Date: Thu, 10 Jul 2008 09:15:31 GMT

}
[1215681331961][Jul 10, 2008 11:15:31 AM ] - CLIENT: 34304, REPLY: 
{}

Where do you think the problem could come from?

Again, thanks for your help.

Regards,

Tanguy

former_member698570
Active Participant
0 Kudos

Hi Tanguy,

yes seems like we are really close.

Having a look at your dispatcher log it really seems like you are having problems with your domains but we can solve this:

You wrote that your backend is in domain

bbbb.domain.com

while your portal is in

aaaa.domain.com

and your cookie is issued for domain

.aaaa.domain.com

This means that this cookie will never be sent to your backend

You can configure your cookie domain by adjusting the relax domain in the UME Configuration

Have a look at this documentation under help.sap.com

http://help.sap.com/saphelp_nw70/helpdata/EN/5e/473d4124b08739e10000000a1550b0/frameset.htm

You have to achieve that your cookie will be issued to .domain.com so it will be sent to your backend as well.

- Start the Visual Admin

- Start the ConfigurationAdapter Service

- Navigate to "cluster_data" > "server" > "cfg" > "services" > "PropertySheet com.sap.security.core.ume.service" and adjust the value of the UME Parameter "ume.logon.security.relax_domain.level" (default is 1 and in your case it should be set to 2 because it relaxes counting the dots from left to right so sapbackend.bbbb. will be relaxed and domain.com remains)

- Save your changes

The cookie should now be issued to .domain.com

Another way to achieve this is to configure the cookie domain in your web-j2ee-engine.xml (You can find it in ConfigurationAdapter under "cluster_data" -> "server" -> "persistent" -> "servlet_jsp")

see http://help.sap.com/saphelp_nw70/helpdata/EN/4e/a4ff3040d9924fb87686612001d425/frameset.htm

Also see SAP Note (791765)

This could look something like that:

<cookie-config>
    <cookie>
        <type>SESSION</type>
        <domain>.domain.com</domain>
    </cookie>
    <cookie>
        <type>APPLICATION</type>
        <domain>.domain.com</domain>
    </cookie>
</cookie-config>

SAP Note 791765 describes where to put this in your web-j2ee-engine.xml

The first approach should fit your needs for now!

Hope this finally helps (Don't forget my points this time )

Cheers
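The domain problem Marcel describes can be checked mechanically from the dispatcher trace. The following is an added example, not code from the thread or from SAP: it parses the Set-Cookie lines of a shortened copy of Tanguy's trace (the ticket value is truncated and constructed here), applies the RFC 6265 domain-matching rule a browser uses to decide whether to replay a cookie, and computes the cookie domain the engine would issue for a given ume.logon.security.relax_domain.level. The relax-level rule (drop that many leading labels, then prefix a dot) is an assumption taken from Marcel's description of the parameter, not from SAP documentation.

```python
def parse_set_cookie(line):
    """Return (cookie_name, domain_or_None) from one 'Set-Cookie:' line of the dispatcher trace."""
    body = line.split(":", 1)[1].strip()
    parts = [p.strip() for p in body.split(";")]
    name = parts[0].split("=", 1)[0]
    domain = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        if key.strip().lower() == "domain":       # attribute names are case-insensitive
            domain = value.strip()
    return name, domain


def cookie_sent_to(cookie_domain, target_host):
    """RFC 6265 domain matching: the cookie is replayed to target_host if the host equals the
    cookie domain or ends with '.' + cookie domain (leading dot on the attribute is ignored)."""
    domain = cookie_domain.lower().lstrip(".")
    host = target_host.lower()
    return host == domain or host.endswith("." + domain)


def relaxed_cookie_domain(host, level):
    """Cookie domain issued for `host` at relax_domain.level = level.
    Assumption from the thread: level 1 on enginehost.aaaa.domain.com gives .aaaa.domain.com,
    level 2 gives .domain.com, i.e. `level` leading labels are dropped."""
    labels = host.lower().split(".")
    if level < 1:
        raise ValueError("this model only covers relax levels >= 1")
    if level > len(labels) - 2:
        raise ValueError("relaxing that far would issue the cookie to a public suffix")
    return "." + ".".join(labels[level:])


# Shortened copy of the thread's dispatcher trace; the MYSAPSSO2 value is truncated (constructed).
DISPATCHER_TRACE = """\
Set-Cookie: MYSAPSSO2=AjExMDCIAAdkZWZhdWx0AQAJ...;path=/;domain=.aaaa.domain.com;HttpOnly
Set-Cookie: JSESSIONID=(J2EE7854200)ID0664447950DB00280758538171157282End; Version=1; Domain=.aaaa.domain.com; Path=/
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/
"""


def check_trace(trace, backend_host):
    """For every Set-Cookie in the trace, say whether a browser would replay it to backend_host.
    A cookie without a Domain attribute is host-only and never goes to another host."""
    report = {}
    for line in trace.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, domain = parse_set_cookie(line)
        report[name] = cookie_sent_to(domain, backend_host) if domain else False
    return report


if __name__ == "__main__":
    backend = "sapbackend.bbbb.domain.com"
    print(check_trace(DISPATCHER_TRACE, backend))
    for level in (1, 2):
        d = relaxed_cookie_domain("enginehost.aaaa.domain.com", level)
        print(f"relax level {level}: cookie domain {d}, reaches backend: {cookie_sent_to(d, backend)}")
```

The caveat worth keeping in mind when relaxing to .domain.com: the logon ticket is then replayed to every host under domain.com, so any web server in that zone that an attacker controls or can inject content into receives a valid MYSAPSSO2 for the user. Relax only as far as the backends actually require, and keep the ticket on HTTPS.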

Former Member
0 Kudos

Hello Marcel,

I've done the change but it still doesn't work grr. In my java application which calls the jsp with http header, I realized that I am always getting a response in the console with this header and the html page of SAP that says:

SSO logon not possible; logon tickets not activated on the server

I have to correct also and say that it's a SAP Netweaver Java Stack 7.0 that issues the SAP Logon Ticket and that there are no SAP Portal installed on it.

Here follows the http header I get as response on my client machine


null : [HTTP/1.1 200 OK]
content-type : [text/html; charset=utf-8]
cache-control : [no-cache]
set-cookie : [sap-usercontext=sap-client=400; path=/]
content-length : [13096]
server : [SAP Web Application Server (1.0;700)]
pragma : [no-cache]

Here is the dispatcher log after restarting java stack and redoing the test (we can see that the MYSAPSSO2 ticket has the asked domain):


[1215695406114][Jul 10, 2008 3:10:06 PM  ] - CLIENT: 1024, REPLY: 
{HTTP/1.1 302 Found
Set-Cookie: MYSAPSSO2=AjExMDCIAAdkZWZhdWx0AQAJREVNT19NT1NTAgADMDAwAwADSkQyBAAMMjAwODA3MTAxMzEwBQAEAAAACAoACURFTU9fTU9TU%2F8BBTCCAQEGCSqGSIb3DQEHAqCB8zCB8AIBATELMAkGBSsOAwIaBQAwCwYJKoZIhvcNAQcBMYHQMIHNAgEBMCIwHTEMMAoGA1UEAxMDSkQyMQ0wCwYDVQQLEwRKMkVFAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0wODA3MTAxMzEwMDZaMCMGCSqGSIb3DQEJBDEWBBTOMz0pnQwNYObsQRl9A7P4fwRj!zAJBgcqhkjOOAQDBC8wLQIUdvNZbOJ8bMawUzPUTKt7OvVBTiwCFQCcrTj22hLz2dbtaGvKuByMP28mmA%3D%3D;path=/;domain=.domain.com;HttpOnly
Set-Cookie: JSESSIONID=(J2EE7854200)ID0437245150DB00271490616215334563End; Version=1; Domain=.aaaa.domain.com; Path=/
Set-Cookie: saplb_*=(J2EE7854200)7854250; Version=1; Path=/
Server: SAP J2EE Engine/7.00
Content-Type: text/plain
Location: http://sapbackend.bbbb.domain.com:1080/sap/...
Content-Length: 0
Date: Thu, 10 Jul 2008 13:10:06 GMT

}
[1215695406114][Jul 10, 2008 3:10:06 PM  ] - CLIENT: 1024, REPLY: 
{}

Former Member
0 Kudos

Maybe I should activate the http logs on my sapbackend system: icm/HTTP/logging_<xx> but I think it might have an impact on performance as that system is used by a lot of developers.

former_member698570
Active Participant
0 Kudos

Hi again,

if the client response you posted is the one returned by your backend this one is not interesting. Can you post the response that reached the client when accessing the SAP J2EE? Just to make sure that the response seen on the client matches the one logged on the dispatcher.

Do you have more than 1 application server on your backend?

Cheers

Former Member
0 Kudos

Hi again Marcel, thanks for helping me really

The answer I get back from my Java Application on my client when calling the JSP SSORedirect is as follows:


null : [HTTP/1.1 200 OK]
content-type : [text/html; charset=utf-8]
cache-control : [no-cache]
set-cookie : [sap-usercontext=sap-client=400; path=/]
content-length : [13096]
server : [SAP Web Application Server (1.0;700)]
pragma : [no-cache]

Here is the html code saying that: SSO logon not possible; logon tickets not activated on the server

Should I normally see the 302 http reply?

And yes we have several Backends,

Regards,

Tanguy

former_member698570
Active Participant
0 Kudos

Hi,

this is the reply you are getting from your Backend. Otherwise the Server Header should contain

SAP J2EE Engine/7.00

instead of

[SAP Web Application Server (1.0;700)]

as you can see in your dispatcher log. This is already the response you are getting from your backend after being redirected to

http://sapbackend.bbbb.domain.com:1080/sap/...

by the redirect application. Can you see the 302 response in your client before actually following it?

(see dispatcher log)

Nevermind:

If you have more than one backend make sure that all application servers accept the logon tickets. If you activated this only in one profile (INSTANCE Profile) and you are using the message server port to access the backend you are probably accessing one server with the parameter not active??

Try the following:

After calling the J2EE that issues the logon ticket for .domain.com as you can see in the dispatcher log try to directly access (server http port, not message server port) any resource in the application server of which you know the parameter login/accept_sso2_ticket is set to 1. Just type the url and access any BSP on your WebAS that normally would ask for authentication and see what you get here

Cheers
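Marcel's point, that the 302 with the ticket cookie is only visible if the client does not follow the redirect, and his earlier advice to trust the header variable only from the IIS address, can both be exercised offline. What follows is an added example, not code from the thread, from SAP or from Platinion: a toy HTTP server stands in for the SSOredirect application (it answers 302 plus a placeholder MYSAPSSO2 cookie when the header arrives from an allow-listed address, and a 401 Basic challenge otherwise), and a small http.client caller, which unlike HttpURLConnection never follows redirects, shows what Tanguy's Java client would have seen before the redirect. The header name myVar comes from the thread; the backend URL, the allow-list and the user id are assumptions.

```python
import http.client
import http.server
import threading
import urllib.parse
from http import HTTPStatus

HEADER_NAME = "myVar"   # header variable name from the thread's HeaderVariableLoginModule config
# Hypothetical backend URL: never contacted here, it only appears in the Location header.
BACKEND_URL = "http://sapbackend.bbbb.domain.com:1080/sap/bc/bsp/sap/example/default.htm"


class SsoRedirectHandler(http.server.BaseHTTPRequestHandler):
    """Toy stand-in for the SSOredirect application: the header is trusted only from an
    allow-listed source address (the IPHeaderVariableLoginModule idea)."""

    trusted_proxies = {"127.0.0.1"}   # put the IIS address here in a real deployment

    def do_GET(self):
        user = self.headers.get(HEADER_NAME)
        if user and self.client_address[0] in self.trusted_proxies:
            self.send_response(HTTPStatus.FOUND)
            # Placeholder ticket; a real MYSAPSSO2 is a signed, base64-encoded logon ticket.
            self.send_header("Set-Cookie",
                             f"MYSAPSSO2=ticket-for-{user}; Path=/; Domain=.domain.com; HttpOnly")
            self.send_header("Location", BACKEND_URL)
        else:
            # Header missing or sent by a host that is not the trusted proxy: fall back to Basic.
            self.send_response(HTTPStatus.UNAUTHORIZED)
            self.send_header("WWW-Authenticate", 'Basic realm="Upload Protected Area"')
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        pass   # keep the demo quiet


def call_sso_redirect(port, header_value=None):
    """One GET against the toy server; http.client returns the 302 instead of following it."""
    headers = {HEADER_NAME: header_value} if header_value else {}
    path = "/SSOredirect/SSOredirect.jsp?redirectURL=" + urllib.parse.quote(BACKEND_URL, safe="")
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    try:
        conn.request("GET", path, headers=headers)
        resp = conn.getresponse()
        resp.read()
        return {
            "status": resp.status,
            "location": resp.getheader("Location"),
            "set_cookie": resp.getheader("Set-Cookie"),
            "www_authenticate": resp.getheader("WWW-Authenticate"),
        }
    finally:
        conn.close()


def run_demo():
    """Start the toy server on a free port, run three requests, return what the client saw."""
    server = http.server.HTTPServer(("127.0.0.1", 0), SsoRedirectHandler)
    port = server.server_address[1]
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        results = {
            "no_header": call_sso_redirect(port),
            "trusted_with_header": call_sso_redirect(port, "sharepointuser"),
        }
        # Same header, but 127.0.0.1 is no longer allow-listed: a spoofed header must be ignored.
        SsoRedirectHandler.trusted_proxies = {"192.0.2.10"}
        results["untrusted_with_header"] = call_sso_redirect(port, "sharepointuser")
    finally:
        SsoRedirectHandler.trusted_proxies = {"127.0.0.1"}
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, seen in run_demo().items():
        print(name, seen)
```

The third request is the reason the IP restriction matters with the header method: the header variable is plain text chosen by whoever sends the request, so any client that can reach the Java stack directly and set myVar obtains a logon ticket for an arbitrary user unless the engine only honours the header from the IIS that performed the real authentication (and, as SAP recommends, that hop is protected by SSL).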

Former Member
0 Kudos

Maybe this can give you a little idea

http://office.microsoft.com/download/afile.aspx?AssetID=AM102437461033

Go to the application definition....for SAP reference.

And this is for SAP SSO

http://help.sap.com/saphelp_nw04s/helpdata/en/d0/a3d940c2653126e10000000a1550b0/frameset.htm

Former Member
0 Kudos

Hello Deepak,

thanks a lot for your answer! but I already knew these links.

But by reading them again, I can focus more my questions now, thanks:

I would like to understand more the Http Header SSO method:

When a sharepoint user access for the first time a Web Part that integrates a BSP application or Web Dynpro application, what kind of request should the Web Part do?

As it is the first time the user accesses that external system, it has to authenticate itself through the JAVA Stack which has configured that BSP or WDP application to use Http Header module authentication. How does this work? The Web Part calls the BSP/WDP url, and is it the SAP dispatcher that redirects the http request to the java stack automatically or is there some programming involved?

How can I add BSP or WDP applications to the list of applications in the Visual Administrator to configure them with authentication?

Thanks in advance for your help!

Tanguy Mezzano

Former Member
0 Kudos

Hi

Maybe this can clear some of your ideas!!!

http://hosteddocs.ittoolbox.com/MicrosoftSAP100307.pdf