Single Sign On to BSP pages
With the new NetWeaver SSO 2.0 it is now possible to configure the ABAP stack to support SPNego, so the workaround outlined in this blog is no longer required. If you want more information, please visit http://scn.sap.com/community/netweaver-sso and look at the videos here: http://scn.sap.com/docs/DOC-40178
Single Sign On (SSO) to (BSP-) pages on an ABAP server cannot be achieved easily. One way to access these pages via SSO is to use X.509 certificates. Unfortunately this is often not possible, or is complicated.
In the following steps I want to outline how this can also be done using a SPNego-configured J2EE Engine as a “gateway”.
Unlike the idea described in this blog, all the links to BSP pages that you might have already sent out to your users do not have to be changed. The ABAP system itself will make sure that the user is authenticated automatically.
Let’s start with a BSP page that you have on your ABAP system:
Right now when you call this page, you are prompted to enter a username and password:
Only then can you see the content:
In order to get SSO to this BSP we are going to use SPNego, which has to be configured on a J2EE Engine “somewhere” in your network. To do that, just follow the SPNego Wizard. Then make sure that you enable a trust between the J2EE Engine and the ABAP system (just import the J2EE certificate via STRUSTSSO2 on the ABAP side; see help.sap.com).
Now we come to the first important part: deploy a custom JSP on the J2EE Engine. I will use a new “redirect application” which contains this JSP (I like to have an extra application so that I can enable SPNego only/especially for this). This application is almost the same as mentioned and explained in this blog. The main difference is the JSP page main.jsp:
(you don’t have to use this redirectApplication: if your J2EE Engine is already configured for SPNego and you have for example assigned the SPNego Template already to the Ticket component, then you can put this JSP file directly on the filesystem. You could for example place it in the irj folder in a portal that is already configured for SPNego)
The IUser user lines are required to make sure that even if the location on the server (e.g. /irj/…) does not require authorization, the page still forces the user to authenticate and obtain a SAPLogonTicket.
Then assign the SPNego template to the RedirectApp Application…
…and assign the Group “Everyone” to the DefaultSecurityRole of the RedirectApp.
Now the redirect application uses SPNego to authenticate any calls. That’s it on the J2EE side.
Let’s take a look at the ABAP side. Go to transaction SICF and search for the BSP file we want to access via SSO:
Double click on zsso2bsp:
On the Error Page tab enter “2” for the status (which means “this page has moved temporarily/permanently”, HTTP error code 307), paste the following redirect URL:
and select “Form Fields (Text form)”
(Again a comment when using an already configured “SPNego-Portal”: the URL would be something like http://j2ee-server:50000/irj/main.jsp?PROT=HTTP&BACK2HOST=ABAP-SERVER:8000&TO=<%=PATHTRANS%> )
In this rather long URL we pass several parameters to the JSP page:
PROT: this is the protocol used for calling the BSP. I found it easier to pass this independently from “BACK2HOST”, since otherwise I would have to urlencode “:” and “/”.
BACK2HOST: this is the hostname of the BSP.
TO: this is the path to the BSP (available in the ABAP variable PATHTRANS).
In addition, by selecting “Form Fields (Text Form)” we get all the additional parameters that might have been sent when the BSP was called, in the sap-ffield. So in this example: sap-client=400&dummy=123
We use these parameters in the JSP to compile a new URL
String newURL = prot + "://" + backToHost + to + "?" + sapField;
that we then use to redirect back to the calling ABAP server:
(to be honest, I tried to get all this information from the default header variables like “referer” in the HTTP stream and set it automatically on the JSP, but I was not able to do that…)
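The URL assembly above is the security-relevant part of the gateway: PROT, BACK2HOST, TO and the form fields all arrive as request parameters from the browser, and whatever the JSP builds from them is where the J2EE Engine sends the browser after it has issued the logon ticket. The following class is an added example, not the blog's main.jsp, that performs the same concatenation with the checks a redirect endpoint needs: an allow-list of ABAP hosts (the entries are constructed), a path check on TO, and a parse of the result to confirm the authority is still the allow-listed host. The parameter names are the ones the post uses; the sample inputs in main() are constructed. The forced logon (the IUser lines the post mentions) is left to the JSP and not shown here.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

/*
 * Added example, not the blog's main.jsp: builds
 * prot + "://" + backToHost + to + "?" + sapField, but only after validating
 * each browser-supplied parameter. Allow-list entries are constructed values.
 */
public final class BackToAbapRedirect {

    /* host:port values this gateway may send a browser back to (constructed). */
    static final Set<String> ALLOWED_BACK_HOSTS = Collections.unmodifiableSet(
            new HashSet<String>(Arrays.asList("abap-server:8000", "abap-server:8443")));

    /*
     * Returns the redirect target, or null if any input fails validation.
     *   prot       PROT parameter: "http" or "https"
     *   backToHost BACK2HOST parameter: host:port of the ABAP server
     *   to         TO parameter: the SICF path (PATHTRANS on the ABAP side)
     *   sapField   the form fields SICF appends, e.g. sap-client=400&dummy=123
     */
    public static String buildRedirectUrl(String prot, String backToHost, String to, String sapField) {
        if (prot == null || backToHost == null || to == null) {
            return null;
        }
        // Only the two schemes a BSP can be served over.
        if (!prot.equals("http") && !prot.equals("https")) {
            return null;
        }
        // Never redirect to a host the browser chose for us.
        if (!ALLOWED_BACK_HOSTS.contains(backToHost.toLowerCase())) {
            return null;
        }
        // TO must be a plain absolute path: not "//other-host" (which would replace
        // the authority), not a scheme, and with no query or fragment of its own.
        if (!to.startsWith("/") || to.startsWith("//") || to.indexOf('?') >= 0
                || to.indexOf('#') >= 0 || to.indexOf('\\') >= 0) {
            return null;
        }
        // The form fields are appended verbatim, so they may not smuggle a fragment.
        if (sapField != null && sapField.indexOf('#') >= 0) {
            return null;
        }

        String newURL = prot + "://" + backToHost + to;
        if (sapField != null && sapField.length() > 0) {
            newURL = newURL + "?" + sapField;
        }

        // Parse the result and confirm the authority is still the allow-listed host.
        try {
            URI parsed = new URI(newURL);
            if (!backToHost.equalsIgnoreCase(parsed.getRawAuthority())) {
                return null;
            }
        } catch (URISyntaxException e) {
            return null; // malformed characters in TO or the form fields
        }
        return newURL;
    }

    /* Usage inside main.jsp, after the forced logon (hypothetical snippet):
     *   String target = BackToAbapRedirect.buildRedirectUrl(
     *       request.getParameter("PROT"), request.getParameter("BACK2HOST"),
     *       request.getParameter("TO"), request.getParameter("sap-ffield"));
     *   if (target == null) { response.sendError(400); return; }
     *   response.sendRedirect(target);
     */
    public static void main(String[] args) {
        // Constructed sample inputs; the BSP path is a placeholder, not from the post.
        String ok = buildRedirectUrl("http", "abap-server:8000",
                "/sap/bc/bsp/sap/zsso2bsp/default.htm", "sap-client=400&dummy=123");
        String badHost = buildRedirectUrl("http", "other-host.example",
                "/sap/bc/bsp/sap/zsso2bsp/default.htm", null);
        String badPath = buildRedirectUrl("https", "abap-server:8443",
                "//other-host.example/x", null);
        System.out.println("ok      -> " + ok);      // full URL back to the ABAP server
        System.out.println("badHost -> " + badHost); // null: host not allow-listed
        System.out.println("badPath -> " + badPath); // null: TO would change the authority
    }
}
```

Rejecting with a 400 rather than falling back to a default target keeps the gateway from becoming a generic redirector: the logon ticket the J2EE Engine has just issued is still only sent to the ABAP hosts you listed.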
We are done! Now call the BSP page again:
Everything looks fine now. The page was displayed without any userinput.
As a final step, let's take a closer look at what just happened. I use HTTPWatch for this.
Here we call the BSP page. Since we configured it to respond with a “Moved temporarily/permanently” in case of any error, the ABAP server returns a 307 and redirects the request to
Now we are on the J2EE Engine. Of course we are not authenticated here either. But since we have configured SPNego, the J2EE Engine returns error code 401 with WWW-Authenticate: Negotiate, which asks the client for authentication.
The client returns a Kerberos token (YIIE8Q…), and the J2EE Engine sets a MYSAPSSO2 cookie and executes the JSP page. In the last step of the JSP page we perform a response.sendRedirect(newURL); which returns us to the originally called URL of the BSP page (here you might encounter issues when the J2EE Engine and the ABAP system are not in the same domain, since cookies are not sent across domains without additional configuration).
We are back on the ABAP system. This time we have a MYSAPSSO2 cookie, and since the ABAP system trusts the J2EE Engine we are logged on. We get a “session key” (…/sap(bD1kZSZjPTQwMA==)/bc/…) and are directed to the final target.
Now we get an HTTP Return Code 200, meaning that everything is fine. In the next steps already cached content is loaded and the BSP page is displayed.
That’s it! As you can see the idea is pretty simple and the content of the JSP is also very simple. You can extend the JSP (for example if you are running a dual stack installation where ABAP and Java are on the same server you can remove quite a lot of parameters that are passed) — so there is a lot of room to improve.
If you want to take a deeper look, please also visit the following blogs:
For Configuring SPNego:
Configuring and troubleshooting SPNego — Part 1
Configuring and troubleshooting SPNego — Part 2
Configuring and troubleshooting SPNego — Part 3
Configuring SPNego with ABAP datasource
Configuring SPNego with ABAP datasource — Part 2
For the general redirect idea:
Single Sign On to BSP pages from Duet's Action Pane