Using Preview URLs to Launch EP iViews … Why It’s A Bad Idea
I have been writing a series of (very occasional) blogs about configuration issues which can cause lots of headaches for portal administrators and result in many support messages reaching SAP unnecessarily, based on my experience supporting the Enterprise Portal (the blogs are tagged as ‘ep-support’). These configuration issues can often be the hardest to spot, which can result in long-running messages which of course nobody wants to see.
In this blog I want to talk about the use of preview URLs to call iViews, often from custom applications. By preview URLs I mean a URL like:
It’s easy to get a URL like this, by simply previewing the iView from the portal content catalog – you can then copy the URL from the browser address bar. However, I don’t recommend you use such URLs! I’ve seen several issues with this approach recently.
Another example of issues with this approach is with launching transaction iViews. As a background, a recent security change to protect agains Cross-Site Request Forgery (XSRF) attacks on the ITS side requires that session termination notifications are sent by the portal to the backend between each start of an ITS service (even if the same service is restarted by clicking on the same navigation node again in the portal) – for further details you can refer to Note 1481392 ‘Cross Site Request Forgery Protection for ITS’. If that doesn’t happen, the ITS throws the dreaded ‘A:ITS_P:019 XSRF no sec_sesstoken’ error. You can refer to KBA 1697470 ”XSRF no sec_sesstoken’ error for ITS-based iViews in the Enterprise Portal’ for some known reasons for this error to occur, but a category of issues which can be hard to identify is caused precisely by calling the appintegrator in a non-standard way, without a navigation. I’ve encountered several cases where portal administrators used custom components to launch the application integrator, and either used preview URLs or direct URLs to the com.sap.portal.appintegrator.sap.Transaction component. The portal session release agent is triggered by a navigation – it listens for navigation events – but not by – for example – reloading an iFrame with an iView in preview mode as its content. So, this results in no session termination notification being sent to the ITS between application starts, and the mentioned error being returned by the ITS.
My short tip is: avoid using preview URLs or direct URLs to portal components unless you have a (very) good reason to do so. There is a lot of client-side handling triggered by navigation events, and its best not to bypass it. In general, the best way to launch an iView is to create a navigation to it, either by using the NavigationTarget syntax or the Navigation Client-Side API.