
Resolving SAPUI5 to SAP Gateway cross site scripting (HTTP 101) challenges with SAP webdispatcher

I have been involved in a few SAPUI5 projects that connected to the backend (mainly to SAP ERP) via SAP Gateway. As long as the SAPUI5 runtime resides on the SAP Gateway server this works seamlessly. However, once one separates them, e.g. to use the SAPUI5 Java runtime on a SAP PO J2EE server, cross site scripting issues tend to occur, because the browser then treats calls from the UI5 application to the Gateway as cross-origin requests.

While one could resolve these issues with reverse proxies in software, e.g. Apache, or in hardware, e.g. F5 BIG-IP (I have seen both examples working), an alternative solution that is much easier to configure is to use SAP webdispatcher.

Since release 7.20, SAP webdispatcher can be configured to connect to multiple back-ends and, in the case of SAP back-ends, reads their configuration from the respective message servers as usual, thereby avoiding the sometimes complex rule definitions needed for other reverse proxy configurations.

And that is how simple it is:

  • Say the SAP Gateway server, with SID G11, has its message server listening on port 8100.
  • And the SAPUI5 server, with SID J11, has its message server listening on port 8101.
  • While the SAP webdispatcher is listening on port 80.

Then the only configuration one will have to add to the SAP webdispatcher profile would be:

wdisp/system_conflict_resolution = 1

# to choose rule one over rule two to avoid ambiguities

wdisp/system_0 = SID=G11, MSPORT=8100, SRCURL=/sap/

# to redirect requests starting with /sap/ to the gateway server

wdisp/system_1 = SID=J11, MSPORT=8101, SRCURL=/

# to redirect requests not starting with /sap/, i.e. UI5 requests, to the UI5 server

Please comment out the original profile settings for the single system connection. As a result you will see both systems in the SAP Web Administration Interface of SAP webdispatcher as well.

Finally, in the code, one would replace any direct reference to either the SAP Gateway server with its port or the SAPUI5 server with its port with the SAP webdispatcher host, where you could omit the port in case of port 80.

And that would be it. No more 101s.
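
The effect of the two rules and of the reference replacement, as an added example that is not part of the original post: it rewrites direct back-end references to the webdispatcher origin, checks whether page and OData service then share one origin, and shows which SID each request would be routed to. All hostnames, the back-end HTTP ports, the application path and the service name ZDEMO_SRV are constructed placeholders.

```javascript
// Added example: hostnames, HTTP ports and paths are constructed placeholders.
const DISPATCHER = "http://wd.example.com";        // port 80, so the port is omitted
const BACKENDS = ["http://gw.example.com:8000",     // assumed SAP Gateway HTTP endpoint
                  "http://ui5.example.com:50000"];  // assumed SAPUI5 (J2EE) HTTP endpoint

// Mirrors the profile: rules are tried in order, the first matching SRCURL prefix wins.
const RULES = [{ sid: "G11", srcurl: "/sap/" },
               { sid: "J11", srcurl: "/" }];

// Same origin means identical scheme, host and port; URL.origin drops default ports.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Replace a direct back-end reference with the dispatcher origin, keeping path and query.
function viaDispatcher(url) {
  const u = new URL(url);
  if (!BACKENDS.some((b) => new URL(b).origin === u.origin)) return url; // foreign host
  return new URL(u.pathname + u.search, DISPATCHER).href;
}

// SID of the system a request path is handed to under the two rules.
function routedSid(url) {
  const path = new URL(url).pathname;
  const rule = RULES.find((r) => path.startsWith(r.srcurl));
  return rule ? rule.sid : null;
}

// Compare the origin situation before and after routing everything via the dispatcher.
function audit(pageUrl, serviceUrl) {
  const page = viaDispatcher(pageUrl);
  const service = viaDispatcher(serviceUrl);
  return {
    before: sameOrigin(pageUrl, serviceUrl), // false: browser blocks the call
    after: sameOrigin(page, service),        // true: one origin for UI and OData
    page, service,
    pageSid: routedSid(page),
    serviceSid: routedSid(service),
  };
}

const result = audit(
  "http://ui5.example.com:50000/myapp/index.html",
  "http://gw.example.com:8000/sap/opu/odata/sap/ZDEMO_SRV/Orders?$top=5");
console.log(result);
```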
  • Thanks Frank,

    I was facing the same issue, but still one concern: would it solve the packaged (hwc) sapui5 app issue also? Please share your input on this as well. However I am trying the same.

    Warm Regards


      • Hi Frank,

        Sure, I have deployed the UI5 app on the ECC Application Server, and it is working fine. But now I want to package the UI5 app with PhoneGap in Android ADT. This UI5 app consumes OData services from the ECC back end. So when I try to call my exposed OData service it leads to a CORS issue, but when I consume sample OData ““, it yields the results as expected.


        Warm Regards


        • Hello Hemendra,

          in an SAP environment I would prefer Cordova with the SAP Kapsel plug-in over PhoneGap. If you then route your OData services via SMP, there should be no Cross-Site-Scripting issues.

          Best regards


          • Hi Frank,

            In that case the client has to buy the SMP licenses, so some of the clients are not willing to put money into SMP licenses. However, I know that technically and functionally, the suggested combination is the preferred one.


            Warm Regards