Learn more detail about Standard logon procedure
The motivation for this document: while dealing with an HTTP 401 Unauthorized error (details explained in this document), I wanted to learn more about the SAP standard logon procedure.
Use tcode SICF, navigate to the ICF node and press F1 on the Procedure field to find the documentation for the Standard Logon Sequence.
The sequence of logon checks in the standard logon procedure is defined in SAP help:
- Logon using HTTP fields
- Logon with SSL certificates
- Logon using SAP Logon Ticket (‘SSO’)
- HTTP Basic Authentication
- Logon using SAP user password (SAP RFC logon)
- Logon using SAML
- Logon using user data stored in the service
So I would like to play around with this logon order.
Case 1: Directly open WSDL URL in browser
The WSDL URL is: http://<XXXX>:50078/sap/bc/srt/wsdl/flv_10002A111AD1/bndg_url/sap/bc/srt/rfc/sap/zws_add/506/zjerry1/jerry1?sap-client=506
After I pasted it into the browser address bar and pressed Enter, I could see the expected WSDL content. However, I observed an HTTP 307 redirect in HTTP watch, and the final URL in the browser was also automatically changed to https.
This redirect behavior is defined by a parameter which can be found in tcode SMICM, or in RZ11 using the parameter name icm/HTTP/redirect_0:
In this case, I didn’t specify any user and password, but I could still get the WSDL content. According to SAP help: “Logon using SAP Logon Ticket (MYSAPSSO2 cookie field). If no logon data is transferred as form fields or header fields, the system then tries to log on using a logon ticket. To enable this, the cookie field MYSAPSSO2 must be set.”
I could observe this logon ticket usage on the client side via HTTP watch:
If I disable my certificate in the browser settings via “Tools->Internet Settings->Content->Certificates” and then relaunch the WSDL URL in the browser:
This time I observed a 401 Unauthorized error in HTTP watch, accompanied by a popup window asking for user and password.
After I input my user and password, I could see the WSDL content (HTTP response code: 200).
This time I could see that the authorization method changed to “Basic d2FuZ2plcjpTYXAxMjM0NQ==”.
The string “d2FuZ2plcjpTYXAxMjM0NQ==” is the Base64 encoding of the user name and password I entered, concatenated with “:”:
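Because the Basic value is only Base64, anyone who sees the header can read the credentials, and both it and the MYSAPSSO2 cookie travel unprotected on any request sent over plain http. The following is an added example, not code from the original post, that audits captured request headers for this; the host name and ticket value are constructed placeholders, and the Basic value is the one quoted above.

```python
import base64
from urllib.parse import urlsplit


def decode_basic(authorization):
    """Return (user, password) from a 'Basic <base64>' header value, else None."""
    scheme, _, token = authorization.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    user, sep, password = raw.partition(":")  # only the first ':' separates
    return (user, password) if sep else None


def audit_request(url, headers):
    """Report which logon material a captured request carries, and over what."""
    transport = "tls" if urlsplit(url).scheme.lower() == "https" else "cleartext"
    fields = {name.lower(): value for name, value in headers.items()}
    findings = []
    cookie_names = {c.split("=", 1)[0].strip() for c in fields.get("cookie", "").split(";")}
    if "MYSAPSSO2" in cookie_names:  # ticket comes before Basic in the sequence
        findings.append(("logon-ticket", transport))
    creds = decode_basic(fields.get("authorization", ""))
    if creds:
        findings.append(("basic:" + creds[0], transport))  # report the user only
    return findings


# Constructed captures modelled on Case 1; host and ticket value are placeholders.
BASIC = "Basic d2FuZ2plcjpTYXAxMjM0NQ=="  # header value quoted in the post
CAPTURES = [
    ("http://sap.example:50078/sap/bc/srt/wsdl/", {"Cookie": "MYSAPSSO2=CONSTRUCTED_TICKET"}),
    ("http://sap.example:50078/sap/bc/srt/wsdl/", {"Authorization": BASIC}),
    ("https://sap.example:50078/sap/bc/srt/wsdl/", {"Authorization": BASIC}),
]

if __name__ == "__main__":
    print(decode_basic(BASIC))
    for url, headers in CAPTURES:
        print(url, audit_request(url, headers))
```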
Case 2: Access WSDL via cl_http_client by code
The following scenarios access an external WSDL URL via ABAP code. Some of them might not be suitable for productive use and serve only for study and verification purposes.
Variant a: no credentials specified in code
Execute the following small piece of code:
DATA: lo_http_client TYPE REF TO if_http_client,
      lv_status      TYPE i,
      lv_sysubrc     TYPE sysubrc,
      lv_url         TYPE string.

lv_url = 'http://<XXXX>:50056/sap/bc/srt/wsdl/flv_10002A111AD1/bndg_url/sap/bc/srt/rfc/sap/zweb_add/001/zweb_add/add?sap-client=001'.

" Create the HTTP client from the URL; no credentials are supplied.
CALL METHOD cl_http_client=>create_by_url
  EXPORTING
    url                = lv_url
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4.
ASSERT sy-subrc = 0.

lo_http_client->request->set_method( if_http_request=>co_request_method_get ).

" Send the GET request.
CALL METHOD lo_http_client->send
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3.
ASSERT sy-subrc = 0.

" Receive the response and report a communication error, if any.
CALL METHOD lo_http_client->receive
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3.
IF sy-subrc <> 0.
  CALL METHOD lo_http_client->get_last_error
    IMPORTING
      code    = lv_sysubrc
      message = DATA(ev_message).
  WRITE: / lv_sysubrc, 'error message:', ev_message COLOR COL_NEGATIVE.
  RETURN.
ENDIF.
WRITE: / 'WSDL got successful' COLOR COL_POSITIVE.
Once executed, the expected popup window appears since I didn’t specify any credentials in the code:
After I input the correct user and password, the code could successfully return the WSDL.
Variant b: disable the popup in code
The popup can be suppressed with the line lo_http_client->propertytype_logon_popup = if_http_client=>co_disabled. This new line must be added before the send method is called.
Execution result: no popup window, and the call of lo_http_client->response->get_cdata( ) returns the following error HTML page:
Variant c: add code to support basic authentication
Add the following code before lo_http_client->send():
lo_http_client->request->set_authorization(
  auth_type = ihttp_auth_type_basic_auth
  username  = 'WANGJER'
  password  = 'Sap12345' ).
And the WSDL content is returned as expected:
Variant d: initialize http client via HTTP destination instead of url
Create an HTTP destination in tcode SM59:
Maintain the necessary user name and password for logon:
Then use method create_by_destination to initialize the http client instance. In this way it is not necessary to specify any credentials in ABAP code.
CALL METHOD cl_http_client=>create_by_destination
  EXPORTING
    destination        = 'ZWS'
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4.
Variant e: directly append user and password in url
Variant f: log on via SAP Logon Ticket
Copy the value of the cookie field MYSAPSSO2 from HTTP watch into the ABAP code: