
My motive for writing this document is that, while dealing with an HTTP 401 Unauthorized error (details explained in this document), I wanted to learn more about the SAP standard logon procedure.

Use tcode SICF, navigate to the ICF node and press F1 on the Procedure field; this opens the documentation for the Standard Logon Sequence.

/wp-content/uploads/2014/05/clipboard1_457043.png

The sequence of logon checks in the standard logon procedure is defined in SAP Help:

  1. Logon using HTTP fields
  2. Logon with SSL certificates
  3. Logon using SAP Logon Ticket (‘SSO’)
  4. HTTP Basic Authentication
  5. Logon using SAP user password (SAP RFC logon)
  6. Logon using SAML
  7. Logon using user data stored in the service

So I would like to play around with this logon order.

Case 1: Directly open the WSDL URL in a browser

The WSDL URL is: http://<XXXX>:50078/sap/bc/srt/wsdl/flv_10002A111AD1/bndg_url/sap/bc/srt/rfc/sap/zws_add/506/zjerry1/jerry1?sap-client=506

After I pasted it into the browser address bar and pressed Enter, I could see the expected WSDL content. However, I observed an HTTP 307 redirect in HttpWatch, and the final URL in the browser was also automatically changed to https.

/wp-content/uploads/2014/05/clipboard2_457044.png

This redirect behavior is defined by parameters that can be found in tcode SMICM

/wp-content/uploads/2014/05/clipboard3_457045.png

or in RZ11, using the parameter name icm/HTTP/redirect_0:

/wp-content/uploads/2014/05/clipboard4_457049.png

In this case, I didn’t specify any user and password, but I could still get the WSDL content. According to SAP Help: “Logon using SAP Logon Ticket (MYSAPSSO2 cookie field). If no logon data is transferred as form fields or header fields, the system then tries to log on using a logon ticket. To enable this, the cookie field MYSAPSSO2 must be set.”

I could observe this logon ticket usage on the client side via HttpWatch:

/wp-content/uploads/2014/05/clipboard5_457050.png

If I disable my certificate in the browser settings via “Tools->Internet Settings->Content->Certificates” and then relaunch the WSDL URL in the browser:

/wp-content/uploads/2014/05/clipboard6_457051.png

This time I observed a 401 Unauthorized error in HttpWatch, accompanied by a popup window asking for user and password.

/wp-content/uploads/2014/05/clipboard7_457058.png

After I input my user and password, I could see the WSDL content (HTTP response code: 200).

This time I could see that the authorization method has changed to “Basic d2FuZ2plcjpTYXAxMjM0NQ==”:

/wp-content/uploads/2014/05/clipboard8_457059.png

The string “d2FuZ2plcjpTYXAxMjM0NQ==” is the Base64 encoding of the user name and password I entered, concatenated with “:”:

/wp-content/uploads/2014/05/clipboard9_457060.png
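
The decoding described above, as an added example that is not part of the original post: a short ABAP report that reverses the header value without any key, which is why Basic Authentication only protects the credentials when the connection itself is HTTPS. The report name is hypothetical; the header value is the one quoted above.

```abap
REPORT zdemo_basic_auth_decode.

" Header value as quoted in the text above
DATA(lv_header) = `Basic d2FuZ2plcjpTYXAxMjM0NQ==`.
DATA: lv_scheme  TYPE string,
      lv_encoded TYPE string,
      lv_user    TYPE string,
      lv_pass    TYPE string.

" Header layout: <scheme> <base64(user:password)>
SPLIT lv_header AT ` ` INTO lv_scheme lv_encoded.
IF to_upper( lv_scheme ) <> `BASIC` OR lv_encoded IS INITIAL.
  WRITE: / 'Not a Basic Authorization header'.
  RETURN.
ENDIF.

" Base64 is an encoding, not encryption: reversing it needs no key
DATA(lv_decoded) = cl_http_utility=>decode_base64( encoded = lv_encoded ).
IF lv_decoded NS ':'.
  WRITE: / 'Decoded value is not of the form user:password'.
  RETURN.
ENDIF.

" Two targets: everything after the first ':' lands in lv_pass,
" so a password that itself contains ':' stays intact
SPLIT lv_decoded AT ':' INTO lv_user lv_pass.
WRITE: / 'User    :', lv_user,
       / 'Password:', lv_pass.
```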

Case 2: Access the WSDL via cl_http_client in code

I list the following scenarios for accessing an external WSDL URL via ABAP code. Some might not be suitable for productive use and are shown only for study and verification purposes.

Variant a: no credentials specified in code

Execute the following small piece of code:

DATA:    lo_http_client TYPE REF TO if_http_client,
         lv_status      TYPE i,
         lv_sysubrc     TYPE sysubrc,
         lv_url         TYPE string.
lv_url = 'http://<XXXX>:50056/sap/bc/srt/wsdl/flv_10002A111AD1/bndg_url/sap/bc/srt/rfc/sap/zweb_add/001/zweb_add/add?sap-client=001'.
CALL METHOD cl_http_client=>create_by_url
  EXPORTING
    url                = lv_url
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4.
ASSERT sy-subrc = 0.
lo_http_client->request->set_method( if_http_request=>co_request_method_get ).
CALL METHOD lo_http_client->send
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3.
ASSERT sy-subrc = 0.
CALL METHOD lo_http_client->receive
  EXCEPTIONS
    http_communication_failure = 1
    http_invalid_state         = 2
    http_processing_failed     = 3.
IF sy-subrc <> 0.
  CALL METHOD lo_http_client->get_last_error
    IMPORTING
      code    = lv_sysubrc
      message = DATA(ev_message).
  WRITE: / lv_sysubrc, 'error message:', ev_message COLOR COL_NEGATIVE.
  RETURN.
ENDIF.
WRITE: / 'WSDL got successful' COLOR COL_POSITIVE. 

Once executed, the expected popup window appears since I didn’t specify any credentials in the code:

/wp-content/uploads/2014/05/clipboard10_457064.png

After I input the correct user and password, the code could successfully return the WSDL.

Variant b: disable the popup in code

The popup can be suppressed with the statement lo_http_client->propertytype_logon_popup = if_http_client=>co_disabled. This new line must be added before the send method is called.

Execution result: no popup window, and the call of lo_http_client->response->get_cdata( ) returns the following error HTML page:

/wp-content/uploads/2014/05/clipboard11_457065.png

Variant c: add code to support basic authentication

Add the following code before lo_http_client->send():

lo_http_client->request->set_authorization(
                   auth_type  = ihttp_auth_type_basic_auth
                   username   = 'WANGJER'
                   password   = 'Sap12345' ).

And the WSDL content is returned as expected:

/wp-content/uploads/2014/05/clipboard12_457066.png

Variant d: initialize the HTTP client via an HTTP destination instead of a URL

Create an HTTP destination in tcode SM59:

/wp-content/uploads/2014/05/clipboard13_457070.png

Maintain the necessary user name and password for logon:

/wp-content/uploads/2014/05/clipboard14_457071.png

Then use the method create_by_destination to initialize the HTTP client instance. In this way it is not necessary to specify any credentials in ABAP code.

CALL METHOD cl_http_client=>create_by_destination
  EXPORTING
    destination        = 'ZWS'
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4.
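
Variants b and d combined, as an added example that is not part of the original post: the client is created from the SM59 destination ZWS, the logon popup is disabled, and the HTTP status code is checked so that a 401 is reported instead of being mistaken for success. The report name and the output messages are assumptions.

```abap
REPORT zdemo_wsdl_by_destination.
DATA: lo_http_client TYPE REF TO if_http_client,
      lv_code        TYPE i,
      lv_reason      TYPE string.

" ZWS is the SM59 destination from the text; the logon data stays in SM59
cl_http_client=>create_by_destination(
  EXPORTING
    destination        = 'ZWS'
  IMPORTING
    client             = lo_http_client
  EXCEPTIONS
    argument_not_found = 1
    plugin_not_active  = 2
    internal_error     = 3
    OTHERS             = 4 ).
IF sy-subrc <> 0.
  WRITE: / 'Could not create HTTP client, sy-subrc =', sy-subrc.
  RETURN.
ENDIF.

" Variant b: never wait on a logon dialog in unattended code
lo_http_client->propertytype_logon_popup = if_http_client=>co_disabled.
lo_http_client->request->set_method( if_http_request=>co_request_method_get ).

lo_http_client->send( EXCEPTIONS OTHERS = 1 ).
IF sy-subrc = 0.
  lo_http_client->receive( EXCEPTIONS OTHERS = 1 ).
ENDIF.
IF sy-subrc <> 0.
  lo_http_client->get_last_error( IMPORTING message = DATA(lv_message) ).
  WRITE: / 'Communication error:', lv_message.
  lo_http_client->close( EXCEPTIONS OTHERS = 1 ).
  RETURN.
ENDIF.

" A rejected logon still yields a response (the error page of Variant b): check the status
lo_http_client->response->get_status( IMPORTING code = lv_code reason = lv_reason ).
CASE lv_code.
  WHEN 200.
    DATA(lv_wsdl) = lo_http_client->response->get_cdata( ).
    WRITE: / 'WSDL received'.
  WHEN 401.
    WRITE: / 'HTTP 401: check the logon data maintained in SM59'.
  WHEN OTHERS.
    WRITE: / 'Unexpected HTTP status', lv_code, lv_reason.
ENDCASE.
lo_http_client->close( EXCEPTIONS OTHERS = 1 ).
```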

Variant e: directly append user and password in the URL

/wp-content/uploads/2014/05/clipboard15_457072.png

Variant f: log on via SAP Logon Ticket

Copy the value of the cookie field MYSAPSSO2 from HttpWatch into the ABAP code:

/wp-content/uploads/2014/05/clipboard16_457076.png

/wp-content/uploads/2014/05/clipboard17_457077.png
