SAPUI5, ODATA and anonymous database access in the HCP: How to do it
The HANA Cloud Platform trial account is free of charge. This is possible because multiple developers work on the same databases in parallel. For that reason, additional safety measures have been implemented. This makes the application development quite tricky sometimes. A couple of weeks ago I developed an SAPUI5 application using my HANA Cloud Platform trial account. When I wanted to receive data from the database, it was not working. The process of figuring out the problem and solving it took quite some time but I came up with a solution. Jamie Wiseman from the SAP HANA Academy team encouraged me to explain my solution in the SCN, so that’s what I am going to do
The issue
My SAPUI5 Application accesses a database table containing Geodata. The standard way of doing this in SAP HANA is creating and using an ODATA service. Creating an ODATA service in SAP HANA is very easy: You simply need to create another file (file extension .odata) in your XS or SAPUI5 package and insert something like:
service {
“SCHEMA”.”TABLE” as “Geodata” keys generate local “GENERATED_ID”;
}
At first you of course should test the ODATA interface. You can do this by just calling it in your browser. The URL is like:
https://s1hanaxs.hanatrial.ondemand.com/path/to/your/package/odataservice.xsodata/ servicename?json&$select=COLUMN,COLUMN,…
Be careful when you test your service. When I did it on my laptop, I had no problems. My SAPUI5 app however seemed to be unable to access data. Using a different browser, I finally understood the issue: Normally, I have to logon with my S-User first.
ODATA access will trigger S-USER Logon process
The other browser had the SAP Certificates for automated logon installed, so testing with it had always worked. This by the way also applies to the SAPUI5 application itself. If you want to be able to access it without logging on with your S-User, it does not work out of the box.
First problems
At first, I looked at the settings for authentication in the SAP HANA Cloud Platform Cockpit (Trust). Unfortunately, your only alternative to the authentication via S-User is setting up a connection to another trusted identity provider. I am no expert on this, but I guess it would be a lot of work and at the end also require some sort of authentication which is not supported by a standard SAPUI5 application. So this approach is a dead end.
My second try was using SQLCC which is described very well in a video from the SAP HANA Academy. For this approach, your database user needs certain privileges (role sap.hana.xs.admin.roles::SQLCCAdministrator). These privileges could be used to basically become administrator if you use them right. As the trial instances (just the trial instances) of the HANA Cloud Platform are used by multiple developers in parallel, they don’t have these privileges. Another dead end.
Anonymous access to SAPUI5 application
My first step to success was a thread on saphana.com with a solution for anonymous access very similar to the full SQLCC approach. It uses the .xsaccess file in the project. HANA development projects including ODATA services or SAPUI5 applications always need two files to work: “.xsapp” and “.xsaccess”
.xsaccess – as the name says – can contain options for the accessing the application. To enable anonymous access, you have to adjust your file like this:
{
“anonymous_connection”: “path.to.your.package::anonuser”,
“authentication” : null,
“exposed”: true
}
Then you have to create a database user using XS development. You can this by creating a file with the name “username.xssqlcc”. I used the name “anonuser” in .xsaccess, so the filename has to be “anonuser.xssqlcc”. There is not a lot of content, but you can insert a description. Just remember To have brackets in the file:
{
“description” : “Anon SQL connection”
}
Now you can access your development projects in this package without having to authenticate with your S-User. It works fine for the SAPUI5 applications. However, access to the database is still not possible. If you try to access the ODATA service like I described, you will no longer see a logon screen. Instead you won’t see anything. By using the development tools of your browser, you can examine the response from the server and see something like this:
Accessing with an anonymous database user does not work for ODATA
Error 500 makes it clear: Using ODATA services anonymously does not work in the HANA Cloud Platform. So I found a different solution. (However: If someone knows a solution for ODATA, please tell me in the comments )
Anonymous access to SAP HANA
My next idea was to develop a database interface like odata on my own. As I was already using an XS application project in the HANA Cloud Platform, I tried to do it with XS. Remember that you have to enable anonymous access to the XS application itself before an SAPUI5 application would be able to use it. If you want to access the database out of XS, you do something like:
var conn = $.db.getConnection();
var pstmt = conn.prepareStatement( “select * from NEO_ET72UJMG1CL4IUODE1NJVKJ1O.ADACALL” );
var rs = pstmt.executeQuery();
The problem with that is the first statement. It will not work if you call it using anonymous access. Instead you will get an error code 500 like you did with ODATA. The only way around this is using SQLCC, which is not possible with an SAP HANA Cloud Platform trial account (see “First problems”).
The key to success is the JAVA development in the SAP HANA Cloud Platform. If you access the database out of a JAVA application, it does not require any authentication. This is even the default setting. Using JAVA, you can easily write a little webservice that transfers the data you need to the SAPUI5 application.
A little issue remains: I wanted to be able to create HANA Views on top of my tables. It is important to understand that the standard database schemas of JAVA and XS applications are fundamentally different. The first sign for that are different database versions:
XS and JAVA Schemas are located on different databases
That means you not only have different schemas but actually different databases. Therefore it is not possible to access a table in a JAVA schema out of an XS application using a XS schema. Also, you have far more privileges in the XS schema. The most important one is the privilege to create packages and develop XS and SAPUI5 applications as well as HANA Views in them.
To combine the benefits of anonymous database access and HANA Views as well as XS development, I simply changed the schema binding of my JAVA webservice to the XS schema.
Changing the schema binding combines the benefit of JAVA and XS in the HCP
You can change the schema binding of your JAVA application in the HANA Cloud Platform Cockpit. In the menu on the left side, select “JAVA Applications” and then select your application. On the left side, click on “Schmema Bindings”. Now delete the old schema binding and create a new binding to your XS schema.
As far as I can tell, there is no benefit from using the JAVA schema over the XS schema (again, please correct me if I’m, wrong). Of course you can also establish multiple bindings for one application if you like.
I hope I could help some of you to understand how anonymous access works. Please keep in mind that this issue only exists in the trial account. And please give me some feedback if you like
As you said , by default HCP uses SAML , is there any way to change the authentication menthod ?
No, the only possibility you have is to change from the SAP ID Service to another Corporate Identity Provider. But this also works with SAML 2.0
You can lookup the HANA Cloud Platform Documentation for more details: https://help.hana.ondemand.com/help/SAP_HANA_Cloud_Platform.pdf
The relevant part is chapter 1.1.1.4 "Identity Service".
Thank you for the post. It is good to have this information in one place.
Can you tell us how you redirected the java application to the hana xs db instance?
Also, how much build in functionality did you loose by writing your oData in java vs. using basic xsodata, specifically $ URL options such as $orderby, $filter and $select?
Hi Rob,
I've added a little section under the last picture about how to change the schema binding (redirecting the java application to the hana xs db instance).
About your second question: You don't loose any functionality. Actually you can develop your interface exactly as you need it, without any limitations. However, depending on your needs, it will take some time to develop the functionalities. A normal orderby, select or filter as you mentioned it should not be to hard to develop. With the HCP JAVA development you can easily use GET parameters and therefore work the same way as the ODATA service.
Regards,
Steve
Hi Steve,
thank you for the detailed description. I hope that perhaps Martin Raepple knows a solution how the HANA xsodata service from the HANA trial could be used in a SAPUI5 application developed on the "same" platform.
Best regards
Gregor
Dear Steve,
to avoid the creation of a Java layer in front of the HANA tables I've started the project SAP HANA Cloud Tial Authentication Proxy for HANA XS Services on GitHub. Perhaps you like to contribute.
Best regards
Gregor
Hi Gregor,
that sounds just like a #sitFRA (http://www.sitfra.de) session topic - maybe for the short (15 minutes) type...
Viele Grüße
Hendrik
Let's see how it progresses. Plan B would be Fiori on Demand or WebIDE.
The WebIDE showcase slot is already gone... Fiori on Demand - in HCP me thinks - sounds like a nice addition.. looking forward to whichever will make the race 😉
can anybody please provide information on how to access database developed on hcp and access in java application on hcp.
Dear Kelly,
please read the documentation, use the search and if you then still have questions post in the forum instead of commenting to a Blog.
Best regards
Gregor
Hi Steve,
Thanks for you great blog.
I am now building a native android application to consume xsjs resides on HCP under trial account. But got stuck at the authentication issue. After reading your blog, I also want to have a try by setting my service anonymous accessible.
Per your solution, in order to achieve this what I need to do are:
Is my understanding correct?
Many thanks!
Hi Chris,
I haven't heard any new that the authentication at the HCP trial has changed. You still have to use my project gregorwolf/hanatrial-auth-proxy from GitHub.
Best regards
Gregor
Great blog! Just a quick question... When you access the Java app from the XSJS app, I assume you used a .xshttpdest file. Can you share the contents? I am having trouble getting connectivity. The Java app redirects to https, and so I think I need to set port to 443 and useSSL to true, but then I need to set up a trust...
Hi Michael,
for this example, I have used a sole SAPUI5 application. If you want to consume your JAVA webservice in XS, you are right. There is a guide for connectivity online: SAP HANA Cloud Platform I didn't to connect using https myself. But since the guide provided by SAP only explains the process for the productive, not the trial version - I think it's possible it is only supported for the productive version due to the necessary customizing. Maybe you can find an answer to this question if you ask in a seperate discussion.
Best Regards,
Steve