Former Member

Anonymous SOAP calls in SAP PI

Best practice for SOAP calls is to provide at least a user and password to authenticate the call. Unfortunately, client systems sometimes do not provide the option to send credentials in SOAP calls.

This issue has been discussed in previous blogs like "A closer look at SOAP Sender authentication", but the solutions provided are either not supported by SAP PI single stack or too dangerous because they disable SOAP authentication at adapter level.

One option we have found quite interesting in a recent project is to use SAP Web Dispatcher to allow anonymous SOAP calls to specific services.

The idea is the following:

1. We define a new endpoint for the anonymous service, for instance /xi/project1/service1

2. Rewrite the new endpoint to the SOAPAdapter URL related to the service.

3. Add an authentication header for the endpoint.

Let's have a look in detail.

1. The first thing is to find out what the URL for the service call is.

This URL has the format

http://<server>:<port>/XISOAPAdapter/MessageServlet?senderParty=<SENDER_PARTY>&senderService=<SENDER_SERVICE>&receiverParty=<RECEIVER_PARTY>&receiverService=<RECEIVER_SERVICE>&interface=<INTERFACE>&interfaceNamespace=<INTERFACE_NAME_SPACE>


for instance


http://myserver.com:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking


There are several places where you can find this; one of them is Display WSDL for the ICO.


2. HTTP Basic Authentication is constructed as follows:

  • Username and password are combined into a string “username:password”
  • The resulting string is then encoded using Base64
  • The authorization method and a space, i.e. “Basic ”, are then put before the encoded string.

For the values pouser and mypassword the string will be “Basic cG91c2VyOm15cGFzc3dvcmQ=”

3. Update modification handler rules for SAP Web Dispatcher.

The documentation is here: Modification of HTTP Requests – SAP Web Dispatcher – SAP Library

In Unix the file is something like /usr/sap/<SID>/SYS/global/security/data/icm_filter_rules.txt

You can add 3 rules similar to these ones:

if %{PATH} stricmp "/xi/project1/service1"

SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="

RegRewriteUrl ^/xi/project1/service1 /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking [qsreplace]

4. Log on to Web Dispatcher Administrator

http://<server>:<port>/sap/admin    for instance http://myserver:50000/sap/admin

Select HTTP Handler -> Modification Handler

Press Reload Rule File

5. In the SOAP call for this service, replace the endpoint with the new one, for instance /xi/project1/service1

And hopefully it will work without user and password 🙂
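
An added example, not part of the original post: a small Python audit that builds the header from step 2 and then scans a rule file like the one in step 3 for hard-coded Basic credentials, showing that the Base64 value can be decoded by anyone who can read icm_filter_rules.txt. The function names, regular expressions and sample rule text are assumptions made for this illustration.

```python
import base64
import re

# Constructed sample that mirrors the three rules from step 3 (not a real system's file).
SAMPLE_RULES = """\
if %{PATH} stricmp "/xi/project1/service1"
SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="
RegRewriteUrl ^/xi/project1/service1 /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking [qsreplace]
"""

# Illustrative patterns for this audit only; they are not the Web Dispatcher's own parser.
CONDITION = re.compile(r'^\s*if\s+%\{PATH\}\s+\S+\s+"?([^"\s]+)', re.I)
SETHEADER = re.compile(r'^\s*SetHeader\s+Authorization\s+"?Basic\s+([A-Za-z0-9+/=]+)', re.I)


def basic_header(user, password):
    """Build the header value the way step 2 describes."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def audit_rules(text):
    """Return one finding per hard-coded Basic credential in a rule file."""
    findings = []
    last_path = None  # most recent %{PATH} condition seen above the header rule
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = CONDITION.match(line)
        if cond:
            last_path = cond.group(1)
            continue
        header = SETHEADER.match(line)
        if not header:
            continue
        try:
            decoded = base64.b64decode(header.group(1), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not a decodable Basic token, nothing to report
        user, _, password = decoded.partition(":")
        findings.append({
            "line": lineno,
            "path": last_path,
            "user": user,
            "password_length": len(password),  # report the length, never the secret
        })
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Each finding names a technical user whose password is stored in recoverable form, so read access to the rule file should be restricted and that user should hold only the authorizations the one interface needs.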

      5 Comments
      Former Member

      Nice solution and Thanks for sharing Brian Amo

      Since SOAP call becomes anonymous, from a security point of view we should put a firewall restriction at least to accept SOAP messages from trusted systems

      Best Regards,

      Praveen Gujjeti

      Dipen Pandya

      Nice & Helpful.

      I was looking for the same.

      Thanks a lot.

      Regards,

      Dipen.

      Prasad Babu Koribilli

      Thanks for the good tip and detailed blog.

      Regards,

      Prasad.

      Former Member

      Hi Brian,

      I am Emili, I used to work in CSC long time ago..

      It has been very useful since the syntax in help.sap was using VARIABLE HEADER:Name ???

      Thanks a lot for your post!!

      Marcelo M Bovo

      Great, but couldn’t you just have set the auth header without changing the URL?

      Something like:

      if %{PATH} regimatch "senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking"

      SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="

       

      thanks