Best practice for SOAP calls is to provide at least a user and password to authenticate the call. Unfortunately, some client systems do not offer the option to send credentials in SOAP calls.

This issue has been discussed in previous blogs such as A closer look at SOAP Sender authentication, but the solutions provided there are either not supported by SAP PI single stack or are too dangerous, because they disable SOAP authentication at adapter level.

One option we have found quite interesting in a recent project is to use SAP Web Dispatcher to allow anonymous SOAP calls to specific services.

[Figure: Overview of the set-up]

The idea is the following:

1. We define a new endpoint for the anonymous service, for instance /xi/project1/service1

2. Rewrite the new endpoint to the SOAP adapter URL of the service

3. Add the Authorization header for the endpoint.

Let's have a look in detail.

1. The first thing is to find out what the URL for the service call is.

This URL has the format

http://<server>:<port>/XISOAPAdapter/MessageServlet?senderParty=<SENDER_PARTY>&senderService=<SENDER_SERVICE>&receiverParty=<RECEIVER_PARTY>&receiverService=<RECEIVER_SERVICE>&interface=<INTERFACE>&interfaceNamespace=<INTERFACE_NAME_SPACE>


for instance


http://myserver.com:50000/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking


There are several places where you can find this, one of them is in Display WSDL for the ICO.


2. The HTTP Basic Authentication header is constructed as follows:

  • Username and password are combined into the string "username:password"
  • The resulting string is then Base64-encoded
  • The authorization method and a space, i.e. "Basic ", is then put before the encoded string.

For the values pouser and mypassword the string will be "Basic cG91c2VyOm15cGFzc3dvcmQ=". Note that Base64 is an encoding, not encryption: anyone who can read the string can recover the password.

3. Update modification handler rules for SAP Web Dispatcher.

The documentation is here  Modification of HTTP Requests – SAP Web Dispatcher – SAP Library

On Unix the file is something like /usr/sap/<SID>/SYS/global/security/data/icm_filter_rules.txt

You can add 3 rules similar to these ones (note that both the path in the condition and the header value must be quoted):

if %{PATH} stricmp "/xi/project1/service1"

SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="

RegRewriteUrl ^/xi/project1/service1 /XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking [qsreplace]

4. Log on to the Web Dispatcher administration interface

http://<server>:<port>/sap/admin    for instance http://myserver:50000/sap/admin

Select HTTP Handler -> Modification Handler

Press Reload Rule File

5. In the SOAP call for this service, replace the endpoint with the new one, for instance /xi/project1/service1

And hopefully it will work without user and password 🙂

Bear in mind that the service is now anonymous from the caller's side: anyone who can reach the new endpoint is effectively authenticated as pouser. Restrict which systems can reach it (for instance with a firewall rule), use HTTPS on both legs so the SOAP payload and the injected header are not sent in clear, and protect icm_filter_rules.txt, since it holds the password in recoverable form.
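As an added example (not code from the original post), the following Python builds the Authorization header from step 2, assembles the SOAP adapter URL from step 1 and the three modification-handler rules from step 3, and simulates what the Web Dispatcher does to a request so the mapping can be checked before editing icm_filter_rules.txt. The credentials pouser/mypassword and the ICO parameters are the post's own example values; the simulation's reading of %{PATH} (path without the query string) and [qsreplace] (the rewritten query string replaces the client's) is an assumption about the dispatcher's behaviour, not something taken from SAP documentation.

```python
"""Added example, not from the original post: build the Web Dispatcher
rules for an anonymous SOAP endpoint and simulate their effect on a request."""
import base64
from urllib.parse import urlencode, urlsplit

# Example values from the post; the credentials are placeholders, not real ones.
PI_USER = "pouser"
PI_PASSWORD = "mypassword"
ANON_PATH = "/xi/project1/service1"


def basic_auth_header(user: str, password: str) -> str:
    """Step 2: 'Basic ' + base64('user:password')."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def soap_adapter_url(sender_service: str, interface: str, namespace: str,
                     sender_party: str = "", receiver_party: str = "",
                     receiver_service: str = "") -> str:
    """Step 1: path+query of the XI SOAP adapter servlet, with the parameters
    in the order shown by Display WSDL for the ICO. Empty parties/services
    are kept as empty values, as in the post's example URL."""
    query = urlencode([
        ("senderParty", sender_party),
        ("senderService", sender_service),
        ("receiverParty", receiver_party),
        ("receiverService", receiver_service),
        ("interface", interface),
        ("interfaceNamespace", namespace),
    ], safe=":/")  # keep the namespace URL readable, as in the post
    return "/XISOAPAdapter/MessageServlet?" + query


def filter_rules(anon_path: str, target_url: str, header_value: str) -> str:
    """Step 3: the three modification-handler lines for icm_filter_rules.txt."""
    return "\n".join([
        f'if %{{PATH}} stricmp "{anon_path}"',
        f'SetHeader Authorization "{header_value}"',
        f'RegRewriteUrl ^{anon_path} {target_url} [qsreplace]',
    ])


def simulate_dispatcher(anon_path, target_url, header_value, request_url, headers):
    """Apply the rule block to one incoming request.

    Assumptions about the dispatcher (not verified against SAP documentation):
    %{PATH} is the request path without the query string, stricmp compares
    case-insensitively, and [qsreplace] discards the client's query string
    in favour of the one in the rewritten URL.
    """
    parts = urlsplit(request_url)
    new_headers = dict(headers)
    if parts.path.lower() != anon_path.lower():
        return request_url, new_headers           # condition false: pass through
    new_headers["Authorization"] = header_value   # SetHeader
    return target_url, new_headers                # RegRewriteUrl ... [qsreplace]


def credentials_from_header(header_value: str) -> tuple:
    """Decode a Basic header back to (user, password): a reminder that the
    rule file carries the password in recoverable form."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


if __name__ == "__main__":
    target = soap_adapter_url("BC_MYBC", "BookingUpdate", "http://mycompany.com/booking")
    header = basic_auth_header(PI_USER, PI_PASSWORD)
    print(filter_rules(ANON_PATH, target, header))
    print(simulate_dispatcher(ANON_PATH, target, header,
                              "/XI/Project1/Service1", {"SOAPAction": "urn:BookingUpdate"}))
```

Running the script prints the three rule lines ready to paste into the rule file, followed by the rewritten request; a call to any other path comes back unchanged and without an Authorization header, which is the behaviour you want to confirm before reloading the rule file on a shared dispatcher.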


4 Comments


  1. Praveen Gujjeti

    Nice solution and Thanks for sharing Brian Amo

    Since the SOAP call becomes anonymous, from a security point of view we should put a firewall restriction in place to at least accept SOAP messages only from trusted systems

    Best Regards,

    Praveen Gujjeti

  2. Emili Delgado

    Hi Brian,

    I am Emili, I used to work in CSC long time ago..

    It has been very useful, since the syntax in help.sap was using VARIABLE HEADER:Name ???

    Thanks a lot for your post!!

