Cross-Origin Resource Sharing (CORS) is a W3C spec that allows cross-domain communication from the browser. By building on top of the AJAX/XMLHttpRequest object, CORS lets developers work in the same coding paradigm as with same-domain requests. CORS plays an increasingly important role in today’s web and cloud based applications, as web applications trend towards system/data integration across domains. Web application servers that support CORS make a clean architecture possible, without reverse proxies or other forms of middle tier.

A majority of SAP applications reside on top of the SAP NetWeaver Application Server platform, from which many web applications retrieve data. If the data retrieval needs to happen in the web browser with AJAX calls, the traditional way to get around the web browser’s Same Origin Policy is to set up a reverse proxy in front of both the web server and the SAP NetWeaver Application Server, so that they appear to the web browser as if they shared the same host name. While this may be a handy workaround, it not only has a higher TCO for maintaining the solution, but also has implications for SSL, authentication and Single Sign-On options.

But as a matter of fact, it is technically possible to configure SAP NetWeaver Application Server to support CORS, so that your web application landscape can be greatly simplified as below:


The trick is simple. Add a rewrite rule for NetWeaver’s ICM component, so that it returns the necessary CORS headers.

First, configure the NetWeaver Application Server’s profile: enable HTTP rewriting and point to the action/rewrite file. In the example below, on a Windows installation, the action file is rewrite.txt.

icm/HTTP/mod_0 = PREFIX=/,FILE=D:\usr\sap\<SID>\SYS\profile\rewrite.txt

In the action file, maintain the following settings to inject the necessary CORS headers. Make sure you specify your web server’s URL as the value of the Access-Control-Allow-Origin header.

SetResponseHeader Access-Control-Allow-Origin https://<YourWebServerHost>
SetResponseHeader Access-Control-Allow-Credentials true
SetResponseHeader Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS"
SetResponseHeader Access-Control-Allow-Headers "X-Csrf-Token, x-csrf-token, x-sap-cid, Content-Type, Authorization"
SetResponseHeader Access-Control-Expose-Headers x-csrf-token


Restart the NetWeaver Application Server, and you are all set.


In a large SAP NetWeaver landscape, there are often multiple server nodes with a load balancer such as SAP Web Dispatcher in front of them. In this case, you can turn on CORS support on the SAP Web Dispatcher instead of on each and every server node. The latest version of Web Dispatcher (7.49 PL112 or above) offers more granular control (compared to NetWeaver’s ICM component) over where the CORS requests come from, so that it can act accordingly. Here is an example:

if %{HEADER:ORIGIN} = https://<WebServer1> [OR] 
if %{HEADER:ORIGIN} = https://<WebServer2>
  begin
         SetResponseHeader Access-Control-Allow-Origin %{HEADER:ORIGIN}
         SetResponseHeader Access-Control-Allow-Credentials true
         SetResponseHeader Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS"
         SetResponseHeader Access-Control-Allow-Headers "X-Csrf-Token, x-csrf-token, x-sap-cid, Content-Type, Authorization"
         SetResponseHeader Access-Control-Expose-Headers x-csrf-token
  end
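As an added illustration that is not part of the original post or of SAP's own code, here is a small Python model of the allow-list logic the Web Dispatcher rule above expresses, using constructed host names in place of https://<WebServer1> and https://<WebServer2>; it also sanity-checks a static rewrite.txt header set like the first example for the wildcard-plus-credentials mistake.

```python
# Added example, not SAP code: models the `if %{HEADER:ORIGIN} = ...` rule so the
# allow-list behaviour can be unit-tested before the rewrite file is deployed.
from typing import Dict, List, Optional

# Constructed allow-list standing in for https://<WebServer1> / https://<WebServer2>.
ALLOWED_ORIGINS = {"https://app1.example.com", "https://app2.example.com"}

CORS_METHODS = "GET, POST, PUT, OPTIONS"
CORS_HEADERS = "X-Csrf-Token, x-csrf-token, x-sap-cid, Content-Type, Authorization"


def cors_response_headers(origin: Optional[str],
                          allowed=ALLOWED_ORIGINS) -> Dict[str, str]:
    """Return the CORS headers the rule would add for a request carrying `origin`.

    The Origin value is reflected only when it matches an allow-list entry exactly
    (scheme, host and port), which is what makes reflecting it safe alongside
    Access-Control-Allow-Credentials: true. Any other origin gets no CORS headers,
    so the browser will not expose the response to that page.
    """
    if origin is None or origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Access-Control-Allow-Methods": CORS_METHODS,
        "Access-Control-Allow-Headers": CORS_HEADERS,
        "Access-Control-Expose-Headers": "x-csrf-token",
    }


def lint_static_rule(headers: Dict[str, str]) -> List[str]:
    """Check a static SetResponseHeader set (the rewrite.txt variant) for mistakes.

    Flags combinations that fail in the browser or weaken the setup: a wildcard or
    missing Allow-Origin while credentials are allowed, or a plain-http origin.
    """
    findings = []
    origin = headers.get("Access-Control-Allow-Origin", "")
    creds = headers.get("Access-Control-Allow-Credentials", "").lower() == "true"
    if creds and origin == "*":
        findings.append("Allow-Origin '*' with Allow-Credentials true: browsers reject it")
    if creds and not origin:
        findings.append("Allow-Credentials true but no Allow-Origin set")
    if origin.startswith("http://"):
        findings.append("Allow-Origin uses plain http; credentialed requests are unencrypted")
    return findings
```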


Start enjoying the beauty and simplicity of CORS!
