Authenticating a consumer for access to SAP Business ByDesign depends on the concrete approach chosen and the technology used. The following example shows how to log in to ByDesign with username and password from JavaScript.

JavaScript does not allow unrestricted cross-site calls. Wherever you execute your script, the application can talk to the server it was loaded from (SCP account, some server, localhost), but it cannot call other systems.

This is for security reasons.

For testing purposes, you can disable this check in some browsers, e.g. in Google Chrome. To do so, close all open Google Chrome instances and start it from the command line (e.g. Win+R) with

chrome.exe --disable-web-security --user-data-dir=c:\temp

Cookies should be allowed.

If you host your application on the SAP Cloud Platform, you can use destinations to access your system conveniently.

var sHost = "https://YOUR_SERVER";
var sUser = "USERNAME";
var sPassword = "PASSWORD";

var sGetTokenModulePath = sHost + "/sap/ap/ui/login";
var sUrl, sXsrfToken;

function fMain(sXsrfToken) {
  // process app (main,...); sXsrfToken has to be sent with every data-changing call
}

function handleLoginResponse(body) {
  // Executed when the login POST answers with JSON (no redirect needed)
  alert("Handle login response");
  if (!body.login) {
    alert("Login failed");
  } else {
    if (fMain) {
      fMain(sXsrfToken); // Remote, login is done using form based login
    }
  }
}

function handleTokenReceived(data, textStatus, jqXHR) {
  var oResponseParameters = { sysinfo: {} };
  // Security token from the response header; passed on to the app
  sXsrfToken = jqXHR.getResponseHeader("sap-xsrf");
  sUrl = sHost;

  // Check if already authenticated
  if (jqXHR.responseText.indexOf("state=authenticated") === -1) {

    // not authenticated: extract the login XSRF token from the returned XML
    var xmlDoc = $.parseXML(jqXHR.responseText);

    $(xmlDoc).find("Data").each(function() {
      $(this).find("Element").each(function() {
        oResponseParameters.sysinfo[$(this).attr("name")] = $(this).attr("value");
      });
    });
    // Separate name, so the global sXsrfToken is not shadowed
    var sLoginXsrfToken = oResponseParameters.sysinfo["sap-login-XSRF"];
    $.ajax({
      url: sGetTokenModulePath,
      type: "POST",
      dataType: "json",
      data: {
        "sap-alias": sUser,
        "sap-password": sPassword,
        "sap-login-XSRF": sLoginXsrfToken
      },
      beforeSend: function(xhr) {
        xhr.setRequestHeader("x-sap-request-xsrf", "X");
      },
      success: handleLoginResponse,
      error: function(jqXHR, textStatus, errorThrown) {
        // error callback, also called when response is not in JSON format...
        if (fMain) {
          fMain(sXsrfToken); // Remote, form based login
        }
      }
    });
  } else { // authenticated, call app main
    fMain(sXsrfToken);
  }
}

function doLogin() {
  $.ajax({
    url: sGetTokenModulePath,
    type: "POST",
    beforeSend: function(xhr) {
      xhr.setRequestHeader("x-sap-request-xsrf", "X");
    },
    success: handleTokenReceived,
    error: function(jqXHR, textStatus, errorThrown) {
      alert("Get Login Token call failed");
    }
  });
}

The flow starts at doLogin().

  • A POST call with the header x-sap-request-xsrf set is issued to fetch the CSRF protection token.
    • If it cannot be received, the script ends with an error message.
    • Otherwise handleTokenReceived() is executed, which checks whether the consumer is already logged in.
      • If the consumer is logged in, it just calls the main function fMain() that implements the actual app functionality. The security token is passed in, as it has to be supplied with every call that changes data in the system.
      • If the consumer is not yet logged in, the login security token is extracted from the returned XML document, and a POST call to the login URL is executed, supplying username and password together with the just extracted token.
        • If this fails the script exits with an error message.
        • Otherwise, the consumer is logged in, and the main function fMain() is executed.
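The same two-step exchange, written as an added example (not the post's code) for Node.js fetch(): the fetch function is injected, so the flow runs offline against a constructed stand-in server that plays the ByDesign login endpoint. Host, user, password and token values are placeholders.

```javascript
// Added example, not the post's code: the two-step ByDesign form login for
// Node.js fetch(), run offline against the constructed stand-in server below.

// Like handleTokenReceived(): collect <Element name=".." value=".."/> entries
// from the token document and check for the "state=authenticated" marker.
function parseTokenResponse(xmlText) {
  const params = {};
  const re = /<Element\s+name="([^"]+)"\s+value="([^"]*)"\s*\/?>/g;
  for (let m; (m = re.exec(xmlText)) !== null; ) params[m[1]] = m[2];
  return { authenticated: xmlText.includes("state=authenticated"), params };
}

// Step 1: POST /sap/ap/ui/login with x-sap-request-xsrf to fetch the login XSRF
// token. Step 2 (only when not yet authenticated): POST credentials plus that
// token. Returns the sap-xsrf header, which later data-changing calls must carry.
async function loginByDesign(host, user, password, fetchFn) {
  const url = host + "/sap/ap/ui/login";
  const headers = { "x-sap-request-xsrf": "X" };
  const tokenRes = await fetchFn(url, { method: "POST", headers });
  if (!tokenRes.ok) throw new Error("Get Login Token call failed");
  const xsrf = tokenRes.headers.get("sap-xsrf");
  const { authenticated, params } = parseTokenResponse(await tokenRes.text());
  if (authenticated) return { loggedIn: true, xsrf };
  const body = new URLSearchParams({
    "sap-alias": user, "sap-password": password,
    "sap-login-XSRF": params["sap-login-XSRF"] || "",
  });
  const loginRes = await fetchFn(url, { method: "POST", headers, body });
  const result = await loginRes.json(); // { login: true } on success
  return { loggedIn: result.login === true, xsrf };
}

// Constructed stand-in for the server: issues a login XSRF token on the first
// call and accepts the second only if it echoes that token with valid credentials.
function makeFakeServer(validUser, validPassword) {
  const LOGIN_XSRF = "constructed-login-token";
  const headers = new Map([["sap-xsrf", "constructed-header-token"]]);
  let issued = false;
  return async (url, opts) => {
    if (opts.headers["x-sap-request-xsrf"] !== "X") return { ok: false, headers };
    if (!issued) {
      issued = true;
      const xml = `<Data><Element name="sap-login-XSRF" value="${LOGIN_XSRF}"/></Data>`;
      return { ok: true, headers, text: async () => xml };
    }
    const p = new URLSearchParams(opts.body.toString());
    const login = p.get("sap-login-XSRF") === LOGIN_XSRF &&
      p.get("sap-alias") === validUser && p.get("sap-password") === validPassword;
    return { ok: true, headers, json: async () => ({ login }) };
  };
}
```

Against a real system pass the global fetch as fetchFn; in a browser add credentials: "include" to both requests so the session cookie set by the login is kept, matching the post's note that cookies must be allowed.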

If login issues occur during local testing, the cause is usually either browser security functionality that is still active (the cross-site restriction above) or rejected cookies.

2 Comments

  1. Oscar Espinar Lázaro

    Hi Thomas,

    Thanks so much for your blog series about HCP and ByD.

    These are very useful docs for those of us who want to develop HCP Mobile Apps using ByDesign as backend.

    I was wondering if there is a way to read ByDesign Work Centers and Access Restriction assigned to the Identity used to login from your JavaScript sample.

    After some research I couldn't find any Business Object in the repository with this information. I don't know if this information could also be exposed as an OData Service.

    Thanks so much and regards,

    Óscar Espinar Lázaro