
It’s not very common to build custom user-interface applications and deploy them on PI; that said, they are not that uncommon either. There can be valid business cases for UI-based applications that allow business users or support teams to log in, inspect the data and take decisions, and these decisions then influence the interface execution.

Let’s assume there is such a need; we then have to develop a custom UI application and deploy it on PI (Web AS Java).

The first thing to take care of is a login page, so that valid PI users can log in and use the application.

Broadly speaking, you might want to divide the potential users into at least two groups.

Group 1: Users who are effectively business admins and have more options in the application, such as deleting records or changing the status.

Group 2: Users with read-only access, who can see things in the application but not change anything.

So when a user is authenticated, it is not just a matter of the right password but also of whether the user has the right roles.

Compared to an EP portal application, a Fiori user-interface application or UI5 on HANA, SAP PI is not friendly for developing UI-based applications. By friendly I mean that things like login pages and session management have to be built and developed yourself; it is like a proper UI application running on any normal Web AS.

For our UI application, I mainly covered the 4 scenarios below.

Step 1: Check User account exists in the PI system.
Step 2: Check User is not locked by system.
Step 3: Check password entered is correct.
Step 4: Not authorised to login (Either role is missing or not in right Group)

 

Below are the screenshots showing the messages from the UI for each step.

Sample login page from our application:

Step 1: User ‘abc’ is not created in the PI system.

Step 2: The user entered is locked.

Step 3: The user entered the wrong password.

Step 4: A valid user and password were entered, but the user doesn’t have the right roles.

API which provides access to the UME of SAP PI:

tc~je~usermanagement~api.jar provides access to the classes that read user details from the UME store of SAP PI.

Below are the import statements required:

import com.sap.security.api.IUserAccount;
import com.sap.security.api.IUserFactory;
import com.sap.security.api.UMException;
import com.sap.security.api.UMFactory;

import com.sap.security.api.IRoleFactory;
import com.sap.security.api.IUser;
import com.sap.security.api.IGroup;
import com.sap.security.api.IRole;

import java.util.Iterator;  // used by the role loop in step 4

 

Coding steps for each step mentioned above:

Step 1: Check that the user entered is present in the system

// This runs inside a servlet, so only the required statements are pasted.
String userName = request.getParameter("UserName");
IUserAccount chAcc = null;
try {
    // UMFactory is the key class that links to the UME.
    // The IUserAccount object provides complete access to the user account.
    chAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(userName);
} catch (UMException e) {
    // The lookup throws a UMException when no account exists for this logon ID.
    status = "N";
    error = "User Does Not Exist";
}

 

 

Step 2: Check that the user present in the system is not locked

String userName = request.getParameter("UserName");
IUserAccount chAcc = null;
chAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(userName);
// Once the IUserAccount object is available, you can check whether the user is locked.
if (chAcc.isLocked()) {
    status = "N";
    error = "User Is Locked";
}

 

Step 3: Check that the password entered is the right one

String userName = request.getParameter("UserName");
IUserAccount chAcc = null;
chAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(userName);
if (chAcc.isLocked()) {
    status = "N";
    error = "User Is Locked";
} else {
    // pwd holds the password submitted with the login form.
    // checkPassword returns false if the password doesn't match.
    result = chAcc.checkPassword(pwd);
    if (result) {
        // If the password is correct, retrieve the first name and
        // last name of the user from the UME to display on screen.
        ur = chAcc.getAssignedUser();
        if (ur.getFirstName() != null)
            fName = ur.getFirstName();
        if (ur.getLastName() != null)
            lName = ur.getLastName();
    }
}

 

Step 4: Check that the user is authorized, based on the roles added to the user

For our application, I check two roles for the user, named “ACFI_SEARCH_UPDATE” and “ACFI_SEARCH”; the landing page after authentication changes depending on which role exists.

String userName = request.getParameter("UserName");
IUserAccount chAcc = null;
chAcc = UMFactory.getUserAccountFactory().getUserAccountByLogonId(userName);
if (chAcc.isLocked()) {
    status = "N";
    error = "User Is Locked";
} else {
    // checkPassword returns false if the password doesn't match.
    result = chAcc.checkPassword(pwd);
    if (result) {
        // If the password is correct, retrieve the first name and last name
        // of the user from the UME to display on screen.
        ur = chAcc.getAssignedUser();
        if (ur.getFirstName() != null)
            fName = ur.getFirstName();
        if (ur.getLastName() != null)
            lName = ur.getLastName();

        // Evaluate the roles only after the password check has succeeded;
        // ur is not set for a failed login.
        Iterator iteratorRoles = ur.getParentGroups(false);
        while (iteratorRoles.hasNext()) {
            userRole = iteratorRoles.next().toString();
            // Test the longer name first: "ACFI_SEARCH" is a substring of
            // "ACFI_SEARCH_UPDATE", so two independent contains() checks
            // would also flag update users as search-only.
            if (userRole.contains("ACFI_SEARCH_UPDATE")) {
                acfiSearchUpdate = true;
                roleBuffer.append(userRole + "\n");
            } else if (userRole.contains("ACFI_SEARCH")) {
                acfiSearchOnly = true;
                roleBuffer.append(userRole + "\n");
            }
        }
    }
}
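The role loop above decides by substring, and "ACFI_SEARCH" is contained in "ACFI_SEARCH_UPDATE" as well as in any longer, unrelated name. The following added example (not the author's code) resolves the landing page by exact name instead; the sample IDs are constructed, and the assumption that the name is the text after the last ':' of the ID is mine, not the post's.

```java
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;

public class LandingPageResolver {
    enum Access { UPDATE, READ_ONLY, NONE }

    // Assumption: the group/role name is the text after the last ':' of the ID.
    static String nameOf(String id) {
        return id.substring(id.lastIndexOf(':') + 1).trim();
    }

    // Exact-match resolution: the update role wins over the read-only role.
    static Access resolve(Iterator<?> ids) {
        Access access = Access.NONE;
        while (ids.hasNext()) {
            String name = nameOf(ids.next().toString());
            if (name.equals("ACFI_SEARCH_UPDATE")) {
                return Access.UPDATE;
            }
            if (name.equals("ACFI_SEARCH")) {
                access = Access.READ_ONLY;
            }
        }
        return access;
    }

    // The substring test, kept only to compare against resolve().
    static boolean containsMatch(Iterator<?> ids, String role) {
        while (ids.hasNext()) {
            if (ids.next().toString().contains(role)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample IDs, not taken from a real system.
        List<String> reader = Arrays.asList("GRUP.PRIVATE_DATASOURCE.un:ACFI_SEARCH");
        List<String> admin = Arrays.asList("GRUP.PRIVATE_DATASOURCE.un:ACFI_SEARCH_UPDATE");
        List<String> lookalike = Arrays.asList("GRUP.PRIVATE_DATASOURCE.un:OLD_ACFI_SEARCH_UPDATE_TEST");

        System.out.println("reader    -> " + resolve(reader.iterator()));
        System.out.println("admin     -> " + resolve(admin.iterator()));
        System.out.println("lookalike -> " + resolve(lookalike.iterator()));
        System.out.println("lookalike passes contains(): "
                + containsMatch(lookalike.iterator(), "ACFI_SEARCH_UPDATE"));
    }
}
```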

 

 

Overall, the idea is only to highlight which methods to use to build a custom login screen. Once you have a login screen that controls access based on roles, it’s a good start.

Since a UI application developed in PI is deployed in exactly the same way as on any Java application server, we furthermore have to make sure the points below are taken care of.

  1. Session management is handled so that invalid sessions, for example of more than 2 or 5 minutes, are closed by the application.
  2. DB connections are reused effectively and closed again to avoid DB connection leaks.
  3. Access to files inside the web content is forbidden: the user can only use the login page to log in to the application, and no other page, such as the landing page, should be accessible by bypassing the login page.
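
Points 1 and 3 can be enforced in one place with a servlet filter. The following is an added example, not code from the original application; the page, servlet and attribute names (/Login.jsp, /LoginServlet, authUser) are assumptions, and the 5-minute limit is read here as an idle timeout.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

public class LoginGuardFilter implements Filter {
    // Hypothetical names; adjust to the application's own pages.
    private static final String LOGIN_PAGE = "/Login.jsp";
    private static final String LOGIN_ACTION = "/LoginServlet";
    // Assumed to be set by the login servlet only after steps 1-4 have passed.
    private static final String USER_ATTR = "authUser";
    private static final int IDLE_SECONDS = 5 * 60;

    public void init(FilterConfig config) { }

    public void destroy() { }

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;

        // Only the login page and its form target are reachable without a session.
        String path = req.getServletPath();
        if (LOGIN_PAGE.equals(path) || LOGIN_ACTION.equals(path)) {
            chain.doFilter(rq, rs);
            return;
        }

        // getSession(false) never creates a session for an anonymous request.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            res.sendRedirect(req.getContextPath() + LOGIN_PAGE);
            return;
        }

        // The container invalidates the session after this much idle time.
        session.setMaxInactiveInterval(IDLE_SECONDS);
        // Keep protected pages out of browser and proxy caches.
        res.setHeader("Cache-Control", "no-store");
        chain.doFilter(rq, rs);
    }
}
```

Map the filter to /* in web.xml so that it also covers JSPs and static files under the web content.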