Problem with ITS bwwf_wi_deci service in WebSEAL sessions
Hi SDN friends,
We are implementing SSO with the following ...
IBM TAM 5.1
SAP Portal 6.0 SP13,
Internet Transaction Server 6.20 SP19
SAP 4.7 Backend
This is for an ESS application. The problem we are encountering is that when a manager accesses the workflow inbox service (ITS service), and they click on the approval button for a given approval request, we get an 'Access is denied' screen returned.
I have spent much time investigating this and it seems to appear because WebSEAL is failing to catch a particular circumstance whereby javascript in an ITS template is generating a URL.
The problem is definitely on the ITS side (ie. Portal is not the cause of this problem). If I execute the transaction through WebSEAL directly through ITS (ie. avoiding Portal) I encounter the same error.
It seems that the following javascript ...
function return_bwsp()
{
location.href="`ret_url`&okcode=WORK&BW02_1400-CHOICE=BAIN&dec_state=1&confirm_url=`~confirm_url`";
}
at runtime is sent out like the following ...
function return_bwsp()
{
location.href="/scripts/wgate/ze000009657d04/~flN ... etc ...etc confirm_url=/scripts/wgate/bwwf_wi_deci/ ... etc ...etc";
}
... and this code passes through WebSEAL unchanged. Of course, what should occur is that the WebSEAL junction should have been appended at the beginning of the /scripts/wgate instances.
My WebSEAL consultant tells me it is not possible for WebSEAL to capture this scenario. Has anyone else seen this and managed to overcome the problem?
Any thoughts would be appreciated and rewarded.
Thanks
John Moy