cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

REST on Tomcat -- different authentication requirements

Joe_Peters
Active Contributor

on ‎03-25-2019 3:33 PM

0 Kudos

I'm trying to set up REST on Tomcat instead of WACS. It mostly works, but I'm noticing a difference in authentication that is causing a problem,

I need to support SSO as well as logon via token. In WACS, this works fine. But in Tomcat, a call to /logon/token produces a 401 error. It appears that it is attempting to do an SSO logon first, prior to my token logon.

How can I configure biprws on Tomcat to NOT do a challenge/response authentication when /logon/long or /logon/token is used?

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (4)

Answers (4)

daniel_paulsen
Active Contributor
‎04-02-2019 2:15 PM
0 Kudos

Hi Joe,

Yes, I think its worth looking into sooner rather than later. If it is a limitation that cannot be worked around, then we will find out for sure, but I still think that logon/token and logon/long should be usable in an application even when adsso is configured

Show replies
Show replies
Joe_Peters
Active Contributor
‎04-02-2019 4:13 PM
0 Kudos

Ok, I'll open an incident

Thanks!

daniel_paulsen
Active Contributor
‎04-01-2019 11:46 PM
0 Kudos

Hi Joe,

I believe you should be able to get a response when calling /logon/long and the fact that it is not working through REST on Tomcat, is a defect.

Can you create a ticket with Support outlining your requirements and observations so this can be submitted for a fix rather than an enhancement?

Dan

Show replies
Show replies
Joe_Peters
Active Contributor
‎04-02-2019 1:57 PM
0 Kudos

Thanks for your reply, Dan.

Just to be clear -- /logon/long does work in a browser, since the browser can respond to the authentication challenge. It just doesn't work in other application (ex. Java) that can't respond to the authentication challenge. WACS only demands authentication on /logon/adsso.

Do you still think this is a defect?

Joe_Peters
Active Contributor
‎03-26-2019 12:59 PM
0 Kudos

I confirmed that when SSO is enabled, biprws-on-Tomcat applies the authentication filter to the entire directory tree, and not just /biprws/logon/adsso as it is in WACS. This prevents me from using biprws on Tomcat to support SSO and non-SSO connections.

I submitted an enhancement request to fix this: https://influence.sap.com/sap/ino/#/idea/228582

Show replies
Show replies
former_member230921
Active Contributor
‎03-25-2019 4:10 PM
0 Kudos

Supported Authentication types are same in Tomcat and WACS.

Configuration steps are different :

https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/

Show replies
Show replies
Joe_Peters
Active Contributor
‎03-25-2019 4:14 PM
0 Kudos

I've done the configuration in biprws.properties, using the values from web.xml in pjs. SSO works but /logon/long and /logon/token does not.

former_member230921
Active Contributor
‎03-25-2019 5:28 PM
0 Kudos

what is the error you are getting ?

secEnterprise ?

Joe_Peters
Active Contributor
‎03-25-2019 7:49 PM
0 Kudos

The error occurs when I try calling the API programmatically. The initial call to /biprws/logon/long returns a 401 (unauthorized).

When I try to connect to /biprws/logon/long via browser, it works. But in Fiddler I see that Tomcat is returning a 401, followed by a 200. When I connect to WACS instead, I just get the 200 response, which is what I expect.

It seems that in WACS, only the /logon/long/adsso page invokes the challenge/response, but in Tomcat it's the entire directory.

Ask a Question