REST on Tomcat -- different authentication requirements

I'm trying to set up REST on Tomcat instead of WACS. It mostly works, but I'm noticing a difference in authentication that is causing a problem.

I need to support SSO as well as logon via token. In WACS, this works fine. But in Tomcat, a call to /logon/token produces a 401 error. It appears that it is attempting to do an SSO logon first, prior to my token logon.

How can I configure biprws on Tomcat to NOT do a challenge/response authentication when /logon/long or /logon/token is used?

4 Answers

  • Mar 25 at 04:10 PM

    Supported authentication types are the same in Tomcat and WACS.

    Configuration steps are different:

    https://blogs.sap.com/2017/12/15/bi-platform-rest-sdk-rws-in-boe-4.2/

    • The error occurs when I try calling the API programmatically. The initial call to /biprws/logon/long returns a 401 (unauthorized).

      When I try to connect to /biprws/logon/long via browser, it works. But in Fiddler I see that Tomcat is returning a 401, followed by a 200. When I connect to WACS instead, I just get the 200 response, which is what I expect.

      It seems that in WACS, only the /logon/long/adsso page invokes the challenge/response, but in Tomcat it's the entire directory.

  • Mar 26 at 12:59 PM

    I confirmed that when SSO is enabled, biprws-on-Tomcat applies the authentication filter to the entire directory tree, and not just /biprws/logon/adsso as it is in WACS. This prevents me from using biprws on Tomcat to support SSO and non-SSO connections.

    I submitted an enhancement request to fix this: https://influence.sap.com/sap/ino/#/idea/228582

  • Apr 01 at 10:46 PM

    Hi Joe,

    I believe you should be able to get a response when calling /logon/long, and the fact that it is not working through REST on Tomcat is a defect.

    Can you create a ticket with Support outlining your requirements and observations so this can be submitted for a fix rather than an enhancement?

    Dan

    • Thanks for your reply, Dan.

      Just to be clear -- /logon/long does work in a browser, since the browser can respond to the authentication challenge. It just doesn't work in other applications (e.g. Java) that can't respond to the authentication challenge. WACS only demands authentication on /logon/adsso.

      Do you still think this is a defect?

  • Apr 02 at 01:15 PM

    Hi Joe,

    Yes, I think it's worth looking into sooner rather than later. If it is a limitation that cannot be worked around, then we will find out for sure, but I still think that logon/token and logon/long should be usable in an application even when adsso is configured.