Skip to Content
0

I'm struggling to configure authentication on our SMP server

Jul 18, 2017 at 10:51 AM

93

avatar image

I'm struggling to configure authentication on our SMP server so that users of our OpenUI5 mobile application can authenticate against our existing back end system. We were able to get this to work using SMP 3.0.3, but not using the newer SMP 3.0.10.11.

Requirements:

  • Our mobile application needs to allow multiple different back end users to log in to using same device. It sends the credentials using HTTP basic authentication, i.e. "Authorization:Basic" header in the HTTP request.
  • The back end system provides OData services with HTTP basic authentication. There is no session, i.e. the user is authenticated on each request via the Authorization header of the request, and no session cookie or SSO cookie is returned in the response.

We need have tried two different configuration approaches on SMP, without success.

Using "No Authentication Challenge"

In Settings, we created a security profile called "No Auth", and configured "No Authentication Challenge" as the only authentication provider, and set it as required.

In Applications:

  • Under "Back End", we configured the endpoint (http://172.18..../), did not check "Allow anonymous access", set the Rewrite Mode to "No Rewriting", and added a single SSO Mechanism of "Basic".
  • Under "Authentication", we selected the "No Auth" profile and unchecked "Check Impersonation".

We opened the application and registered successfully without providing a username or password. The registration reflects as user name "nosec_identity".

We then tried to log into the application with a valid username (admin) and password for the back end system. The application makes a service call to the SMP server, including these credentials in a basic authentication header (Authorization:Basic YW.............=).

So far so good, but the SMP server returned a 403 Forbidden error without sending the request to the back end system. The SMP debug log gives the reason as "No matched SSO credentials is found for not allowAnonymousAccess endpoint". I don't know why it couldn't use the "Basic" SSO which was configured for the endpoint:

#2.0#2017-07-18 11:49:52 AM#WARNING#RequestResponse#403##Proxy#1500371392748018#1b6118d6-40ea-49bf-90f8-6358de7a70c4#com.j5.app#com.sap.mobile.platform.server.proxy.core.handler.DirectProxy:handleException#nosec_identity#######2257#####Exception caught while trying to set credentials for anonymous access#

...

#2.0#2017-07-18 11:49:52 AM#FATAL#Proxy####1500371392748000#1b6118d6-40ea-49bf-90f8-6358de7a70c4#com.j5.app#DirectProxy:fireRequest#nosec_identity#######2257#####Forbidden No matched SSO credentials is found for not allowAnonymousAccess endpoint [com.j5.app]. : {"endPoint":"http.../odataservice/inspection_rounds/$metadata?0.6973737435488696","requestURL":"http:...:8080/com.j5.app/odataservice/inspection_rounds/$metadata","miscInfo":"Proxy Request Response","source":"SMP Server : Proxy","version":"1.0","responseCode":"403"}#

Using "HTTP/HTTPS Authentication"

In Settings, we created an security profile called "HTTP HTTPS", and configured "HTTP/HTTPS Authentication" as the only authentication provider, and set it as required. We also set its URL to a valid URL on the back end that performs basic authentication, and did not set any other fields in the settings.

In Applications:

  • Under "Back End", we configured the endpoint URL, checked "Allow anonymous access" (so we can register without providing credentials for a specific user), set the Rewrite Mode to "No Rewriting", and added a single SSO Mechanism of "Basic".
  • Under "Authentication", we selected the "HTTP HTTPS" profile and unchecked "Check Impersonation".

We opened the application and registered successfully without providing a username or password. This registration reflects as user name "anonymous". Although the registration is successful, the SMP log contains the following warnings for User Name "NA":

#2.0#2017-07-17 04:43:59 PM#WARNING#ApplicationSettings###Security#1500302639903001#9a43b81d08684a42895450ba54dc812d#com.j5.app#com.sybase.security.http.HttpAuthenticationLoginModule:login########708#####Anonymous authentication is not supported. #

#2.0#2017-07-17 04:43:59 PM#WARNING#Registration###Security#1500302639669001#9a43b81d08684a42895450ba54dc812d#com.j5.app#com.sybase.security.http.HttpAuthenticationLoginModule:login########730#####Anonymous authentication is not supported. #

We then tried to log into the application with a valid username (admin) and password for the back end system. The application makes a service call to the SMP server including these credentials in a basic authentication header.

Again, the SMP server returns a 403 Forbidden error without sending the request to the back end server.

The SMP log contains the following warning, for User Name "NA":

#2.0#2017-07-17 04:45:58 PM#ERROR#RequestResponse###Foundation#1500302758402001#92cd519b-39aa-4bce-a4e8-84cf1fc12364#com.j5.app#com.sap.mobile.platform.server.foundation.security.filter.AuthenticationFilter:doFilter########713#####The registered user anonymous for application connection doesn't match the login user admin#

So it seems that if we register anonymously, the app can't supply a username at login time.

Any help would be appreciated.

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

0 Answers