Skip to Content

UI5 App without authentification shows popup in browser (HTTP 401) due to call of /sap/bc/lrep

I would like to host a UI5 App without authentification. The app works well in Fiori Launchpad and via the direct link to the service in my user context.

To achieve it without authentification I entered a system user in the corresponding SICF services for the UI5 and the OData service. (like described here: https://blogs.sap.com/2015/08/05/disable-csrf-token-for-odata-calls-using-sap-netweaver-gateway/)

Example for the UI5 service:

Now I can call my two services without authentification:

/sap/bc/ui5_ui5/sap/z_system_info

/sap/opu/odata/sap/z_sm_system_info_srv

But the problem is that the browser shows a logon window like this:

As I found out this is caused by a call to sap/bc/lrep/flex/data/com.yourcompany.z_system_info.Component

All other resources are loaded fine and when I abort the message I can use the app without problems.

I thought about a problem with the CSRF Token, but the entry ~CHECK_CSRF_TOKEN=0 in the GUI_CONFIGURATION of the service as mentioned in the linked article did not change anything.

So I got the idea to switch the logon error page for the lrep service from explicit to system logon:

The result is that instead of a 401 the call gets back with a 200 status and a page where the user normally should log on:

But because it is loaded in the background it will never show up to the user.

I am aware that this is just a dirty workaround, so I would be interested if someone got the same problem or if there is a better solution to this problem? (Especially without modifying the lrep service.)

Add comment
10|10000 characters needed characters exceeded

  • Hi,

    now after a month without answers I would just like to know if there is a problem with the question or just nobody has been experiencing this problem so far?

    I am curious about your feedback.

  • Get RSS Feed

3 Answers

  • Best Answer
    Aug 03 at 09:08 AM

    Hello Tim,

    I found the root cause of this problem. It is happening because of a dependecy in your manifest file. Once you create the app with WebIDE, a dependency of '"sap.ui.comp": {},' is added in manifest file along with many others. This is responsible for calling the LREP service.

    If you remove this dependecy, it solves the issue.

    Regards,

    Ekansh

    Add comment
    10|10000 characters needed characters exceeded

    • Hello Ekansh,

      many thanks for your answer. I tried your solution and it works well, but I had to adapt my routing configuration.

      I had to add the "targetControl" property in manifest.json as described here, but I am not sure why:

      Regards

      Tim

  • Apr 16 at 09:58 AM

    Hi Tim,

    Check if the following KBA is useful for you:

    2568947 - SmartVariantManagement - Setup and Authorizations

    Best regards,
    Désirée

    Add comment
    10|10000 characters needed characters exceeded

    • Hi Désirée,

      thank you for the answer.

      I read the KBA you provided, which describes how to set up Smart Variant Management, but in my case I do not need it at all. I just had to enable the lrep service because otherwise I could not start the UI5 app from Fiori Launchpad. This is described here https://launchpad.support.sap.com/#/notes/2467759 and it solved this particular problem.

      But back to the KBA you mentioned: The problem is that I have no user to assign rights to, but I want to be able to open the URL anonymously. Which works due to the service user I entered except for the lrep service (that I technically not need for the app).

      Best regards

      Tim

  • Aug 01 at 12:33 PM

    Hello Tim,

    I am also facing the same problem. Did you get the proper solution for this?

    FYI. My app is very simple and not using any smart controls or variant management etc.

    Regards,

    Ekansh

    Add comment
    10|10000 characters needed characters exceeded