
How to disable web service authentication by sap-user string in url

Hi Experts,

I have published some RFC functions as a web service from my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword

I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.

Best regards,

Peter


1 Answer

  • Former Member
    Sep 04, 2008 at 10:02 AM

    > I have published some RFC functions as a web service from my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword

    This is expected behaviour for this authentication method. HTTP basic authentication is not exclusive to SAP, so you can also search the [The Internet Engineering Task Force website|http://www.ietf.org/] for the authentication method's details.

    > I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.

    Nice question. But why? Just curious.


    • Well, it's not a backdoor, but (extremely) bad style: a URL should never contain any authentication data (like UID & PWD), nor should it ever contain any (security) session ID (which, if valid, would allow skipping authentication).

      So, I agree with you / your customer: it should be (made) possible to configure the system to discard / ignore any authentication data contained in the URL.

      I recommend submitting a customer message to SAP (using message component BC-MID-ICF). You might refer to this SDN posting (by providing the URL) in the support ticket.

      PS: Basic Authentication is not much better, but at least the information (UID & PWD) is not sent in the clear (although it is simply Base64-encoded) and not in the URL (but in the HTTP header). Sending cleartext data in the URL is really the worst. The best is to use stronger authentication mechanisms (e.g. X.509 client certificates, Kerberos, biometric authentication mechanisms, etc.).
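The comment above makes the practical point behind the question: anything placed in the URL query string is copied into web server, proxy and browser-history logs in plain text. The following is an added example (not SAP code and not from anyone in this thread) showing the defender's side of that: it scans constructed access-log lines for the sap-user / sap-password parameters named in the question, reports which requests leaked logon data, and produces a redacted form of the URL that can be logged safely. The extra generic parameter names in CREDENTIAL_PARAMS and the Apache-style log format are assumptions, not something the thread specifies.

```python
"""Detect and redact SAP logon credentials passed as URL query parameters.

Added example for the thread above; not SAP code. It scans access-log
lines (constructed sample data) for the sap-user / sap-password style
parameters mentioned in the question and shows how such requests end up
recorded in plain text wherever URLs are logged.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names carrying logon data on SAP ICF URLs (from the thread),
# plus generic names a defender would also want flagged (assumption).
CREDENTIAL_PARAMS = {"sap-user", "sap-password", "password", "passwd", "pwd"}

# Constructed sample of Apache-style access log lines (not real data).
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Sep/2008:10:02:11 +0200] "GET /sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=myPassword HTTP/1.1" 200 4532',
    '10.0.0.6 - - [04/Sep/2008:10:03:40 +0200] "GET /sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100 HTTP/1.1" 401 0',
    '10.0.0.7 - - [04/Sep/2008:10:04:02 +0200] "POST /sap/bc/soap/rfc?sap-client=100 HTTP/1.1" 200 812',
    '10.0.0.8 - - [04/Sep/2008:10:05:17 +0200] "GET /sap/bc/ping?sap-user=monitor&x=1 HTTP/1.1" 200 12',
]

# Minimal parser for the common log format used in SAMPLE_LOG (assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def credential_params(url):
    """Return the sorted names of credential-bearing query parameters in a URL."""
    parts = urlsplit(url)
    names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    return sorted(names & CREDENTIAL_PARAMS)


def redact_url(url):
    """Replace the value of every credential parameter with REDACTED.

    Other parameters and their order are preserved, so the redacted URL is
    still useful for troubleshooting but no longer leaks the logon data.
    """
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def scan_access_log(lines):
    """Return (client_ip, method, leaked_param_names, redacted_url) per offending request."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        leaked = credential_params(m["url"])
        if leaked:
            findings.append((m["ip"], m["method"], leaked, redact_url(m["url"])))
    return findings


if __name__ == "__main__":
    for ip, method, leaked, safe_url in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {method} leaked {','.join(leaked)} -> {safe_url}")
```

Run over the constructed sample, the scanner flags two requests: the wsdl11 call from the question (both sap-user and sap-password) and the ping with only sap-user. The same logic can be dropped into a log-forwarding step so that credentials never reach a central log store, which addresses the consequence of the behaviour the thread describes while the ICF configuration change the commenter suggests is pursued with SAP.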