09-04-2008 4:17 AM
Hi Experts,
I am publishing some RFC functions as web services from my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-pa...
I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.
Best regards,
Peter
09-04-2008 11:02 AM
> I am publishing some RFC functions as web services from my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-pa...
This is expected behaviour for this authentication method. HTTP basic authentication is not exclusive to SAP, so you can also search the [The Internet Engineering Task Force website|http://www.ietf.org/] for the authentication method's details.
> I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.
Nice question. But why? Just curious.
09-08-2008 5:08 PM
Jurjen, thanks for your reply. There is no particular reason why; the only reason is that the customer thinks it is a back door and is not comfortable with it.
09-11-2008 10:51 AM
Well, it's not a backdoor, but it is (extremely) bad style: a URL should never contain any authentication data (like UID & PWD), nor should it ever contain any (security) session ID (which, if valid, would allow skipping authentication).
So, I agree with you / your customer: it should be (made) possible to configure the system to discard / ignore any authentication data contained in the URL.
I recommend submitting a customer message to SAP (using message component BC-MID-ICF). You might refer to this SDN posting (by providing the URL) in the support ticket.
PS: Basic Authentication is not much better, but at least the information (UID & PWD) is not sent in the clear (although it is simply Base64-encoded) and not in the URL (but in the HTTP header). Sending cleartext data in the URL is really the worst. The best is to use stronger authentication mechanisms (e.g. X.509 client certificates, Kerberos, biometric authentication mechanisms, etc.).
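The two points made in this thread (login data in the query string is logged and cached everywhere a URL goes, and a Basic-auth header is only Base64 rather than encrypted) can be checked mechanically at a reverse proxy or in a log review. The script below is an added example, not code from the thread or from SAP. It assumes the parameter name `sap-user` from the URL above, takes `sap-password` as the matching SAP ICF login parameter (an assumption; the thread's URL is cut off), and runs against a constructed sample of requests.

```python
import base64
from urllib.parse import urlsplit, parse_qsl

# Query parameter names that carry login data when placed in a URL.
# "sap-user" appears in the thread; "sap-password" is assumed to be the
# matching SAP ICF parameter (the posted URL is truncated after "sap-pa").
CREDENTIAL_PARAMS = {"sap-user", "sap-password"}

# Constructed sample: the URL shape from the thread, completed with a made-up
# password value so the detection has something to find.
SAMPLE_URL = ("http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE"
              "&sap-client=100&sap-user=myId&sap-password=secret")
CLEAN_URL = ("http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE"
             "&sap-client=100")
# base64("myId:secret"), as a browser would send it for Basic authentication.
SAMPLE_BASIC_HEADER = "Basic bXlJZDpzZWNyZXQ="


def find_url_credentials(url):
    """Return the credential-bearing query parameter names found in url, in order.

    A reverse proxy in front of the ICF could reject any request for which this
    list is non-empty, which is the configuration the thread asks for.
    """
    query = urlsplit(url).query
    return [name for name, _ in parse_qsl(query, keep_blank_values=True)
            if name.lower() in CREDENTIAL_PARAMS]


def decode_basic_auth(header_value):
    """Decode an 'Authorization: Basic <token>' value to (user, password).

    Returns None for any other scheme or a malformed token. This exists only to
    show that Basic authentication is an encoding, not encryption: anyone who
    sees the header recovers the password.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        # binascii.Error (raised on bad padding/characters) is a ValueError.
        raw = base64.b64decode(token, validate=True).decode("latin-1")
    except ValueError:
        return None
    user, sep, password = raw.partition(":")
    if not sep:
        return None
    return user, password


def audit_request(url, headers):
    """Return a list of findings for one request (empty list means clean)."""
    findings = []
    params = find_url_credentials(url)
    if params:
        findings.append("credentials in URL query string: " + ", ".join(params))
    creds = decode_basic_auth(headers.get("Authorization", ""))
    if creds and urlsplit(url).scheme.lower() != "https":
        findings.append("Basic auth over cleartext HTTP; user %r recoverable" % creds[0])
    return findings


# Constructed sample requests: (url, headers).
SAMPLE_REQUESTS = [
    (SAMPLE_URL, {}),                                        # password in URL
    (CLEAN_URL, {"Authorization": SAMPLE_BASIC_HEADER}),     # Basic over http
    (CLEAN_URL.replace("http://", "https://", 1),
     {"Authorization": SAMPLE_BASIC_HEADER}),                # Basic over https
]


def audit_all(requests=SAMPLE_REQUESTS):
    """Map each request index to its findings; clean requests are omitted."""
    return {i: f for i, (url, hdrs) in enumerate(requests)
            if (f := audit_request(url, hdrs))}


if __name__ == "__main__":
    for idx, findings in audit_all().items():
        for finding in findings:
            print("request %d: %s" % (idx, finding))
```

Only the first two sample requests produce findings; the third (Basic authentication over HTTPS, no login data in the URL) is the minimum the last reply considers acceptable, with client certificates or Kerberos preferred.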