How to disable web service authentication by sap-user string in url

peter_yu3
Participant

Hi Experts,

I am publishing some RFC functions as web services for my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-pa...

I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.

Best regards,

Peter


jurjen_heeck
Active Contributor

> I am publishing some RFC functions as web services for my SAP AS ABAP, and I set the authentication to basic. I can use HTTP basic authentication to call the service and get the result. But it also accepts passing user/password through the URL string: http://localhost:8001/sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-pa...

This is expected behaviour for this authentication method. HTTP basic authentication is not exclusive to SAP, so you can also search the [The Internet Engineering Task Force website|http://www.ietf.org/] for the authentication method's details.

> I want to disable this, so that no user/password can be passed through the URL string. Can anyone tell me how to do it? Thanks.

Nice question. But why? Just curious.


Jurjen, thanks for your reply. There is no reason why ...; the only reason is that the customer thinks it is a back door and is not comfortable with it.

WolfgangJanzen
Product and Topic Expert

Well, it's not a backdoor - but (extremely) bad style: a URL should never contain any authentication data (like UID & PWD), nor should it ever contain any (security) session ID (which, if valid, would allow skipping authentication).

So, I agree with you / your customer: it should be (made) possible to configure the system to discard / ignore any authentication data which is contained in the URL.

I recommend submitting a customer message to SAP (using message component BC-MID-ICF). You might refer to this SDN posting (by providing the URL) in the support ticket.

PS: Basic Authentication is not much better, but at least the information (UID & PWD) is not sent in the clear (although simply Base64-encoded) and not in the URL (but in the HTTP header). Sending cleartext data in the URL is really the worst. The best is to use stronger authentication mechanisms (e.g. X.509 client certificates, Kerberos, biometric authentication mechanisms, etc.).
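Until the system can be configured to ignore credentials in the URL, the practical defensive step is to find out whether anyone is actually sending them, since they then sit in proxy, web-server and ICM access logs. The following is an added example, not code from the thread or from SAP: it scans access-log lines in common log format for query parameters that carry authentication data and reports them with the values redacted. It assumes the password parameter is named sap-password (the URL quoted in the thread is truncated after "sap-pa") and that the log lines follow the constructed sample format shown.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query parameters that carry authentication data and should never appear in a URL.
# "sap-user" is taken from the thread; "sap-password" is an assumed name, because
# the URL quoted in the thread is truncated after "sap-pa".
SENSITIVE_PARAMS = {"sap-user", "sap-password"}

# Request part of a common-log-format line: '"GET /path?query HTTP/1.1"'
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def redact(value: str) -> str:
    """Keep only the length, so the finding itself does not leak the credential."""
    return "*" * len(value)


def find_credentials_in_urls(log_lines):
    """Return one finding per request whose query string carries auth data.

    Each finding is (line_no, path, {param_name: redacted_value}).
    Parameter names are matched case-insensitively; the original spelling is kept.
    """
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group("target"))
        # keep_blank_values so that an empty '?sap-password=' is still reported
        params = parse_qsl(parts.query, keep_blank_values=True)
        hits = {k: redact(v) for k, v in params if k.lower() in SENSITIVE_PARAMS}
        if hits:
            findings.append((line_no, parts.path, hits))
    return findings


# Constructed sample lines (not real traffic); the second mirrors the URL pattern
# discussed in the thread, the third shows upper-case parameter names.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2010:10:00:00 +0000] "GET /sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2010:10:00:01 +0000] "GET /sap/bc/soap/wsdl11?services=BAPI_PO_CHANGE&sap-client=100&sap-user=myId&sap-password=s3cret HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2010:10:00:02 +0000] "POST /sap/bc/soap/rfc?SAP-USER=admin HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for line_no, path, hits in find_credentials_in_urls(SAMPLE_LOG):
        print(f"line {line_no}: {path} carries {sorted(hits)}")
```

Because the values are redacted before they are returned, the report can be forwarded to the customer or a ticket without copying the credentials a second time.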