Former Member
Dec 05, 2008 at 02:35 PM

Basic Authentication without using SPNEGO


Hello everybody

We have configured SPNEGO in our portal and everything is working fine, but now we are going to use ESS and we want to protect some iviews, like the payroll. We want to ask for the user and password.

We have created a new template in the Visual Administrator-Security Provider with the following entries:

com.sap.security.core.server.jaas.EvaluateTicketLoginModule - Sufficient - ume.configuration.active:true =yes

BasicPasswordLoginModule REQUISITE {}

com.sap.security.core.server.jaas.CreateTicketLoginModule SUFFICIENT {ume.configuration.active=yes}

With this we have modified the authschemes.xml, adding the following lines:

Also, we have assigned this template to the iview.

Now, when we access the iview a logon screen pops up (this is ok), but even if we enter a correct user, after 3 tries a 401 error is shown (access denied).

What can be the cause of this behaviour?

I have opened a message in OSS but this is all I have got of them:

+the point is - when SSO Ticket is expired, it won't be 401-Not Authorized HTTP error, with header set to Negotiate, but just a J2EE runtime exception. This would allow the user's browser to renew the SSO Kerberos ticket, which is how SPNEGO works.

The user who is checking it is Guest user, so therefore you are getting it.+

They don't explain anything else because this issue isn't an error... "you know what I mean"

Here I send an extract of the trace created by the diagtool:

[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REQUEST:

{GET /irj/servlet/prt/portal/prtmode/preview/prtroot/pcd!3aportal_content!2fcom.sap.pct!2fevery_user!2fcom.sap.pct.erp.ess.bp_folder!2fcom.sap.pct.erp.ess.iviews!2fcom.sap.pct.erp.ess.benefits_payment!2fcom.sap.pct.erp.ess.area_benefits_payment?sap-config-mode=true HTTP/1.1

Accept: */*

Accept-Language: es

UA-CPU: x86

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)

Host: portal.lubasa.es

Connection: Keep-Alive

Authorization: Basic cnVnYXJjaWE6bmFyYW5qYTM=

Cookie: j_authscheme=ESS_SCH; UserUniqueIdentifier=1228379971997; PortalAlias=portal; saplb_*=(J2EE3080100)3080151; JSESSIONID=(J2EE3080100)ID1055733851DB01046363213849042466End; MYSAPSSO2=AjExMDAgAA9wb3J0YWw6UlVHQVJDSUGIABNiYXNpY2F1dGhlbnRpY2F0aW9uAQAIUlVHQVJDSUECAAMwMDADAANFUFAEAAwyMDA4MTIwNDIxNDEFAAQAAAAMCgAIUlVHQVJDSUH/AQUwggEBBgkqhkiG9w0BBwKggfMwgfACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGB0DCBzQIBATAiMB0xDDAKBgNVBAMTA0VQUDENMAsGA1UECxMESjJFRQIBADAJBgUrDgMCGgUAoF0wGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDgxMjA0MjE0MTIxWjAjBgkqhkiG9w0BCQQxFgQU9r0lROP9xSeA5thGNqyvEbaqrWswCQYHKoZIzjgEAwQvMC0CFQCV6qIJ2ofjbF/iMd9vVFd6U72dVwIUD7ENuEa2ID7ZVYY1kwtrrbs8!OU=; SAPPORTALSDB0=urn%253Acom.sapportals.appdesigner%253Aframework%2526isPersonalizeMode%3Dfalse

n/a

}

[Dec 4, 2008 10:42:25 PM ] - CLIENT: 4649216, REPLY:

{HTTP/1.1 401 Unauthorized

Server: SAP J2EE Engine/7.00

Content-Type: text/html;charset=ISO-8859-1

WWW-Authenticate: Basic Realm=Authentication

Pragma: no-cache

Content-Encoding: gzip

Content-Length: 594

Date: Thu, 04 Dec 2008 21:42:25 GMT

Set-Cookie: j_authscheme=ESS_SCH; Expires=Thu, 04-Dec-2008 21:42:35 GMT

n/a

}

Thank you in advance!

Rubé