
Why can I login using BOE Trusted Authentication without a secret or password

We have SAP BOE 4 SP6.

We configured Trusted Authentication with a shared secret, but it seems like I can bypass that and get a logon token from the browser without passing a secret or password, simply by passing the user in the header.

http://<myboeserver>:6405/biprws/logon/trusted

Header: X-SAP-TRUSTED-USER=<someuser>

Getting something back that looks like a valid token.

<entry xmlns="http://www.w3.org/2005/Atom">
  <author>
    <name>....</name>
  </author>
  <title type="text">Logon Result</title>
  <updated>2018-09-14T13:30:32.949Z</updated>
  <content type="application/xml">
    <attrs xmlns="http://www.sap.com/rws/bip">
      <attr name="logonToken" type="string">....&6.....&S9=299688,U3&qe=100,U3&vz=L3Z1XN53UmjGhMGUZpqqNglAmnLQyjI_xw76hyYKmOid2vBs5HGRxAlh7PaEF8ig,UP}
      </attr>
    </attrs>
  </content>
</entry>


5 Answers

  • Sep 14, 2018 at 05:39 PM

    That's the RESTful web service (https://apps.support.sap.com/sap/support/knowledge/preview/en/2437493). You would want to post that in the bi-dev-java forum.

    RESTful does not work the same as an application like BI launchpad / opendoc / CMC etc. It's supposed to generate a token for custom coding (at least that's my understanding), and I'm not quite sure how that all works, as it's handled by the DEV teams.

    -Tim


  • Sep 15, 2018 at 02:18 PM

    That's how it works. The "trust" is between the WACS server and the CMS. The WACS is pointed at a file that contains the shared secret, and this is read by WACS and then passed to the CMS for validation. This prevents someone from setting up their own WACS and pointing it at your CMS and then being able to log in as anyone they want.


  • Sep 16, 2018 at 04:28 AM

    Hi Tim

    Yes, that is what I am trying to do, get a token to be used in the REST API. Where is this "bi-dev-java" forum?


  • Sep 17, 2018 at 05:43 PM

    Actually, we moved the RESTful questions to the BOE Platform SDK forum,

    which I'll move you to.


  • Former Member
    Mar 20 at 04:25 PM

    Hello Florin,

    I'm in the same trouble trying to figure out how to secure this "trusted" API, as anyone can call it. I was expecting that the secret could be passed in parameters alongside the username.

    I don't understand how this works when the secret is on the same box that generated it; how do you know to trust who is passing the user?

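The trust model in the Sep 15 answer (WACS holds the shared secret, the CMS trusts WACS, so anyone who can send a request to WACS can assert any user in X-SAP-TRUSTED-USER) and the question in the last reply (how do you know whom to trust?) come down to one control: only a component that has itself authenticated the caller may reach /biprws/logon/trusted, and that component, not the client, must set the header. The Python below is an added example, not code from this thread or from SAP's product. It shows the header rule an authenticating reverse proxy in front of WACS has to apply, and a small check over access-log lines that flags trusted logons which bypassed the proxy. The proxy session table, the proxy address and the log lines are constructed sample data, and the log line layout is an assumption, not the real WACS log format.

```python
"""Added example, not code from the thread or from SAP.

1. forward_headers(): the rule an authenticating proxy in front of WACS
   must apply. Any X-SAP-TRUSTED-USER the client sent is discarded; the
   header is set only from the identity the proxy itself established.
2. find_direct_trusted_logons(): a check over access-log lines that lists
   callers of /biprws/logon/trusted that did not come through the proxy,
   i.e. callers who could assert any user, as in the original question.
"""
from __future__ import annotations

TRUSTED_USER_HEADER = "X-SAP-TRUSTED-USER"
TRUSTED_LOGON_PATH = "/biprws/logon/trusted"

# Constructed: sessions the proxy itself authenticated (SSO, client cert, ...).
# Keys are opaque session cookie values, values are the verified user names.
PROXY_SESSIONS = {"sess-4f1a": "florin", "sess-9c0b": "tim"}

# Constructed: the only address that should ever reach WACS with the header.
PROXY_ADDRESS = "10.0.0.5"


def forward_headers(client_headers: dict[str, str],
                    session_cookie: str | None) -> dict[str, str] | None:
    """Build the header set the proxy forwards to WACS.

    Returns None when the caller has no valid proxy session, so the request
    never reaches the trusted endpoint at all. Header names are compared
    case-insensitively because HTTP header names are case-insensitive; a
    client-supplied "x-sap-trusted-user" must be dropped just like the
    canonical spelling.
    """
    user = PROXY_SESSIONS.get(session_cookie or "")
    if user is None:
        return None
    # Strip every client-supplied copy of the trusted header, whatever its case.
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != TRUSTED_USER_HEADER.lower()}
    # Only now set it, from the identity the proxy verified.
    forwarded[TRUSTED_USER_HEADER] = user
    return forwarded


# Constructed access-log lines (assumed layout: client-ip method path status).
SAMPLE_LOG = """\
10.0.0.5 POST /biprws/logon/trusted 200
192.168.7.42 POST /biprws/logon/trusted 200
10.0.0.5 GET /biprws/infostore/4 200
172.16.3.9 POST /biprws/logon/trusted 200
"""


def find_direct_trusted_logons(log_text: str,
                               proxy_address: str = PROXY_ADDRESS) -> list[str]:
    """Return client addresses that reached the trusted logon endpoint
    without going through the proxy.

    Any address listed here could have asserted an arbitrary user, which is
    the thread's finding; the fix is to firewall WACS so that only the proxy
    can reach it, then re-run this check on fresh logs.
    """
    hits: list[str] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip malformed or truncated lines
        ip, _method, path, _status = parts[:4]
        if path == TRUSTED_LOGON_PATH and ip != proxy_address:
            hits.append(ip)
    return hits


if __name__ == "__main__":
    spoofed = {"X-SAP-TRUSTED-USER": "Administrator", "Accept": "application/xml"}
    print("authenticated caller ->", forward_headers(spoofed, "sess-4f1a"))
    print("no session           ->", forward_headers(spoofed, None))
    print("bypassed the proxy   ->", find_direct_trusted_logons(SAMPLE_LOG))
```

The point of the first function is that the spoofed "Administrator" value never survives: an authenticated caller gets a header carrying their own verified name, and an unauthenticated caller gets no request forwarded at all. The second function is only useful once WACS is reachable solely from the proxy address; until then, every entry it returns is a caller who could have logged on as anyone.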