Skip to Content
author's profile photo Former Member
Former Member

ABAP web service security

hi guys,

we have a couple of abap web services here that are called by an external .NET application. Currently, the .NET application can call the web service without passing on any username and password. Hence, there is no security. I wanted to change it and make it secure, so in SICF, i selected my WS, logon data tab and changed the procedure to standard and left the u/p blank. Also, made sure that the WS definition in se80 is set to basic authentication and SOA Manager is also set to HTTP authentication - username and password. But the .NET application can still call the web service without passing on any username and password. I cleared out all the caches etc.

Any idea as to why .Net app is not getting prompted for u/p ??

thanks

Add a comment
10|10000 characters needed characters exceeded

Assigned Tags

Related questions

3 Answers

  • author's profile photo Former Member
    Former Member
    Posted on Oct 14, 2010 at 08:15 AM

    How was it authenticating beforehand?

    Note that if you already are logged on and execute the service from SE80 then you already are "on the inside" and do not need to authenticate again.

    Another thing to check is within SICF the attributes of the service nodes are inherited from nodes higher up in the tree, unless they are set differently lower down. This also includes the logon data.

    Anyway, this is just speculation. The correct procedure is to use the logon trace (SM19 dynamic filters and ST11 dev trace) to find out what is exactly going on.

    Cheers,

    Julius

    Add a comment
    10|10000 characters needed characters exceeded

  • Posted on Jan 12, 2011 at 08:19 PM

    Hi,

    Which SAP Netweaver release are we talking about?

    The SOAMANAGER settings are sufficient. This will update the ICF node. Directly editing the SICF nodes is deprecated. Which username/password authentication method did you choose, document/message or http authentication?

    The WS definition in SE80 only defines a certain minimum level of security. For instance if you define Basic, then you the runtime configurations, the actual endpoints, cannot be configured with no authentication anymore. In SOAMANAGER only username/password and certificate based authentication mechanisms are allowed then.

    Regards,

    Mathias

    Add a comment
    10|10000 characters needed characters exceeded

  • author's profile photo Former Member
    Former Member
    Posted on May 23, 2011 at 09:53 AM

    I want to know how did you create an ABAP WebService without authentication as a result of which the external .NET application is able to call it without asking for the login credentials.I have a similar requirment,tired with many variations but not possible. Can u help with the same.

    Regards,

    Anuja S.

    Add a comment
    10|10000 characters needed characters exceeded

    • Former Member

      I want to know how did you create an ABAP WebService without authentication as a result of which the external .NET application is able to call it without asking for the login credentials.I have a similar requirment,tired with many variations but not possible. Can u help with the same.

      >

      > Regards,

      > Anuja S.

      Hi Anuja, to publish a web service without authentication you only have to configure the endpoint/service from transaction "SOAMANAGER" without marking any "Authentication Method" in the "Provider Security" tab.

      Regards.

Before answering

You should only submit an answer when you are proposing a solution to the poster's problem. If you want the poster to clarify the question or provide more information, please leave a comment instead, requesting additional details. When answering, please include specifics, such as step-by-step instructions, context for the solution, and links to useful resources. Also, please make sure that you answer complies with our Rules of Engagement.
You must be Logged in to submit an answer.

Up to 10 attachments (including images) can be used with a maximum of 1.0 MB each and 10.5 MB total.