02-21-2005 7:28 AM
Whenever a user logs into the portal, a cookie named MYSAPSSO2 is created. This encrypted cookie contains the logged-in user name. This cookie is used to do Single Sign-On to R/3 and other external systems. My question is:
In ABAP, has anyone tried to extract the user name from the MYSAPSSO2 cookie issued by the portal?
If yes, kindly tell us how it was done.
The cookie can be decrypted by using the portal system certificate installed in R/3.
Thanks and Regards,
Prasanna Krishnamurthy
02-21-2005 9:32 AM
Hello Prasanna,
Not sure if this is what you are looking for, but you can take a look at the class CL_HTTP_ENTITY, which I think is gonna be helpful to you.
Regards,
Anand Mandalika.
02-21-2005 2:40 PM
Prasanna,
well, the user id actually is not encrypted in the mysapsso2 cookie. You could read it in plain text, if you just knew the data structure (which has not been made public). But: why do you need to explicitly inspect the mysapsso2 cookie?
I assume you are writing some ABAP based web application (i.e. BSPs), right? Now, you would like to do some SSO between EP and your application. This can be realized without custom coding by simply configuring the target system properly. Transaction STRUSTSSO2 should help you out. Also take a look at the relevant security guides for your systems (available at service.sap.com/securityguide).
Regards,
Dominik
02-21-2005 3:42 PM
I also couldn't read the client cookie mysapsso2 via the normal ABAP way to read a client-side cookie:
" Server-side attempt to read the client cookie from the BSP request object
call method request->get_cookie
  exporting
    name  = 'MYSAPSSO2'
  importing
    value = application->sso_id.
But you can read it just fine via this JavaScript function:
function ReadCookie(cookieName)
{
  if (cookieName == "") return "";
  // Prepend "; " so the name only matches at a cookie boundary, not inside
  // another cookie's name or value
  var theCookie = "; " + document.cookie;
  var ind = theCookie.indexOf("; " + cookieName + "=");
  if (ind == -1) return "";
  var start = ind + cookieName.length + 3;          // skip "; name="
  var ind1 = theCookie.indexOf(';', start);
  if (ind1 == -1) ind1 = theCookie.length;
  return unescape(theCookie.substring(start, ind1));
}
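A stand-alone variant of the client-side cookie read above, added here and not part of the original post: it parses the whole cookie string into a name-to-value map with exact name matching (so a cookie such as XMYSAPSSO2, or the name appearing inside another cookie's value, is not mistaken for MYSAPSSO2) and splits only on the first "=" so a base64 ticket value with "=" padding survives. The cookie string is a parameter so the code also runs outside a browser; in a page you would pass document.cookie, and a cookie the server flagged HttpOnly will not appear there at all. The sample cookie string and ticket value are constructed placeholders.

```javascript
// Parse a document.cookie-style string ("a=1; b=2") into a map of
// cookie name -> decoded value. Object.create(null) avoids prototype
// names (e.g. "constructor") colliding with cookie names.
function parseCookieString(cookieString) {
  var cookies = Object.create(null);
  var parts = (cookieString || "").split(";");
  for (var i = 0; i < parts.length; i++) {
    var part = parts[i].trim();
    if (part === "") continue;
    // Split on the first "=" only: base64 ticket values may end in "=" padding
    var eq = part.indexOf("=");
    if (eq === -1) continue;                 // malformed pair, skip it
    var name = part.substring(0, eq).trim();
    var rawValue = part.substring(eq + 1);
    var value;
    try {
      value = decodeURIComponent(rawValue);  // browsers may percent-encode values
    } catch (e) {
      value = rawValue;                      // leave undecodable values untouched
    }
    if (!(name in cookies)) cookies[name] = value;  // first occurrence wins
  }
  return cookies;
}

// Return the value of the cookie with exactly this name, or null if absent.
function readCookie(cookieString, cookieName) {
  var cookies = parseCookieString(cookieString);
  return cookieName in cookies ? cookies[cookieName] : null;
}

// Constructed sample (not a real logon ticket): includes a cookie whose name
// merely contains MYSAPSSO2 and one whose value is the literal string MYSAPSSO2.
var SAMPLE_COOKIES =
  "JSESSIONID=abc123; XMYSAPSSO2=decoy; MYSAPSSO2=AjExMDAgAA%3D%3D; theme=MYSAPSSO2";

// In a browser, read the live cookie jar; offline, exercise the sample.
if (typeof document !== "undefined") {
  console.log("MYSAPSSO2 =", readCookie(document.cookie, "MYSAPSSO2"));
} else {
  console.log("MYSAPSSO2 =", readCookie(SAMPLE_COOKIES, "MYSAPSSO2"));
}
```

A plain substring search for "MYSAPSSO2" over the sample string would hit the XMYSAPSSO2 cookie first and return "decoy"; exact name matching returns the ticket value.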
02-23-2005 11:09 AM
What I am trying to do is this:
a. In a Java iView read the SSO Cookie
b. Pass this encrypted string to an RFC
c. The RFC should decrypt it
Why am I doing this? I want my RFCs to work only if the request is coming from a trusted portal server.
I am aware that by doing this the RFC can't be reused by any other application.
Thanks and Regards,
Prasanna Krishnamurthy
02-23-2005 12:40 PM
Prasanna,
this is not the way passing the SAP logon ticket via RFC is supposed to work. Please check the JCo documentation; JCo supports RFC logons based on SAP logon tickets (instead of uid/pw). The target system will automatically check the ticket (+ the user!) for validity and trustworthiness. It may also be good advice to read the portal's security guide to see how to configure an R/3 system to support SAP logon tickets.
Regards,
Dominik
02-23-2005 1:17 PM
Hi Dominik,
Thanks.
I don't want to check for the validity of the user as I am using User Mapping in the portal. I just want to ensure that the RFC can be executed only by a trusted portal server.
Let me go through the JCo documentation again.
Thanks and Regards,
Prasanna Krishnamurthy