07-07-2015 11:15 PM
Dear all,
I have a question on how user impersonation (in other words, user delegation) is supported by the SAP Java Connector (JCo).
Let's say I have a 3rd-party Java application communicating with an SAP NetWeaver ABAP-based system. The Java app actually manipulates the data in SAP by calling a BAPI. What are my possibilities of having the user which is used to connect from the Java app to SAP delegated? E.g. instead of using a generic user to manipulate the data, a real user (who is logged in to the Java app) would be used to make the call into SAP.
thanks
m./
07-08-2015 7:47 AM
Hi,
It's like connecting to an ABAP AS via any other method. You have to authenticate before it allows you to execute any FM. For example, check this example from the SAP documentation.
SAP JCo Scenario: Online Invoice - Components of SAP Communication Technology - SAP Library
Here the web app written in Java is using JCo to connect to the ABAP AS. It uses username and password for authentication, so it means it needs to know these for the current user. JCo also supports using logon tickets for authentication. In that case the app somehow needs to get the ticket for a user.
Cheers
07-10-2015 11:03 AM
Hi Martin,
Basically your suggestion is to use logon ticket authentication (tickets issued by an external authority). A user who is authenticated and has a valid ticket would not be checked in SAP again; SAP would simply allow running the BAPI as the user having the ticket. There needs to be an SNC connection established between the Java app and SAP to make this work, I believe. Do I get it correctly?
I was thinking whether there is more "out of the box" support for impersonation in JCo. Something like having more parameters within the JCo connection, e.g. ImpersonUserId along with UserId...
However, it turns out that this is not the case in JCo...
It seems this kind of "out of the box" impersonation is supported by the NW RFC SDK 7.1, which has a parameter e.g. USREXTID...
Thanks!
cheers
m./
07-10-2015 12:07 PM
Hi,
I am not sure if SNC is required, but it's a good idea to encrypt the traffic. I don't understand what you mean by "out of the box" impersonation. RFC works exactly the same from an authentication point of view as any other connection, e.g. HTTP. You need to be authenticated somehow to execute an RFC. It would be a massive hole if the client could choose which user will be used for execution. BTW, this is how the BO server works. When you use an ABAP user, it first calls an FM using a service user to get a logon ticket, and this logon ticket is then reused for all subsequent calls. If you use a BO internal user, you need to set up a trust between BO and the ABAP AS. When you do that, the BO server can generate a valid ticket for any user. Note that SAP does not provide a library to generate these logon tickets.
Cheers
07-14-2015 7:51 PM
Hi Martin,
Just to explain what I mean by "out of the box" impersonation. Currently a JCo call has user/pwd which need to be provided as parameters. Together with these there would be 2 more parameters, e.g. ImpersonUser/ImpersonPwd. Then, when the BAPI call is executed, user/pwd is used to log in to SAP. If there is any data manipulation in SAP by the BAPI (e.g. a sales order is created), ImpersonUser would be used to create that data; e.g. ImpersonUser would appear in table VBAK in its ERNAM field, which says who created the order. Of course ImpersonUser/ImpersonPwd would also be checked as to whether these credentials really exist in the system before the BAPI execution, otherwise the whole BAPI call would be rejected (so no security hole). In short, we can say that the BAPI is "run as" the ImpersonUser user.
Is there any way I could somehow work around this in JCo?
PS: What do you mean by "BO server", some BusinessObjects product?
thanks
m./
07-14-2015 8:14 PM
Hi,
I did not check the JCo API, but I am pretty sure that you can make two calls with different users from the same app. You can just create multiple instances of the JCo client, and each client will use a different user. How they authenticate (user/password or SSO logon) is a different issue. Yes, I meant the BusinessObjects server.
Cheers
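As an added example (not code from this thread, from SAP, or from the JCo documentation), here is how the approach in the last reply looks with the JCo 3 API: instead of one generic service user, the Java app keeps one JCo destination per logged-in end user, authenticated either with that user's own password or with a MYSAPSSO2 logon ticket issued for that user. Because the ABAP side authenticates each destination itself, the BAPI runs as that user, that user's authorizations are checked, and that user's name lands in fields like VBAK-ERNAM, without any client-chosen "run as" parameter. The DestinationDataProvider interface, the jco.client.* property constants and STFC_CONNECTION are real JCo/ABAP names; the host, system number, client, user names, the environment variable holding the ticket and the destination names are assumptions for illustration.

```java
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;

import com.sap.conn.jco.JCoDestination;
import com.sap.conn.jco.JCoDestinationManager;
import com.sap.conn.jco.JCoException;
import com.sap.conn.jco.JCoFunction;
import com.sap.conn.jco.ext.DestinationDataEventListener;
import com.sap.conn.jco.ext.DestinationDataProvider;
import com.sap.conn.jco.ext.Environment;

/** One JCo destination per end user of the Java app (example, not SAP code). */
public class PerUserDestinations {

    /** In-memory provider: JCo asks it for the properties of a named destination. */
    static final class InMemoryProvider implements DestinationDataProvider {
        private final Map<String, Properties> destinations = new ConcurrentHashMap<>();
        private DestinationDataEventListener listener;

        void put(String name, Properties props) {
            destinations.put(name, props);
            if (listener != null) listener.updated(name); // tell JCo to drop cached connections
        }

        void remove(String name) {
            destinations.remove(name); // credentials leave memory when the user logs out
            if (listener != null) listener.deleted(name);
        }

        @Override public Properties getDestinationProperties(String name) {
            Properties p = destinations.get(name);
            if (p == null) throw new RuntimeException("unknown destination " + name);
            return p;
        }
        @Override public boolean supportsEvents() { return true; }
        @Override public void setDestinationDataEventListener(DestinationDataEventListener l) { listener = l; }
    }

    /** Connection data shared by all users; host/sysnr/client are assumed values. */
    static Properties systemProperties() {
        Properties p = new Properties();
        p.setProperty(DestinationDataProvider.JCO_ASHOST, "sap-as.example.invalid");
        p.setProperty(DestinationDataProvider.JCO_SYSNR, "00");
        p.setProperty(DestinationDataProvider.JCO_CLIENT, "100");
        p.setProperty(DestinationDataProvider.JCO_LANG, "EN");
        p.setProperty(DestinationDataProvider.JCO_POOL_CAPACITY, "1");
        return p;
    }

    /** Destination authenticated with the end user's own SAP user and password. */
    static Properties passwordDestination(String sapUser, String password) {
        Properties p = systemProperties();
        p.setProperty(DestinationDataProvider.JCO_USER, sapUser);
        p.setProperty(DestinationDataProvider.JCO_PASSWD, password);
        return p;
    }

    /** Destination authenticated with an SAP logon ticket issued for the user; no user/password needed. */
    static Properties ticketDestination(String mysapsso2Ticket) {
        Properties p = systemProperties();
        p.setProperty(DestinationDataProvider.JCO_MYSAPSSO2, mysapsso2Ticket);
        return p;
    }

    public static void main(String[] args) throws JCoException {
        InMemoryProvider provider = new InMemoryProvider();
        Environment.registerDestinationDataProvider(provider); // only one provider per JVM

        // Two web-app users, two destinations: each call runs as the user whose credentials it carries.
        provider.put("ALICE", passwordDestination("ALICE", System.getenv("ALICE_SAP_PASSWORD")));
        provider.put("BOB", ticketDestination(System.getenv("BOB_MYSAPSSO2")));

        for (String name : new String[] {"ALICE", "BOB"}) {
            JCoDestination dest = JCoDestinationManager.getDestination(name);
            // STFC_CONNECTION is the standard RFC ping; any BAPI would be called the same way.
            JCoFunction fn = dest.getRepository().getFunction("STFC_CONNECTION");
            fn.getImportParameterList().setValue("REQUTEXT", "hello from " + name);
            fn.execute(dest); // ABAP authenticates and authorizes this call as 'name'
            System.out.println(name + " -> " + fn.getExportParameterList().getString("ECHOTEXT"));
        }

        provider.remove("ALICE");
        provider.remove("BOB");
    }
}
```

Two points a practitioner would check before relying on this. First, a logon ticket is only accepted if the ABAP system trusts its issuer (the ACL maintained in STRUSTSSO2), which is the trust setup described for the BusinessObjects case above; JCo itself cannot mint tickets. Second, ticket authentication does not depend on SNC. SNC is the transport-protection layer (JCO_SNC_MODE and the other jco.client.snc_* properties), and without it both the password and the MYSAPSSO2 ticket cross the network unencrypted, which is the reason to switch it on even though the authentication works without it.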