Enterprise Resource Planning Blogs by SAP
Get insights and updates about cloud ERP and RISE with SAP, SAP S/4HANA and SAP S/4HANA Cloud, and more enterprise management capabilities with SAP blog posts.
cancel
Showing results for 
Search instead for 
Did you mean: 
thomas-salvador
Employee
Employee
4,702
Authenticating a consumer for access to SAP Business ByDesign depends on the concrete way chosen and them used technology. The following example shows how to login to ByDesign - with username and password - with JavaScript.

JavaScript does not allow unrestricted cross site calls. If you execute your script somewhere, the application can talk to the server it was started on (SCP account, some server, localhost), but it cannot call other systems.

This is for security reasons.

For testing purposes, you can disable security in some browsers, e.g. in Google Chrome. You can do this by closing all open Google Chrome instances and starting it from the command line (e.g. Win+R) with

chrome.exe --disable-web-security --user-data-dir=c:\temp .

Cookies should be allowed.

If you host your application on the SAP Cloud Platform, you can use destinations to access your system conveniently.
var sHost = "https://YOUR_SERVER";
var sUser = "USERNAME";
var sPassword = "PASSWORD";

var sGetTokenModulePath = sHost + "/sap/ap/ui/login";
var sUrl, sXsrfToken;

function fMain(sXsrfToken) {
// process app (main,...)
}

function handleLoginResponse(body) {
// If no redirect is needed this code is being executed
alert("Handle login reps");
if (!body.login) {
alert("Login failed");

} else {
if (fMain) {
fMain(); // Remote, login is done using form based login
}
}
}

function handleTokenReceived(data, textStatus, XMLHttpRequest) {
var oResponseParameters = new Object();
oResponseParameters.sysinfo = new Object();
sXsrfToken = XMLHttpRequest.getResponseHeader("sap-xsrf");
sURL = sHost;

// Check if already authenticated
if (XMLHttpRequest.responseText.indexOf("state=authenticated") === -1) {

// not authenticated, login
var xmlDoc = $.parseXML(XMLHttpRequest.responseText);

$(xmlDoc).find("Data").each(function() {
$(this).find("Element").each(function() {
oResponseParameters.sysinfo[$(this).attr("name")] =
$(this).attr("value");
});
});
var sXsrfToken = oResponseParameters.sysinfo["sap-login-XSRF"];
$.ajax({
url: sGetTokenModulePath,
type: "POST",
dataType: "json",
data: {
"sap-alias": sUser,
"sap-password": sPassword,
"sap-login-XSRF": sXsrfToken
},
beforeSend: function(xhr) {
xhr.setRequestHeader("x-sap-request-xsrf", "X");
},
success: handleLoginResponse,
error: function(jqXHR, textStatus, errorThrown) {
// error callback, also called when response is not in JSON format...
if (fMain) {
fMain(sXsrfToken); // Remote, form based login
}
}
});
} else { // authenticated, call app main
fMain(sXsrfToken);
}
}

function doLogin() {
$.ajax({
url: sGetTokenModulePath,
type: "POST",
beforeSend: function(xhr) {
xhr.setRequestHeader("x-sap-request-xsrf", "X");
},
success: handleTokenReceived,
error: function(jqXHR, textStatus, errorThrown) {
alert("Get Login Token call failed");
}
});
}

It starts at doLogin().

  • A POST call with set header x-sap-request-xsrf is issued to fetch the CSRF protection token.

    • If it cannot be received, the script ends with an error message.

    • Otherwise handleTokenReceived() is executed. This checks, if the consumer is already logged in.

      • If the consumer is logged in, it just calls the main function fMain() that would realize the real app functionality. The security token is passed in, as it has to be supplied with every call that changes data in the system.

      • If the consumer is not yet logged in, the security token is extracted from the returned document, and a POST call to the login URL is executed, supplying username and password, secured by the just extracted security token.

        • If this fails the script exits with an error message.

        • Otherwise, the consumer is logged in, and the main function fMain() is executed.








If login issues occur during local testing, it is often either active security functionality or rejected cookies.
17 Comments