on 2004 Aug 23 3:34 PM
Hi,
I am trying to integrate a web application that has basic
authentication using the application integrator. I have two
questions:
1. When the "at" (@) sign is part of the mapped username or password,
how can it be passed? This sign is part of the
UserMappingTemplate too, and it doesn't work when the URL
looks like http://user:pass@word@site.com/
2. If the external application has the same username and password
as the portal's ones, how can they be used instead of
user mapping?
Thank you,
Yuri
I have the exact same problem...
Anybody got through or around this? How do you do user mapping to a standard basic authentication site?
Hi,
For the 1st part of your question I have no answer. Sorry.
For the 2nd part I use the "User Mapping Type" in the system definition with the value admin. Then go to the UserMapping and define a mapping for the system.
Stephan
Hi,
I tried to integrate my BASIC authenticated web app with the app integrator.
When I call the page with the iView I see (through a tool) that the browser requests the correct page like https://user:pw@server.com.
But the page cannot be displayed since Microsoft has shipped a patch for IE and you cannot call a Basic Authentication through a URL directly. Is there another way to call a Basic Auth. web app? A solution where you don't have to change code at the target app? Not like the one described in 'Enabling SSO from EP to Non-SAP-Apps'?
Regards Ralph
Ralph,
basically there is a way of logging on to a basic secured side other than using the "@"-approach. HTTP basic credentials are transferred in the HTTP headers of a client's request. Thus, by creating appropriate headers on your own you could log on.
But: This would require you to proxy all HTTP requests to the target application and include the authentication header (HTTP authentication is not only sent for the first request but also for all subsequent requests to this page). This is a feature EP does not support. So, if you need a solution that runs with the portal's included mechanisms, the answer is "no" (sad as it is).
Alternatively, the changed behaviour that came with the IE's security patch can be switched off resp. reversed to the earlier default behaviour by the use of a registry key. A Google search should bring you to the correct key.
Regards,
Dominik
Dominik,
thanks a lot for your answer. But as we plan our portal for about 10.000 users, the security admins won't be really amused if we try to change the registry.
But your suggestion for the HTTP authentication sounds interesting. Does that mean there is a servlet which gets all the requests for the BASIC auth. web app and enriches the HTTP header with the user / password?
The user / password should then be read from the user mapping.
Is the solution sth. like:
http://www.unix.org.ua/orelly/java-ent/servlet/ch08_01.htm
Or do you have a working example?
Thanks in advance
Regards
Ralph
Ralph,
Yes, basically the idea is shown at the URL you provided. If you intend to code your own solution, you would additionally need to be aware of these issues:
- The user ID and password required for HTTP basic authentication will need to be retrieved from the user mapping (there is a portal API for this...)
- You will have to add the HTTP basic header to all requests that go to the target application (think of JS files, images etc. that are included in an HTML page). Essentially you will have to build up a real proxy server as an iView. This will definitely be no trivial task.
So if you need a solution very soon, I would suggest to get in touch again with your security guys and discuss this registry thing. If you are using Active Directory in your Windows landscape, a simple group policy should be sufficient for changing the reg value to its earlier default behaviour. Alternatively, you might take a look around what proxy servers with the option to integrate HTTP basic are there on the market.
Lastly, if the application to be integrated had been developed in-house, you might want to talk with these guys about other authentication variants. Maybe they can include SAP Logon Ticket support or form based authentication (instead of basic this approach will only need to pass a user's credentials on its first request per session)?
Regards,
Dominik
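Added example, not part of the thread: a Java sketch of the per-request header approach Dominik describes, which also sidesteps the "@" problem from the first post because the credentials never appear in a URL. The USER_MAPPING map is a constructed stand-in for the portal's user mapping lookup (the real portal API is not shown on this page), and the class and method names are hypothetical.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class BasicAuthForwarder {
    // Constructed sample data standing in for the portal's user mapping (assumption).
    static final Map<String, String[]> USER_MAPPING =
        Map.of("portal_user", new String[] {"user", "pass@word"});

    // Basic credentials are base64("user-id:password"). Only the user-id must be
    // colon-free; '@' needs no escaping because nothing here is parsed as a URL.
    static String basicHeader(String user, String password) {
        if (user.indexOf(':') >= 0) {
            throw new IllegalArgumentException("user-id must not contain ':'");
        }
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    // Prepares ONE backend request with the mapped credentials attached. A proxy
    // has to call this for every resource (HTML, JS, images), not only the first page.
    static HttpURLConnection open(String portalUser, URL target) throws IOException {
        // base64 is an encoding, not encryption: only send the header over TLS.
        if (!"https".equals(target.getProtocol())) {
            throw new IOException("refusing Basic auth over " + target.getProtocol());
        }
        String[] cred = USER_MAPPING.get(portalUser);
        if (cred == null) {
            throw new IOException("no user mapping for " + portalUser);
        }
        HttpURLConnection conn = (HttpURLConnection) target.openConnection();
        conn.setRequestProperty("Authorization", basicHeader(cred[0], cred[1]));
        return conn; // not yet connected; the caller streams the response back
    }

    public static void main(String[] args) throws IOException {
        System.out.println(basicHeader("user", "pass@word"));
        // Placeholder path on the host name used in the first post.
        HttpURLConnection c = open("portal_user", new URL("https://site.com/app/logo.gif"));
        System.out.println(c.getURL() + " prepared with Authorization header");
    }
}
```

If the credentials must still go into a URL, the "@" in the password has to be percent-encoded as %40 so that only the last "@" separates the userinfo from the host.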
Hi Dominik,
thanks a lot.
As all the webapps are developed in-house it seems to be the most uncomplicated way to develop a new form based login page. (Or develop a login library like it is described in the article 'Enabling SSO ...')
All the other solutions (maybe except the commercial HTTP Proxy Servers) seem to lead to errors and long night debugging sessions.
Thanks and
Regards
Ralph