cancel
Showing results for 
Search instead for 
Did you mean: 

Web Service Homepage: Authority check failed

0 Kudos

Dear Colleagues,

I have created a Web Service and now I want to test it via its Web Service Homepage (TA WSADMIN). The Homepage is displayed correctly, but testing leads to an error:

Authority check failed

Are there any prerequisites I maybe do not accomplish?

(I tested a very similar web service in another system, and there it works)

Here are some more information about my service:

- Service was build with Web Service Wizzard out of a function module

- Here you can see the conversation resulting of the test:

POST /sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003 HTTP/1.1

Host: bsl8011.wdf.sap.corp:50073

Content-Type: text/xml; charset=UTF-8

Connection: close

Cookie: <value is hidden>

Cookie: <value is hidden>

Authorization: <value is hidden>

Content-Length: 381

SOAPAction: ""

<?xml version="1.0" encoding="UTF-8" ?>

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xs="http://www.w3.org/2001/XMLSchema">

<SOAP-ENV:Body>

<ns1:Z_TEST_WS_CONFIG xmlns:ns1='urn:sap-com:document:sap:rfc:functions'>

<INPUT>TEST</INPUT>

</ns1:Z_TEST_WS_CONFIG>

</SOAP-ENV:Body>

</SOAP-ENV:Envelope>

HTTP/1.1 500 Internal Server Error

content-type: text/xml; charset=utf-8

content-length: 363

sap-srt_id: 20060404/125124/v1.00_final_6.40/1B0831447838C429E10000000A424016

server: SAP Web Application Server (1.0;700)

<soap-env:Envelope xmlns:soap-env="http://schemas.xmlsoap.org/soap/envelope/">

<soap-env:Body>

<soap-env:Fault>

<faultcode xmlns:n0="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">n0:FailedAuthentication</faultcode>

<faultstring xml:lang="e">Authority check failed</faultstring>

</soap-env:Fault>

</soap-env:Body>

</soap-env:Envelope>

The WSDL-Document looks as follows:

<?xml version="1.0" encoding="utf-8"?><wsdl:definitions targetNamespace="urn:sap-com:document:sap:rfc:functions" xmlns:http="http://schemas.xmlsoap.org/wsdl/http/" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/" xmlns:tns="urn:sap-com:document:sap:rfc:functions" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><wsdl:types><xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:tns="urn:sap-com:document:sap:rfc:functions" targetNamespace="urn:sap-com:document:sap:rfc:functions" elementFormDefault="unqualified" attributeFormDefault="qualified"><xsd:simpleType name="char60"><xsd:restriction base="xsd:string"><xsd:maxLength value="60"/></xsd:restriction></xsd:simpleType><xsd:element name="Z_TEST_WS_CONFIG"><xsd:complexType><xsd:sequence><xsd:element name="INPUT" minOccurs="0" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element><xsd:element name="Z_TEST_WS_CONFIGResponse"><xsd:complexType><xsd:sequence><xsd:element name="OUTPUT" type="tns:char60"/></xsd:sequence></xsd:complexType></xsd:element></xsd:schema></wsdl:types><wsdl:message name="Z_TEST_WS_CONFIG"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIG"/></wsdl:message><wsdl:message name="Z_TEST_WS_CONFIGResponse"><wsdl:part name="parameters" element="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:message><wsdl:portType name="Z_TEST_Q73_CONFIG_WS"><wsdl:operation name="Z_TEST_WS_CONFIG"><wsdl:input message="tns:Z_TEST_WS_CONFIG"/><wsdl:output message="tns:Z_TEST_WS_CONFIGResponse"/></wsdl:operation></wsdl:portType><wsdl:binding name="Z_TEST_Q73_CONFIG_WSSoapBinding" type="tns:Z_TEST_Q73_CONFIG_WS"><soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/><wsdl:operation name="Z_TEST_WS_CONFIG"><soap:operation soapAction=""/><wsdl:input><soap:body use="literal"/></wsdl:input><wsdl:output><soap:body use="literal"/></wsdl:output></wsdl:operation></wsdl:binding><wsdl:service name="Z_TEST_Q73_CONFIG_WSService"><wsdl:port name="Z_TEST_Q73_CONFIG_WSSoapBinding" binding="tns:Z_TEST_Q73_CONFIG_WSSoapBinding"><soap:address location="http://bsl8011.wdf.sap.corp:50073/sap/bc/srt/rfc/sap/Z_TEST_Q73_CONFIG_WS?sap-client=003"/></wsdl:port></wsdl:service></wsdl:definitions>

Can anyone help me, I have no Idea

Message was edited by: Hans-Peter Bauer

Accepted Solutions (0)

Answers (5)

Answers (5)

Former Member
0 Kudos

I am having the same issue also and don't have that SAP_QAP_WEBSERVICE_ALL role. Any screenshots on what Auth. Objects and values to those objects it has? So if we dont have that role, we can mimic it somehow?

Former Member
0 Kudos

Hey, for those still looking on what to do for the Authority check failed issue if you are in Web AS 6.40 patch 13, look at this link:

http://help.sap.com/saphelp_nw04/helpdata/en/2b/07074155bcf26fe10000000a1550b0/content.htm

Supposedly there is another role you can assign aside from SAP_QAP_WEBSERVICE_ALL, it is the SAP_BC_WEBSERVICE_ADMIN. And you add that role differently than you do other roles. Go to the Menu tab of your role configuration, click on Authorization defaults for services, last selection is called Type of Ext. Service, and choose WS from the dropdown list. Then in the Service field, when you do a lookup (F4), you should find your created ICF service.

I haven't fully tested it yet, but it looks like that would work.

Former Member
0 Kudos

Hi Angel,

Can you please elaborate more on this?

Our security team refused to provide SAP_BC_WEBSERVICE_ADMIN role as I am developer not administrator.

I am getting error "Authority check failed" when trying to test my web services.

How can I get authorization of SAP_QAP_WEBSERVICE_ALL role. This role doesn't exist in system. What objects are included in this role?

Waiting for your reply.

Thanks in advance,

Bhavik

athavanraja
Active Contributor
0 Kudos

to run webservices, you only need.

S_SERVICE

and

S_DEVELOP

with

objtype = WEBI and WEBS

Raja

Former Member
0 Kudos

I had the same exact error that you encountered and I am trying to resolve it. You said the issue was resolved by adding the profile SAP_QAP_WEBSERVICE_ALL to your ID.

We are on 6.40 with SAP BASIS Patch 13. But we cannot see this role. Any clues on where we can retrieve this role?

Former Member
0 Kudos

Hi Hans-Peter,

I was not able to execute other service present in the system as well.

I think there is some authorization problem with the server itself.

Can you try creating an IT/IBC message under the component DEV-BICONT-USER and explain this problem there.

Hope this helps,

Regards,

Vikas

0 Kudos

It talked with IT/IBC support but they cannot find any wrong setting, but it seems to be indeed a configuration problem. Thank you for that hint. I created an internal note. Maybe they can help me.

Peter

athavanraja
Active Contributor
0 Kudos

are you able to run the RFC within the system with the same user id? without hitting the authorization error

Regards

Raja

0 Kudos

Helpful hint, thank you. But the RFC call works fine.

0 Kudos

The problem is solved by adding the role SAP_QAP_WEBSERVICE_ALL to my user (and a change of the logon group).

But thank you all for your help.

Best regards,

Peter

Former Member
0 Kudos

hi,

IMHO you should nevertheless file an OSS because it shouldn't throw an error 500 in such a case. users will again and again not understand what's wrong.

moreover it doesn't seem to be the best solution if a serviceconsumer needs an ...-_ALL authorization. or did you mean you already had an error during service creation

which you didn't recognize in time?

regards,

anton

0 Kudos

Hi Anton,

You are right. I will leave the OSS open. Creating the service was not the problem. There error will appear, if a user tries to consume the WS.

best regards,

Peter

Former Member
0 Kudos

HI,

the client no it is showing is 003.

if the client is not correct you can access the service by passing the client in the following way.

http://iga03019b.in.intelligroup.com:8000/sap/bc/bsp/sap/zwas_display_material03/default.htm?sap-cli...

here i have specified client as 800 you can specify your right client.

Jaffer vali shaik

Former Member
0 Kudos

hi jaffer,

look at the WSDL. It's showing client 003. So the client is correct. if the client were incorrect the system were supposed to throw 404 or 403.

regards,

anton

athavanraja
Active Contributor
0 Kudos

Welcome to SDN.

from WSADMIN when you click webservice homepage the wsnavigator of J2EE engine opens and the first thing it will ask is

"<i>The selected endpoint requires basic authentication. Please, enter correct username and password:"</i>

Did you provide this and still get the error?

Regards

Raja

0 Kudos

Yes I did, that is not the problem.

After login I can see the "designtime features" of my service. The error will appear if I goto "test", fill in the requiered input parameters and press "send".

athavanraja
Active Contributor
0 Kudos

Ok. just to make sure.

can you right click and see the properties from the <b>test</b> link to see whether right sap-client is populated?

Regards

Raja

0 Kudos

The message server defined in the SAP-Logon is us4278.wdf.sap.corp

But the url of the web service starts with http://us4185:58500/wsnavigator/jsps/explorer.jsp?description=WebServiceZ_TEST_Q73_CONFIG_WS

But I think that's not the problem, is it? As I mentioned above the test page can be shown, but the after filling in the input parameters an pressing send, there appears the authorisation error.

For better illustration I made some screenshots for you:

1) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_OVERVIEW.gif

2) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_INPUT_FORM.gif

3) http://wipux2.wifo.uni-mannheim.de/~wi01211/sonstiges/WS_HOMEPAGE_TEST_reqest_response.gif

What can be wrong, if the error "n0:FailedAuthentication" appears?

Regards,

Peter

Message was edited by: Hans-Peter Bauer

Former Member
0 Kudos

Hi there,

I suppose you accidentially defined your service to use WS-Security, a webservice security extension.

If WS-Security isn't customized properly on your system or if you haven't assigned a security profile (transactions WSCONFIG and WSSPROFILE) or if the testing tool simply isn't able to create WS-Security-Messages then you might get this error.

hope that helps,

anton

Former Member
0 Kudos

btw,

you might read <a href="http://help.sap.com/saphelp_nw2004s/helpdata/en/e1/af3a40243c174ee10000000a1550b0/content.htm">this</a> this for further info.

0 Kudos

Hello Anton!

Thank you for that information. But I am using the default security settings. I built my fuction module, started the Web-Service Wizzard and accepted all settings as they are by default (basic auth). So that should not be the problem.

Has anybody another ideea?

Thanks in advance,

Peter

Former Member
0 Kudos

hi,

hard to diagnose from a distance. whats interesting is that you get an HTTP error 500 = internal server error.

it should be 401 - Unauthorized - if authorization worked but you supplied wrong (or no) credentials. sometimes webservers erroneously reply a 403 - forbidden - in that case, but 500 points to some misconfiguration. Also the returned namespace of the soap fault seems strange to me in a case where WS security is not enabled. Even the content of SOAP fault code hints at an error since there where no need to prefix the code with n0.

you can try to debug it at runtime...goto transaction SICF, select the service and choose Start Debugging from the menu. Call the service and see a debugger window open in the sapgui. step through this but hurry, the client closes the connection after 60 or 90 secs.

regards,

anton