
ABAP web service security

Former Member
0 Kudos

hi guys,

We have a couple of ABAP web services here that are called by an external .NET application. Currently, the .NET application can call the web service without passing on any username and password. Hence, there is no security. I wanted to change it and make it secure, so in SICF, I selected my WS, logon data tab and changed the procedure to standard and left the u/p blank. Also, made sure that the WS definition in SE80 is set to basic authentication and SOA Manager is also set to HTTP authentication - username and password. But the .NET application can still call the web service without passing on any username and password. I cleared out all the caches etc.

Any idea as to why the .NET app is not getting prompted for u/p?

thanks

4 REPLIES

Former Member
0 Kudos

How was it authenticating beforehand?

Note that if you already are logged on and execute the service from SE80 then you already are "on the inside" and do not need to authenticate again.

Another thing to check is within SICF the attributes of the service nodes are inherited from nodes higher up in the tree, unless they are set differently lower down. This also includes the logon data.

Anyway, this is just speculation. The correct procedure is to use the logon trace (SM19 dynamic filters and ST11 dev trace) to find out what is exactly going on.

Cheers,

Julius

0 Kudos

Hi,

Which SAP NetWeaver release are we talking about?

The SOAMANAGER settings are sufficient. This will update the ICF node. Directly editing the SICF nodes is deprecated. Which username/password authentication method did you choose, document/message or http authentication?

The WS definition in SE80 only defines a certain minimum level of security. For instance, if you define Basic, then the runtime configurations, the actual endpoints, cannot be configured with no authentication anymore. In SOAMANAGER only username/password and certificate based authentication mechanisms are allowed then.

Regards,

Mathias

Former Member
0 Kudos

I want to know how did you create an ABAP WebService without authentication as a result of which the external .NET application is able to call it without asking for the login credentials. I have a similar requirement, tried with many variations but not possible. Can u help with the same.

Regards,

Anuja S.

0 Kudos

> I want to know how did you create an ABAP WebService without authentication as a result of which the external .NET application is able to call it without asking for the login credentials. I have a similar requirement, tried with many variations but not possible. Can u help with the same.

>

> Regards,

> Anuja S.

Hi Anuja, to publish a web service without authentication you only have to configure the endpoint/service from transaction "SOAMANAGER" without marking any "Authentication Method" in the "Provider Security" tab.

Regards.
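
Whether an endpoint really demands credentials has to be checked from outside the SAP system, since a test started from SE80 already runs inside a logged-on session. The Python sketch below is an added example, not code from any poster in this thread: it sends a SOAP POST with no credentials and classifies the answer. The stub server, its `/open` and `/secured` paths and the function names are constructed for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

SOAP_BODY = (b'<soapenv:Envelope xmlns:soapenv='
             b'"http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body/></soapenv:Envelope>')

def probe_auth(url, timeout=5):
    """POST an empty SOAP envelope with no credentials and classify the response."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # direct, no proxy
    req = urllib.request.Request(url, data=SOAP_BODY, method="POST",
                                 headers={"Content-Type": "text/xml; charset=utf-8"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            status, challenge = resp.status, ""
    except urllib.error.HTTPError as err:
        status, challenge = err.code, err.headers.get("WWW-Authenticate", "")
    if status == 401 and challenge.lower().startswith("basic"):
        return "enforced"   # server challenged for HTTP Basic credentials
    if 200 <= status < 300:
        return "open"       # request was answered without any credentials
    return f"inconclusive ({status})"

class _Stub(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in: /open answers anyone, /secured demands Basic auth."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/secured" and "Authorization" not in self.headers:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="constructed"')
        else:
            self.send_response(200)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo quiet

def demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), _Stub)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    try:
        return {path: probe_auth(base + path) for path in ("/open", "/secured")}
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print(demo())
```

Point `probe_auth` at the endpoint URL of a service you administer; an `open` result means the endpoint still answered a caller that sent no credentials.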