
Single Sign on in a 3 tier architecture between SAP Netweaver CE and R/3

Former Member
0 Kudos

Hi All,

I am trying to implement SSO using SAP logon tickets in a 3 tier architecture between NW CE and R/3. But so far I have not been able to crack this.

Let me describe the scenario in detail:

We have two Java EE applications on Netweaver CE7.2 Application Server:

1. UI: Just handles all the UI logic: js, jsp, css, html, extjs. It calls the Business Layer Java EE application to get data from back-end systems.

2. Business Layer: Calls R/3 SOAP services, does some processing on them and exposes the data back to the UI via a RESTful JSON service (implemented using Java Spring framework).

Both UI and Business Layer Java EE applications define login modules to be used for SAP logon tickets. So the architecture is like this:

UI---RESTful--->Business Layer---SOAP--->ABAP R/3

So ideally when the UI link is clicked it prompts the user for authentication (uses CE UME) and then the UI application calls the Business Layer, which then calls R/3. This unfortunately doesn't work. The authentication between UI and Business Layer Application fails.

However, if you remove the Business Layer Java EE application and call the SOAP service directly from the UI, SAP logon tickets start working.

So I have been able to make SAP logon tickets work with the following 2 tier architecture:

UI---SOAP--->R/3

So my question is:

Is there a way to use SAP logon tickets in a 3 tier architecture between NW CE and R/3 (for the scenario described above)? Any help/pointers/documentation links would be great.

11 REPLIES 11

Former Member
0 Kudos

martin_voros
Active Contributor
0 Kudos

Hi,

from your description it looks to me that the business layer does not pass the SSO ticket to R/3. If I understand your setup, the user logs on to the CE system and gets an SSO ticket signed by the CE system. Any ticket signed by CE is accepted in R/3. Is this right? Have you tried to trace the SOAP call in R/3 (transaction SMICM) to see why it fails?

Cheers

0 Kudos

Hey Martin,

To enable SSO I updated web.xml and engine-j2ee.xml for both UI and Business Layer application according to the login module stacks defined (the first one) in the following link:

http://help.sap.com/saphelp_NW70EHP1/helpdata/en/04/120b40c6c01961e10000000a155106/content.htm

Initially both UI and Business Layer had the same entries for web.xml and engine.xml. But since this was not working I did all kinds of testing. For UI I used FORM based authentication and for Business Layer I was using "BASIC" authentication.

I tested the following scenarios:

1. Without any changes to the above XML files: The Business Layer rejects any requests from the UI. I checked the browser and the "MYSAPSSO2" cookie was created. Somehow the UI doesn't use this to call the Business Layer. Or the Business Layer rejects the token itself.

2. I removed authentication from the Business Layer application (Web.xml) keeping the UI the same: The call went to R3 but returned an "UnAuthorized" error back. In this case also, at the browser level the "MYSAPSSO2" token was created but was not used by the Business Layer to call R3.

3. Then I did all sorts of permutations and combinations with the sample login modules provided (see link above) on both the UI and Business Layer applications. Nothing worked. All combinations led to two results which were the same as 1 and 2.

It seems all this is happening because of another application in between UI and R3.

Hope this clarifies.

Thanks,

Dhannajay

0 Kudos

But those settings just control the authentication mechanism for the Java application. The problem is that it looks like the business layer does not pass that SSO ticket to R/3. Basically, after you authenticate yourself with username and password you get an SSO ticket. This ticket is used whenever you access the UI. As far as I understand your design, the UI calls a RESTful service from the business layer. This call is done from the browser, so that connection has access to the SSO ticket, so the business layer can reuse it for authentication. The problem is the other connection between the business layer and the R/3 backend. It looks like the business layer does not take the SSO ticket and reuse it for the second connection. How to pass that SSO ticket depends on how the business layer is implemented.

Cheers

0 Kudos

Precisely the problem, Martin.

How do you pass a ticket programmatically? I have been looking for ways to do this.

The R3 service is a SOAP-based service which is consumed in the business layer by importing the WSDL and generating proxy classes.

0 Kudos

Not an expert in Java so I don't know. But you should be able to retrieve the MYSAPSSO2 cookie from a request to the business layer and then pass it to R/3. Usually a web service call is over HTTP so you just need to set that cookie for that connection. First, I would try to trace that call on the R/3 box to see what the problem really is. If you go to transaction SMICM you can set trace level to 2 and 3 (Goto -> Trace Level). You should be able to see a trace of that web service call with all errors. Just check what you are getting there.

Cheers
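
The cookie hand-off described in the reply above, as an added example that is not part of the original thread: it reads MYSAPSSO2 from the request that reached the business layer and sets it as the only cookie on the outbound JAX-WS call. The class name `LogonTicketForwarder` is hypothetical, and it is an assumption that the generated proxy implements `BindingProvider` and that the JAX-WS runtime in use honours `MessageContext.HTTP_REQUEST_HEADERS`.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.xml.ws.BindingProvider;
import javax.xml.ws.handler.MessageContext;

/** Hypothetical helper for the business layer (name is an assumption). */
public final class LogonTicketForwarder {
    static final String TICKET_COOKIE = "MYSAPSSO2";

    private LogonTicketForwarder() {}

    /** Returns the caller's logon ticket, or null if absent or malformed. */
    public static String extractTicket(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies(); // null when no cookies were sent
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (TICKET_COOKIE.equals(c.getName()) && isSafeCookieValue(c.getValue())) {
                return c.getValue();
            }
        }
        return null;
    }

    /** Rejects values that could split or extend the outbound Cookie header. */
    static boolean isSafeCookieValue(String v) {
        if (v == null || v.length() == 0) return false;
        for (int i = 0; i < v.length(); i++) {
            char ch = v.charAt(i);
            // No control characters, whitespace, non-ASCII or cookie separators.
            if (ch <= 0x20 || ch >= 0x7f || ch == ';' || ch == ',' || ch == '"') return false;
        }
        return true;
    }

    /** Sets only the ticket cookie on the generated proxy's next HTTP request. */
    public static void attachTicket(BindingProvider port, String ticket) {
        if (!isSafeCookieValue(ticket)) {
            throw new IllegalArgumentException("no usable logon ticket");
        }
        Map<String, List<String>> headers = new HashMap<String, List<String>>();
        headers.put("Cookie", Collections.singletonList(TICKET_COOKIE + "=" + ticket));
        port.getRequestContext().put(MessageContext.HTTP_REQUEST_HEADERS, headers);
    }
}
```

The ticket is a bearer credential, so it should only be attached to calls that go over HTTPS to the configured R/3 endpoint and should never be written to application logs.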

0 Kudos

Well, I tried searching on the SAP help portal but was not able to find anything. Never mind how the Business layer is implemented; what I need is pretty straightforward:

1. I have a J2EE web module as UI

2. I have a J2EE web module as Business Layer

3. I have a R3 Service

Now what I need is a document which can tell me how to implement Single Sign-On for this using SAP logon tickets. I can change my Business Layer implementation accordingly.

So far all documentation on help.sap.com seemed pretty vague and none of them tells exactly how you can solve the problem. Most importantly there is no sample code or sample applications available.

0 Kudos

Hi,

check this document: http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/ae399f0d-0301-0010-cebf-bb13f430af55?quicklink=index&overridelayout=true. I believe that it describes exactly what you need.

Cheers

0 Kudos

Thanks Martin.

Yeah, this somewhat meets my requirements, but the problem is we use NW CE7.2. There are a lot of changes in NWDS and NW in general for the 7.2 release and predictably there is no documentation for it.

Things like these make Netweaver a very difficult technology to use. Anyways, I will try to map this with NW7.2.

0 Kudos

After doing more research on this, it seems that even if you pass the MYSAPSSO2 ticket to the Business Web App from the UI Web Module, the ticket is invalid, as it appears to be valid only if used by the UI web module DC.

Is there a way to programmatically generate a MYSAPSSO2 token by userid/pwd?

0 Kudos

Why is that ticket invalid? Have you tried to trace that connection to see why authentication fails?

Cheers