Skip to Content

Archived discussions are read-only. Learn more about SAP Q&A

WebService basic userid,pwd authentication with in SAP Landscape.

Dear Friends,

I really appreciate If you could help in the following scenario,that would be really awesome help..

Background:

-


1. We have webservice set up in ECC6.0

2. We need to call the same webservice from consumer abap proxy in CRM within the same SAP landscape .

3. we want to use basic user/pwd authentication to implement between webservice PROVIDER and consumer abap proxy (webservice client)

Help needed:

-


What steps are needed to configure secure suthentication in SAP in the view of both provider, consumer , where to configure the user id / pwd authentication and how.

Note: We are not using PI in the middle, it is a direct sap to sap system communication .

Thanks and Regards.

Suraj.

Former Member
Former Member replied

Hi Suraj,

Question 1:

The user + pwd combination (in the logical port) grants the consumer (service) access to the ECC Web Application Server. So authentication is at Web AS level and not per specific web service. This means that (depending on what additional authorization roles you specify for this user) this user + pwd combo could potentially have access to other web services on ECC. So choose user + pwd + roles and how you convey this to the consumer carefully. This is also a very "low" security option (hence it's called "basic authentication"), i.e. these details are not protected over the network and you could probably catch it with a basic network sniffer. So if your user + pwd combo is correct, you are granted Web AS access but this does not necessarily translate to the web service's successful execution...See question 2 for more...

Question 2:

So (after question 1) you've now been granted Web AS access. The WS Runtime will then do an authorization (does the user have the necessary SERVICE roles) check to execute web services. Once that is passed, depending on the business function being exposed as a service, there might be additional authorization checks to see if the user is able to execute what is being requested from a business perspective. So there are technical and business authorization checks.

If all of that is passed, then you have a success.

Regards, Trevor

0 View this answer in context

Helpful Answer

by
Not what you were looking for? View more on this topic or Ask a question