on 12-13-2004 5:21 PM
Is there a way of linking to an abap report in the web portal system without using the www_get_selscreen function? R/3 version 4.0 and an ITS server is being used.
The abap reports all work from system>services>reporting in the portal, but I'd like to offer a web page which just lists a couple of reports.
May be this weblog is useful for you.
/people/durairaj.athavanraja/blog/2004/09/23/pass-parameter-to-its-url-upadated-21st-june-2008
Regards
Raja
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
Thank-you for your reply.
The use of http://<ITS_SERVER>:<port>/scripts/wgate/webgui/?client=<client>&login=<userid>&password=<password>&language=<language>&transaction=ks03&CSKSZ-KOSTL=425100&okcode=GRUN works well.
Do you know if there is an easy way to hide the web address so the user can't see which transaction they are logging into, or use this format to access a transaction they shouldn't be able to.
Then you need to use HTML form and have some hidden fields with the values and use them to direct to this URL.
or you can place an iframe within the page and load the page with this url. The user wont see this url.
There are many ways we can handle this within HTML form.
If you want code sample do let me know.
Regards
Raja
Hi Karen,
from the security point of view it's not a good idea to submit user/pw via HTTP (at least HTTPS). If you use a technical user for this (means everyone uses the same user/pw) it's better to copy the webgui service to a different name and add the user/pw information to the service file. But please keep in mind that anybody can use this technical user to access your system so restrict the permissions for this user to only the reports you really need.
Regards Ralph
Hi,
As Ralph pointed out from the security point of view we should not be using the user id password in the URL at all. The example i gave you was just to show how that can be done.
With regard to calling the url inside an iframe use the below code.
<iframe name="I1" src="<your ITS report url" width="690" height="566"></iframe>
Regards
Raja
Hi Durairaj,
I'm afraid the only safe way to avoid passing a clear text username / password combination via the network is to work with ITS-service-files or with encryption as Ralph described above.
Whether you try to hide the URL-string-parameters through an iframe or an html form - both methods are insecure. A user just has to record the HTTP Headers the browser sends to the web server via a network sniffer or (even easier) a browser plugin (like HTTPWatch for Internet Explorer or LiveHTTPHeaders for Mozilla Browsers). There you can read username and password in clear text.
Best regards,
Henning.
Hi Henning,
My iframe sample is not to hide userid / password , i understand the security concerns and people can get this info in so many ways. The original thread poster wanted to know how he can hide the transaction code from being displayed in the URL. Again this is not a foolproof method.
Regards
Raja
Hi Durairaj, hi Karen,
Well, if the transaction code is static and the username and password are static (meaning: technical user) it shouldn't be a lot of work to create an ITS-service-file that contains transaction, username and password hardcoded (and is also configured to prevent the user from changing the transaction within webgui).
It prevents malicious users from getting to know the content of these parameters (because they aren't submitted anywhere and therefor you don't have to hide them) and through that you can also avoid to be able to change the transaction code (the service should be configured to prevent the user from changing the transaction within webgui).
Then you would be on the safe side and you could also use an iframe to make the url calling the ITS service invisible too.
OK: If there are three transactions needed there would be the need for three service files. But if it is a limited number of transactions this shouldn't be a lot of work.
Karen, please contribute to this discussion and tell us if we are still helping you to solve your problem. ;o)
Best regards,
Henning.
It was the transaction code that I wanted to hide.
I have written a javascript that uses window.open() to create a link dynamically when the uses clicks the hyperlink for the relevant transaction. By setting the address bar to not be visible this has solved the problem. The users never see the full URL.
Thanks for your help
Karen
User | Count |
---|---|
84 | |
10 | |
10 | |
9 | |
7 | |
6 | |
6 | |
5 | |
4 | |
4 |
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.