NetWeaver Gateway Support for CORS

former_member186439
Participant
0 Kudos

I am trying to run an SAPUI5 JavaScript application to read data from a NetWeaver Gateway OData service.  I am running into cross origin policy issues.

My SAPUI5 code is running in a different domain from the OData service.  The web service is secured using Basic Authentication (user ID and password).

This is what is happening...

  • JavaScript is trying to send a GET request to the web service.
  • The Browser sees this as cross origin, so it kicks into something called 'CORS Preflight' and sends an OPTIONS request instead of a GET.
  • Since the web service wants authentication data and doesn’t see any, it returns a 401 error to the Browser.
  • Fail

I tried rewriting the JavaScript to send an Authentication header.  However, the authentication data is never included in the OPTIONS request.

I did some more research, and I found that the CORS specification says two things:  1) OPTIONS shouldn’t require authentication on the server side, and 2) the browser will strip all headers from OPTIONS requests (including the Authentication Header!) before sending the request.  Tilt.

It would seem that SAP’s support for CORS is lacking because it is requiring authentication on OPTIONS requests. Is there something more I can do to get SAP to allow OPTIONS requests to be made unauthenticated?

Accepted Solutions (0)

Answers (5)

Former Member
0 Kudos

How do we do this if we don't have an Apache Server?


Thanks

Sahil

Former Member
0 Kudos

Hi Steve-

I was able to fix the error by making changes in the Apache Web Server sitting in front of my SAP Portal. The following helped in fixing it:

RewriteEngine On 
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

Basically, send an HTTP 200 for every OPTIONS request which comes in to Apache.

Reference - http://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests

-Amit

former_member388328
Active Contributor
0 Kudos

Hi Steven,

Even though the system returns a bad request, it does not mean that it is a CORS issue. Please log in to the backend system and go to tcode /IWFND/ERROR_LOG. Check if the system is logging an error here. If it is logging, select the error and click on active source. You can see the source code where there is an exception. You can even paste the source here with the class name and method, so we can help you with why you are getting that error.

Thanking you

Vengaiah

former_member186439
Participant
0 Kudos

I can see what is happening in Fiddler.  The OPTIONS request is sent.  A 401 is returned.  This behavior is not in line with the CORS specification.  If I cannot call this a "CORS issue", what should I call it?

Former Member
0 Kudos

Hi Steven-

Were you able to find a solution for your problem? Does the Apache tweak of limiting OPTIONS work for you?

  1. Disabling authentication on OPTIONS using <LimitExcept> (see http://serverfault.com/questions/684855/disable-authentication-for-http-options-method-preflight-req...).

Thanks

-Amit

former_member186439
Participant
0 Kudos

We have not tried this.  So far, we are looking at proxying the requests.

We found this example on how to write a simple ABAP proxy -  https://www.youtube.com/watch?v=RnWlIooOoIw

Former Member
0 Kudos

Maybe you want to have a look at . Furthermore, the and spaces are more appropriate for this discussion thread. You should be able to find several similar ones there.

former_member186439
Participant
0 Kudos

The Gateway Protection Against Cross-Site Request Forgery attacks doesn't apply.  That scheme requires an X-CSRF-Token to be retrieved using a GET request.  My situation is preventing that GET from even happening in the first place.

Former Member
0 Kudos

Read on... the comments starting on the second page and continuing to the third page also address CORS.

former_member186439
Participant
0 Kudos

I guess you are referencing Andre Fischer's comment that "CORS is not supported by the SAP NetWeaver stack. You would have to use a reverse proxy instead."

Is it possible to drop down to the Apache configuration level and configure CORS behavior by doing the following?

  1. Disabling authentication on OPTIONS using <LimitExcept> (see http://serverfault.com/questions/684855/disable-authentication-for-http-options-method-preflight-req...).
  2. Adding a custom Response Header that inserts the Access-Control-Allow-Origin header (see http://alextsilverstein.com/programming-and-development/quick-apache-tip-add-a-custom-http-response-...).
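
The reverse-proxy handling discussed in this thread, as an added example that is not code from any poster or from SAP: a decision function a proxy in front of the OData service could use to answer genuine preflights without authentication while still sending everything else to the backend to be authenticated. The origin `https://ui5.example.com`, the method and header lists, and the name `corsDecision` are assumptions made for illustration.

```javascript
// Added example: preflight handling for a reverse proxy in front of an OData service.
// ALLOWED_ORIGINS and the method/header lists are assumed values, not from the thread.
const ALLOWED_ORIGINS = new Set(['https://ui5.example.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['authorization', 'content-type', 'x-csrf-token'];

// Decide what the proxy does with one request.
// headers: object with lower-case header names (as Node's http module provides).
// Returns { action: 'respond', status, headers } or { action: 'forward', headers },
// where headers are the CORS headers to send, or to add to the backend's reply.
function corsDecision(method, headers) {
  const origin = headers['origin'];
  const cors = { Vary: 'Origin' };
  const trusted = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (trusted) {
    // Echo the exact origin: browsers reject '*' on credentialed requests.
    cors['Access-Control-Allow-Origin'] = origin;
    cors['Access-Control-Allow-Credentials'] = 'true';
  }
  const requestedMethod = headers['access-control-request-method'];
  const isPreflight =
    method === 'OPTIONS' && origin !== undefined && requestedMethod !== undefined;
  if (!isPreflight) {
    // Real requests, and OPTIONS that are not preflights, still go to the
    // backend and are authenticated there.
    return { action: 'forward', headers: cors };
  }
  const requestedHeaders = (headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = trusted &&
    ALLOWED_METHODS.includes(requestedMethod) &&
    requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    // No Access-Control-Allow-* headers, so the browser blocks the real request.
    return { action: 'respond', status: 403, headers: { Vary: 'Origin' } };
  }
  cors['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  cors['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  cors['Access-Control-Max-Age'] = '600';
  return { action: 'respond', status: 204, headers: cors };
}
```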