
HTTP Adapter - Security question/issue

Former Member
0 Kudos

Hi

1. In the HTTP client used to communicate with the HTTP adapter, we enter the username and password of the user who has the SAP_XI_APPL_SERV_USER role in IS. Is there a means to hide this credential info?

2. How to avoid that an HTTP sender would take the identity of another sender?

regards

krishna

Accepted Solutions (1)

bhavesh_kantilal
Active Contributor
0 Kudos

Krishna,

Exactly why you have the concept of Access Control List.

Check these blogs and see if they help with your problem:

/people/rahul.nawale2/blog/2006/06/16/acl--confine-users-sending-messages

/people/community.user/blog/2006/11/15/security-access-control-via-assigned-users

Regards

Bhavesh

Former Member
0 Kudos

Bhavesh,

That's wonderful.

Thanks for the info.

But how can I hide the credential info found in the request URL?

http://<host>:<port>/sap/xi/adapter_plain?namespace=&interface=&service=http_sender&party=&agency=&s...

regards

krishna

bhavesh_kantilal
Active Contributor
0 Kudos

Krishna,

The user ID and password have to be a part of the HTTP URL, as this is how, when the call hits the IE, it is validated against the user credentials.

As you are using the HTTP client currently, you are able to see the generated URL, but in a real time you will be hiding the actual URL being generated from the end user, and so this should not be an issue.

Regards

Bhavesh

MichalKrawczyk
Active Contributor
0 Kudos

Hi,

Use the SOAP adapter to do the HTTP call.

This way you will not have credentials in your HTTP string (in the SOAP adapter you can use noSOAP mode, which can be used for HTTP "non web service" calls).

Regards,

michal

XI / PI FAQ - Frequently Asked Questions: /people/michal.krawczyk2/blog/2005/06/28/xipi-faq-frequently-asked-questions

Answers (1)

Former Member
0 Kudos

Thank you "experts" for your answers

Bhavesh,

>>>>>but in a real time you will be hiding the actual URL being generated from the End User and so this should not be an issue

How will the URL actually be hidden? Without the URL, they won't be able to communicate with XI, right?

Michal,

Is there any available doc on using the SOAP adapter with the "no-soap" option set?

Can you give more details on the same?

Thanks and regards

Krishna

bhavesh_kantilal
Active Contributor
0 Kudos

Krishna,

In a normal case, you would write application code that will dynamically trigger the call to XI by constructing the URL (the application code will do this) and posting data to XI. This URL need not be made visible to the end user at all.

Regards

Bhavesh
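
The arrangement described in the reply above, as an added example that is not part of the original thread: server-side application code holds the XI user in its own environment, builds the adapter URL itself, and redacts the credential parameters before the URL is logged. The environment variable names, the function names, the `text/xml` content type and the `sap-user`/`sap-password` parameter names are assumptions; the URL quoted in the thread is truncated before its credential parameters.

```python
import os
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit
from urllib.request import Request, urlopen

# Assumption: credentials travel in these query parameters. The thread's
# URL is cut off before them, so adjust to what your HTTP client generates.
CREDENTIAL_PARAMS = ("sap-user", "sap-password")
ADAPTER_PATH = "/sap/xi/adapter_plain"  # path as shown in the thread


def build_adapter_url(base_url, routing, user, password):
    """Build the adapter URL on the server; the end user never sees it."""
    query = dict(routing)  # namespace, interface, service, party, agency
    query[CREDENTIAL_PARAMS[0]] = user
    query[CREDENTIAL_PARAMS[1]] = password
    # urlencode escapes '&', '=' and similar characters inside values
    return base_url.rstrip("/") + ADAPTER_PATH + "?" + urlencode(query)


def redact_url(url):
    """Return the URL with credential values masked, safe to log."""
    parts = urlsplit(url)
    pairs = [
        (k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def relay_to_xi(payload: bytes, routing):
    """Called by the application's own handler; the caller supplies only
    the payload and never handles the XI user or the adapter URL."""
    url = build_adapter_url(
        os.environ["XI_BASE_URL"],   # hypothetical variable names
        routing,
        os.environ["XI_USER"],
        os.environ["XI_PASSWORD"],
    )
    print("posting to", redact_url(url))  # log only the masked form
    req = Request(url, data=payload, method="POST",
                  headers={"Content-Type": "text/xml"})  # assumed type
    with urlopen(req, timeout=30) as resp:
        return resp.status
```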

Former Member
0 Kudos

Hi Bhavesh

Really, you have given me very high-level info :).

Application code... Where do I write it on the server side?

How will the external request from the client side be? What URL will he use to connect to the application code, which will in turn trigger XI?

Did I get your suggestion right?

Can you flash a "bright light" ?

Regards

krishna

bhavesh_kantilal
Active Contributor
0 Kudos

Krishna,

This can be any application: a J2SE application, a J2EE application, etc.

An application programmer would know what needs to be done.

The basic idea is that the URL is hidden from the initiator of the call.

The URL will be XI's URL as you have seen in the HTTP client, but the end user need not necessarily see this URL. It is hidden in the application code.

Regards

Bhavesh

Former Member
0 Kudos

Bhavesh

Many thanks for the reply

>>>>The basic idea is that the URL is hidden from the initiator of the call.

Hidden from the initiator of the call, or "hidden by" the initiator?

regards

krishna