Entering content frameProcedure documentation Testing Security Settings Locate the document in its SAP Library structure

Use

Once you have gone through the checklist for the configuration of the security function and the ICM, you should test your settings.

Initial situation

This graphic is explained in the accompanying text

The initial situation is represented as follows:

Step 1

When a URL is called (such as a page of a BSP application), the browser sends a GET request to the server. The server does not have any authentication information and therefore requests it (return code 401).

It displays a dialog box in the browser, requesting the user name and password.

Step 2

As soon as the user has been authenticated using this data (basic authentication), the information is specified in the header with the next GET request.

The server therefore recognizes that the user is authorized to display the URL and therefore displays the page contents (return code 200). It is also possible that the server sends additional SSO2 information, although this cannot be verified.

Caution

As soon as basic authentication has been used once, it is always user afterwards.

Step 3

If a different URL is now called (such as a page of a different BSP application), this means that an additional GET request is sent to the server with a new URL. The basic authentication information is also sent with the header. Theoretically, SSO2 information can also be specified, but again this cannot be verified.

Due to the basic authentication information, the requested page is always displayed in the browser (return code 200).

It is not possible to find out here whether SSO2 information is transmitted, or whether SSO2 is used at all. You must therefore suppress basic authentication in the following test scenario.

Test scenario

This graphic is explained in the accompanying text

The test scenario is as follows:

Step 0

All browser windows are closed in order to get rid of all previous basic authentication information.

Step 1

Server authentication is then enforced without using basic authentication. This is done by transferring the name and password directly to the first URL.

The contents of the URL are returned (return code 200) as well as – hopefully – the SSO2 information.

Step 2

A new GET request is now sent to the server. With this second URL, however, the name and password are not explicitly transferred. Instead, this information is implicitly available in the SSO2 cookie if everything is running correctly.

The system returns either return code 200 or return code 401:

  • If SSO2 is working, then return code 200 is sent and the content is displayed in the browser.
  • If, however, SSO2 is not working correctly, then return code 401 is sent with an authentication request, since the server does not have any authentication information and must explicitly request this first.

Procedure

  1. Close all browser windows.
  2. Select a BSP application for testing, such as BSP application TUTORIAL_1.
  3. Note

    Ensure that this is not a BSP application that has an anonymous display user in Transaction SICF.

  4. Select a page of this BSP application that you want to execute for the test and call it up in a browser.
    Example of a page:
    http://ls0028.wdf.sap-ag.de:1080/sap/bc/bsp/sap/tutorial_1/default.htm
  5. Choose Cancel for the authentication query that follows.
  6. Now manually extend the URL in the browser with the user name and password data.
    Example of an extended URL:
    http://ls0028.wdf.sap-ag.de:1080/sap/bc/bsp/sap/tutorial_1/default.htm?sap-client=000&sap-user=testuser&sap-password=test
  7. Choose Enter.
  8. The browser displays the page you requested.

  9. Now choose a different BSP application whose page you want to display for the test, and enter the corresponding URL in the browser.
  10. Note

    Ensure that this too is not a BSP application that has an anonymous display user in Transaction SICF.
    This time do not enter the user name and password information.

    Example of a page:
    http://ls0028.wdf.sap-ag.de:1080/sap/bc/bsp/sap/tutorial_3/search.htm

  11. Choose Enter.

Result

Two cases can occur as a result:

 

 

Leaving content frame