Show TOC

 Web Service Authentication Authorization Deployment ProblemsLocate this document in the navigation structure

Problem Description

The following problems can occur:

  • Deployment problems
  • Authentication problems
  • Authorization problems

    Scenario Type:

    Error analysis

    SAP NetWeaver Component:

    J2EE (Web Service)

    Validity:

    J2EE version >= 6.30
Decision Roadmap

Prerequisites

-

Main Tools

Log Viewer or Visual Administrator

Analysis

Deployment problems

  • Technical Background:

    During deployment, configuration data is taken from the ws-deployment-descriptor.xml and stored in the Configuration Manager under /webservices (service Configuration Adapter). During the call of the Web services, the configuration data is looked up.

  • Solution:

    Problems of this kind should not appear anymore after SP4. If they do appear, this is due to lock timeouts. Change the property locking.timeout of Service Web Service Security (tc~sec~wssec~service) to a higher value (default 30000 = 30 seconds).

  • Symptom:

    Error while processing document security. The error was class com.sap.engine.frame.core.configuration.NameNotFoundException. A configuration with the path webservices/proxies/sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.wss.Wss*doc_basicPort_Rpc/authenticate/wss does not exist.

    Date : 02/27/2004

    Time : 16:15:59:876

    Message ID : 000BCD719CC1003C00000032000010A00003D456FA2FC96F

    Severity : Error

    Location : com.sap.security.core.client.ws.DeployableSecurityProtocol.handleRequest

    Source Name : /System/Security/WS/SecurityProtocol

    Thread : SAPEngine_Application_Thread[impl:3]_18

    Message : Error while processing document security. The error was class com.sap.engine.frame.core.configuration.NameNotFoundException A configuration with the path "webservices/proxies/sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.wss.Wss*doc_basicPort_Rpc/authenticate/wss" does not exist..

    Datasource : 22418350:./log/system/security.log

    Application : sap.com/WSSEC_CLIENT_EAR

    Argument Objs :

    Arguments : class com.sap.engine.frame.core.configuration.NameNotFoundException,A configuration with the path "webservices/proxies/sap.com/WSSEC_PROXIES/com.sap.security.core.ws.proxies.wss.Wss*doc_basicPort_Rpc/authenticate/wss" does not exist.,

    Dsr Component : P111854_D11_22418350

    Dsr Transaction : 2db34230693711d88e6c000bcd719cc1

    Dsr User : Administrator

    Indent : 0

    Level : 0

    Message Code : _DeployableSecurityProtocol0800

    Message Type : 1

    Relatives :

    Resource Bundlename : com.sap.security.core.client.ws.DeployableSecurityProtocolMessage

    Session : 126

    Source :

    Thread :

    Transaction :

    User : Administrator

  • Analysis / solution:

    Redeploy the application

Authentication problems

  • Symptom:

    HTTP 401 / Invalid credentials

  • Analysis:

    Authentication was not accepted, or user is not in group Everyone

  • Solution:

    Check for output in the security log, test logon using /wsnavigator

Authorization problems

  • Symptom:

    The client gets the error message Authorization failed for the specified security roles. For details see log entry 000BCD719CC1004C000000C2000010A00003D45747B8E725

    SOAP message:

HTTP/1.1 500 Internal Server Error Connection: close Set-Cookie: JSESSIONID=(J2EE22418300)ID22418350DB2006953124854834067End; Version=1; Path=/ Set-Cookie: sapj2ee_Stocks*sso=22418350; Version=1; Path=/ Server: SAP J2EE Engine/6.30 Content-Type: text/xml Date: Fri, 27 Feb 2004 15:37:40 GMT

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" >

 <SOAP-ENV:Body>

 <SOAP-ENV:Fault>

 <faultcode>SOAP-ENV:Server</faultcode>

 <faultstring>Authorization failed for the specified security roles. For details see log entry 000BCD719CC1004C000000C2000010A00003D45747B8E725.</faultstring>

 <detail>

<ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException xmlns:ns1='http://sap-j2ee-engine/error'>Authorization failed for the specified security roles. For details see log entry 000BCD719CC1004C000000C2000010A00003D45747B8E725.</ns1:com.sap.engine.interfaces.webservices.runtime.ProtocolException>

 </detail>

 </SOAP-ENV:Fault>

 </SOAP-ENV:Body></SOAP-ENV:Envelope>

  • Analysis:

    The user is not member of one of the required J2EE security roles.

  • Solution:

    Take the ID of the log entry, open the security log in the Log Viewer and search for the log entry. This will lead to an message of severity Warning like:

    Calling operation getQuote of component sap.com/WSSEC_SERVER_EAR*WSSEC_TEST_Assembly.jar for principal Administrator denied (roles: [StockGuests, StockCustomers]).

    The message contains the user in combination with the component and the required security roles that are needed to successfully authorize the request. In the Security Service look for the security roles of the component and check the user assignment.

    If no roles were assigned (roles: []), no authorization is possible and the assignment must be changed in the IDE.

  • Symptom:

    The server responds with HTTP 503

  • Analysis / solution:

    The Web service is not started. Check in the list of deployed Web services if the application has been started (deploy service, wsnavigator).

Additional Information