Enabling End-to-End User Authentication Propagation for Web Services

Enabling user authentication propagation for web services using custom processor.

Context

You can now enable end-to-end user authentication propagation for web services (which are exposed as OData services). Two authentication types can be enabled, basic and SSO2. To achieve this, add the custom code in the custom processor as given in the procedure below.

Note When you are enabling SSO2 authentication for a web service from SAP back-end system, use MYSAPSSO2 token.

Prerequisite

For SSO2 authentication type, you must encrypt the communication channel between the back-end and SAP Mobile Platform Server for security reasons before configuring a security profile. This is achieved by uploading SSO certificate of the back-end system in the SAP Mobile Platform Server and vice versa.

Procedure

Create a service and select the datasource for the web service selected. See Step 1 in Enabling Web Services as OData Services.

Enter the custom code in the custom processor from the API toolkit for SAP Mobile Platform for the selected web service to enable user authentication propagation. This will fetch the required authentication details at runtime. See Step 1 in Enabling Web Services as OData Services.

Sample Code An example JavaScript for basic authentication type

function processRequestData(message) {
       importPackage(com.sap.gateway.ip.core.customdev.util);
       importPackage(java.util);
       importPackage(com.sap.gateway.core.ip.component.commons);
       importPackage(com.sap.gateway.ip.core.customdev.logging);
       importPackage(org.apache.olingo.odata2.api.processor);

       var headers = message.getHeaders();
       var context = headers.get("ODataContext");
       var request = context.getParameter("~httpRequestObject");
       var Auth = request.getHeader("Authorization");
       
       if(Auth!=null)
       message.setHeader("Authorization",Auth);

       return message;
}

Sample Code An example JavaScript for SSO2 authentication type. Here, SSO2 authentication is enabled for a SAP back-end using MYSAPSSO2 token.

function processRequestData(message) {

       importPackage(com.sap.gateway.ip.core.customdev.logging);
       importPackage(com.sap.gateway.ip.core.customdev.util);
       importPackage(org.apache.olingo.odata2.api.processor);

       var headers = message.getHeaders();
       var context = headers.get("ODataContext");
       var request = context.getParameter("~httpRequestObject");
       var MYSAPSSO2 = request.getAttribute("MYSAPSSO2");
       
       if(MYSAPSSO2!=null)
       message.setHeader("mysapsso2",MYSAPSSO2);
       
       
       return message;
}

Generate and deploy the content bundle. See Step 1 in Enabling Web Services as OData Services
Configure a security profile with HTTP/HTTPS Authentcation as the authentication provider from SAP Mobile Platform Administration Cockpit. Provide the URL of the back-end system where the web service is hosted. See Creating and Configuring Security Profiles in SAP Mobile Platform 3.0 SAP Mobile Platform Server Administrator Application Administrator Managing and Monitoring Applications Managing Security Profiles
Note
- When accessing the service document directly from the Gateway Management Cockpit, the security profile Name must be same as the Service Namepace of the service. For example, if the Service Namespace is SAP_SSO2, the security profile Name must be SAP_SSO2.
- For onboarded applications (SAP Mobile Platform applications that have an endpoint using the Integration Gateway service as back-end URL, with the internal option enabled), the security profile Name and the Service Namespace of the service need not be same.
.
When you try to access the service document, Authentication Required screen appears where you need to enter the user name and password.