Logon Checks: Overview

When an ICF service is called through an external client in SAP ABAP Application Server, a series of checks is performed to authenticate the caller. This document provides an overview of these checks in the order in which they are performed.

An initial check is used to ensure that the called service exists and is active. If the service exists and is active, the next step checks whether the service is Public or Non-Public. A public service can be called in the system without the logon being checked.

If the service that is being called is non-public, the service configuration is used to check whether logon data or an SSL certificate is required: 

      If Logon Data Required has been selected, the logon procedure uses the anonymous logon data specified for this service.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.

      If SSL Certificate has been selected, this is used for the logon procedure.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.

If neither of these procedures is required, the system checks whether the standard logon order or an alternative logon order has been selected.

      If the standard logon order has been selected, the system attempts to log the user on in the following order:

       1.      Logon using HTTP fields (HTTP header fields or form fields). These fields are:

       sap-language

       sap-client

       sap-user

       sap-alias

       sap-password

(If sap-user is specified, sap-alias is then unimportant, see Basic Authentication.)

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_FIELD.

       2.      Logon using SAP Logon Ticket (MYSAPSSO2 cookie field). If no logon data is transferred as form fields or header fields, the system then tries to log on using a logon ticket. To enable this, the cookie field MYSAPSSO2 must be set.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SSO.

       3.      Logon using Basic Authentication. If the request contains the header field for Basic Authentication, the user name is interpreted either as a standard SAP user (default) or as an Internet user (user name alias, see transaction SU01), depending on the settings made under Basic Authentication.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_BASIC.

       4.      Logon using SAP RFC Logon. This is a normal RFC logon procedure using client, user, password, and logon language. This method is used primarily between SAP Systems, and not so much for logon via a Web browser. A header field is also used to indicate that this logon method should be used.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SAP.

       5.      Logon using SSL Certificate (HTTPS and certificate). In this case, the system attempts to log on the user using an SSL certificate. The following conditions must be met:

       The appropriate header field is set.

       The connection for HTTPS is configured.

       The client certificate exists.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_CERTIFICATE.

       6.      If none of these methods is possible because the request does not contain any information about a logon procedure, the default logon procedure is used with the user data stored in the service: if anonymous logon data is maintained, the logon takes place with this user (and the specified client and logon language). If you have not entered any data for an anonymous user, HTTP response 401 is sent. If you are using a Web browser, this response is displayed in a popup. The user can then log on to the SAP System using HTTP Basic Authentication in this popup. The default client and logon language of the user in question are used.

       The AUTHENTICATION_METHOD attribute, which belongs to IF_HTTP_SERVER, is set to AUTHMETHOD_SERVICE.

 

      If Alternative Logon Order applies, the procedures described under the standard logon order (or a selection of them) run in the user-defined order.

If none of the selected logon procedures are successful, the system checks to see whether an individual error page has been configured for the service.

If no error page exists, a default HTTP response is sent to the caller, together with a Basic Authentication prompt in a dialog box.

Note

If Alternative Logon Order is specified, and Basic Authentication is not permitted as a procedure, then no Basic Authentication prompt is sent when an error occurs.
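The following is an added model of the check sequence described above (it is not SAP code): it decides which logon procedure is attempted for a given service configuration and request, including the alternative logon order and the rule that no Basic Authentication prompt is sent when Basic is excluded. It only selects the method; it does not verify credentials. The header fields that request the RFC and certificate logon are not named on this page, so they are modelled as request flags (an assumption).

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Service:
    active: bool = True
    public: bool = False
    logon_data_required: bool = False      # "Logon Data Required" selected
    ssl_cert_required: bool = False        # "SSL Certificate" selected
    anonymous_user: Optional[str] = None   # anonymous logon data stored in the service

@dataclass
class Request:
    fields: dict = field(default_factory=dict)    # HTTP header fields or form fields
    cookies: dict = field(default_factory=dict)
    https: bool = False
    client_cert: bool = False
    rfc_logon_requested: bool = False   # assumption: stands in for the unnamed RFC logon header
    cert_logon_requested: bool = False  # assumption: stands in for the unnamed certificate header

# Standard logon order, steps 1 to 6 of the text
STANDARD_ORDER = ["FIELD", "SSO", "BASIC", "SAP", "CERTIFICATE", "SERVICE"]

def _applies(step: str, service: Service, req: Request) -> bool:
    """True if the request carries what the given logon step needs."""
    if step == "FIELD":        # sap-user wins over sap-alias; either triggers field logon
        return "sap-user" in req.fields or "sap-alias" in req.fields
    if step == "SSO":          # SAP Logon Ticket in the MYSAPSSO2 cookie
        return "MYSAPSSO2" in req.cookies
    if step == "BASIC":        # HTTP Basic Authentication header
        return req.fields.get("authorization", "").lower().startswith("basic ")
    if step == "SAP":          # RFC-style logon, signalled by a header field
        return req.rfc_logon_requested
    if step == "CERTIFICATE":  # header set, HTTPS configured, client certificate present
        return req.cert_logon_requested and req.https and req.client_cert
    if step == "SERVICE":      # fall back to the anonymous user stored in the service
        return service.anonymous_user is not None
    raise ValueError(f"unknown logon step {step!r}")

def logon_check(service: Service, req: Request, order=STANDARD_ORDER) -> str:
    """Return the AUTHENTICATION_METHOD that would be used, or the error outcome."""
    if not service.active:
        return "SERVICE_NOT_FOUND"          # service missing or inactive
    if service.public:
        return "PUBLIC"                     # no logon check at all
    if service.logon_data_required:
        return "AUTHMETHOD_SERVICE"         # forced anonymous logon data
    if service.ssl_cert_required:
        return "AUTHMETHOD_CERTIFICATE"     # forced certificate logon
    for step in order:                      # standard or user-defined order
        if _applies(step, service, req):
            return "AUTHMETHOD_" + step
    # Nothing matched and no anonymous user: 401, Basic prompt only if Basic is allowed
    return "HTTP_401_BASIC_PROMPT" if "BASIC" in order else "HTTP_401"
```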
