I'm struggling to configure authentication on our SMP server so that users of our OpenUI5 mobile application can authenticate against our existing back end system. We were able to get this to work using SMP 3.0.3, but not using the newer SMP 3.0.10.11.
Requirements:
Our mobile application needs to allow multiple different back end users to log in to using same device. It sends the credentials using HTTP basic authentication, i.e. "Authorization:Basic" header in the HTTP request.
The back end system provides OData services with HTTP basic authentication. There is no session, i.e. the user is authenticated on each request via the Authorization header of the request, and no session cookie or SSO cookie is returned in the response.
We have tried two different configuration approaches on SMP, without success.
Using "No Authentication Challenge"
In Settings, we created a security profile called "No Auth", configured "No Authentication Challenge" as the only authentication provider, and set it as required.
In Applications:
* Under "Back End", we configured the endpoint (http://172.18..../), did not check "Allow anonymous access", set the Rewrite Mode to "No Rewriting", and added a single SSO Mechanism of "Basic".
* Under "Authentication", we selected the "No Auth" profile and unchecked "Check Impersonation".
We opened the application and registered successfully without providing a username or password. The registration reflects as user name "nosec_identity".
We then tried to log into the application with a valid username (admin) and password for the back end system. The application makes a service call to the SMP server, including these credentials in a basic authentication header (Authorization:Basic YW.............=).
So far so good, but the SMP server returned a 403 Forbidden error without sending the request to the back end system. The SMP debug log gives the reason as "No matched SSO credentials is found for not allowAnonymousAccess endpoint". I don't know why it couldn't use the "Basic" SSO which was configured for the endpoint:
#2.0#2017-07-18 11:49:52 AM#WARNING#RequestResponse#403##Proxy#1500371392748018#1b6118d6-40ea-49bf-90f8-6358de7a70c4#com.j5.app#com.sap.mobile.platform.server.proxy.core.handler.DirectProxy:handleException#nosec_identity#######2257#####Exception caught while trying to set credentials for anonymous access#
...
#2.0#2017-07-18 11:49:52 AM#FATAL#Proxy####1500371392748000#1b6118d6-40ea-49bf-90f8-6358de7a70c4#com.j5.app#DirectProxy:fireRequest#nosec_identity#######2257#####Forbidden No matched SSO credentials is found for not allowAnonymousAccess endpoint [com.j5.app]. : {"endPoint":"http.../odataservice/inspection_rounds/$metadata?0.6973737435488696","requestURL":"http:...:8080/com.j5.app/odataservice/inspection_rounds/$metadata","miscInfo":"Proxy Request Response","source":"SMP Server : Proxy","version":"1.0","responseCode":"403"}#
Using "HTTP/HTTPS Authentication"
In Settings, we created a security profile called "HTTP HTTPS", configured "HTTP/HTTPS Authentication" as the only authentication provider, and set it as optional. We also set its URL to a valid URL on the back end that performs basic authentication, and did not set any other fields in the settings.
In Applications:
* Under "Back End", we configured the endpoint URL, checked "Allow anonymous access" (so we can register without providing credentials for a specific user), set the Rewrite Mode to "No Rewriting", and added a single SSO Mechanism of "Basic".
* Under "Authentication", we selected the "HTTP HTTPS" profile and unchecked "Check Impersonation".
We opened the application and registered successfully without providing a username or password. This registration reflects as user name "anonymous". Although the registration is successful, the SMP log contains the following warnings for User Name "NA":
#2.0#2017-07-17 04:43:59 PM#WARNING#ApplicationSettings###Security#1500302639903001#9a43b81d08684a42895450ba54dc812d#com.j5.app#com.sybase.security.http.HttpAuthenticationLoginModule:login########708#####Anonymous authentication is not supported. #
#2.0#2017-07-17 04:43:59 PM#WARNING#Registration###Security#1500302639669001#9a43b81d08684a42895450ba54dc812d#com.j5.app#com.sybase.security.http.HttpAuthenticationLoginModule:login########730#####Anonymous authentication is not supported. #
We then tried to log into the application with a valid username (admin) and password for the back end system. The application makes a service call to the SMP server including these credentials in a basic authentication header.
Again, the SMP server returns a 403 Forbidden error without sending the request to the back end server.
The SMP log contains the following warning, for User Name "NA":
#2.0#2017-07-17 04:45:58 PM#ERROR#RequestResponse###Foundation#1500302758402001#92cd519b-39aa-4bce-a4e8-84cf1fc12364#com.j5.app#com.sap.mobile.platform.server.foundation.security.filter.AuthenticationFilter:doFilter########713#####The registered user anonymous for application connection doesn't match the login user admin#
So it seems that if we register anonymously, the app can't supply a username at login time.
Any help would be appreciated.
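The two 403 outcomes in the post come down to a gateway check between the identity recorded at registration and the identity carried in each request's Basic header. The following Python is an added illustration of that binding, not SMP's code and not the poster's: it parses the Authorization header and applies a simplified decision (anonymous forwarding only when the endpoint allows it; credentialed forwarding only when the request user matches the registered user). The sample header and the "admin:secret" credential are constructed for the example.

```python
import base64
from typing import Dict, Optional, Tuple

# Constructed sample request (not the elided header from the post):
# "admin:secret" base64-encodes to YWRtaW46c2VjcmV0.
SAMPLE_HEADERS: Dict[str, str] = {"Authorization": "Basic YWRtaW46c2VjcmV0"}

# Identities that a registration without credentials might record; the
# post shows "nosec_identity" and "anonymous". Treated here as one class.
ANONYMOUS_IDENTITIES = {"anonymous", "nosec_identity"}


def parse_basic_auth(headers: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic Authorization header, or None.

    Rejects other schemes, malformed base64 and payloads without a colon,
    so a garbled header is treated as 'no credentials' rather than crashing.
    """
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def gateway_decision(
    registered_user: str, headers: Dict[str, str], allow_anonymous: bool
) -> Tuple[int, str, Optional[str]]:
    """Simplified model (an assumption, not SMP's logic) of a proxy that
    binds the per-request Basic credential to the registered identity.

    Returns (status, reason, authorization_header_to_forward).
    """
    creds = parse_basic_auth(headers)

    # No credential on the request: only endpoints that allow anonymous
    # access may be reached, and nothing is forwarded as SSO material.
    if creds is None:
        if allow_anonymous:
            return 200, "forwarded without credentials", None
        return 403, "no SSO credentials for endpoint without anonymous access", None

    login_user = creds[0]

    # A credential arriving on a registration that was made without one:
    # the gateway has no recorded identity to match it against.
    if registered_user in ANONYMOUS_IDENTITIES:
        return (
            403,
            f"registered user {registered_user} does not match login user {login_user}",
            None,
        )

    # Credential user must match the registered identity; on a match the
    # original Basic header is passed through to the back end unchanged.
    if login_user != registered_user:
        return (
            403,
            f"registered user {registered_user} does not match login user {login_user}",
            None,
        )
    return 200, "forwarded with Basic passthrough", headers["Authorization"]


if __name__ == "__main__":
    for reg, anon in (("anonymous", True), ("nosec_identity", False), ("admin", False)):
        print(reg, anon, gateway_decision(reg, SAMPLE_HEADERS, anon)[:2])
```

Under this model a registration made without credentials can never be used for a credentialed request, which is the behaviour the post observes in both configurations; a registration made as the same user the app later sends in the header is the case that forwards.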