Best practice for SOAP calls is to provide at least a user and password to authenticate the call. Unfortunately, client systems sometimes do not provide the option to send credentials in SOAP calls.
This issue has been discussed in previous blogs such as A closer look at SOAP Sender authentication, but the solutions provided are either not supported by SAP PI single stack or too dangerous because they disable SOAP authentication at adapter level.
One option we have found quite interesting in a recent project is to use SAP Web Dispatcher to allow anonymous SOAP calls to specific services.
The idea is the following:
1. We define a new endpoint for the anonymous service, for instance /xi/project1/service1
2. Rewrite the new endpoint to the SOAPAdapter URL related to the service
3. Add header authentication for the endpoint.
Let's have a look in detail.
1. The first thing is to find out what the URL for the service call is.
This URL has the format
http://<server>:<port>/XISOAPAdapter/MessageServlet?senderParty=<SENDER_PARTY>&senderService=<SENDER_SERVICE>&receiverParty=<RECEIVER_PARTY>&receiverService=<RECEIVER_SERVICE>&interface=<INTERFACE>&interfaceNamespace=<INTERFACE_NAME_SPACE>
for instance
There are several places where you can find this; one of them is Display WSDL for the ICO.
2. HTTP Basic Authentication is constructed as follows:
- Username and password are combined into a string "username:password"
- The resulting string is then encoded using Base64
- The authorization method and a space, i.e. "Basic ", are then put before the encoded string.
For the values pouser and mypassword the string will be "Basic cG91c2VyOm15cGFzc3dvcmQ="
3. Update the modification handler rules for SAP Web Dispatcher.
The documentation is here: Modification of HTTP Requests - SAP Web Dispatcher - SAP Library
On Unix the file is something like /usr/sap/<SID>/SYS/global/security/data/icm_filter_rules.txt
You can add 3 rules similar to these ones:
if %{PATH} stricmp "/xi/project1/service1"
SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="
RegRewriteUrl ^/xi/project1/service1 "/XISOAPAdapter/MessageServlet?senderParty=&senderService=BC_MYBC&receiverParty=&receiverService=&interface=BookingUpdate&interfaceNamespace=http://mycompany.com/booking" [qsreplace]
4. Log on to Web Dispatcher Administrator
http://<server>:<port>/sap/admin, for instance http://myserver:50000/sap/admin
Select HTTP Handler -> Modification Handler
Press Reload Rule File
5. In the SAP call for this service, replace the endpoint with the new one, for instance /xi/project1/service1
And hopefully it will work without user and password.
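The Authorization value stored in the rule file is only Base64-encoded, so anyone who can read icm_filter_rules.txt can recover the technical user's credentials. The Python script below is an added example, not part of the original post: it lists every Authorization header injected by a rule file, together with the path condition above it and the decoded user name. It assumes the rule layout shown in step 3; the function name audit_rules and the sample rules are constructed for illustration.

```python
import base64
import binascii
import re

# Constructed sample in the layout used by the rules in this post (assumption:
# an "if %{PATH} ..." line applies to the SetHeader line that follows it).
SAMPLE_RULES = '''\
if %{PATH} stricmp "/xi/project1/service1"
SetHeader Authorization "Basic cG91c2VyOm15cGFzc3dvcmQ="
RegRewriteUrl ^/xi/project1/service1 "/XISOAPAdapter/MessageServlet?senderService=BC_MYBC&interface=BookingUpdate" [qsreplace]
'''

IF_PATH = re.compile(r'^\s*if\s+%\{PATH\}\s+\w+\s+"([^"]*)"', re.IGNORECASE)
SET_AUTH = re.compile(r'^\s*SetHeader\s+Authorization\s+"?(\w+)\s+([^"\s]+)"?', re.IGNORECASE)


def audit_rules(text):
    """Return one finding per injected Authorization header.

    Each finding holds the line number, the most recent path condition seen
    above the header (None if there was none), the auth scheme and the
    decoded user name. The password is never returned.
    """
    findings = []
    current_path = None
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = IF_PATH.match(line)
        if m:
            current_path = m.group(1)
            continue
        m = SET_AUTH.match(line)
        if not m:
            continue
        scheme, token = m.group(1), m.group(2)
        user = None
        if scheme.lower() == "basic":
            try:
                decoded = base64.b64decode(token, validate=True).decode("utf-8")
                user = decoded.partition(":")[0]
            except (binascii.Error, UnicodeDecodeError):
                user = "<undecodable>"
        findings.append({"line": lineno, "path": current_path,
                         "scheme": scheme, "user": user})
    return findings


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
```

Run against the real rule file, the output gives an inventory of the endpoints that accept anonymous calls and the technical user each one runs as, which is the list to check when reviewing that user's authorizations.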