Session security for real time web service

system · December 20, 2012, 4:03pm

We have a RT web service that we are successfully consuming from ABAP. We created a consumer service in SAP and configured a logical port in the SOAMANAGER. The logical port is configured by supplying WSDL link we obtained from Data Services.

We have concerns that if we do not enable “session security” for our service then “Web services clients would have open access to all published batch jobs and real-time services”. I assume this is a valid concern?

If we enable “Session security” for our web service in the data services mgmt console, what steps are needed to be able to continue consuming the service from ABAP?

Do we simply generate a new WSDL and use to re-create our logical port? I assume we would need to supply data services logon ID/Password somewhere?

Will we have to make multiple calls… to first obtain a session ID (if so how from ABAP) or is this handled automatically via the logical port?

Thank you very much!

jff (BOB member since 2012-12-20)

system · December 20, 2012, 6:37pm

yes you will need to create the WSDL again and use the new WSDL

if you enable session security for a operation then you will first have to call the logon() operation to get a sessionId and use that session Id in header of the subsequent operation for which the session security is enabled

manoj_d (BOB member since 2009-01-02)

system · December 20, 2012, 8:08pm

Thank you for your reply it makes sense. I guess we are not sure how to call the logon operation from ABAP… and then how to pass the session id.

Is this possible using our SAP proxy/logical port technique for consuming the service?

Currently, we use the following code to create the web service class object reference and then consume the service via logical port:

LV_GW TYPE REF TO ZSFDCO_REAL_TIME_SERVICES.

CREATE OBJECT LV_GW
EXPORTING
LOGICAL_PORT_NAME = ‘ZGW_DETAILS’.

  CALL METHOD LV_GW->DGWS
    EXPORTING
      INPUT  = LV_IN
    IMPORTING
      OUTPUT = LV_OUT.

The class was generated in SAP based on the WSDL. Perhaps we will get more methods in our class (for logon operation) once we generate a new class based on new WSDL (with session security enabled)?

Or am I way off base here.

Thank you again for your help!

jff (BOB member since 2012-12-20)

system · December 20, 2012, 10:07pm

Here’s an update – using the new WSDL, we were able to generate a new logical port in SOAMANGER of type “connection operations”. This resulted in methods for “logon” and “logout”… so we are now able to retrieve a session id. Now we will try to use it to call our service.

Thank you

jff (BOB member since 2012-12-20)

system · December 20, 2012, 10:29pm

Well we re-generated the enterprise service class in SAP with the new WSDL (which has session security enabled). This is port type “real time service”. It generates methods for each published webservice. These methods are called from ABAP to consume the service.

However, we still see no place to provide the session id that we retrieved. There is no import parameter in this method for passing session id.

Any idea on how we pass session id when calling method for our logical port?

Thanks!

Mark

jff (BOB member since 2012-12-20)

system · December 21, 2012, 1:44am

I think if generate code from the WSDL then you may not see the option to pass the header information

you will need the following header to pass the session id, in this case CB3C70DF-FD92-4A55-D6CA-89DA941BD7EB is the Id generated using logon()

Soap:Header
<ns2:session xmlns:ns2=“http://www.businessobjects.com/DataServices/ServerX.xsd”>
CB3C70DF-FD92-4A55-D6CA-89DA941BD7EB
</ns2:session>
</Soap:Header>

manoj_d (BOB member since 2009-01-02)