Reading MYSAPSSO2 Cookie using HttpGetterCallback

Similar Messages

• Read MYSAPSSO2 Cookie

  Hi
  I am writing a java webdynpro application which is running inside portal.
  Working on NW2004s sp11. I would like to retrieve MYSAPSSO2 Cookie in my
  webdynpro  application. please let me know if it is possible or not.
  Thank you
  With Wishes
  Krishna kanth

  Hi,
  try this.
  private String getSSOTicket() {
            IWDMessageManager msgMgr =
                 wdThis.wdGetAPI().getComponent().getMessageManager();
            try {
                 return (String) WDClientUser
                      .getCurrentUser()
                      .getSAPUser()
                      .getTransientAttribute(
                           "com.sap.security.core.usermanagement",
                           "MYSAPSSO2_STRING");
            } catch (WDUMException e) {
                 //report exception          }
            return "";

• Error when trying to retrieve UserName from MySAPSSO2 cookie

  Hi,
  I tried to retrieve the UserName from MySAPSSO2 cookie using the dotnet toolkit, but I keep getting the error "User Not Aunthenticated". I have placed the verify.pse files in a folder called psefiles in the same location as the bin folder of my application.
  I then also tried to directly use Convert.FromBase64String() to read the username from the cookie, but during conversion I get the error "Invalid character in a Base- 64 string"
  Any help is highly appreciated.
  Thanks,
  Kantishree D.

  From the menu bar, select
   ▹ System Preferences ▹ Energy Saver ▹ Power Adapter
  and uncheck the box labeled Put the hard disk(s) to sleep when possible, if it's checked.
  If the drive has more than one interface (USB, FireWire, Thunderbolt, eSATA), try one of the other interfaces.
  Check that the data cable is securely inserted at both ends.
  Try a different cable.
  If you're connecting the drive through a hub, connect it directly to a built-in port on the Mac.
  If you're connecting it directly, try a different port.
  Disconnect all other devices on the bus, or as many as possible.
  Test the drive with another Mac. Test another drive with this Mac.
  If the drive is bus-powered, but has an AC adapter, connect the adapter.
  Start up in Safe Mode and test.
  If the drive doesn't work under any of the above conditions, and if another drive does work with the same Mac, then the drive has failed. You may be able to salvage the mechanism by removing it from the enclosure and installing it in another one, or in a drive dock.

• How to read http cookies from adobe desktop Air app using flex/flash builder in AS 3.0 ??

  Im developing Adobe desktop air app where i need to read the session id from the cookie of a http request.
  I have found a property called URLRequest.manageCookies supported by AIR so i Hope there should be a way to read the cookies as well. Im Using Flash Builder 4.5
  Please provide any reference code or guide me for this research;
  searched a lot regarding on this web.
  Most results lead to local shared object or reading cookies fr a webpage using javascript and ExternalInterface.
  I want to read http cookies not Local shared Object and in a desktop AIR application.
  Im using Flash builder 4.5
  Thanks
  Hari

  Sorry, but you are at the wrong forum; this one is only for discussions on the forums themselves. The Air forums are here:
  http://forums.adobe.com/community/air

• How to get Cookie Name and Value Using HttpGetterCallback - CE 7.3

  Hi All,
  We are migrating from Netweaver 7.0 to 7.3. We are facing a issue when migrating the custom login module from 7.0 to 7.3.
  Since WebCallback is deprecated and not to be used in Netweaver 7.3, we are finding difficulties in getting the cookie name and value. Please find below our coding for getting the cookie value using HttpGetterCallback. We are not getting the cookie name and value, Kindly let us know if we are implementing the HttpGetterCallback correctly.
  HttpGetterCallback httpGetCookieCallback = new HttpGetterCallback();
  httpGetCookieCallback.setType(HttpCallback.COOKIE);
  Callback] callbks = new Callback[ { httpGetUrlCallback, httpGetCookieCallback };
  callbackHandler.handle(callbks);
  requestUrl = (String) httpGetUrlCallback.getValue();
  Cookie] cookies = (Cookie [) httpGetCookieCallback.getValue();
  if (cookies != null) {
  for (int i = 0; i < cookies.length; i++) {
  location.debugT("Cookies name " + cookies.getName()
  + " - value "
  + cookies.getValue());
  Thanks and Regards,
  Saravanan

  Try This-
          Cookie cookiesArray[] = request.getCookies();
       Cookie currentCookie = null;
       String currentCookieName = "";
       String cookieValue = "dummycookie";
       int cookieArrayLength = cookiesArray.length;
       for (int i = 0; i < cookieArrayLength; i++) {
            currentCookie = cookiesArray<i>;
            currentCookieName = currentCookie.getName();
            cookieValue = currentCookie.getValue();
  Regards,
  Atul

• Issue in parsing MYSAPSSO2 Cookie -Certificate Serial no is in Hexadecimal

  Hi All,
  We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
  Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
  Following Libraries are used:
  logging.jar
  i18n_cp.jar
  iaik_jce.jar
  com.sap.security.api.jar
  com.sap.security.core.jar
  rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
  Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
  The target application in which the cookie is parsed, is running in Windos 2003 64 bit server.
  Following is the code which we are using.
  //Instantiate the rpovider
  IAIK provider = new IAIK();
  Security.addProvider(provider);
  //Instantiate the ticket
  tv = new com.sap.security.core.ticket.imp.Ticket();
  //set teh certificates
  tv.setCertificates(certificates);
  //set the MYSAPSSO2 cookie
  tv.setTicket(strCookie);
  if (!tv.isValid()){
  System.out.println("Ticket is not valid");
  //Verify the ticket
  tv.verify();
  isValid method is working fine - it is returning true or false exactly based on the validity.
  ISSUE:
  tv.verify();--->Raises the following exception:
  java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
  When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
  but the portal is providing the serial number in hexadecimal format.
  So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
  If I print the certificates available in the keystore it is printing that certificate with serial number in hexadecimal format. if I convert that hexadecimal to decimal - I get the same number which is part of the error message raised by the code.
  The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
  Could anyone help resolve this issue?
  Thanks in advance.

  Any advice please?
  Do I need to post it in a different forum?

• Terminate Portal User Login with JSessionID or MYSAPSSO2 Cookie

  Dear All,
  I know using Visual Administrator , we can terminate the session.
  Is it possible for the administrator to terminate a logged in portal user with his/her  JsessionID or MYSAPSSO2 cookie value or User Id programmatically.?
  Is it possible for portal admin to forcibly exit (logoutl) an active user login  without logging onto visual administrator?
  Regards,
  Eben Joyson

  The only complete mitigation for session hijacking is to run the entire site as SSL. This is Oracle's recommendation if you need a complete mitigation solution. And example of an ATG site running in full SSL is Dennis Kirk (denniskirk.com).
  The problem with doing so is that SSL (a) takes more processing power in the system running the client's browser and (2) incurs latency that degrades the perceived page performance. This is particularly true for consumers running Internet Explorer, where speed-up measures like SPDY are either incomplete or don't work. And for a hard core eComemrce site, slower page performance means that you make less money.
  Most sites, including those that you mention, use a mixture of SSL and non-SSL pages to overcome this. They use non-SSL for those areas of the site where penetration does not have a material negative impact. Browsing catalog pages as an anonymous user, for example. If someone hijacks my session and I'm browsing the catalog anonymously, they're welcome to it. There's nothing private in my session. Even robots can access that content.
  Once I login or go to pages where private information is being exchanged, then you have to secure the session. That's where the protocol switcher servlet comes in. As you authenticate, you switch the user to SSL.
  I've tried a number of additional mitigation steps. Unfortunately I can't discuss them here at this time.
  And none of the servlets that you mention have any benefit with mitigating session hijacking.

• How to generate MYSAPSSO2 cookie?

  Hello!
  Is it possible to generate MYSAPSSO2 cookie in WebDynpro or J2EE/JSP applications? These apps running as standalone, not in the SAP Portal. Also WD apps not using sap.authentificate property since I have to use my own login algorithm for it.
  If yes could you give a code snippets for this? I've tried to find it but found snippets only for reading such cookie.
  P.S. I'm working with SAP Web AS 7.0
  regards, Lev

  hi Lev
  check this
  https://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/17be8b32-0a01-0010-51bc-8fe5e11d204e
  http://help.sap.com/saphelp_nw04s/helpdata/en/ac/ce417acc9a4d48aa52fa562cb9b194/content.htm
  http://www.scribd.com/doc/6558564/HOWTO-Create-Custom-Application-for-Handling-J2EE-Engine-Multi
  let me know ami got it or not
  bvr
  Edited by: bvr on Apr 7, 2009 2:56 PM

• Issue while parsing the MYSAPSSO2 Cookie

  Hi All,
  We are trying to establish SSO with a non SAP web application using MYSAPSSO2 cookie.
  Plan is to write a java class which can parse out the MYSAPSSO2 cookie, extract the user Id and use it for single sign on.
  Following Libraries are used:
  logging.jar
  i18n_cp.jar
  iaik_jce.jar
  com.sap.security.api.jar
  com.sap.security.core.jar
  rscp4j.dll(this is downloaded from a SAP EP 7.0 instance running in windows 2003 server in our landscape).
  Our Source SAP EP 7.0 instance which will be issuing the cookie is running in Solaris.
  The target application in which the cookie is parsed, is running in Windos 2003 64 bit server.
  Following is the code which we are using.
  //Instantiate the rpovider
  IAIK provider = new IAIK();
  Security.addProvider(provider);
  //Instantiate the ticket
  tv  =   new com.sap.security.core.ticket.imp.Ticket();
  //set teh certificates
  tv.setCertificates(certificates);
  //set the MYSAPSSO2 cookie
  tv.setTicket(strCookie);
  if (!tv.isValid()){
       System.out.println("Ticket is not valid");
  //Verify the ticket
  tv.verify();
  isValid method is working fine - it is returning true or false exactly based on the validity.
  ISSUE:
  tv.verify();--->Raises the following exception:
  java.security.SignatureException-Certificate (Issuer="CN=SID,OU=XX,O=XYZ,L=LO,ST=ST,C=CO", S/N=1234567890) not found.
  When analyzed, it looks like the verify method is trying to compare the issuer's serial number in integer format
  but the portal is providing the serial number in hexadecimal format.
  So the keystore has the certificate with the same issuer and serial number but the serial number is in hexadecimal format.
  The certificate from SAP Enterprise Portal was imported to the local keystore using the keytool -import option.
  Could anyone help resolve this issue?
  Thanks in advance.

  Hi,
  im facing the exact same problem, and I think I found the reason for the behavior described above.
  The Problem seems to be located at
  [http://help.sap.com/javadocs/NW73/SPS01/CE/se/com.sap.se/com/sap/security/api/ticket/TicketVerifier.html#verify()]
  from com.sap.security.api.jar, just like mentioned.
  But the Problem seems to be the issuer, not the serial number.
  When decompiling  com.sap.security.api.jar with JD-GUI ([http://java.decompiler.free.fr/?q=jdgui]),
  you can see the following:
       public static java.security.cert.X509Certificate[] findCertificates(
                 java.security.cert.X509Certificate[] certificates, String issuer, BigInteger serial) {
            if ((certificates == null) || (certificates.length == 0)) {
                 return null;
            ArrayList certificateList = new ArrayList();
            for (int i = 0; i < certificates.length; i++) {
                 java.security.cert.X509Certificate certificate = certificates<i>;
                 if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
                      certificateList.add(certificate);
            if (certificateList.size() == 0) {
                 return null;
            java.security.cert.X509Certificate[] matchedCertificates = new java.security.cert.X509Certificate[certificateList
                      .size()];
            certificateList.toArray(matchedCertificates);
            return matchedCertificates;
  As you can see, the issuer-parameter is beeing compared with the issuer from the certificate. And here comes the weird stuff: While the  issuer-parameter contains an issuer like
  "OU=J2EE,CN=EXAMPLE"
  the issuer retrieved from the certificate is
  "OU=J2EE, CN=EXAMPLE"
  (see toString() of the java.security.cert.X509Certificate)
  You see the missing whitespace after the comma? This is the reason why the if-condition fails and you get something like
  java.security.SignatureException: Certificate (Issuer="OU=J2EE,CN=EXAMPLE", S/N=1234) not found.
  A workaround (a really UGLY one, I admit), is the following:
  1. Open  com.sap.security.api.jar with a ZIP-tool and delete
  /com/sap/security/api/ticket/TicketVerifier.class
  2. Copy the decompilied Version of TicketVerifier to Java-Class /com/sap/security/api/ticket/TicketVerifier.java
  3. Change
  for (int i = 0; i < certificates.length; i++) {
       java.security.cert.X509Certificate certificate = certificates<i>;
       if ((certificate.getIssuerDN().getName().equals(issuer)) && (certificate.getSerialNumber().equals(serial))) {
            certificateList.add(certificate);
  to
  for (int i = 0; i < certificates.length; i++) {
       X509Certificate certificate = certificates<i>;
       String dnNameFromCert = certificate.getIssuerDN().getName().replaceAll(", ", ",");
       BigInteger serialNumberFromCert = certificate.getSerialNumber();
       if ((dnNameFromCert.equals(issuer)) && (serialNumberFromCert.equals(serial))) {
            certificateList.add(certificate);
  4. Package this class into a jar and make it available in your classpath.
  5. Enjoy
  To me, this is a huge bug in the SAP-Library and has to be fixed.
  Regards
  Matthias
  Edited by: Matthias82 on Sep 29, 2011 12:47 PM

• Problem hiding userid etc in cookie using 10.1.2.0.2 Forms and Reports

  Hi
  Background
  I am new to 10.1.2.0.2 Forms and Reports and also to Application Server - though not to Oracle forms and reports. We are currently converting from 6i.
  Due to security concerns we would very much like to use the FrmReportsInteg Bean (or like) to hide userid connect string in a temporary and encrypted cookie when trying to run a report from a form (and the report has a report parameter screen that we want to display).
  Firstly I have to decide how we are going to use reports via the Developer Suite -for development work. Then I have to work out how to do it via the Application Server - for testing and production. So if you have two variations of any solutions - one for DS and one for AS, could you give both please?
  Problem
  Problem is that I cannot get the bean to work. I get report parameter form displaying ok, hit submit and then get the Database User Authentication window poppling up with the "REP-51018: Need database user authentication" error that I've noticed a few other people in this forum have had too. If the user id etc is then entered in this window, the report parameter form redisplays (from a second html) and submitting this causes the report to display. Don't like the Database User Authentication window poppling up and don't like the second parameter form - html for this has the userid etc in it.
  For me though I can't even get the bean to output any logs. Got any ideas to help me at least output some logs?
  Also do I have to do anything to the browser (IE6) to get it to read the cookies?
  Do I need to change the bean code for the DS in some way - eg to avoid using domain name (as I noticed in another thread)?
  My code exactly follows the whitepaper and I also carefully followed the instructions for adding the bean to the form and configuring the forms services - as per white paper.
  Looking forward to some answers
  Pamela

  hi Kashif,
  just check this thread,
  How to deploy Forms/report on Application Server 10.1.3
  Regards,
  Hamdy

• MYSAPSSO2 Cookie not found in IE

  Hi Everyone,
  I am trying to implement SSO between a third party Java application and the SAP EP 7.0. As a test procedure, I log in to my portal and then run my code to see if I can retrieve and decrypt the MYSAPSSO2 cookie.
  My code works perfectly when I log in to the portal using Mozilla Firefox (2.0.0.1); I can see the MYSAPSSO2 cookie and decrypt it (Log file output below). However, when I use IE (6.0.3790.1830) to log in to the portal, I can not retrieve the MYSAPSSO2 cookie. It seems as if this cookie does not even exists. I am thinking the cookie is somehow hidden and therefore my code can't see it.
  Has anyone faced this issue before? I have tried to decrease the security settings on IE but that doesn't help things. Any help on this issue would be really appreciated!
  Pasted below is a snippet of my code.
  //request is a HttpServletRequest object
  Cookie[] allCookies = request.getCookies();
                      int allCookiesLength = allCookies.length;
                      for (int i = 0 ; i<allCookiesLength; i++)
                           Log.debug("Cookie Name at " + i + " = " + allCookies<i>.getName());
                           if(allCookies<i>.getName().compareToIgnoreCase("MYSAPSSO2")==0)
                                SAP_SSO_COOKIE =  allCookies<i>;
                                                  Log.debug("Cookie Found!");
                                cookieFound = true;
                                break;
                                          Log.debug("Cookie NOT Found!");
                           cookieFound = false;
  <u><b>Log file Output with IE</b></u>
  2007.02.07 13:05:31 Cookie Name at 1 = saplb_*
  2007.02.07 13:05:31 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:05:31 Cookie NOT Found!
  <u><b>Log file Output with Firefox</b></u>
  2007.02.07 13:54:15 Cookie Name at 0 = saplb_*
  2007.02.07 13:54:15 Cookie Name at 1 = PortalAlias
  2007.02.07 13:54:15 Cookie Name at 2 = JSESSIONID
  2007.02.07 13:54:15 Cookie Name at 3 = MYSAPSSO2
  2007.02.07 13:54:15 Cookie Found!
  Thanks
  MOY

  Michael,
  I changed the parameter "httponlycookie" to FALSE and this works. My issue was that when I set the parameter to FALSE, I restarted my J2EE engine. For some odd reason, after the restart this parameter was set back to TRUE. Whats even worse, or maybe even cool, depends how you look at it, is that this parameter is set back to TRUE even if I closed down Visual Admin and fire it up again (without restarting the server). However, in this case SSO still works because the J2EE settings are not updated with this TRUE value. Is there a security setting which sets back this parameter to TRUE every time the server is restarted or when Visual Admin is fired up?
  Thanks
  MOY

• Calling an Abap Web Service from IBM WebSphere with a MYSAPSSO2 Cookie

  Hello,
  I have the following problem :
  I have to develop a proof of concept between IBM Web Sphere 5.1 and SAP AS JAVA 7.0.
  I have created an IBM sevlet in Web Sphere, I use a specific redirect from an SAP AS Java to call it, this way I can have a SAP Logon Ticket, and I manage to call an ABAP module function with JCO with SSO.
  Scenario 1 : browser  + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap module function (ECC5)
  This scenario works fine.
  I have to do the same scenario with a Web Service and I don't know what to do.
  I try to use jax-rpc handlers but I don't know how to pass my cookie from my servlet to my handler.
  Scenario 2 : browser + authentication --> AS Java redirect servlet MYSAPSSO2 cookie -> IBM WebSphere servlet JCO -> Abap Web Service (ECC5)
  Has someone already done that  ?
  Regards,  Julien.

  Julien,
  Why are you using 5.1....go for 6.0 and its cake walk, i have integrated WebSphere 6.0 with R/3 uysing xi.....in a week.
  Scenario changed to:--
  Browser+ authentication --> WebSphere AS servlet request --> XI --> RFC/bapi --> abap webService
  Hope that helps
  Regards
  Ravi

• SRM and MYSAPSSO2 cookie

  Hello,
  we are using SRM 4.0 (standalone scenario) with integrated ITS 6.40. The SRM application is accessed directly through browser (without any SAP portal encapsulation). We would like to customize the lifetime of cookie MYSAPSSO2 which is set after user authentication. I have noticed that this cookie is still located at browser level as long as this browser is open : there is no time validity for this cookie. As user's session, at application server level, is submited to timeout, we would like to be able to set such timeout for MYSAPSSO2 cookie too.
  Do you know a way to achieve this ?
  Thank you for your help.
  Regards.
  Fabrice

  Hi Fabrice.
  I am using Single Sign On for SRM Add on ERP without portal.
  I have set up the following tickets with value 1 but after 8 hours this tickets resets to 0 and have to put value as 1 again via RZ11 so that user can sign on properly in SRM as SSO.
  login/create_sso2_ticket and login/accept_sso2_ticket
  In our system, the default value for login/ticket_expiration_time is 8 hrs.
  Please advise what i shoud do so that the single sign on works properly and the value of parameters does reset to 0.
  Thanks,
  Sagar

• Setting value in cookie using ABAP code

  Hai All,
  Is it possible to set value in a cookie using ABAP code.
  Regards,
  H.K.Hayath Basha.

  Hai Thomas Jung,
  In Enterprise portal SAP has standard functionality to set inactivity timeout. We can set whatever time we want, say for example if we set the time as 15 minutes. If the user is not interacting with the system for 15 minutes then portal will logout the user automatically without any information.
  Our user wants a popup to be shown that the system will be logged out due to inactivity.
  Since Portal logout the user automatically without any information. I want to put in my own framework to handle inactivity timeout.
  What idea I have is, when ever user interacts with any function in portal. I will set current time in a cookie. Someother application will read this cookie at regular interval, if the time difference between the cookie and system is 15, then I will force the user to logout by showing a popup screen.
  In our portal we have three different type of application, they are, Java Webdynpro, ABAP-Webdynpro and BSP.
  I think that from Java Webdynpro and BSP we can call a javascript to set value in a cookie, from ABAP-Webdynpro I don't know how to set a value in cookie.
  This is my business requirement. Is there anyother solution to fullfill this business requirement.
  Thanks & Regards,
  H.K.Hayath Basha.
  Let me tell the business requirement.  Our user want to give a popup message when

• Help in reading browser cookies

  In my app i use Ruby on rails as server side language. I have
  a login page with "Remember me" option. It stores the user info in
  a browser cookie. After successful login it should redirect to the
  flex application. There I must be able to read the browser cookie
  info and display a greeting message for the user like this "Hello
  "+user.name. I dont know how to do this. Someone please help with a
  general way to read browser cookies. Thanks

  Adobe Newsbot hopes that the following resources helps you.
  NewsBot is experimental and any feedback (reply to this post) on
  its utility will be appreciated:
  Flex 3 - About data access:
  Flex data access components are based on a service-oriented
  architecture (SOA). ... JavaServer Pages, Java servlets, Ruby on
  Rails, and Microsoft ASP pages.
  Link:
  http://livedocs.adobe.com/flex/3/html/data_intro_2.html
  Adobe - Flex 3:
  Flex for Ruby developers. Step 1: Experience Flex. Ruby on
  Rails logo ... Post and find jobs that require Flex and Ruby
  knowledge through the Flex and Rails
  Link:
  http://www.adobe.com/products/flex/developers/ruby/
  Flex 3 - Using HTTPService components:
  ... ColdFusion Pages, JavaServer Pages (JSPs), Java servlets,
  Ruby on Rails, ... You can use a Flex HTTPService component in
  conjunction with PHP and a SQL
  Link:
  http://livedocs.adobe.com/flex/3/html/data_access_2.html
  Adobe - Developer Center : Integrating Flex 2 and Ruby on
  Rails:
  Oct 9, 2006 ... In this article you will learn how to
  integrate Flex 2 with Ruby on Rails and a MySQL database by
  building a simple issue tracker
  Link:
  http://www.adobe.com/devnet/flex/articles/flex2_rails.html
  Flexible Rails About:
  It is not an exhaustive Ruby on Rails tutorial (Agile Web
  Development with Rails does that already) or a Flex 3 reference
  manual (Adobe ships over 2000
  Link:
  http://www.flexiblerails.com/
  Mike Potter: Announcing the Ruby on Rails RIA SDK by Adobe:
  If you're interested in Ruby on Rails and Adobe Flex, you can
  participate in our small but growing community by joining the Ruby
  on Rails RIA SDK mailing
  Link:
  http://blogs.adobe.com/mikepotter/2006/09/announcing_the_1.html
  Disclaimer: This response is generated automatically by the
  Adobe NewsBot based on Adobe
  Community
  Engine.