Calling SAP SOAP Webservices via Ajax Javascript – Go round the cross-domain-policies


I’m trying to develop a web application, which should submit a SOAP-Request (POST) to a SAP Webservice using Ajax / Javascript. After that the appropriate data from the SAP System should be displayed on the web application.

However, I’m now faced with the cross-domain problem, because the web application and the system are on different domains. If I adjust my IE (btw. IE11) security settings, the application will run correctly.

But I want to avoid that, because the application will be used not only on my computer but also by many other users. It’s important that it supports all browsers and mobile devices, without the need to adjust the security settings.

With the default security level, the application no longer works for me and I get the error message “XMLHttpRequest: Access denied” because apparently CORS and CORS Preflight are required.

Looking for a solution, I first stumbled upon JSONP. But since these are standard SAP Webservices and the data is transmitted in XML form (not JSON) by means of the WSDL, this method, in my opinion, is ruled out. In addition, I use “POST” methods. In JSONP only “GET” methods are supported.

I would also like to avoid solving the problem via another server or a proxy placed between the SAP system and the web application, because I have no knowledge of those topics in relation to SAP systems and do not know how to implement this.

CORS seems to be a good option in my case. From the request header I can deduce that the following attributes are sent to the host of the SAP system:

Option: with the domain of the Web application

Access-Control-Request-Method: with the value “POST”-method

Access-Control-Request-Header: with the entries “content-type, accept”

Requirement: with “OPTION”

See request header: http://up.picr.de/23122262lo.png

If I understood CORS correctly, the SAP system must now respond appropriately to this request to allow the cross-domain access. I’ve tried using a “crossdomain.xml” file, like in Flash or Adobe, which I’ve placed in the root of the SAP system domain. When called via the path “SAP domain/crossdomain.xml”, the XML file is shown as follows:

<?xml version="1.0" ?>
<cross-domain-policy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <site-control permitted-cross-domain-policies="all"/>
  <allow-access-from domain="*" to-ports="*" secure="false"/>
  <allow-http-request-headers-from domain="*" headers="*" secure="false"/>
</cross-domain-policy>

Unfortunately, this is apparently not entirely sufficient. From the response header I can see that the XML file is not used.

See response header: http://up.picr.de/23122265yp.png

How should I attach those CORS permissions to the response headers in SAP? Is this solution only possible for Adobe or Flash? Can I also use this in my case, or can I bind the appropriate permissions in the webservice settings (SOAMANAGER), e.g. in a binding?

What about a SAP-side proxy? Would that be an option and, if so, do you have any advice for the implementation?

I would be very grateful for helpful tips and answers, especially since I have no other ideas at the moment on how to solve this cross-domain problem.

Thank you in advance for your assistance.

Here is my request-snippet:

//jQuery.support.cors = true;
$(document).ready(function () {
  // aOSUser, aSystem, processSuccess and processError are assumed to be
  // defined elsewhere in the application; they are not part of this snippet.
  var wsUrl = "http://BCSW-SAP016.xxxxxx.net:8000/sap/bc/srt/rfc/sap/z_agbs_webservice_xxxx/001/service/binding";

  // SOAP 1.2 envelope for the ZAgbsWebserviceComTab operation.
  var soapRequest = '<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:urn="urn:sap-com:document:sap:soap:functions:mc-style">'
                    + '<soap:Header/>'
                    + '<soap:Body>'
                        + '<urn:ZAgbsWebserviceComTab>'
                            + '<Aosuser>' + aOSUser + '</Aosuser>'
                            + '<Asystem>' + aSystem + '</Asystem>'
                            + '<EvTabelle>'
                            + '</EvTabelle>'
                        + '</urn:ZAgbsWebserviceComTab>'
                    + '</soap:Body>'
                + '</soap:Envelope>';

  // A cross-origin POST with this content type is not a "simple" request,
  // so the browser sends an OPTIONS preflight before the POST itself.
  $.ajax({
    type: "POST",
    url: wsUrl,
    contentType: "application/soap+xml", // charset=UTF-8
    // "action" is not a jQuery.ajax() setting, so jQuery ignores this entry.
    action: "urn:sap-com:document:sap:soap:functions:mc-style:Z_AGBS_WEBSERVICE_xxxx:ZAgbsWebserviceComTabRequest",
    dataType: "xml",
    data: soapRequest,
    success: processSuccess,
    error: processError
  });
});

There is 1 answer

Neil Hoff

Check out this blog post

You need to add a custom handler that sets the "Access-Control-Allow-Origin" header and then assign the header in SICF.

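The header decision such a custom handler has to make for the preflight described in the question, sketched in JavaScript as an added example (it is not code from the answer, the linked blog post or SAP). The origin `https://webapp.example.net` and the `POLICY` values are constructed assumptions; a real SICF handler would be written in ABAP and apply the same logic to the request and response headers.

```javascript
// Added example: CORS decision logic only. POLICY values are constructed.
// An explicit origin allowlist is used instead of "*", so only the known
// web application may read responses from the service.
const POLICY = {
  origins: new Set(["https://webapp.example.net"]), // assumed web-app origin
  methods: new Set(["POST"]),
  headers: new Set(["content-type", "accept"]),     // as sent in the preflight
  maxAge: 600,                                      // seconds a browser may cache the preflight
};

// Returns the CORS headers to add to the response, or null when the request
// must not be granted cross-origin access (no CORS headers are emitted then).
function corsHeaders(method, requestHeaders, policy = POLICY) {
  const h = {};
  for (const [name, value] of Object.entries(requestHeaders)) {
    h[name.toLowerCase()] = value; // header names are case-insensitive
  }
  const origin = h["origin"];
  if (!origin || !policy.origins.has(origin)) return null;

  // Echo the matched origin and tell caches the response varies by Origin.
  const out = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };

  const isPreflight =
    method === "OPTIONS" && "access-control-request-method" in h;
  if (!isPreflight) return out; // actual POST: Allow-Origin is enough

  const wantedMethod = h["access-control-request-method"].toUpperCase();
  if (!policy.methods.has(wantedMethod)) return null;

  const wantedHeaders = (h["access-control-request-headers"] || "")
    .split(",")
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
  if (!wantedHeaders.every((n) => policy.headers.has(n))) return null;

  out["Access-Control-Allow-Methods"] = [...policy.methods].join(", ");
  out["Access-Control-Allow-Headers"] = wantedHeaders.join(", ");
  out["Access-Control-Max-Age"] = String(policy.maxAge);
  return out;
}

// Constructed preflight matching the request headers listed in the question.
const samplePreflight = {
  Origin: "https://webapp.example.net",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "content-type, accept",
};
console.log(corsHeaders("OPTIONS", samplePreflight));
```

The handler should answer the OPTIONS preflight itself with these headers and an empty body, and add only `Access-Control-Allow-Origin` and `Vary` to the response of the actual POST.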