Tuesday, 9 May 2017

Cross domain request in ABAP and Java with two workaround

Cross Domain Request in ABAP


Create a new ICF node in tcode SICF, implement the following source code in its handler class.

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

METHOD if_http_extension~handle_request.
   DATA: lv_text TYPE string value 'hello world'.
   server->response->append_cdata(
                        data   = lv_text
                        length = strlen( lv_text ) ).
  ENDMETHOD.

Access the url in browser, and it works as expected.

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

And now try to access the url by AJAX in jQuery:

function getPostByAJAX(requestURL){
   var html = $.ajax({
  url: requestURL,
  async: false}).responseText; 
   debugger;
   return html;
}

You will get the following error message in browser: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘null’ is therefore not allowed access.

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

The request fails to finish due to same origin policy.

One remedy is to use Cross-Origin Resource Sharing.

Add a few more codes in the ICF handler class:
  METHOD if_http_extension~handle_request.

    DATA: lv_text TYPE string VALUE 'hello world'.
    CONSTANTS: cv_white_id TYPE string VALUE 'i042416'.

    DATA(lv_origin) = server->request->get_header_field( 'origin' ).
    DATA(lv_userid) = server->request->get_form_field( 'userId' ).
    IF lv_userid = cv_white_id.
      server->response->set_header_field(
         EXPORTING
           name  = 'Access-Control-Allow-Origin'
           value = lv_origin ).
    ENDIF.
    server->response->append_cdata(
                         data   = lv_text
                         length = strlen( lv_text ) ).
  ENDMETHOD.

And when requesting the resource again but this time with a hard coded user id which acts a a simulation of white list, the request can be successfully processed this time thanks to CORS:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

The response is available in JavaScript code:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Change the user id to any other one and the request will fail again:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Cross Domain Request in Java


The similar logic as in ABAP.
Create a dynamic web project in Java with a servlet named “HelloWorldServlet”:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Copy the following implementation source code into the Servlet:

public class HelloWorldServlet extends HttpServlet {
    private static final long serialVersionUID = 1L;
    public HelloWorldServlet() {
        super();
    }
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    List<String> allowedUserId = Arrays.asList(getServletContext().getInitParameter("userIds").trim().split(","));
        String clientOrigin = request.getHeader("origin");
        String ipAddress = request.getHeader("x-forwarded-for");
        if (ipAddress == null) {
            ipAddress = request.getRemoteAddr();
        }
        String userId = request.getParameter("userId");
        if( userId != null)
        userId = userId.trim();
        if( allowedUserId.contains(userId)){
        response.setHeader("Access-Control-Allow-Origin", clientOrigin);
        }
        if( ipAddress.equals("0:0:0:0:0:0:0:1"))
        response.getWriter().println("local one");
        else
        response.getWriter().println("Hello World!");
    }
protected void doPost(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
doGet(request, response);
}
}

The web.xml in folder WEB-INF, which the allowed user ids are listed in node <context-param>.

<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://java.sun.com/xml/ns/javaee"
xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
id="WebApp_ID" version="2.5">
<display-name>JerryTest</display-name>
<welcome-file-list>
<welcome-file>Hello</welcome-file>
<welcome-file>index.html</welcome-file>
</welcome-file-list>
<context-param>
<param-name>userIds</param-name>
<param-value>i042416,i042417,i042418</param-value>
</context-param>
<servlet>
<description></description>
<display-name>HelloWorldServlet</display-name>
<servlet-name>HelloWorldServlet</servlet-name>
<servlet-class>helloworld.HelloWorldServlet</servlet-class>
</servlet>
<servlet-mapping>
<!-- http://stackoverflow.com/questions/4140448/difference-between-and-in-servlet-mapping-url-pattern -->
<servlet-name>HelloWorldServlet</servlet-name>
<url-pattern>/Hello</url-pattern>
</servlet-mapping>
</web-app>

Now access the servlet with user id which is not included in the list, and the request fails:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

And perform positive test via an allowed user id specified in request:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Request is successfully handled and returned to browser:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Client side workaround


Sometimes for development purpose we would like to bypass the limitation of same origin policy, and here below are two approaches I used in my daily work.

workaround 1: use Chrome extension “Allow-Control-Allow-Origin”

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Once installed, just switch on CORS via checkbox:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

This extension will automatically add a new field in request header to do the magic:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

Now the response is available with the help of this extension, even the requested user id is not in allowed list:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

workaround 2: disable same origin policy via Chrome start command argument –disable-web-security

Create a new shortcut and add the argument –disable-web-security

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

request detail:

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

This time the request is still successfully handled – you will see a warning “Stability and security will suffer.” in Chrome.

SAP ABAP Guide, SAP ABAP Tutorials, SAP ABAP Certifications

No comments:

Post a Comment