Consuming web services in flex from a SAP system can lead to flash player security sandbox violations. Most of the time you have the flex application on one domain and the
R/3 system on another. This results in the following error being thrown: Request for resource at * by requestor from * file is denied due to lack of policy file
Starting with flash 7, direct cross-domain data loading was possible, but only authorized by policy files – crossdomain.xml files. With each flash player version, the default policy rules became more and more restrictive ending in current flash player version 10 that has a default meta-policy of master-only. This means that even with loadPolicyFile (allowing you to load a crossdomain.xml from any location) you still need to have a master policy file located directly under root /crossdomain.xml in the domain you’re trying to access data from. So no matter the scenario a root /crossdomain.xml is required.
Enabling /crossdomain.xml in an R/3 system.
There are two possible approaches to this:
- Via transaction SICF change the default host’s default service to point to a BSP application in which you’ve added the crossdomain.xml file as a mime service
- Configure ICM (Internet Communication Manager) to handle it since it sits between the outside world making HTTP, HTTPS, SMTP requests and the SAP System
Method 1 – BSP Application.
I’ve found this method described in a few places, including the sap sdn forums. In my opinion, it has a major drawback as it overrides some settings with new ones (changing default service part).
Nevertheless, here it goes:
1) In transaction SE80 Object Navigator, select a package you own (like the default $TMP_BCUSER one), right click -> create -> BSP Library -> BSP Application
2) Select the BSP Application, right click -> create -> MIME Object -> Import -> select the crossdomain.xml file. activate the application.
3) Execute transaction SIC with default settings, double click the default_host, go to the Default Service tab, and the select the newly created application from default_host/sap/bc/bsp/sap/.Â Save changes.
4) Go back and reactivate default_host.
Method 2 – File Access Handler.
I find this method a lot less invasive, but nobody seems to mention it. It makes use of ICMÂ responsible for processing HTTP requests. One of the ICM http handlers is the file access handler. This one is responsible for returning files from the file system following the rules from parameter icm/HTTP/file_access_xx. In a way think of this as configuring httpd.conf from an apache web server via the RewriteRule.
An example of such a rule can be:
icm/HTTP/file_access_0 = PREFIX=/crossdomain.xml, DOCROOT=C:\usr\sap\NSP\DVEBMGS00\data\icmanroot\crossdomain.xml
PREFIX indicates for what path under the current host and port the handler should trigger. DOCROOT indicates what file(s) should be returned. Usually both PREFIX and DOCROOT contain directory values but in our situation we need to explicitly define PREFIX as /crossdomain.xml. If we define it as / means all requests to current host and port will be handled by the file access handler and we certainly don’t want that, the web services we’re trying to load in the first place will not work. Instead of being handled by the SAP system (default action for every request), the web services will be handled by a http handler resulting in an error.
Detailed steps to achieve this:
1) In transaction SMICM, Goto -> Parameters -> Display. Look for any file_access_ references you may have so that we don’t override existing entries. If you have file_access_0, the new entry will be file_access_1 and so on. If you don’t have such an entry, the new entry will be file_access_0.
2) Select transaction RZ10, select the instance profile from the available dropdown menu. If you don’t have any entries in the dropdown Utilities ->Import profiles -> Of active servers. Select “Extended Maintenance” under Edit Profile and click change.
3) Click create new parameter and add the new file_access_xx entry. Example: parameter name is file_access_0, parameter value is PREFIX=/crossdomain.xml, DOCROOT=C:\usr\sap\NSP\DVEBMGS00\data\icmanroot\crossdomain.xml
4) Save the current profile and click yes when asked if you want it activated as well.
5) Restart the SAP instance.