Proxy Error 403 from SAP webservice invocation

 
Ranch Hand
Posts: 251
Hi.


I am connecting to an SAP service from a Java application. The request is sent successfully from the Java application, but the response from SAP is not coming back; instead we are getting the below error.

      com.sun.xml.ws.client.ClientTransportException: The server sent HTTP status code 403: Proxy Error
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.checkStatusCode(HttpTransportPipe.java:332)
       at com.sun.xml.ws.transport.http.client.HttpTransportPipe.createResponsePacket(HttpTransportPipe.java:274)


Please let me know what could be the issue here. Only from the application end are we getting this issue, even after enabling the port and firewall to connect to this service/server; the telnet connectivity to the SAP service/server is working fine, and it is also working fine when we connect from SOAP UI.

Please let me know what is causing this issue and it is very strange when we invoke this service from application it is not working.

Thanks

 
Saloon Keeper
Posts: 21603
HTTP status 403 means "Forbidden". It is returned when the server determines that the client is not authorized to make that request. It is not returned by firewalls.

You can get it when you are not logged in, or you are logged in as a user who doesn't have proper security rights for that request.

You can also get it if you issue a bad (for example, mis-spelled) URL request that targets a protected web resource.
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks Tim. It will be really great if you can elaborate on the below 2. I verified the endpoint URL config, and that looks fine from the application perspective, so I think we can rule out Point #3. But can you please help me on the below? As mentioned, it is working fine when we invoke from SOAP UI, and there is no issue with the connectivity when we telnet to the server.

1. It is returned when the server determines that the client is not authorized to make that request. It is not returned by firewalls.

2. You can get it when you are not logged in, or you are logged in as a user who doesn't have proper security rights for that request.

For the above 2 points, if there is any issue with the client not being authorized, or the user not having the proper security rights, then we normally get the 401 Unauthorized error and not proxy error 403, right?
Since it is proxy error 403, is there any issue with the SAP service certificate installation, or any web server level config we need to add at the Infra/server (Server1) level, on which the client application is hosted, to invoke the SAP service running on a different server (Server2)? Please let me know your opinion.
 
Tim Holloway
Saloon Keeper
Posts: 21603
A properly configured webapp server will return a 401 to force a login, that's true. If a login was not forced, a 403 could be encountered.

A 403 will definitely be returned if the webapp server detects a URL request for which the client was not authorised. The 403 always comes from the server logic itself. If the server provides container security such as that provided by the JEE standard, then the server (Tomcat, Websphere, Wildfly or whatever) returns the 403 response itself. If the request was OK at the server level, the web application can return a 403 if its own internal security logic wants to deny access. But that's because a webapp can return any response code it wants to, and 403 is the standard "forbidden" code. The 403 code is not just for proxies.

If a firewall blocks, usually the connection request will simply time out, with no response and thus no response code. If a security cert is invalid or does not imply, the connection request will likewise be denied and most probably will also not receive an HTTP (403) response because the forbidding is typically done at the networking level, not the HTTP level.

So in short, check the userID that is being used to make the request and verify that it has the proper role(s) assigned.

And remember that if you log in as a user session, the security token (jsessionid) must be passed on subsequent requests or the client will not be seen under the proper userID. HTTP does not open a permanent connection and, thanks to such constructs as NAT, a source IP cannot uniquely identify a single user. Only the jsessionid can do that. If you are using cookies, make sure that the client-side Java code keeps passing the jsessionid cookie (the HttpURLRequest does that automatically, but lower-level services do not). If you are not using cookies, you need to append the jsessionid to the URL being requested.
 
Tim Holloway
Saloon Keeper
Posts: 21603
And an addendum. Don't save the jsessionid and keep using it. It may change between requests. Always use the jsessionid returned by the last request made.
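
The session-cookie behaviour described in the two replies above, as an added example that is not part of the original thread. `SessionCookieDemo`, the `/login` and `/data` paths and the local server that rotates the id on every accepted request are constructed for illustration; the client side uses the JDK's `HttpURLConnection` with a `java.net.CookieManager` installed as the default `CookieHandler`.

```java
import com.sun.net.httpserver.HttpServer;
import java.net.*;
import java.util.UUID;

public class SessionCookieDemo {
    static String current;    // constructed server state: the one id accepted right now
    static String lastCookie; // Set-Cookie value from the most recent response

    static int call(String url, String cookie) throws Exception {
        HttpURLConnection c = (HttpURLConnection) URI.create(url).toURL().openConnection();
        if (cookie != null) c.setRequestProperty("Cookie", cookie);
        int status = c.getResponseCode();
        lastCookie = c.getHeaderField("Set-Cookie");
        return status;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a protected endpoint: /login issues an id, every
        // accepted request rotates it, and a request without the current id gets 403.
        HttpServer server = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.createContext("/", ex -> {
            String sent = ex.getRequestHeaders().getFirst("Cookie");
            boolean ok = ex.getRequestURI().getPath().equals("/login")
                    || (current != null && sent != null && sent.contains("JSESSIONID=" + current));
            if (ok) {
                current = UUID.randomUUID().toString();
                ex.getResponseHeaders().add("Set-Cookie",
                        "JSESSIONID=" + current + "; Path=/; HttpOnly");
            }
            ex.sendResponseHeaders(ok ? 200 : 403, -1);
            ex.close();
        });
        server.start();
        String base = "http://127.0.0.1:" + server.getAddress().getPort();

        // Client 1: saves the id from login and keeps replaying that saved copy.
        call(base + "/login", null);
        String saved = lastCookie.split(";")[0];
        System.out.println("saved id, 1st use: " + call(base + "/data", saved));
        System.out.println("saved id, 2nd use: " + call(base + "/data", saved));

        // Client 2: a CookieManager stores each Set-Cookie and sends the latest one back.
        CookieHandler.setDefault(new CookieManager());
        call(base + "/login", null);
        System.out.println("cookie jar, 1st use: " + call(base + "/data", null));
        System.out.println("cookie jar, 2nd use: " + call(base + "/data", null));
        server.stop(0);
    }
}
```

The replayed id is rejected once the server has rotated it, while the cookie jar keeps following the id from the last response.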
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks a lot Tim, when you say the below,

A 403 will definitely be returned if the webapp server detects a URL request for which the client was not authorised. The 403 always comes from the server logic itself. If the server provides container security such as that provided by the JEE standard, then the server (Tomcat, Websphere, Wildfly or whatever) returns the 403 response itself.

Here, is Proxy error 403 coming from the destination server, that is, the SAP server (Server 2), which is returning the error message as opposed to the web service response while invoking this from the client application running on Server 1?
I had a discussion with the SAP team; they were telling me full permission is given to access their endpoint from any server and there is no security restriction from their end. We also verified the same from Server1, which is initiating this request; there are also no security issues there. It will be really great if you can pinpoint any configuration at server level, on both the client (from where the SAP service is getting invoked) and the server (where the SAP service is hosted to send the response back to the client), which could have caused this issue. I am not getting any clue at this point.

Thanks in advance.

 
Rithanya Laxmi
Ranch Hand
Posts: 251
Hi Tim,

To add on to this, during the troubleshooting:

We see at the SAP end there is an error thrown for the request sent from the Java client, as mentioned below, but the SOAP request from Java has the endpoint as "http" and there is no "https", and we are also passing the username/password to SAP, which has full permission at the SAP end. Please let me know when we normally get the below issue. I want to figure out whether it is an issue at the SAP end or the Java end, in which we are consuming the SAP service by sending the SOAP request to SAP, for which we are not getting any response. In our Java logs, as mentioned, we are getting the Proxy error: 403, whereas in SAP they were getting the below error:

ERROR => illegal characters in request - SSL request on wrong port? {00020d6a}
role : Server , protocol : HTTP , local 130.30.17.888:8000 , peer : 141.177.99.170:15177

Where does the issue lie here? Please let me know; your input is highly appreciated.

Thanks
 
Tim Holloway
Saloon Keeper
Posts: 21603
"Proxy error 403" doesn't exist. The HTTP 403 response code does not make the distinction between primary and proxy server. That message is ambiguous, but what I would expect it to mean is that the proxy received a 403 from the SAP server.

The 403 response code should not be a result of any networking configuration. It is supposed to be based on the remote user's login ID, regardless of where on the network the user is. Thus, it would be more the responsibility of the SAP user administrator than of the networking support people.

An alternative reading of "Proxy error 403" would be if the proxy itself identified the user and rejected the request before it could be routed to the SAP server. This is hard for me to envision, but I understand that in some networks you did have to log into a proxy server before you could use it to talk to downstream servers, especially, I think, if SOCKS was involved. Note that the userid/password for a proxy server login would not be the same userid/password used by SAP.
 
Rithanya Laxmi
Ranch Hand
Posts: 251
Thanks Tim,

When you say:

- "It is supposed to be based on the remote user's login ID, regardless of where on the network the user is. Thus, it would be more the responsibility of the SAP user administrator than of the networking support people."

- "Note that the userid/password for a proxy server login would not be the same userid/password used by SAP."


1. Here, what is the proxy server we are looking at? Is it the proxy server of the Java web application client which sends the request to the SAP server for a response?
2. The same config is working in another env without any changes, and we compared both envs; they have the same config from the application standpoint. Is the user ID for a proxy server login different from the user ID login of the SAP server to get the response back?
3. If the proxy server login is different, should the SAP admin team configure the correct login credentials in their SAP server to make it work?
4. Since the proxy received the 403, is it received from the SAP server, and could it be looked at on the SAP end to be corrected?

I want to know what the solution for it is, as there has been a lot of back and forth communication without progress on where we need to get this issue resolved.

Thanks in advance.
 
Tim Holloway
Saloon Keeper
Posts: 21603
I know nothing of your proxy server. It could be a hardware proxy, such as an F5 device, or a software proxy, such as Squid. I don't really even know if it's acting like a true proxy (controlling outbound requests) or a reverse proxy (controlling requests specifically targeting the SAP server).

If a proxy server is secured with userid/password, then the userid and password for the proxy server would be completely independent of the userids and passwords of any servers that are accessed through it. For web browsers, the proxy userid and password - if any - are generally set in the client's browser configuration so there is no prompt for the user to login.

What you are saying, however, indicates that the SAP server is returning the 403 to the proxy. In that case, the userid that the client logs into SAP with is unauthorised. To resolve that, you need to record the time that you logged in and have the SAP administrators check their logs to see what user ID actually logged in at that time, then check that user ID's access rights within SAP. And, for good measure, you should have them determine what the failing URL was, in case the proxy altered the client's URL in some way.
 