Question:
Hello,
We require the ability to authenticate a user's login with an additional password. The password is checked against an external system using an HTTP request. Currently we have tried to implement this using user exit SUSR0001.
However, when we display a popup window prompting for the additional password, the user can simply bypass the additional security by clicking the top left corner of the dialog box and selecting "Create session". I've also tried using CL_GUI_DIALOGBOX_CONTAINER instead of a popup screen, but have not found a way to make this modal (ie user can still switch back to the GUI window underneath).
Does anyone know a way of popping up a window which the user is not able to bypass? As a last resort, is it still possible to modify the logon screen SAPMSYST 0020? I'm in 4.7.
Cheers,
Mike
Answer:
Does anyone know a way of popping up a window which the user is not able to bypass? As a last resort, is it still possible to modify the logon screen SAPMSYST 0020? I'm in 4.7.
Mike
Hi Mike,
I have been trying this sort of thing for some time, but more out of inquisitiveness than requirement.
SAPMSYST is pretty clever and the call stack (as one is able to see it) complains whenever one tries to change things except the user exit (e.g. slipping a new or changed module into a screen as you suggested).
But it would be very unusual if there weren't a backdoor
Tarr
Answer:
Hi Michael,
Again you are correct that it is possible to deregister the close event of the dialog box control, making it impossible to close the box without some sort of input.
Unfortunately, despite this, the user can still click the top left corner of the underlying SAPGUI window and create a new session to bypass any additional security checking programmed into the events of CL_GUI_DIALOGBOX_CONTROL.
It still seems that there's a way out - so I'm still kind of screwed.
Any other suggestions are very welcome ??? (please, I'm really stuck here)
What about modifying the logon screen? I understand this is "impossible" as of 4.6. Is there a way around this?
Answer:
Are you using a function module to create the pop_up or are you using 'call screen 9001 starting at xx ending at yy'? This seam to prevent the "open new session" option
Answer:
Hi John,
I am using CALL SCREEN xyz STARTING AT .. ENDING AT. I'll try the FM route, although I believe the "POPUP_TO..." FM's just issue a CALL SCREEN anyways ?
Mike