The Geek House

Add crossdomain.xml on the root of SAP Web application server


Posted in Abap, Programming


in this post I would like to resume all the steps required in order to add the crossdomain.xml on the root of SAP WAS.

First of all create a crossdomain.xml, I used this content:

<?xml version=”1.0″?>
<!DOCTYPE cross-domain-policy SYSTEM “”>
<allow-access-from domain=”*” secure=”false” to-ports=”*”/>
<allow-http-request-headers-from domain=”*” headers=”*”/>

If you need more information about crossdomain.xml please refers to Adobe Cross-domain policy file specification

Then create a new empty BSP application as shown below:

Crossdomain 1

Import a new MIME object into the BSP application and select the crossdomain.xml that you have created:

Crossdomain 2

Then launch SICF and modify the default_host and set the default service:

Crossdomain 3

Open your browser and test the settings:

Crossdomain 4

Hope this could help you.


Note: This is a solution but I’m triyng to find an other way in order to have not to modify the default_host properties.

16 Responses

  1. k says:

    Hi Ivan!

    Thank you for writing this all down, great help actually! I started implementing it, but one thing is still missing: If I follow the steps above, I can create a file with path “/sap/bc/bsp/sap/zflex/crossdomain.xml?sap-client=800″ which is not really what I want, having the file in the root with no parameters added (“/crossdomain.xml”).
    So maybe if you could add this information it would make this guide much better.


  2. Ivan Femia says:

    Hi k,

    did you apply the changes to the default_host using the SICF?
    Have you activated the service root?

    Let me know.


  3. k says:


    I have checked service default_host using SICF, double clicked on root element default_host, double clicked sap/bc/bsp/sap/zflex – still it doesn’t work. It says:
    “BSP Exception: the BSP URL /crossdomain.xml Does Not Contain Any Application Entries”

    rather strange for me :P

    Thanks & Best Regards,

  4. Ivan Femia says:

    Hi Gabor,

    take a look to this OSS Note
    Note 1260386 – ICF service link/alias to BSP/ITS service is incorrect


  5. Rodo says:


    Thanks for this work.
    For my case, i need to fill the Logon Data for Default_host and zflex bsp application. otherwise it works only few works (after i obtain BSP Exception).

    Best Regards,

  6. Kim says:

    In order to avoid the error message described in note 1260386, you can create a web page (with flow logic) instead of a mime object, name it crossdomain.xml and copy paste the contents in it.
    Set it as the initial page for the BSP, and set up your default_host as described.

    Hope this helps,

  7. Hwang says:


    Our system execute offline backup every weeks, so i reactivate defualt host setting every weeks.
    I want to fix.

    Best Regards,

  8. Ivan Femia says:

    Hi Hwang,

    I have not found any solution right now, what I could suggest you is to schedule a task at the restart of the system in order to auto reconfigure default host.


  9. Hwang says:

    Hi Ivan!
    Thangs your answer.
    How to auto reconfigure default host? BDC?
    I do not understand.
    Please help me.


  10. Shlomi says:


    Thanks for the detailed post.
    I have a question.
    I’ve followed the steps in my BW server and the xml is on the root of the BW server,
    but I need it to be on the root of the portal!

    How do I do that?



  11. Ivan Femia says:

    Hi Shlomi,

    you do not need to put it on the root, it is enough to perform the last step as described (default_host into SICF)


  12. Franziska says:

    first of all thank you for your first help.

    But I have the followering problem that I have created a FLEX application which use extracted data from the SAP Business Suite and now if I put my application on my computer anywhere I’ve get the policy error message (attachement). This I can dissabled localy by using the Flex security setting. But that is not really a solution because it should also work anywhere without making this.
    So I have insert the “crossdomain.xml” like you and made the same steps but the problem now is that I get a password request if I open my appl. on not local permitted locations. And my question is how I can avoid this because I do not can access it and after I cancel the password window (requested password from application server) it I get the same error message.

    Thank you.

    Best regards,

    1. Here the error message based on security policy

    [RPC Fault faultString="Security error accessing url" faultCode="Channel.Security.Error" faultDetail="Destination: DefaultHTTP"]
    at mx.rpc::AbstractInvoker/[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::Responder/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::AsyncRequest/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\messaging\channels\]

  13. Carsten says:

    can i ask you what SAP GUI you are using? It doesnt look like the regular SAPGUI 7.10.


  14. Ivan Femia says:

    Hi Carsten,

    in this video it was SAP GUI 7.10 patch level 9.


  15. Hi Ivan,

    I have the same issue as K (post #3). I did apply OSS Note 1260386 but the issue was not solved, I got the same error message.

    Before we upgraded to ERP 6.0, running WAS 6.20 (R/3 4.7), I followed the above steps and it worked fine. But with NetWeaver 7, I get the error message in post #3.

    Please help.

    Thank you,


  16. Thomas Bezak says:

    I found this online

    It works better because you can reboot the server and it keeps working.

    Upload your Crossdomain.xml to a directory on the SAP server, Open RZ10, edit your system (Extended Maintenance), add
    a parameter
    Parameter Name: icm/HTTP/file_access_0
    Parameter Val: PREFIX=/crossdomain.xml, DOCROOT=E:\Path to your file on the SAP server\crossdomain.xml

Leave a Reply

%d bloggers like this: