Add crossdomain.xml on the root of SAP Web application server


in this post I would like to resume all the steps required in order to add the crossdomain.xml on the root of SAP WAS.

First of all create a crossdomain.xml, I used this content:

<?xml version=”1.0″?>
<!DOCTYPE cross-domain-policy SYSTEM “”>
<allow-access-from domain=”*” secure=”false” to-ports=”*”/>
<allow-http-request-headers-from domain=”*” headers=”*”/>

If you need more information about crossdomain.xml please refers to Adobe Cross-domain policy file specification

Then create a new empty BSP application as shown below:

Crossdomain 1

Import a new MIME object into the BSP application and select the crossdomain.xml that you have created:

Crossdomain 2

Then launch SICF and modify the default_host and set the default service:

Crossdomain 3

Open your browser and test the settings:

Crossdomain 4

Hope this could help you.


Note: This is a solution but I’m triyng to find an other way in order to have not to modify the default_host properties.

Published by Ivan Femia

I have more than 10 yrs of experience in IT; born as Windows Basis Administrator I moved rapidly to my real passion: web programming and R&D. I have been at Techedge since 2007 and I'm head of development of Techedge Labs Team. I focused my researches in emerging technologies, mobile, WebDynpro ABAP, Flash Island, Adobe Interactive Form and ABAP. My colleagues consider me one of the top reference for ABAP, ABAP OO, WebDynpro ABAP and high tech topic. I'm owner of the SCN Community Projects on SAP Code Exchange: abap2xlsx, augmentedSAP, abap2GApps, abap2docx and Clone Hunter. Follow me on Twitter @IvanFemia

Join the Conversation


  1. Hi Ivan!

    Thank you for writing this all down, great help actually! I started implementing it, but one thing is still missing: If I follow the steps above, I can create a file with path “/sap/bc/bsp/sap/zflex/crossdomain.xml?sap-client=800” which is not really what I want, having the file in the root with no parameters added (“/crossdomain.xml”).
    So maybe if you could add this information it would make this guide much better.


  2. Hello,

    I have checked service default_host using SICF, double clicked on root element default_host, double clicked sap/bc/bsp/sap/zflex – still it doesn’t work. It says:
    “BSP Exception: the BSP URL /crossdomain.xml Does Not Contain Any Application Entries”

    rather strange for me 😛

    Thanks & Best Regards,

  3. Hi,

    Thanks for this work.
    For my case, i need to fill the Logon Data for Default_host and zflex bsp application. otherwise it works only few works (after i obtain BSP Exception).

    Best Regards,

  4. Hi,
    In order to avoid the error message described in note 1260386, you can create a web page (with flow logic) instead of a mime object, name it crossdomain.xml and copy paste the contents in it.
    Set it as the initial page for the BSP, and set up your default_host as described.

    Hope this helps,

  5. Hi,

    Our system execute offline backup every weeks, so i reactivate defualt host setting every weeks.
    I want to fix.

    Best Regards,

  6. Hi Hwang,

    I have not found any solution right now, what I could suggest you is to schedule a task at the restart of the system in order to auto reconfigure default host.


  7. Hi Ivan!
    Thangs your answer.
    How to auto reconfigure default host? BDC?
    I do not understand.
    Please help me.


  8. Hi,

    Thanks for the detailed post.
    I have a question.
    I’ve followed the steps in my BW server and the xml is on the root of the BW server,
    but I need it to be on the root of the portal!

    How do I do that?



  9. Hey,
    first of all thank you for your first help.

    But I have the followering problem that I have created a FLEX application which use extracted data from the SAP Business Suite and now if I put my application on my computer anywhere I’ve get the policy error message (attachement). This I can dissabled localy by using the Flex security setting. But that is not really a solution because it should also work anywhere without making this.
    So I have insert the “crossdomain.xml” like you and made the same steps but the problem now is that I get a password request if I open my appl. on not local permitted locations. And my question is how I can avoid this because I do not can access it and after I cancel the password window (requested password from application server) it I get the same error message.

    Thank you.

    Best regards,

    1. Here the error message based on security policy

    [RPC Fault faultString=”Security error accessing url” faultCode=”Channel.Security.Error” faultDetail=”Destination: DefaultHTTP”]
    at mx.rpc::AbstractInvoker/[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::Responder/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::AsyncRequest/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\messaging\channels\]

  10. Hi Ivan,

    I have the same issue as K (post #3). I did apply OSS Note 1260386 but the issue was not solved, I got the same error message.

    Before we upgraded to ERP 6.0, running WAS 6.20 (R/3 4.7), I followed the above steps and it worked fine. But with NetWeaver 7, I get the error message in post #3.

    Please help.

    Thank you,


Leave a comment

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: