Add crossdomain.xml on the root of SAP Web application server


In this post I would like to summarize all the steps required to add crossdomain.xml to the root of SAP WAS.

First, create a crossdomain.xml file. I used this content:

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "">
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" to-ports="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>

If you need more information about crossdomain.xml, please refer to the Adobe Cross-domain policy file specification.
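An added example, not part of the original post: a small Python audit that parses a crossdomain.xml and reports the entries that widen access, run over the wildcard policy above and over a scoped policy for comparison. The host flex.example.com and the SOAPAction header are assumptions chosen for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the wildcard policy from this post, inside its root element.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" secure="false" to-ports="*"/>
  <allow-http-request-headers-from domain="*" headers="*"/>
</cross-domain-policy>"""

# Constructed sample: a policy scoped to one hypothetical HTTPS origin.
SCOPED_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only"/>
  <allow-access-from domain="flex.example.com" secure="true"/>
  <allow-http-request-headers-from domain="flex.example.com" headers="SOAPAction"/>
</cross-domain-policy>"""


def audit_policy(xml_text):
    """Return a list of (element, finding) tuples for risky policy entries."""
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        return [(root.tag, "root element is not cross-domain-policy")]
    findings = []
    for el in root:
        domain = el.get("domain", "")
        if el.tag in ("allow-access-from", "allow-http-request-headers-from"):
            if domain == "*":
                findings.append((el.tag, "any domain is allowed"))
            elif domain.startswith("*."):
                findings.append((el.tag, "wildcard subdomain: " + domain))
        # secure defaults to true; false lets HTTP-loaded content use an HTTPS policy
        if el.tag == "allow-access-from" and el.get("secure", "true").lower() == "false":
            findings.append((el.tag, "HTTP-hosted content may read HTTPS responses"))
        if el.tag == "allow-http-request-headers-from" and el.get("headers") == "*":
            findings.append((el.tag, "any request header may be sent"))
        if el.tag == "site-control" and el.get("permitted-cross-domain-policies") == "all":
            findings.append((el.tag, "non-master policy files are honoured"))
    return findings


if __name__ == "__main__":
    for name, text in (("wildcard", SAMPLE_POLICY), ("scoped", SCOPED_POLICY)):
        print(name)
        for tag, finding in audit_policy(text):
            print("  %s: %s" % (tag, finding))
```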

Then create a new empty BSP application as shown below:

[Screenshot: Crossdomain 1]

Import a new MIME object into the BSP application and select the crossdomain.xml that you have created:

[Screenshot: Crossdomain 2]

Then launch SICF, edit the default_host, and set its default service:

[Screenshot: Crossdomain 3]

Open your browser and test the settings:

[Screenshot: Crossdomain 4]

I hope this helps.


Note: This is one solution, but I'm trying to find another way that does not require modifying the default_host properties.

17 Replies to “Add crossdomain.xml on the root of SAP Web application server”

  1. Hi Ivan!

    Thank you for writing this all down, great help actually! I started implementing it, but one thing is still missing: If I follow the steps above, I can create a file with path “/sap/bc/bsp/sap/zflex/crossdomain.xml?sap-client=800” which is not really what I want, having the file in the root with no parameters added (“/crossdomain.xml”).
    So maybe if you could add this information it would make this guide much better.


  2. Hello,

    I have checked service default_host using SICF, double clicked on root element default_host, double clicked sap/bc/bsp/sap/zflex – still it doesn’t work. It says:
    “BSP Exception: the BSP URL /crossdomain.xml Does Not Contain Any Application Entries”

    rather strange for me 😛

    Thanks & Best Regards,

  3. Hi,

    Thanks for this work.
    In my case, I need to fill in the Logon Data for Default_host and the zflex BSP application; otherwise it works only few works (after I obtain BSP Exception).

    Best Regards,

  4. Hi,
    In order to avoid the error message described in note 1260386, you can create a web page (with flow logic) instead of a mime object, name it crossdomain.xml and copy paste the contents in it.
    Set it as the initial page for the BSP, and set up your default_host as described.

    Hope this helps,

  5. Hi,

    Our system executes an offline backup every week, so I reactivate the default host setting every week.
    I want to fix this.

    Best Regards,

  6. Hi Hwang,

    I have not found any solution right now; what I could suggest is to schedule a task at the restart of the system in order to automatically reconfigure the default host.


  7. Hi,

    Thanks for the detailed post.
    I have a question.
    I’ve followed the steps in my BW server and the xml is on the root of the BW server,
    but I need it to be on the root of the portal!

    How do I do that?



  8. Hey,
    First of all, thank you for your first help.

    But I have the following problem: I have created a FLEX application which uses extracted data from the SAP Business Suite, and now if I put my application anywhere on my computer I get the policy error message (attachment). I can disable this locally by using the Flex security setting. But that is not really a solution, because it should also work anywhere without doing this.
    So I have inserted the "crossdomain.xml" like you and followed the same steps, but the problem now is that I get a password request if I open my application from locations that are not locally permitted. My question is how I can avoid this, because I cannot access it, and after I cancel the password window (password requested by the application server) I get the same error message.

    Thank you.

    Best regards,

    1. Here is the error message based on security policy

    [RPC Fault faultString=”Security error accessing url” faultCode=”Channel.Security.Error” faultDetail=”Destination: DefaultHTTP”]
    at mx.rpc::AbstractInvoker/[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::Responder/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at mx.rpc::AsyncRequest/fault()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\rpc\]
    at DirectHTTPMessageResponder/securityErrorHandler()[E:\dev\3.0.x\frameworks\projects\rpc\src\mx\messaging\channels\]

  9. Hi Ivan,

    I have the same issue as K (post #3). I did apply OSS Note 1260386 but the issue was not solved, I got the same error message.

    Before we upgraded to ERP 6.0, running WAS 6.20 (R/3 4.7), I followed the above steps and it worked fine. But with NetWeaver 7, I get the error message in post #3.

    Please help.

    Thank you,

