Introduction

In this blog I shall describe my experience in addressing a simple cross-site scripting issue reported on a portal application as part of security testing, and the tools that came in handy in this endeavour.

 

Generally, security testing is performed using specially developed tools that scan the application and try to find and exploit security vulnerabilities. The tool also generates reports and provides fix recommendations. Examples include IBM AppScan and Burp Suite from PortSwigger Ltd.


I had to investigate a reflected cross-site scripting (XSS) issue reported on a customized portal application. There is a lot of literature available on the Internet about cross-site scripting. This page from help.sap.com provides a lucid explanation, and a great resource on this topic is the Open Web Application Security Project at https://www.owasp.org/index.php/XSS

 

Issue Description

 

In a custom portal application there is an HTML form inside a JSP page which contains username and password fields along with a checkbox. Upon user submission, this form is posted to an abstract portal component. The values entered in the form are retrieved from the request (IPortalComponentRequest) object and are stored in the IPortalComponentContext object. After the necessary business logic, the abstract portal component redirects to the irj/portal URL. On the server side, the values entered by the user are retrieved from the IPortalComponentContext object. Here the value of the checkbox field is stored in a Java variable. In a JavaScript block inside the $(document).ready function, this value is further copied to a JavaScript variable.


The above scenario is implemented in JSPs on an Apache Tomcat server for demo purposes. Below is the pseudocode for the initial login.html:

 

<input id="user" type="text" name="user" ...>
<input id="password" type="password" name="password" ...>
<input type="checkbox" id="mycheck" name="mycheck" ...>

 

The submitted values are posted to an intermediate JSP (NewFile.jsp), where the checkbox selection is stored in the JSP session. An HTML form in this JSP posts to the final JSP page.

 

<%
// The raw checkbox value is stored in the session without any encoding
String text = request.getParameter("mycheck");
session.setAttribute( "checkbox_value", text );
......
String redirectURL = "<form id=\"redirectedform\" method=\"post\" action=\"final.jsp\">";
......
%>

 

In the final JSP page, the value stored in the session is retrieved and later copied to a JavaScript variable, as below.

 

<%
// Untrusted value read back from the session, still unencoded
String data = session.getAttribute("checkbox_value").toString();
....
%>
.....
<script language="javascript">
$(document).ready(function()  {
// The session value is pasted straight into a JavaScript string literal
var checkbox_selection = "<%=data%>";
});
</script>


 

The above code is vulnerable because the value entered in the checkbox field is not encoded when it is being stored in the session object. The tool used for security testing sent a string such as 54321";alert('XSS issue')//733 as the value for the checkbox. This value flowed through to the final JSP and was echoed in the response. This is possible because the string is crafted in such a manner as to make it a valid JavaScript statement at runtime.

 

 

var checkbox_selection = "<%=data%>"; would become

var checkbox_selection = "54321";alert('XSS issue')//733

 

The double quotation mark after 54321 and the following semicolon (;) neatly close the statement, after which comes a JavaScript alert() statement. The JavaScript single-line comment indicator (//) renders the remainder of the original line (the closing quote and semicolon) non-executable.


Now that the issue has been reported by the security testing tool, we need to test and validate whether the issue actually occurs and the code is vulnerable. After all, not all issues reported by such tools turn out to be genuine vulnerabilities.


How to validate:

 

This issue escaped unit testing because of the apparent difficulty of passing an arbitrary text value for a checkbox field. In the HTML page rendered by the browser, a checkbox can only be selected or unselected. So we need a tool that can alter/tamper with HTTP requests. The "TamperData" plugin for the Mozilla Firefox browser is one such tool offering this functionality. It is installed as a browser add-on.




We need to select this add-on from the Tools menu and click the Start Tamper button before submitting the request. After choosing to tamper with the request, a popup box opens that lists all the fields in the form for editing. As can be seen in the screenshot, the value 54321";alert('XSS issue')//733 is entered for the field mycheck, and then we click the OK button.


Now, as expected, the alert pops up with the message "XSS issue" on the final JSP.



 

 

Solution


Since the existence of the issue is now confirmed, a solution has to be provided. In the above simple scenario, as mentioned earlier, the issue exists because the value of the checkbox is not HTML encoded before being stored in the session. Encoding output before displaying it is good practice, and it needs to be done for every input. HTML encoding ensures that harmful symbols and HTML tags are converted to their harmless HTML representation,

Eg: '>' is converted to &gt;

The class com.sap.security.core.util.taglib.EncodeHtmlTag contains the required methods for HTML encoding/decoding on EP 7.0. In the latest versions of the NetWeaver portal, the class com.sap.security.core.server.csi.XSSEncoder provides similar functionality. For complete information on the various encoding functions offered by SAP, please refer to this help page.
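To make the breakout concrete, here is an added example (not code from the original post, nor SAP's encoder) in JavaScript: it renders the final JSP's script line both as the post shows it and with the value escaped for a JavaScript string literal, then evaluates both with alert() stubbed. The payload is the one the scanner sent; encodeForJsString, renderUnsafe, renderSafe and evalRendered are names assumed for this example. The post's fix applies HTML encoding; because the value is emitted inside a script block, the encoder here escapes for the JavaScript string context, which is what OWASP recommends for that location.

```javascript
// Added example, not code from the original post. Names assumed here:
// encodeForJsString, renderUnsafe, renderSafe, evalRendered.

// The string the security testing tool sent for the checkbox (from the post).
const PAYLOAD = '54321";alert(\'XSS issue\')//733';

// Vulnerable rendering: mirrors  var checkbox_selection = "<%=data%>";
// with the session value pasted in unencoded.
function renderUnsafe(data) {
  return 'var checkbox_selection = "' + data + '";';
}

// Escape a value for placement inside a JavaScript string literal: every
// character outside [A-Za-z0-9] becomes \xHH or \uHHHH, so a quote, backslash,
// newline, '<' or '/' can never close the literal or the <script> block.
function encodeForJsString(value) {
  let out = '';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += '\\x' + cp.toString(16).padStart(2, '0');
    } else if (cp < 0x10000) {
      out += '\\u' + cp.toString(16).padStart(4, '0');
    } else {
      out += '\\u{' + cp.toString(16) + '}'; // astral code point
    }
  }
  return out;
}

// Hardened rendering: the same line, but the value is escaped for the
// JavaScript string context it is written into.
function renderSafe(data) {
  return 'var checkbox_selection = "' + encodeForJsString(data) + '";';
}

// Run a rendered script the way the browser would, with alert() replaced by a
// stub that records its calls, and return the value the variable ends up with.
function evalRendered(script) {
  const alertCalls = [];
  const run = new Function('alert', script + '\nreturn checkbox_selection;');
  const value = run((msg) => alertCalls.push(msg));
  return { value, alertCalls };
}

// Stand-alone demonstration.
console.log(evalRendered(renderUnsafe(PAYLOAD))); // injected alert() runs
console.log(evalRendered(renderSafe(PAYLOAD)));   // value kept intact, no alert
```

A checkbox can only ever submit its value attribute, so the server side can additionally reject anything other than the expected value before it reaches the session.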



Hello everyone,

For my entry into the SAP NetWeaver Portal Movie Critic challenge I have decided to review the video "The World Today - Intern creates a pretty freakin cool event site" which can be viewed below.

 

 

I have chosen to review this video because it shows the ease with which sites can be created and does it in a fun, humorous manner that made it stand out from the crowd.

 

Across the internet there are so many "how to"s and demonstration videos, and if you are like me then after a while they all start to blend into one in your memory. Well, I'm sure that won't be happening any time soon with this video. By exaggerating the "young people are able to do anything with technology" stereotype into this breaking news bulletin format, the creators have given their video a signature look which makes it stand out from the crowd, and in this age of media content overload standing out from the crowd is the first and usually most difficult challenge a video has to go through. There is some nice attention to detail with the humour too; it is worth re-watching the video just to see the antics going on in the background which would likely have been missed first time around.

 

On top of being humorous the video is also quite informative. The viewer will go away from the video with the lasting impression that the software in use is easy to understand and quick to pick up, and the fact that it got this message across while hardly even showing the software in use for more than 10 seconds of its run time is really impressive to me. I come away from this video knowing I would find it easy to create a site using this software, even though I am a relative novice when it comes to development such as this.

 

All in all I really enjoyed watching this video and I would be glad to see the further adventures of our favourite intern Emma should any more of these videos be made. If you are feeling inspired and want to write your own review, please go check out the Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge; best of luck to everyone involved. Thank you for taking the time to read my review.

Regards,

Alan Kelly

Content development is the process of designing and developing an application that gives its end users seamless access to the company's sensitive and non-sensitive data, as well as external data, to perform business operations. Different users must be able to access the right content at the right time and in the right place, with adequate security, in order to increase productivity and reduce cost and inconsistency. End users can customize and personalize the content application according to the nature of their business and their needs. For instance, customers can customize the application for a business domain like e-commerce or social networking, where most of the content will relate to web sites and web content, whereas a brick-and-mortar company can store content related to suppliers, orders, invoices, delivery details, shipments, inventory, sales orders and so on.


In short, the business can develop an application to streamline its complete business process life cycle in one place, where different users can access the content simultaneously with a consistent look and feel throughout the application. For instance, employees can access the company's data according to their roles and capacity. The content system administrator is responsible for granting or revoking permissions based on roles. For instance, top-tier management such as directors, VPs and the CEO will have complete access to all the content of the business, whereas other employees may be restricted from accessing the company's sensitive data, such as other employees' salaries.

The following are the main components/tabs for developing an effective SAP NetWeaver Portal content management application:

a) Portal content management
b) Portal content translation
c) Portal display
d) Web resource repository
e) Knowledge content
f) Collaboration content
g) Workflow content
h) Content statistics


Let me explain each of these components briefly:


Portal content management

Under this tab, end users can create their own portal content, either as group folders or as individual folders, based on their needs. Users can store various kinds of content such as collaboration forums, wikis, content from vendors and SAP, and even content migrated from other sources such as remote servers and platforms. Portal administration, application and user content can be stored, and remote system access can be configured easily by specifying URLs, server names and IP addresses. End users also find built-in templates, themes, transport packages and Visual Composer, with which they create iViews, roles, pages and worksets and store them in separate folders so that they are easy to locate when required. End users do not require coding to create business objects, web pages and iViews; instead, the application wizard helps them create and personalize.

Apart from that, end users can create and store business objects for each line of business separately, so that it is extremely convenient for users to access, process and manage business activity effectively and efficiently. In addition, the application has options to look into the databases. The databases are designed and stored in the back-end system, using the ABAP language to communicate with the database and retrieve data accordingly. Some virtual internal databases in the form of iViews, such as portal application, WSRP content, Web Dynpro Java application and portlet application, are available under this heading. Hence, from the above explanation we can see that portal content management is a powerful tool if the architecture is strategically developed in such a way that the business can utilize both internal and external content more effectively and efficiently while conducting business activities in real time. When the business streamlines its operations along with automation, companies can achieve a tremendous competitive advantage over their competitors.


Portal content translation

At a high level, this is another important component that provides seamless support to end users, in the sense that it allows users to create, store and manage connection ports, tab sets, search providers, favorite providers, suggestion providers and even the device group container. Again, these sub-folders help users organize their tasks and roles and easily navigate to various content. Here I would like to mention that two common sub-components, portal content and business objects, are available to and shared by both portal content management and portal content translation. This shows that portal content and business objects are the most important aspects when it comes to effective development of a portal content management application.


Portal display

Under this component, end users are allowed to design and redesign pages, iViews, roles and worksets according to their preferred look and feel. The application wizard helps to achieve these tasks; no coding is required for end users to access this content, and users can personalize the portal as per their needs. These sub-components come with built-in themes from which new themes can be created, existing themes can be edited, ITS themes can be generated, and the Ajax theme studio is available to configure themes in the first place. Only the system administrator is allowed to perform these tasks, because they require coding skills (Java and ABAP); only a system administrator with access permission can perform these activities.


Web resource repository

This component acts as a central repository for every level of user and increases the ease of access to web content as and when required. It also helps to reduce the cost of maintenance: when content is centrally maintained, duplication of the same web content is eliminated. Again, it depends on the level of access control possessed by each user. Most of the common web content is available to everyone, and some is not available for access; the system administrator decides who can access what and how. One of the main tools for accessing the web resource repository is the search option, where the user enters the required keywords and the system retrieves the matching resources. The search option is so powerful because, in the back end, all the web resources stored in the databases are archived and indexed, i.e. on creation the system automatically allocates a unique ID to each web resource. This provides faster retrieval time when we enter any search term.


Knowledge management content

This is another very important component for developing an effective content management application. KM content provides complete access to all the data residing in the portal and also in the databases. It is called the root, also known as master data or metadata, i.e. data about the data. Here the user can view any folder and select any heading to download folders conveniently, because documents are segregated into personal and public. Personal documents have additional access security, and public documents have the standard security for access by users within the company. Users even have the option to look for deleted items in case they accidentally deleted an important document or report. The KM content toolbox permits folder settings to be made, reports to be created, and folders to be archived, so as to manage and organize the folders for effective communication among different functional teams. Users can export templates from one destination to another without much difficulty. The user also has the option to import templates from one place to another; it lets users upload a package and view pending imports, imports which are currently running and those which are archived. Overall, KM content provides complete and easy access to the entire data of the company, and also to other external data, in a single portal through collaboration and integration. With this level of access to content, the company can operate seamlessly to achieve productivity and earn profit for the organization.

 

 

Collaboration content

Many companies face an immense challenge when it comes to collaborating and integrating their business applications to streamline business processes and achieve optimum productivity with limited resources. Companies face information silos when their business applications are not properly collaborated and integrated, which leads to bottlenecks and delays in the workflow from one phase to another, which in turn leads to losses for the company. This component provides content related to the integration and collaboration required to perform various business activities and to communicate effectively, so that the workflow moves faster from one stage to another. This tab administers rooms (also known as sessions) and archives rooms. These are nothing but a meeting point to share and exchange resources and work as a team to achieve the goals put forth at the beginning of the project. Templates are available to create group as well as individual rooms as per the requirement and schedule. Users can create rooms to collaborate between employees, between the business owner and suppliers, between the system administrator and employees, and between customers and employees. It also provides links to configure collaboration extensions in case we want to include additional resources to achieve a specific task or goal. Users can configure room content stores, room mails to communicate with each other so that everyone involved in the tasks is on the same page, room categories and relationships. Here most of the tasks are performed by the portal content system administrator.


Workflow content

This component has built-in workflow templates, workflow instances, work items and workflow tasks. Upon creating a new workflow, the system automatically allocates a unique template ID and stores it in the system. It also maintains version control of start and end events and precedence constraints, for smooth flow of work from one stage to another in an orderly fashion. It can accommodate workflows like quick tasks, feedback, nomination, generic application task, etc. Users can load a template from a stored file or remove templates, including old ones. This component helps the user manage workflows without hurdles and delays in the business process. For instance, when a customer places an order to purchase a product, that is the first process in the business process life cycle. When the order is placed, the next process is to accept the order, acknowledge it to the customer with an email notification, and generate an invoice and send it to the customer to receive payment. Meanwhile, a copy of the invoice is sent to the inventory management system, where the system confirms the order and blocks the items for shipment and delivery, and after the payment is received from the customer the shipment department delivers the consignment to the customer according to the sales contract. This process happens in real time through the integration of various business applications by automating the workflow. Here the workflow template helps to achieve the intended tasks.


Content statistics

Under content statistics, users can find portal activity reports, for example on the pages and iViews that have been created. They are displayed in the form of a dashboard, which includes day, date/time, type, object name, hits, viewer IDs and the system ID that is automatically generated when creating these business objects. The statistics report displays the current state of collection and aggregation of portal activity data. The fields are available in read-only format.


To conclude, the purpose of portal content development is to integrate and collaborate business process application systems such as order management, inventory management, finance and CRM with business partners or customers, to conduct business seamlessly and reduce cost and inconsistency. The ability to design the application for scalability and future expansion is an important feature which will save huge costs. In order to achieve effective utilization of portal content, the business should ensure that accurate and relevant data is available in the database, indexed and archived to facilitate faster retrieval as and when required, because time is very precious in the world of business, especially when it involves systems and cutting-edge technology. In order to access data securely, the systems should be highly protected with advanced security features like single sign-on, SSL, DMZ firewall security, audit trails, PCI compliance, Sarbanes-Oxley regulations and two-level authentication systems. For instance, in order to approve a financial transaction of a huge amount, the transaction has to be approved by two authorized persons; only then will the transaction be approved and processed.


The content should be able to protect and share the company's sensitive data such as financial agreements, patents, copyrights, customer information, suppliers' agreements, tenders, software code, etc. The content should be developed in such a way that users can use and reuse it over and over, effectively and efficiently. By providing powerful search (delta search) methods and help options, users can locate the right information at the right time to achieve business objectives. The SAP NetWeaver Portal content management application lets users customize and personalize the portal application content according to their type of business. Users can create their own style of pages, iViews, tasks, worksets and roles and store them in separate folders, which are available on the left side of the portal in the form of navigation icons. Users can edit and modify, as and when required, how it should look and feel and what to include and what not to.


Each tab has its own set of sub-components under which users can create new folders to manage and organize content according to their preferences. Whether the company is an e-commerce or a brick-and-mortar business, the user can customize the application accordingly. For instance, let us assume that Home Depot has purchased the SAP Enterprise Portal for its business operations. The company would customize the application by creating separate folders listing suppliers, customers, the item catalog, reports such as sales forecasting and sales turnover, the inventory control system, shipment and delivery, purchase orders, sales orders, accounting and finance, etc. Maintaining the various activities separately lets users navigate and access data quickly. Ultimately, when these activities are collaborated and integrated with various business applications, it gives a competitive advantage over rivals in terms of higher performance, after-sales service, faster delivery, eliminating information silos and improving the overall productivity of the company.


Last but not least, the benefits that the company will receive from effective utilization and a well-architected design of portal content are:

  • Integration and collaboration of various business processes, when streamlined by automating workflow and tasks, will ensure a competitive advantage over competitors.
  • Providing adequate security for the company's data will lead to increased trust from customers and promote goodwill, which eventually avoids substantial loss to the company, because losing one customer is equal to retaining 3 customers.
  • By building a scalable, durable and consistent portal content application, a company can expand its business ventures to new heights. Scalability means the ability to expand existing applications to accommodate large amounts of data and business transactions rather than building a new one from scratch. This saves huge cost and time, which can be utilized in other productive business activities.

 

 

Masquerading

Masquerading means stealing vital data by convincing another user that one is a legitimate user; that is, when two users are communicating with each other, the attacker burrows into the communication channel by identifying as the legitimate user and tricks the user into providing sensitive information. This can happen in many ways. One way is to use another user's IP address to gain access to the network. Another way is to steal the user ID and password by attacking with cookies, fictitious certificates and authorization prompts. By sending spam emails from fake email addresses, attackers spoof login passwords from users. Masquerading can occur in many ways; some of them are as follows.


IP spoof

IP spoofing is one of the ways to trick the user into revealing secured information to the attacker. IP spoofing occurs when the attacker sends a pop-up message, consisting of an IP address from a trusted source, to the user's computer in order to defeat security measures and authentication. The attacker modifies the packet headers to resemble the original ones, so that they pose no challenge to belief. The host is temporarily disabled and left vulnerable, so that the attacker can connect to it with just address-based authentication. When the attacker gains access to the targeted computer, he then executes commands to take away information such as web site domains residing on the computer, without the knowledge of the user. The user will not know when or how it happened and thinks the requested authentication is from a trusted host. The attacker then uses the stolen web site domain names to gain access to the web networks and hijack the web sites.

 

Identity Spoof

Another way of gaining access to secured systems is identity spoofing. In this scenario the attacker uses a previously stolen authentication certificate to pass the verification process. Identity spoofing can take place via two means, passive and active attack. In a passive attack, neither end user will know that the attacker has gained access to the network, and in the latter case the host will know that there is a man in the middle who has allegedly gained access to the network using a stolen certificate. The attacker persistently continues to gain access to information until the user reveals his identity. This kind of attack can range from low danger to critical danger, i.e. the attacker can gain access to the user's bank account details and make away with money and personal information.


Web Spoofing

Another way of attacking the user to reveal information is web spoofing. In web spoofing the attacker designs an exact replica of a web page and identifies himself as the original website. For instance, when doing online shopping, a person places an order and the page diverts the person to the payment gateway; during that buffer time the attacker sends an exact replica of the payment gateway page (for example PayPal). If the user neglects to identify the fake web page, he/she ends up entering the credit card information, and the attacker executes commands to retrieve that information to the attacker's computer. This attack can be very serious for both customers and vendors: the attacker can misuse the credit card information, so the customer loses money and the vendor loses the customer's trust. Instead of a fake web page, the attacker may also create false links and embed malicious software in them. When the user clicks the link, the malicious software triggers and sweeps up the information without the knowledge of the user.

 

Email Spoofing

Email spoofing is another type of attack aimed at getting access to user information. The attacker sends fake emails, posing as the legitimate owner, seeking the user ID and password by creating a believable story. If the user believes that the email is from a trusted source and replies to that email, the information is lost to the attacker. This is the most common attack through which attackers take away bank account numbers and the user ID and password for net banking, and misuse them later. In order to prevent this kind of attack, website owners constantly warn users, by sending frequent emails, not to reply to emails seeking sensitive information.

 

Prevention

When browsing, look for https and the lock sign before making financial transactions. Use encryption to exchange sensitive information. Watch out for pop-ups carrying malicious applications, which can be accidentally downloaded onto the host computer, after which the malicious software takes away sensitive information from the computer.

SAP NetWeaver Portal is a significant service provider for an enterprise portal. A number of built-in basic services, such as single sign-on (SSO), integration, federation, personalization and many more, make it worthy of meeting the requirements of any enterprise's portal and facilitating its users. Users benefit in their day-to-day decision making by accessing a huge amount of relevant data very quickly. It also helps them be productive in a competitive market. It facilitates a single point of access to an integrated system with greater functionality through access to SAP and non-SAP information sources. The features available in SAP NetWeaver Portal that make it worthwhile to users are as follows:

1) The portal framework facilitates integrating SAP and non-SAP business applications into a portal. It also provides services to build new applications.

2) Knowledge management gives the capability to access the available structured and unstructured information in a structured fashion with the help of other installable software units (like TREX). It facilitates storing unstructured information in various types of repositories. All the integrated repositories can be navigated by users through the portal's search function to get the information they contain.

3) Collaboration has the capacity to connect users in the portal in a project space through a) virtual rooms, where team members can share data and services from different geographical locations; b) groupware integration, which integrates the email and scheduling services used in the company; c) asynchronous collaboration; d) real-time collaboration (RTC).

4) Unification maximizes the usefulness of portal navigation for SAP customers through drag-and-relate navigation and the ability to manipulate the relations between business objects. It matches the user's requirements to the retrieved data in a business context.

5) A federated portal implementation is beneficial for sharing content between SAP and non-SAP portals across an organization's distributed landscape through a single point of access to the portal. It helps to reuse content as well as applications by deploying them throughout the organization without affecting the autonomy of each unit running independent portals. Therefore, it helps to reduce administrative effort.

6) An external-facing portal gives web exposure to the organization's portal by exposing information, applications, services, etc. to anonymous as well as self-registered users.

7) Enterprise workspaces give users the flexibility to integrate, organize and use various content.

8) Tools like Web Page Composer give portal users a chance to create their own portal pages.

9) Wikis not only allow creating collaborative web pages, they also give users the option to interlink the web pages.



How can we combine the "SAP NW Portal movie challenge 2014" and "SAP TechEd && d-code 2014"? That is easy!

We would like to ask you - as attendees of the big SAP TechEd events in Las Vegas and Berlin this year - to provide us with a recap of your SAP TechEd experiences and also win SCN points and badges.


You do not know about the SAP Portal movie challenge? Then read this announcement blog to get the details.

 

How to proceed?

 

I. Win a SAP NW Portal Critic Badge: describe your SAP Portal SAP TechEd && d-code story and refer to an existing movie

 

You are attending SAP TechEd && d-code and you plan to attend some SAP Portal sessions? You are interested in SAP’s UX strategy and tools, SAP Fiori and SAP Fiori launchpad, SAP Enterprise Portal roadmap and strategy? Tell us what you learned and experienced at SAP TechEd, give us your feedback and let the community participate in your SAP TechEd story 2014.

  • Think about the SAP TechEd story, you would like to describe. It should be connected with SAP UX strategy and tools and/or SAP Portal and/or SAP Fiori technology.
  • Go to the SAP Enterprise Portal space. Please write the title in the following format: “SAP Enterprise Portal Movie Critic: <your own title>“.
  • Describe your story in the blog.
  • Check out our YouTube channel, which has many movies showcasing anything from successful implementations to testimonials created by us, customers and our partners. Find a movie which could fit to your story and link/insert it into your blog. Or check out the YouTube playlist of SAP TechEd && d-code. If you think that no movie really fits, just insert any kind of movie/video or screencam, you would like to add.
  • Publish your blog and make sure you inserted the video in it.
  • Add a comment to this instruction document to provide the link to your blog post.

 

II. Win a SAP Portal producer badge: describe your SAP Portal SAP TechEd && d-code story in your own movie

 

To win a SAP Portal producer badge you must go one step further. We would like to get from you a video you created on your own; this video should show you giving a short recap of your SAP TechEd experiences and impressions concerning again the topics SAP UX strategy, SAP Fiori and SAP Fiori launchpad, SAP Portal roadmap and strategy. What surprised and impressed you most during the event? What did you learn in the sessions, demos and expert discussions, what was new to you, what is the impact for your own business context?

  • Develop an idea for your SAP TechEd recap movie.
  • Create a 3-minute movie/screencam and upload it to any open video platform. YouTube is preferred, but you can also choose other platforms, that are open for public use.
  • Create a blog post in the SAP Enterprise Portal space and write the title in the following format: “SAP Enterprise Portal Movie Producer:<your own title>“.
  • Describe your SAP TechEd story and insert the video into it.
  • Publish your blog.
  • Add a comment to this instruction document to provide your blog post link.

 

Join our SAP Portal movie challenge now and get your SCN badge! Before you start, read the instruction document for the SAP Portal Movie Challenge.

Hi,

 

In this blog you can find 2 topics:

 

  1. Adding response headers to the response coming back from EP server.
  2. Modifying the HTML head section (or any other section in html) of the HTML response coming back from EP server.

 

1. Adding HTTP Response headers in Enterprise Portal


What is an HTTP Header (wikipedia):

HTTP header fields are components of the header section of request and response messages in the Hypertext Transfer Protocol (HTTP). They define the operating parameters of an HTTP transaction.


Sometimes there are cases where you would like to add headers to the response. Some examples are X-FRAME-OPTIONS for limiting framing, Cache-Control to control caching of the response, or IE's X-UA-Compatible.


Here is sample code of a portal component which adds an X-FRAME-OPTIONS response header to deny framing when called:

 

import javax.servlet.http.HttpServletResponse;
import com.sapportals.portal.prt.component.AbstractPortalComponent;
import com.sapportals.portal.prt.component.IPortalComponentContext;
import com.sapportals.portal.prt.component.IPortalComponentProfile;
import com.sapportals.portal.prt.component.IPortalComponentRequest;
import com.sapportals.portal.prt.component.IPortalComponentResponse;

public class MyHeaderComponent extends AbstractPortalComponent
{
    private static final String X_FRAME_OPTIONS = "X-Frame-Options"; // the response header name
    private static final String DENY = "DENY";                       // the response header value

    public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
    {
        // gets the original servlet response; may be null if it is not available in this context
        HttpServletResponse servletResponse = request.getServletResponse(false);
        if (servletResponse != null) {
            // adds the X-FRAME-OPTIONS header; this must happen before the response is committed
            servletResponse.addHeader(X_FRAME_OPTIONS, DENY);
            response.write("My Content cannot be displayed inside an iframe!!");
        }
    }
}

The actual magic is done by the servletResponse.addHeader call.

The response of calling this portal component would display just "My Content cannot be displayed in an iframe".

If you run it within IE inside an Iframe, you will get the following:

[Screenshot: frame.jpg]

 

 

Notice the response header that was added : "x-frame-options" .
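To verify the header after deploying such a component, the check below (an added example, not code from the original post or from SAP) takes a map of response header names and values, as you would copy them from the browser's developer tools or read them from fetch(), and reports whether the anti-framing header is present and usable and, for responses flagged as sensitive, whether Cache-Control forbids caching. The sample header sets are constructed for illustration; auditResponseHeaders, parseCacheControl and the option name sensitive are this example's own.

```javascript
// Added example (not from the original post): audit the anti-framing and caching
// headers of an HTTP response. Header names are matched case-insensitively, as HTTP
// requires, so "x-frame-options" and "X-Frame-Options" are treated the same.

const VALID_XFO = new Set(['DENY', 'SAMEORIGIN']);

// Lower-case all header names and trim values: { 'X-Frame-Options': ' DENY ' } -> { 'x-frame-options': 'DENY' }
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// "no-store, max-age=0" -> Set { 'no-store', 'max-age' }; directive arguments are dropped
function parseCacheControl(value) {
  return new Set(
    value.split(',')
      .map(d => d.trim().split('=')[0].toLowerCase())
      .filter(Boolean)
  );
}

// Returns { ok, findings }: ok is true when nothing needs fixing; findings lists what does.
// opts.sensitive marks a response that must not be cached (e.g. one carrying personal data).
function auditResponseHeaders(headers, opts = {}) {
  const h = normalizeHeaders(headers);
  const findings = [];

  const xfo = h['x-frame-options'];
  if (xfo === undefined) {
    findings.push('X-Frame-Options missing: the page can be embedded in a frame on any site');
  } else if (!VALID_XFO.has(xfo.toUpperCase())) {
    // ALLOW-FROM is obsolete and other values are not reliably enforced, so treat them as a finding
    findings.push('X-Frame-Options value "' + xfo + '" is neither DENY nor SAMEORIGIN and is not reliably enforced');
  }

  if (opts.sensitive) {
    const cc = h['cache-control'] === undefined ? null : parseCacheControl(h['cache-control']);
    if (cc === null || !cc.has('no-store')) {
      findings.push('Cache-Control lacks no-store: a sensitive response may be kept in browser or proxy caches');
    }
  }

  return { ok: findings.length === 0, findings };
}

// Constructed samples: what MyHeaderComponent above produces, and two weaker variants.
const SAMPLE_OK = { 'Content-Type': 'text/html', 'x-frame-options': 'DENY' };
const SAMPLE_MISSING = { 'Content-Type': 'text/html' };
const SAMPLE_BAD_VALUE = { 'X-Frame-Options': 'ALLOW-FROM https://intranet.example' };

if (typeof require !== 'undefined' && require.main === module) {
  for (const sample of [SAMPLE_OK, SAMPLE_MISSING, SAMPLE_BAD_VALUE]) {
    console.log(JSON.stringify(auditResponseHeaders(sample)));
  }
}
```

Run it with node after pasting a header map captured from the portal response; the component above passes, while a component that writes content before the header is added, or that runs where getServletResponse(false) returns null, shows up as the "missing" case.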

 

 

2. Modifying the HTML head and body sections of the EP response:


Simple structure of an HTML page.

As you know, when working with portal components, Portal Runtime builds and creates an html response that will return to client (after going over all hooks).

It is possible to add (or remove) HTML code in the head or body sections and to change attributes of these sections.


At first we need to have access to the portal HTMLDocument which will allow us access to the html document sections:


/** Getting the PRT HtmlDocument object from the PortalComponentRequest. */
// Requires the PRT classes HtmlDocument, IPortalResponse and PortalHtmlResponse
// (their import statements are not shown in the original post).
private HtmlDocument getHtmlDocument(IPortalComponentRequest request) {
    HtmlDocument htmlDocument = null;
    // the portal response object is stored in the request under its class name
    IPortalResponse portalResponse = (IPortalResponse) request.getValue(IPortalResponse.class.getName());
    // only an HTML response carries an HtmlDocument; for any other response type null is returned
    if (portalResponse instanceof PortalHtmlResponse) {
        PortalHtmlResponse portalHtmlResponse = (PortalHtmlResponse) portalResponse;
        htmlDocument = portalHtmlResponse.getHtmlDocument();
    }
    return htmlDocument;
}

Then in our doContent of portal component we can just add scripts to the head and play with the body:


public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
{
    HtmlDocument portalHtmlDoc = getHtmlDocument(request);
    if (portalHtmlDoc == null) {
        // not an HTML response (see getHtmlDocument), so there is no head or body to modify
        response.write("inside body");
        return;
    }
    Vector headHtmlElements = portalHtmlDoc.getHead().getHtmlElements(); // java.util.Vector

    // writing head scripts; an HtmlString is inserted verbatim, so only add trusted, constant markup here
    headHtmlElements.add( new HtmlString( "<!-- This will appear in the head! --> " ));
    headHtmlElements.add( new HtmlString( "<script type=\"text/javascript\">alert('hello from header!') </script>" ));

    // setting the css class of the body
    portalHtmlDoc.getBody().setClass( "myCSSClass" );

    // setting body attributes
    portalHtmlDoc.getBody().addAttribute( "role", "application" );

    response.write("inside body");
}

 

After we got the portal HTML document, adding some HTML code inside the head section is done by the two headHtmlElements.add calls.

The class of the body section is set with setClass, and body attributes are added with addAttribute.

Finally, we can still write inside the body with response.write.

 

Running this portal component will trigger our javascript alert and give us the following html output:

[Screenshot: head.jpg]

 

You can see a generic portal html response, but notice the additional changes we have added in our code:

  • The 2 lines we wrote were added into the HTML head section (marked in red).
  • The body section now has role="application" and class="myCSSClass" (marked in orange).

 

Inspect the getHead and getBody classes for more methods.

Try it out!

 

Best Regards,

Tal

Hi all,

 

I have discovered the Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge and decided to enter another movie review. The movie I have picked to review is:

 

 

As a new starter to SAP, it is important that I have a comfortable understanding of the products and services that SAP offers its customer base, so as to increase my knowledge base.

 

My knowledge of SAP's services and products is growing all the time, and watching movies such as the above has given me a greater understanding of the impact that SAP has in the running of customer businesses, with a strong focus on simplicity and mobility.

 

The movie gives a good overview of a customer's business from the initial stages, where everything was easier to handle with only a small number of documents and systems to manage, to where the business grew into a larger, more complex entity with more demands and control needed for the business to remain effective. This meant the business had to increase the number of tools it used to manage information; this is where the SAP NetWeaver Portal can help to manage the business operation and analytic data in one scalable environment.

 

The movie shows customer confidence with information on the SAP NetWeaver Portal's success:

 

        • Serving the market for over 10 years
        • Over 7000 customers
        • Customers of all sizes

 

The movie goes on to discuss how the customer's business is still expanding and how the business can be managed efficiently through the SAP NetWeaver Portal, with a focus on strong security given that you need users to be able to access the data from many different areas. The simplicity means even non-technical users can modify and edit content, with the same ease of use outside the office as expected within.

 

Enterprise Workspaces offers a solution that is:

        • Self service
        • Mobile ready
        • Collaborative

 

With customers wanting to access more and more information on the move, the SAP NetWeaver Portal can be accessed on mobile devices, so anywhere the customer needs to gain access they have that ability!

 

The SAP NetWeaver Portal offers the right end to end solution to cater for customer needs.

 

Finally you can check out more movies on Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge.

Hi everyone!

 

After discovering of the Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge I decided to participate in the challenge. After watching several different videos on the SAP Portal - YouTube channel, I chose to review the following video:

 

 

 

The video is titled:  "SAP Netweaver Portal - mobile edition overview".

The reason I chose to review this video is that I have recently joined SAP, and so I am gradually trying to familiarize myself with SAP's products and services, in order to diversify my knowledge-base.

 

Initially, my knowledge of the functions of SAP Portal mobile edition was rather limited, and so I thought an overview video such as this one would be the perfect way for me to further my learning.

 

From the outset, I found this video to be simple yet highly effective in its delivery of information. At the beginning of the video, we are presented with the statement that SAP Portal Mobile Edition provides a "single point of access to business applications and content via a single point of access from multiple devices at any time". I felt that this statement instantly provided me with a basic understanding of the fundamental capabilities of SAP Portal Mobile Edition.

 

We learn that Netweaver Portal excels at creating multi-channel, elegant low TCO, corporate branded homepages that once built can be run anywhere. In turn, this level of portability has the ability to improve businesses by:

  • significantly boosting productivity
  • reducing costs

 

The video then moves on to present the viewer with a short overview of why one should consider using SAP Portal Mobile Edition. We are informed that it will

  1. Maximize the value of your investment in SAP software for mobile devices.
  2. Aggregate web and native applications (SAP or non-SAP, structured or non-structured) into a common mobile-entry point.

A short demo of these functions on a tablet device accompanies the presentation of this information to illustrate the simplicity of these functions.

 

The video concludes by presenting the viewer with a concise summary of the main functions of SAP Netweaver Portal Mobile Edition. Here we are reminded that with Mobile Edition, you can:

  • create role-based  multi-channel portals.
  • aggregate applications, documents and content.


Furthermore, the final piece of dialogue in the video reinforces the fact that the portals will be available:

  • to anyone
  • at any time
  • on multiple devices


Overall, I enjoyed taking the time to watch this video, as in my opinion, it clearly demonstrates each of the main functions of SAP Portal Mobile Edition without adding complexity, and thus it enables viewers to retain a basic comprehension of the functions available.

 

Thanks for taking the time to read my blog post.


Finally, don't forget to visit the Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge and share your views!

The latest release of SAP NetWeaver 7.4 Support Package Stack 08 (and the corresponding release NW 7.31 SP13) contains the following features and changes in SAP Fiori launchpad running in SAP Enterprise Portal:

 

No Activation of Theme Designer Necessary Anymore

 

Previously, to allow SAP Fiori launchpad to run on the portal, administrators had to activate the UI Theme Designer (switch to LESS). This prerequisite is no longer relevant. Administrators only need to perform this switch if they want to customize a portal theme using the UI Theme Designer and then run SAP Fiori launchpad on Portal using the customized theme. See also SAP Note 2036827 - Enable FLP on EP to run also without LESS structure.

 


Personalization of Groups

 

Until the last release end users could not create or manage groups in the SAP Fiori launchpad. Starting from NetWeaver 7.4 SPS8 (and NetWeaver 7.31 SPS13), users can create and remove groups and arrange content/tiles in their home page according to a group personalization.

 

This image shows how a group can be created by an end user (click on image for better reading):

[Screenshot: create_group_v3.png]

 

Here you see, how a tile is added to a group (click on image for better reading):

 

[Screenshot: add_tile_to_group.png]

 

Run SAP Fiori Wave 2 Applications using New SAP Fiori iView Template


Starting with NetWeaver 7.4 SPS8  (and corresponding release NW 7.31 SPS13) you can run Fiori wave 2+ transactional applications using the new "SAP Fiori iView" template. These iViews can then be run as tiles in SAP Fiori launchpad on Portal or as standalone applications. By using this iView, you will be able to call a specific Fiori application running on an ABAP back-end system and run it within the portal framework.

 

Prerequisites

  • Your Enterprise Portal version is:
    • 7.3 EHP 1 SPS13 and above
    • 7.4 SPS08 and above
  • Your back-end server has SAP Fiori launchpad SPS08 or above
  • You have made sure that both the portal server and the ABAP server can be reached via the same URL (including the server name). This can be achieved by using a SAP Web Dispatcher.


In this image you can see, how you select the SAP Fiori iView template in order to create an iView based on this template:

[Screenshot: create_fioriapp_template.png]


For a detailed description how to integrate SAP Fiori wave 2 applications into SAP Portal, read Ido Fishler's blog.


Watch also this video showing the configuration for the integration of SAP Fiori wave 2 apps into Enterprise Portal and how to run them on Fiori launchpad with SAP Enterprise Portal:

 

 

For lower versions of SAP Fiori, you must still create an SAP UI5 iView by copying the relevant application from the Portal Applications GPAL repository. For a more detailed description on how to integrate SAP Fiori wave 1 apps, read this blog by Irena Kull.

 

For more information, see:

 

  • SAP Help Documentation:

What is new in SAP Fiori launchpad?

SAP Fiori launchpad on Portal

Sometimes the splash screen is not desired after portal logon. It is possible to show/hide the splash screen in NetWeaver Portal 7.3x using the framework page configuration. Please check SAP KBA 2035826 - Configuring the Splash Screen in the AJAX Framework Page of the Enterprise Portal.

 

You can change the splash screen using the document: How to Customize your Ajax Framework Page with SAP NetWeaver Portal 7.30. But there is no option to show/hide the splash screen in NetWeaver Portal 7.0x.

 

So you need to perform below steps to hide the splash screen after portal logon:

 

  1. Export the theme
    Exporting and Importing Themes - Portal - SAP Library
  2. Open the file from exported theme zip file:
    portal.zip\AFP\images\layout
  3. Remove the image  SplashScreen.png
  4. Save changes in zip file
  5. Import the theme again after above changes and select the option 'Overwrite existing theme'
  6. Clear the browser cache

Hi,

 

In this short blog post, you can find sample code on how to read/save cookies in portal component java code or using javascript.

 

First we build a portal component that demonstrates both.

The main doContent method, calling both techniques:

package com.sap.portal.examples;

import javax.servlet.http.Cookie;
import com.sapportals.portal.prt.component.*;
import com.sapportals.portal.prt.resource.IResource;

public class WebCookie extends AbstractPortalComponent
{
    public void doContent(IPortalComponentRequest request, IPortalComponentResponse response)
    {
        handleCookiesByJS(request, response);   // 1. cookie written and read by browser-side JavaScript
        handleCookiesInJava(request, response); // 2. cookie written and read in the portal component itself
    }

....

 



1. First method, writing cookies in Javascript and then reading them:

 

 

private void handleCookiesByJS(IPortalComponentRequest request, IPortalComponentResponse response)
{
    // include the javascript source that holds the js methods to store/read the cookie
    IResource resource = request.getResource(IResource.SCRIPT, "scripts/cookiescript.js");
    response.include(request, resource);

    // launch a js method to write the cookie
    response.write("<script>write_cookie();</script>");

    // launch a js method to read the cookie and print it on screen
    response.write("Cookie reads = " + "<script>document.write(gettimes());</script>");
}

Above you can see that the javascript file "cookiescript.js" is included in the response of the portal component. This js contains two methods, write_cookie() and gettimes().

After that, write_cookie() is called and eventually gettimes() is called.

 

javascript code cookiescript.js:

 

The write_cookie() method  searches for a cookie named "Basic_Cookie" and adds 1 to the value of the cookie

Eventually the cookie actually stores the number of times this method was called:

 

var cookie_name = "Basic_Cookie";

function write_cookie() {
  // note: indexOf finds the name as a substring, so a cookie whose name merely contains
  // "Basic_Cookie" would also match; acceptable for this demo, where it is the only cookie
  var index = document.cookie ? document.cookie.indexOf(cookie_name) : -1;
  if (index == -1) {
    // creating a new cookie which will expire in 2040
    document.cookie = cookie_name + "=1; expires=Wednesday, 01-Aug-2040 08:00:00 GMT";
  }
  else {
    // cookie exists, read its value
    var countbegin = document.cookie.indexOf("=", index) + 1;
    var countend = document.cookie.indexOf(";", index);
    if (countend == -1) {
      countend = document.cookie.length;
    }
    // parse the stored number explicitly; do not eval() cookie content, it is controlled by the client
    var count = parseInt(document.cookie.substring(countbegin, countend), 10);
    if (isNaN(count)) {
      count = 0;
    }
    count = count + 1;

    // update the cookie
    document.cookie = cookie_name + "=" + count + "; expires=Wednesday, 01-Aug-2040 08:00:00 GMT";
  }
}

 

 

 

The gettimes()  method read value of the "Basic_Cookie" and returns number stored in it:

 

// this method reads the value of the cookie and returns the number stored in it
function gettimes() {
  var count = 0;
  if (document.cookie) {
    var index = document.cookie.indexOf(cookie_name);
    if (index != -1) {
      var countbegin = document.cookie.indexOf("=", index) + 1;
      var countend = document.cookie.indexOf(";", index);
      if (countend == -1) {
        countend = document.cookie.length;
      }
      count = document.cookie.substring(countbegin, countend);
    }
  }

  return (count + " times");
}
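Both cookiescript.js functions above locate the cookie with indexOf, which also matches a cookie whose name merely contains "Basic_Cookie", and the counter is taken from the cookie text without validation. The helpers below, an added example that is not part of the original post, parse the cookie string into whole name/value pairs, read the counter strictly, and build the string assigned to document.cookie with an encoded value and scoping attributes. document.cookie is passed in as a string so the code also runs outside a browser; all function names and the sample cookie strings are this example's own.

```javascript
// Added example (not from the original post): exact-name cookie helpers.
// In a page: getCookie(document.cookie, name) to read, document.cookie = buildCookie(...) to write.

// Parse "a=1; b=2" into a Map of name -> decoded value. Matching is on the whole name,
// so "Basic_Cookie" is not confused with "MyBasic_Cookie" or "Basic_Cookie2", and a
// value containing '=' is kept intact.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf('=');
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const raw = eq === -1 ? '' : trimmed.slice(eq + 1);
    let value;
    try { value = decodeURIComponent(raw); } catch (e) { value = raw; } // tolerate malformed escapes
    // first occurrence wins: browsers send the cookie with the most specific path first
    if (!jar.has(name)) jar.set(name, value);
  }
  return jar;
}

// Value of the cookie with exactly this name, or null when absent.
function getCookie(cookieString, name) {
  const jar = parseCookies(cookieString);
  return jar.has(name) ? jar.get(name) : null;
}

// Read the counter the way gettimes() does, but accept only a plain decimal number
// and fall back to 0 when the cookie is absent or has been tampered with.
function readCounter(cookieString, name) {
  const v = getCookie(cookieString, name);
  if (v === null || !/^\d{1,9}$/.test(v)) return 0;
  return Number(v);
}

// Build the string to assign to document.cookie. The value is percent-encoded so ';'
// or ',' in it cannot break the cookie; Max-Age/Path/SameSite scope it, and Secure
// restricts it to HTTPS. (HttpOnly cannot be set from JavaScript by design.)
function buildCookie(name, value, { maxAgeSeconds = 60 * 60 * 24 * 365, path = '/', secure = true, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) throw new Error('invalid cookie name');
  let s = name + '=' + encodeURIComponent(value) +
    '; Max-Age=' + maxAgeSeconds + '; Path=' + path + '; SameSite=' + sameSite;
  if (secure) s += '; Secure';
  return s;
}

// The increment step of write_cookie(), as a pure function of the current cookie string.
// On a plain-HTTP test server pass { secure: false }, otherwise the browser drops the cookie.
function nextCounterCookie(cookieString, name, opts) {
  return buildCookie(name, String(readCounter(cookieString, name) + 1), opts);
}
```

In the portal component above this would replace the two document.cookie scans: write_cookie() becomes document.cookie = nextCounterCookie(document.cookie, cookie_name) and gettimes() becomes readCounter(document.cookie, cookie_name) + " times".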

 

 

2. Second method, accessing cookie in portal component java code:

 

private void handleCookiesInJava(IPortalComponentRequest request, IPortalComponentResponse response)
{
    response.write("<br>");
    saveToCookie(request, response, "MyCookie", "MyCookieValue");
    String val = getCookieValue(request, "MyCookie");
    // the first time this is null: the browser only sends the new cookie back with its next request
    response.write("Got cookie MyCookie with its value=" + val);
}

Here the component calls a java method saveToCookie with key and value.

Then it reads the cookie value by calling getCookieValue method and prints it.

 

saveToCookie method:

 

The cookie is searched for among all cookies that came with the request; if found it is marked as expired, and then a new cookie is created:

 

private void saveToCookie(IPortalComponentRequest request, IPortalComponentResponse response, String cookieName, String cookieValue)
{
    // getting all cookies from the request
    Cookie[] cookies = request.getServletRequest().getCookies();
    if (cookies != null)
    {
        for (int i = 0; i < cookies.length; i++)
        {
            Cookie cookie = cookies[i];
            // find the specific cookie and mark it as expired
            // (this only reaches the browser if the expired cookie is also added to the response;
            // the new cookie below has the same name and path "/", so the browser replaces it anyway)
            if (cookie != null && cookie.getName().equals(cookieName))
            {
                cookie.setMaxAge(0);
                break;
            }
        }
    }
    // create a new cookie with the new value and send it to the browser
    Cookie cookie = new Cookie(cookieName, cookieValue);
    cookie.setPath("/");
    response.addCookie(cookie);
}

 

getCookieValue method:

 

Cookie is searched and its value (or null if not found) is returned:

 

private String getCookieValue(IPortalComponentRequest request, String cookieName)
{
    // get all cookies from the request
    Cookie[] cookies = request.getServletRequest().getCookies();
    if (cookies != null)
    {
        for (int i = 0; i < cookies.length; i++)
        {
            Cookie cookie = cookies[i];
            // search for the cookie and get its value
            if (cookie != null && cookie.getName().equals(cookieName))
            {
                return cookie.getValue();
            }
        }
    }
    return null;
}

 

After deploying this portal component, If we execute it  3 times, we will get the following output , from both techniques:

 

Cookie reads = 3 times

Got cookie MyCookie with its value=MyCookieValue

 

 

 

 

 

 

Related Links:

 

Important -  Security consideration using cookies

 

http://www.allaboutcookies.org/cookies/

 

http://en.wikipedia.org/wiki/HTTP_cookie

 

 

Enjoy,

Tal

Mobile Edition

 

First of all, I am really impressed with SAP Portal mobile edition; it's a great mobile experience, a great mobile application gallery and it's fully integrated with many mobile devices.

It's available via online, browser-based access channels.

 

I liked the video very much because it's very simple, and it shows the idea of SAP Mobile Portal in a simple way and in small points.

Also, what is cool about the video is that it answers a very important question, "Why do you have to use SAP Portal mobile edition"; it shows you the benefits of SAP Portal on mobile as follows:

 

-Maximize the value of your investment in SAP software for mobile devices

-Aggregate Web and native applications, SAP and non-SAP, structures and unstructured into a common mobile entry point

-Use a template-based workspace featuring predefined, mobile-ready  modules

 

According to the SAP Enterprise Portal, mobile edition document, I just wanted to show the mobile homepage screenshot, which displays the awesome view on mobile/tablets shown in the video:

 

[Screenshot: mobile_homepage_descr.png]

 

 

Also, I liked the video summary:

With SAP Portal Mobile edition you will be able to

- Create role-based multichannel portal

- Aggregate applications, documents and contents

- Available to anyone, at anytime, on multiple devices

 

Please all check "SAP Netweaver Portal - Mobile Edition" Overview video:

 

 

Please visit :Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge

We invite you to participate in the "Topic of the Week" campaign for SAP Fiori launchpad. A topic of the week is a selected topic about which you will get up-to-date information on SCN and our social media channels. You can listen to us and also discuss with us on SCN, Twitter, Facebook and LinkedIn on special days. Moreover we will also inform you about our focus topics for this year's SAP TechEd && d-code and make you aware what you can expect when you attend the event in Las Vegas or Berlin.


From September 17-18 we offer you "SAP Fiori Launchpad" as the topic of the week.


What are the highlights of SAP Fiori launchpad as the topic of the week and what can you expect?


ASUG Webinar on September 17

Participate in our ASUG webinar on SAP Fiori launchpad on September 17, and learn also what we plan for SAP TechEd && d-code this year.

 

Product Information

We will use our Social Media channels to give you up-to-date information on SAP Fiori launchpad in general and how it runs in SAP Enterprise Portal

You can access the following channels to follow the information flow and join the conversation:

  • Twitter: Get all kinds of information under hashtag #SAPFiori. You can read tweets also without having an own Twitter account.
  • Facebook: Get images, see videos, get some product insight and some technical overview information etc. You can read the content of our public Facebook page also without having an own Facebook account.
  • LinkedIn: Get more technical information.
  • and visit our SAP Enterprise Portal community on SCN where we also cover SAP Fiori launchpad


We also want your feedback, so we encourage interaction, discussion, commentary, questions and feedback.

  • Send your questions on Twitter to @Portal_SAP https://twitter.com/PORTAL_SAP and use hashtag #SAPFiori for your tweets
  • or simply add your feedback and questions as comments to this blog.

 

We are looking forward to meeting you this week at the webinar or on our social media channels.

Applying corporate design guidelines to your SAP Enterprise Portal is about to become much easier.

Are you familiar with the UI Theme Designer tool in SAP Enterprise Portal? If not, I’d like to expose you to an improved theming experience (compared to the Theme Editor you’re probably familiar with).

 

The UI Theme Designer is a browser-based tool that enables easy theme building by modifying one of the theme templates provided by SAP.

 

[Screenshot: ScreenshotAFP_Tradeshow.png]

Why Use the UI Theme Designer?

 

By using the UI Theme Designer in the Portal, you can benefit from the following:

  • Increased theming efficiency (reduced theming effort for customizing portal and integrated applications).
  • Ease of use – simple and intuitive.
  • Reduced theming effort.


We achieve these benefits by providing the following capabilities:

  • Graphical web-based WYSIWYG editor for controls as well as applications.
  • Different levels of theming:
    • Quick theming - Used for general theme settings affecting various SAP UI technologies.
    • Expert theming – Used for SAP UI technology-specific theme settings.
    • CSS - Manual theming based on LESS style sheet notations.
  • Built-in preview pages: application preview and control overview pages.
  • Enabled for SAPUI5 and Unified Rendering.

 

 

Availability


The UI Theme Designer is available in SAP NetWeaver 7.3 SP10, 7.31 SP9 or 7.4 SP4 onwards.

 

 

Migrating Themes for Use with The UI Theme Designer


You can import portal themes for use with the UI Theme Designer. Themes customized using the Theme Editor must be exported before the UI Theme Designer is activated. The exported themes should be imported (migrated) after activating UI Theme Designer. The following video contains all you need to know about Theme Migration in less than a minute.

 

 

 

 

 

Activation of UI Theme Designer


Configuration for activating the UI Theme Designer is also fast and easy. The configuration is illustrated in the following video in less than a minute.

 

 

 

Examples of Theming Capabilities

 

After doing the previous steps (Theme Migration (if required) and UI Theme Designer activation), you can now enjoy creating and editing themes in an easy, simple, and intuitive way. Examples of different levels of theming: Quick, Expert and CSS are provided in the following video.

 

 

 

Ongoing Improvements

 

Note that UI Theme Designer is in continuous development and therefore additional improvements are also reflected when working with the tool in the Portal. For example, theming based on Fiori Framework Page is supported, starting from SAP NetWeaver 7.31 SP12. Another example is the support of Right-To-Left (RTL), starting from SAP NetWeaver 7.31 SP13.
So you can expect that your experience will continue to improve in the future.

 

 

Notes and Known Limitations

 

  • Note 1890375 - Known Issues of UI Theme Designer for SAP NetWeaver Portal.
  • Note 1927550 - Update UI Theme Designer to version 1.1.4 in the portal.
  • Note 1895989 - UI5 iView stylesheet rendering issues.
  • Note 1959708 - Supporting integration of UI Theme designer and UI5 application in the portal.

 

 

Further Information

 

 

 

Enjoy - We'd appreciate your feedback

 

 

As a new starter to SAP it is important for me to get comfortable with SAP products and how they can add value to the customer. I have discovered that there is a strong emphasis on making the world simpler at SAP, and this video gives a good understanding of how we at SAP can create a simpler world for our customers.

 

The video opens with an intro to Sara, a sales manager, who has been working with SAP applications for years. Now she needs mobile applications in order to do her job, now she has an issue where she is using lots of different applications over the different devices she uses to do her job. There is no similarity between the apps.

 

Peter, the CIO of the company, has a challenging role where he is supporting many different devices, platforms and applications. He is now struggling to control the variety of applications, while at the same time the users are demanding more support and he needs more expertise to maintain the ever growing devices and applications.

 

SAP's solutions to Sara and Peter's problems are covered by Responsive Design.

 

Responsive Design aims to let the user of the applications have similar experiences across different devices, desktop, mobile and tablet, with the views for each device adapted for the device in use. There is a high emphasis on ensuring the content is easy to read and navigate.

 

The video goes on to show how SAP Portal is taking Responsive Design to the next level. On desktop there is full user access, where on tablet there is access to selected information and on tablet only crucial information and options are available. The content is designed to look great and be in a form relevant to the business, user role and user preferences.

 

Users will have a


    • Coherent experience
    • Optimized for the user's needs
    • Single point to manage the content
    • Ability to preview on a wide range of devices
    • Control for the user experience


Based on the latest technologies

    • HTML5
    • OpenSocial
    • OData protocol

Available on

    • HANA
    • On Cloud
    • On Premise

 

I found this video good at explaining how SAP can make user experiences simpler for users.

 

What Is Responsive design ?? - YouTube

 

Check out Announcement of SAP Portal and HANA Cloud Portal Gamification Movie Challenge
