This appendix goes over some topics that should be considered for secure Kapsel apps.
Cross-Site Request Forgery (CSRF)
Sharing Credentials between Applications
Accessing the SMP 3.0 Server From Outside a Corporate Firewall or on a Cellular Network
Using the X.509 Certificate Provider to Register using a Client Certificate
Things to Consider Before Release
SiteMinder
Additional Security Topics in Part 1
Cross-Site Request Forgery (CSRF)

CSRF is an attack that forces an end user to execute unwanted actions on a web application in which they are currently authenticated. See Cross-Site Request Forgery (CSRF) for additional details.
The SAP NetWeaver Gateway system protects against CSRF attacks by requiring that every modifying request (POST, PUT, DELETE and so on) carries an X-CSRF-Token header. The token is obtained with a GET request that sends the header X-CSRF-Token: Fetch; the server returns the token in the X-CSRF-Token response header. The token is bound to the session that the GET established, so the session cookie must be sent with the modifying requests as well. A modifying request without a valid token is rejected with HTTP 403 and the response header X-CSRF-Token: Required, which is the signal to fetch a fresh token and retry. See Cross-Site Request Forgery Protection for additional details. The included index.html demonstrates create, update and delete operations that use the CSRF header. To use it, provide the user ID and password for the OData source on line 6, place a copy of datajs-1.1.2.min.js in the same folder as the HTML file and deploy the Kapsel app. In the resulting output the carrier ID AA has been deleted and the currency for AC has been changed to USD.
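The token handshake described above, written out as an added example that is not part of the original page or of the SAP sample index.html. Because it has to run offline, the Gateway is replaced by a constructed in-memory stand-in that follows the same contract (token issued on GET with X-CSRF-Token: Fetch, bound to the session cookie, 403 plus X-CSRF-Token: Required when it is missing or stale); the service path, cookie name and token format are assumptions made for the demo, not the real Gateway's. The client side is what a Kapsel app's JavaScript has to do, including the refresh-and-retry on a stale token that datajs-based samples often omit.

```javascript
// Case-insensitive header lookup helper.
function lowerKeys(h) {
  const out = {};
  for (const k of Object.keys(h)) out[k.toLowerCase()] = h[k];
  return out;
}

// Constructed stand-in for the Gateway (server side). Real Gateway cookie
// names and token encoding differ; only the protocol shape matters here.
function makeMockGateway() {
  const sessions = new Map();                      // session id -> CSRF token
  const carriers = new Map([['AA', 'USD'], ['AC', 'CAD']]);
  const fresh = () => Math.random().toString(16).slice(2);   // demo-only randomness

  function handle(req) {
    const method = req.method.toUpperCase();
    const headers = lowerKeys(req.headers || {});
    const res = { status: 200, headers: {}, body: null };

    // Establish or resume the session (assumed cookie name "sid").
    let sid = ((headers.cookie || '').match(/sid=([^;]+)/) || [])[1];
    if (!sid) {
      sid = fresh();
      res.headers['set-cookie'] = `sid=${sid}; HttpOnly`;
    }
    if (!sessions.has(sid)) sessions.set(sid, 'tok-' + fresh());

    if (method === 'GET') {
      // The token is only handed out when explicitly requested with "Fetch".
      if ((headers['x-csrf-token'] || '').toLowerCase() === 'fetch') {
        res.headers['x-csrf-token'] = sessions.get(sid);
      }
      res.body = Object.fromEntries(carriers);
      return res;
    }

    // Modifying request: the presented token must be the one bound to this session.
    if (headers['x-csrf-token'] !== sessions.get(sid)) {
      res.status = 403;
      res.headers['x-csrf-token'] = 'Required';
      return res;
    }
    const id = (req.path.match(/CarrierCollection\('([A-Z]+)'\)/) || [])[1];
    if (method === 'DELETE') { carriers.delete(id); res.status = 204; }
    else if (method === 'PUT') { carriers.set(id, req.body.Currency); res.status = 204; }
    else if (method === 'POST') { carriers.set(req.body.Carrid, req.body.Currency); res.status = 201; }
    else res.status = 405;
    return res;
  }

  // Simulates a server-side session timeout: every issued token becomes stale.
  function expireSessions() { sessions.clear(); }
  return { handle, expireSessions, carriers };
}

// Client side: what the Kapsel app's JavaScript has to do.
class GatewayClient {
  constructor(transport) { this.transport = transport; this.cookie = null; this.token = null; }

  send(method, path, headers = {}, body = null) {
    if (this.cookie) headers.Cookie = this.cookie;          // keep the session the token is bound to
    const res = this.transport({ method, path, headers, body });
    if (res.headers['set-cookie']) this.cookie = res.headers['set-cookie'].split(';')[0];
    return res;
  }

  // Step 1: GET with X-CSRF-Token: Fetch; the token comes back in the response header.
  fetchToken(path) {
    const res = this.send('GET', path, { 'X-CSRF-Token': 'Fetch' });
    this.token = res.headers['x-csrf-token'] || null;
    return this.token;
  }

  // Step 2: modifying requests carry the token. 403 + "Required" means the
  // token is stale (new session), so fetch a fresh one and retry once.
  modify(method, path, body) {
    if (!this.token) this.fetchToken(path);
    const hdrs = () => ({ 'X-CSRF-Token': this.token, 'Content-Type': 'application/json' });
    let res = this.send(method, path, hdrs(), body);
    if (res.status === 403 && res.headers['x-csrf-token'] === 'Required') {
      this.fetchToken(path);
      res = this.send(method, path, hdrs(), body);
    }
    return res;
  }
}

// Runs the same sequence the page's sample performs: delete AA, set AC to USD.
function demo() {
  const gw = makeMockGateway();
  const client = new GatewayClient(gw.handle);
  const coll = '/sap/opu/odata/CarrierCollection';            // assumed service path
  const noToken = client.send('DELETE', `${coll}('AA')`);     // rejected: no token
  const del = client.modify('DELETE', `${coll}('AA')`);
  const upd = client.modify('PUT', `${coll}('AC')`, { Currency: 'USD' });
  gw.expireSessions();                                        // token goes stale
  const retried = client.modify('POST', coll, { Carrid: 'LH', Currency: 'EUR' });
  return {
    noTokenStatus: noToken.status, noTokenHeader: noToken.headers['x-csrf-token'],
    deleteStatus: del.status, updateStatus: upd.status, retryStatus: retried.status,
    carriers: Object.fromEntries(gw.carriers),
  };
}
```

The check a practitioner wants is in demo(): the first DELETE, sent without a token, is refused with 403 and X-CSRF-Token: Required, while the same request succeeds once the token from the Fetch GET is attached and the session cookie is replayed; the final POST shows that a token does not outlive its session, so clients must handle the Required response rather than caching a token indefinitely.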
Sharing Credentials between Applications

If multiple applications on a device connect to the same SAP Mobile Platform server and use the same user name and password or certificate, those credentials can be shared between the apps so that they only need to be entered once. The shared credentials are managed by an application called Client Hub, which integrates with the Logon plugin. The Client Hub is provided as an Android and an iOS project that can be built and installed on a mobile device or simulator. It is part of the SAP Mobile Platform native SDK and is found under:
C:\SAP\MobileSDK3\ClientHub
For additional details see Client Hub.
Note that the applications sharing credentials can be either native mobile applications or Kapsel applications.
Note that it is not recommended to use the Client Hub with iOS simulators.
The Client Hub project and the Kapsel projects must be signed with the same certificate, so that only apps signed with the same key can obtain the shared credentials. For more information on Android application signing see Signing Your Applications.
Perform the following steps to share credentials between two Kapsel apps. The Client Hub settings used are shown below: a Java properties file for the Android project and a plist for the iOS project. Both point at a development server with HTTPS set to false; in a production configuration set HTTPS to true so that the shared user name and password are never sent in clear.
Host=10.7.171.208
Port=8080
HTTPS=false
SecurityConfiguration=Config123
UserCreationPolicy=automatic
FarmID=0
Domain=default
URLSuffix=
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Host</key>
<string>10.7.171.208</string>
<key>Port</key>
<string>8080</string>
<key>HTTPS</key>
<false/>
<key>SecurityConfiguration</key>
<string>Config456</string>
<key>UserCreationPolicy</key>
<string>automatic</string>
</dict>
</plist>
com.mycompany.logon2
Accessing the SMP 3.0 Server From Outside a Corporate Firewall or on a Cellular Network

Support for the Relay Server was added in the SMP 3.0 SP03 release. SAP provides a publicly hosted relay server that can be used during development to make a server such as the SMP 3.0 server reachable from devices outside of a corporate firewall or on a different network. In a production environment it is recommended that you install the relay server in your own environment.
The relay server works by establishing a persistent outbound connection between rsoe.exe (the outbound enabler), which typically runs on the same machine as the SMP 3.0 server, and a relay server that is publicly reachable; because the connection is opened from the inside, no inbound firewall rule is needed. The publicly hosted relay server is running at http://relayserver.sybase.com and more recently at http://relayserver.sap.com.
The complete documentation is available at Relay Server.
The relay server is part of the SAP Sybase SQL Anywhere product. If you do not already have a copy of it, a trial version can be downloaded from SAP Sybase SQL Anywhere 16 Developer Edition. During the install, ensure the option Relay Server is checked.
The following steps demonstrate how to use the publicly hosted relay server to enable a Kapsel app to connect to an SMP 3.0 server running behind a corporate firewall or on a different network. Before following the steps below, make sure that the server connections in the SMP 3.0 server use test data only or have sufficient security set up, because the relay makes that server reachable from the Internet. The outbound enabler is started with a config file such as the following:
-f dan.van.leeuwen.rsFarm
-id rsoeSMP
-t d5337df5a9a26141ce52bd0f5b59
-cr "host=relayserver.sap.com;https=1;port=443;proxy_host=proxy;proxy_port=8080;url_suffix=/rs1/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 4
-o c:\temp\rsoe_smp.log
-os 10M
The outbound enabler options are documented in the Relay Server documentation linked above. Note the settings for proxy_host and proxy_port: if your network does not use a proxy server, remove these values. The -t value is the token that authenticates the outbound enabler to the relay farm; treat it as a secret and keep the config file out of source control. Note also that the relay leg (-cr) uses https=1 and port 443 while the local leg to the SMP server (-cs) stays on localhost. Start the outbound enabler with the config file:
rsoe @c:\Kapsel_Projects\rsoeSMP.config
Once the outbound enabler has connected, the SMP 3.0 server is reachable through the relay at a URL of the following form (the farm name follows rs_client.dll, then the path on the SMP server):
http://relayserver.sap.com/rs1/client/rs_client.dll/dan.van.leeuwen.rsFarm/sapui5/
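A small linter for the rsoe config file shown above, added here as an example; it is not part of the original page or of the Relay Server product. It parses the one-option-per-line format and the semicolon-separated -cr/-cs connection strings, then reports the settings a reviewer would question before exposing an SMP server through a public relay: a relay leg without https, a missing farm token, leftover proxy settings, and an outbound enabler that forwards to a remote host instead of the local SMP server. The sample file is constructed with a deliberately weak relay leg (https=0, port 80) so that the finding and its fix can both be seen; the farm name and token value are made up.

```javascript
// Constructed sample: same shape as the rsoeSMP.config above, but with the
// relay leg downgraded to plain HTTP. Farm name and token are invented.
const SAMPLE_RSOE_CONFIG = `
-f dev.rsFarm
-id rsoeSMP
-t 0123456789abcdef0123456789ab
-cr "host=relayserver.sap.com;https=0;port=80;proxy_host=proxy;proxy_port=8080;url_suffix=/rs1/server/rs_server.dll"
-cs "host=localhost;port=8080"
-v 4
-o c:\\temp\\rsoe_smp.log
-os 10M
`;

// Parse "key=value;key=value" into an object; values are kept as strings.
function parseConnectionString(s) {
  const out = {};
  for (const part of s.split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim().toLowerCase()] = part.slice(i + 1).trim();
  }
  return out;
}

// Parse the config file: every non-empty line is "-opt value", where the
// value may be wrapped in double quotes. -cr and -cs are parsed further.
function parseRsoeConfig(text) {
  const opts = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const m = line.match(/^-(\w+)\s+(?:"([^"]*)"|(\S+))$/);
    if (!m) throw new Error(`cannot parse line: ${line}`);
    opts[m[1]] = m[2] !== undefined ? m[2] : m[3];
  }
  if (opts.cr) opts.cr = parseConnectionString(opts.cr);
  if (opts.cs) opts.cs = parseConnectionString(opts.cs);
  return opts;
}

// Review the parsed options and return the findings (an empty list is clean).
function reviewRsoeConfig(opts) {
  const findings = [];
  const cr = opts.cr || {};
  const cs = opts.cs || {};
  if (cr.https !== '1') {
    findings.push('relay leg (-cr) is not HTTPS: the farm token and all relayed traffic cross the Internet in clear');
  } else if (cr.port && cr.port !== '443') {
    findings.push(`relay leg uses https on port ${cr.port}; confirm this is intended`);
  }
  if (!opts.t) {
    findings.push('no -t farm token: the outbound enabler cannot authenticate to the relay farm');
  }
  if (cr.proxy_host || cr.proxy_port) {
    findings.push('proxy_host/proxy_port are set; remove them if the network has no outbound proxy');
  }
  if (cs.host && !['localhost', '127.0.0.1'].includes(cs.host.toLowerCase())) {
    findings.push(`backend leg (-cs) forwards to ${cs.host}; the enabler normally runs beside the SMP server and forwards to localhost`);
  }
  return findings;
}

// Lint the sample, then lint the corrected form (https=1, port 443, no proxy).
function demo() {
  const weak = reviewRsoeConfig(parseRsoeConfig(SAMPLE_RSOE_CONFIG));
  const fixedText = SAMPLE_RSOE_CONFIG.replace(
    'https=0;port=80;proxy_host=proxy;proxy_port=8080;', 'https=1;port=443;');
  const fixed = reviewRsoeConfig(parseRsoeConfig(fixedText));
  return { weak, fixed };
}
```

Run demo() and the weak sample yields two findings (relay leg not HTTPS, proxy settings present) while the corrected file yields none; the checks are deliberately limited to what the page's own config makes verifiable, so a clean result from this linter does not replace reading the Relay Server documentation.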
The Kapsel app's logon context then points at the relay server rather than directly at the SMP 3.0 server; farmId and resourcePath are what route the request through the relay:
var context = {
    "serverHost": "relayserver.sap.com", //The relay server host, not the SMP 3.0 server behind it
    "https": "false", //false sends registration and OData traffic to the relay in clear; acceptable only for the test data assumed above
    "serverPort": "80",
    "user": "i82xxx", //Place your user name for the OData Endpoint here
    "password": "xxx", //Place your password for the OData Endpoint here
                       //once set can be changed by calling sap.Logon.changePassword()
    "communicatorId": "REST",
    "passcode": "password", //note hardcoding passwords and unlock passcodes is strictly for ease of use during development
                            //once set can be changed by calling sap.Logon.managePasscode()
    "unlockPasscode": "password",
    "passcode_CONFIRM": "password",
    "farmId": "dan.van.leeuwen.rsFarm", //the farm the outbound enabler registered with (-f)
    "resourcePath": "rs1/client/rs_client.dll" //client endpoint of the relay server
};
Using the X.509 Certificate Provider to Register using a Client Certificate

Client certificates can be used by applications to uniquely identify a user to the SMP 3.0 server or to an OData backend. Client certificates can be passed to the Logon plugin via the X.509 Certificate Provider interface. On iOS, only certificates that are part of the application's keychain are available to it. For this reason, apps that use client certificates often rely on a mobile device management solution such as SAP Afaria to provision the client certificate into the application. For further details see Making Certificates and Keys Available To Your App and Finding a certificate.
The X.509 Certificate Provider is an interface that can be used to integrate mobile device management software with the Logon plugin. For additional details see Using the X.509 Certificate Provider Interface to Integrate with Third-Party Certificate Providers and https://github.com/SAP/mobilesdk-certificateprovider.
Things to Consider Before Release

Consider minifying or even obfuscating your code if you wish to make it harder for someone to examine it. Neither protects secrets: anything embedded in the JavaScript can still be recovered from the installed app.
Ensure that the app cannot be debugged (on Android, android:debuggable must not be true in the manifest of the release build). See the debugging section for additional details.
Remove any hardcoded passwords. Many of the samples have these set in the context variable so they do not need to be entered for ease of use during development.
Ensure that the log level is set appropriately and that the log commands that are left are intended to be in the production code. Review the log output to ensure that nothing is being logged that should not.
Review the client password policy and ensure that it is set appropriately.
Consider adding a Mobile Device Management solution such as SAP Afaria to enforce a lock screen and a password policy, to enable remote wipes of a device and to prevent rooted or jailbroken devices from being used.
On Android it is possible to prevent an application's screen from being captured (screenshots, screen recording and the thumbnail shown in the recent-apps switcher) by setting the window flag FLAG_SECURE in the MainActivity. For additional details see WindowManager.LayoutParams.
To try this out, edit the MainActivity.java file for your project and add the two lines marked "added" below (the import and the setFlags call, which must run before the content view is created).
C:\SAP\MobileSDK3\KapselSDK\apps\fiori_client\FioriClient\platforms\android\src\com\sap\fiori\MainActivity.java
package com.sap.fiori;

import android.os.Bundle;
import org.apache.cordova.*;
import android.view.WindowManager.LayoutParams;   // added

public class MainActivity extends CordovaActivity
{
    @Override
    public void onCreate(Bundle savedInstanceState)
    {
        // added: refuse screenshots and screen capture of this window
        getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
        super.onCreate(savedInstanceState);
        // Set by <content src="index.html" /> in config.xml
        loadUrl(launchUrl);
    }
}
Note that the registration screens are presented in an InAppBrowser window, which has its own Window object and is therefore not covered by the flag set on the MainActivity. To prevent capture of the InAppBrowser window as well, add the setFlags call marked "added" below to the run() method that creates the dialog (and add the import for android.view.WindowManager.LayoutParams if the file does not already have it).
C:\SAP\MobileSDK3\KapselSDK\apps\fiori_client\FioriClient\platforms\android\src\org\apache\cordova\inappbrowser\InAppBrowser.java
// Create dialog in new thread
Runnable runnable = new Runnable() {
    ...
    public void run() {
        // Let's create the main dialog
        dialog = new InAppBrowserDialog(cordova.getActivity(), android.R.style.Theme_NoTitleBar);
        dialog.getWindow().getAttributes().windowAnimations = android.R.style.Animation_Dialog;
        // added: the logon screens are shown in this window, so protect it too
        dialog.getWindow().setFlags(LayoutParams.FLAG_SECURE, LayoutParams.FLAG_SECURE);
SiteMinder

SiteMinder is a commonly used access management solution that can be used with the SMP 3.0 platform. The following links provide additional details.
CA SiteMinder
Single Sign-on Integration with SiteMinder
How-To: Set up SUP with SiteMinder