5 Replies Latest reply: May 8, 2012 1:05 PM by Michael Schüßler

Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table

Michael Schüßler

Hi all

We want to use the SAP Web Dispatcher 720P113 to secure our external facing NetWeaver 7.3 Portal.

The Web Dispatcher can of course filter parts of the URL.

With this we would like to restrict access from the internet to the necessary NetWeaver Portal applications.


We hoped to create a minimum permission table file and started with the following:

#SAP Web Dispatcher permission table
P /irj/*
#DENY ALL
D *

Then we realised we also had to permit /logon_ui_resources/* to be able to see the logon screen. Afterwards we could log in, but could not see any portal images and so on.


In particular, we don't want anyone to open /nwa or /sld or /startPage..., and I don't know how many more critical URLs there are. Even if we block e.g. /sld, somebody who knows the complete URL webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main can log in to SLD.

Of course we use SSL & firewall to the system, along with secure OS settings.


Has anyone implemented a permission table file with SAP Web Dispatcher and can supply us with a working, secure configuration or give any hints on how to identify critical portal applications?


BR

Michael

  • Re: Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table
    Martin Voros

    Hi,


    You can use any modern browser (IE has developer tools on F12, Firefox has Firebug) to capture all URLs requested. So you can just browse your portal for a while and soon you'll get the basic URLs that need to be accessible. I haven't done this for Portal but for ABAP AS, and it was just a couple of URLs and a pretty easy process. Another approach could be to allow everything on the Web Dispatcher and check the access log for which URLs are requested.


    Cheers
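
The access-log approach Martin describes, as an added example (not SAP code and not part of the original thread): the script parses constructed Web Dispatcher access-log lines, collapses the request paths seen into wildcard `P` rules, and refuses to turn anything under a known administration prefix into a permit. It assumes the log uses the CLF-style layout `%h %l %u %t "%r" %s %b`; adjust `LOG_RE` if your `LOGFORMAT` differs. The admin prefix list is taken from the deny rules posted later in this thread and is not exhaustive for any NetWeaver release.

```python
"""Build a candidate SAP Web Dispatcher ptab allow list from access-log lines.

Added example, not SAP code. Assumption: the access log is in the CLF-style
layout  %h %l %u %t "%r" %s %b . The log lines below are constructed.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: a portal browsing session plus two admin requests.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2012:13:05:01 +0200] "GET /irj/portal HTTP/1.1" 200 5123
10.0.0.5 - - [08/May/2012:13:05:01 +0200] "GET /logon_ui_resources/themes/portal/logon.css HTTP/1.1" 200 912
10.0.0.5 - - [08/May/2012:13:05:02 +0200] "POST /irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default HTTP/1.1" 200 2210
10.0.0.5 - - [08/May/2012:13:05:03 +0200] "GET /webdynpro/resources/sap.com/tc~wd~dispwda/global/SSR/ur/ur-ie.js HTTP/1.1" 200 40001
10.0.0.5 - - [08/May/2012:13:05:03 +0200] "GET /htmlb/mimes/sapbutton.js?v=2 HTTP/1.1" 304 0
10.0.0.9 - - [08/May/2012:13:06:10 +0200] "GET /nwa HTTP/1.1" 302 0
10.0.0.9 - - [08/May/2012:13:06:12 +0200] "GET /webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main HTTP/1.1" 200 7810
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Paths an internet-facing portal should never expose. A request under one of
# these is reported instead of becoming a P rule. Taken from the deny list in
# this thread; it is NOT a complete inventory of admin URLs for any release.
ADMIN_PREFIXES = (
    "/nwa", "/sld", "/startPage", "/useradmin", "/wsnavigator", "/sapmc",
    "/webdynpro/dispatcher/sap.com/tc~sld~wd~main",
    "/webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin",
)


def parse_paths(log_text):
    """Yield request paths (query string removed) from every line that parses."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip it rather than abort the inventory
        yield urlsplit(m.group("target")).path


def is_admin_path(path):
    """True if the path is, or lies under, one of the admin prefixes."""
    return any(path == p or path.startswith(p + "/") for p in ADMIN_PREFIXES)


def rule_for(path, depth=2):
    """Collapse a path to a wildcard prefix with at most `depth` segments.

    /webdynpro/resources/sap.com/x/y.js -> /webdynpro/resources/*
    /irj/portal                          -> /irj/portal*
    """
    segs = [s for s in path.split("/") if s]
    head = "/" + "/".join(segs[:depth])
    return head + ("/*" if len(segs) > depth else "*")


def build_allow_list(log_text, depth=2):
    """Return (sorted P rules, Counter of admin paths seen in the log)."""
    rules, admin_hits = set(), Counter()
    for path in parse_paths(log_text):
        if is_admin_path(path):
            admin_hits[path] += 1
        else:
            rules.add("P " + rule_for(path, depth))
    return sorted(rules), admin_hits


if __name__ == "__main__":
    rules, admin = build_allow_list(SAMPLE_LOG)
    print("\n".join(rules))
    print("D *")  # whitelist principle: anything not permitted above is denied
    for path, n in admin.items():
        print(f"# admin path seen {n}x, deliberately not permitted: {path}")
```

The `depth` parameter is the knob to tune: depth 2 yields `/logon_ui_resources/themes/*`, while depth 1 would give the broader `/logon_ui_resources/*` that Hassan's list uses. Review every generated rule by hand, since the log only proves what was requested, not that each request was a legitimate end-user action.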

  • Re: Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table
    Hassan KHANAFER

    Hello Michael,


    I had the same issue today and it was resolved by creating the permission file as follows:

    P /irj*
    P /irj/*
    P /logon_ui_resources/*
    P /logon_ui_resources*
    P /AFPServlet/*
    P /AFPServlet*
    P /com.sap*
    P /com.sap/*
    P /webdynpro/resources*
    P /webdynpro/resources/*

    In this case you will have all the images displayed and functional, and it will block all the administration URLs.

    Maybe afterwards we should deny or permit other URLs, depending on the needs.


    Hope that it helps you


    Hassan

    • Re: Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table
      Michael Schüßler

      Hi Hassan,

      thanks for your answer but this does NOT block NWA nor SLD in NW 7.3.

      As soon as we have a configuration that is reliable in our case I'll post it here.

      • Re: Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table
        Raoul Shiro

        Hello Michael,


        Have you been able to make any progress in protecting your Portal access?

        • Re: Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table
          Michael Schüßler

          Hi Raoul,


          I think I have. Here's the ptabfile we use as a whitelist:

          ######### SAP Web Dispatcher permission table
          ######### Whitelist principle
          ######### DENY Critical Apps #########
          D       /nwa
          D       /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
          D       /sld
          D       /webdynpro/dispatcher/sap.com/tc~sld~wd~main/*
          D       /startPage
          D       /nwa/sysinfo
          D       /wsnavigator
          D       /useradmin
          D       /webdynpro/welcome/*
          D       /webdynpro/dispatcher/sap.com/tc~wd~tools/*
          D       /sr_central
          D       /sapmc
          D       /utl/UsageTypesInfo
          D       /ejbexplorer
          D       /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
          D       /webdynpro/dispatcher/sap.com/tc~esi~esp~wsnav~ui/*
          D       /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*
          #
          ######### ALLOW #########
          ### SAP PORTAL ###
          P       /AFPServlet/*
          P       /com.sap.netweaver.coll.appl.ui.room/scripts/*
          P       /com.sap.portal.*
          P       /com.sap.ui.lightspeed/js/*
          P       /com.sap.workflow.admin.template_jwf/images/*
          P       /htmlb/*
          P       /irj/go/km/*
          P       /irj/portal/*
          P       /irj/portal*
          P       /irj/servlet/prt/*
          [snip]
          ### SAP ABAP ###
          #Custom
          P       /sap/bc/webdynpro/SAP/Z_APP1*
          P       /sap/bc/webdynpro/SAP/Z_APP2*
          P       /sap/bc/webdynpro/sap/z_app3*
          #SAP Common
          P       /sap/public/bc/webdynpro/ssr/*
          P       /sap/public/bc/ur/Design2002/*
          P       /sap/public/bc/ur/nw5/*
          P       /sap/public/bc/icons/*
          P       /sap/public/bc/WebIcons/ur/default/l/Icon/*
          #
          ######### FOR DEBUGGING ALLOW ALL #########
          #P      *
          ######### DENY EVERYTHING ELSE #########
          D       *


          Where it says [snip] we also added custom logon screen URLs.


          Basically I used Firebug and/or IE Developer Tools to capture the URLs visited while browsing the Portal. After quickly filtering the results in Excel, along with some other Excel capabilities, we arrived at this list.


          I know I could have left out the initial Denys due to the final Deny-all rule, but I felt safer with them.


          Any ideas / design flaws are still welcome.


          Michael
