Former Member

Same Origin Policy. Is that really necessary?

SOP is an important security concept in browsers. Put simply, SOP allows client-side languages such as JavaScript to access only resources from the same domain. The first picture shows the problem. SOP is very important for internet applications, because you want to prevent everybody from accessing your services and content. However, this restriction is often unnecessary and obstructive in enterprise environments. Because turning down your browser's security configuration is not an option, I will show you how you can solve this problem in different ways.

1. Use JSONP to make cross-domain Ajax requests

In my previous post, I explained how you can call a web service from a different domain with jQuery without running into security issues. This approach is sometimes very useful and easy to implement. But when you can't enhance your services to provide JSONP (or maybe you just refuse to do so), there are some other solutions to handle this problem.

2. Establish a Reverse Proxy with Apache HTTP Server

2.1 The theory

A reverse proxy is a special kind of web server. This passage from the official documentation explains its features very precisely:

A reverse proxy (or gateway) appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.


A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.

The last sentence is the important one for us when it comes to getting around SOP. The following picture shows the enhanced infrastructure.

  1. SAPUI5 apps will no longer be available under http://myapps.com/, but under http://central.com/apps/.
  2. SAP NetWeaver will no longer be available under http://saphrp.mycompany.com/, but under http://central.com/saphrp/.
  3. IIS will no longer be available under http://otherservices.com/, but under http://central.com/otherservices.

All systems are in the same domain, so you can call services without getting security issues.

2.2 The practice

Now I will show you how you can test the functionality of a reverse proxy on your local PC. I will use Windows 7 as the operating system and the Windows version of Apache HTTP Server. Before we start, just a short note: if you are going to work with Apache HTTP Server in your company, I recommend using UNIX/Linux as the OS and not Windows. Besides, you will need a system engineer or a web admin to create a complete environment with a thorough configuration. Important issues are security, load balancing and caching.

2.2.1 Download Apache HTTP Server

As you can see on this site, you can choose between different options for deploying Apache httpd on Windows. We will use the build from Apache Lounge. Go to this site and download the latest Apache win32 binaries (e.g. httpd-2.4.4-win32.zip).

2.2.2 The Setup

After downloading, unzip the Apache<version> folder to C:\Apache<version> (that is the ServerRoot in the config). When you unzip to another location, you have to make some changes in the configuration. For testing, it's better to use C:\Apache<version> (in my example: C:\Apache24).

2.2.3 Start the Server

After that, open your console, go to C:\Apache24\bin and start httpd.exe. When everything is fine, you should see a console like this.

Now the server is running. The message AH00558 is just a warning. To fix it, go to C:\Apache24\conf and open the httpd.conf file (this is the place where all important configuration is done). Search for 'ServerName' and remove the hash at the start of the line (so it's no longer a comment). For our test, you can choose any name, for example:

ServerName www.test.com:80

When you now restart the server (press Ctrl+C in the console and start httpd.exe again), the message should have disappeared.

2.2.4 Test

Open your browser and call http://localhost. You should see a simple "It works!". If you have problems starting your server, make sure that no other service is running on port 80. Besides, be sure that you have installed the Visual C++ 2010 SP1 Redistributable Package x86. You can download it from here. If you want to check the error log for more information, go to C:\Apache24\logs and open error.txt.

2.2.5 Activating Modules for Reverse Proxy

Apache supports a variety of features, many implemented as compiled modules which extend the core functionality. To activate the basic reverse proxy features for HTTP, go to C:\Apache24\conf and open httpd.conf. Remove the hash in front of LoadModule proxy_module modules/mod_proxy.so and LoadModule proxy_http_module modules/mod_proxy_http.so. Restart your server.

2.2.6 Adding a simple Configuration

Let's say we no longer want to call the start page of amazon.com via http://www.amazon.com but via localhost/amazon. Add these two lines at the end of your httpd.conf:

ProxyPass /amazon http://www.amazon.com/

ProxyPassReverse /amazon http://www.amazon.com/

Restart your server and go to localhost/amazon. You should see the start page of amazon.com! And that's it!

2.3 Some more Information

This was just a tiny and minimal configuration for reverse proxy functionality. For enterprise environments, you will need a lot more configuration in order to cover all requirements. Some issues with this solution, which can be solved by adding additional modules and configuration, are listed here:

  1. When you click on a link on localhost/amazon, you will get an HTTP 404 error. You have to ensure that all resources of a domain are available through your reverse proxy.
  2. For Java applications I recommend using modules which handle the communication between reverse proxy and server over a specific protocol. For Java servers (Tomcat, Jetty etc.) you can use mod_proxy_ajp or mod_jk, which implement the Apache JServ Protocol.
  3. For SSL support, you need further modules like mod_ssl.
  4. If you want to pass a query string on to an application server (this is normally very important for SAPUI5 apps), you will need a rewrite engine like mod_rewrite.

Besides AJP and HTTP, you can use a reverse proxy for other protocols, too. Currently there are modules for AJP, HTTP, CONNECT (for SSL), FastCGI, FTP and SCGI.
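To make the mechanics of section 2 concrete, here is a small model (added example, not code from the post or from Apache) of what ProxyPass and ProxyPassReverse do for the URL space in section 2.1, plus the origin comparison a browser performs. The host names are the ones from the post; the mapping table and the sample paths are assumptions.

```javascript
// Added example: models mod_proxy's forward mapping (ProxyPass) and header
// rewriting (ProxyPassReverse) for the three backends from section 2.1.
// Mapping table is assumed; it mirrors the list in the post.
const MAPPINGS = [
  { prefix: "/apps/",          backend: "http://myapps.com/" },
  { prefix: "/saphrp/",        backend: "http://saphrp.mycompany.com/" },
  { prefix: "/otherservices/", backend: "http://otherservices.com/" },
];
const PROXY_ORIGIN = "http://central.com";

// ProxyPass: a request path on central.com is forwarded to the matching backend.
// Returns null when no prefix matches (Apache then serves the path itself,
// which is the HTTP 404 mentioned in section 2.3, item 1).
function routeRequest(path) {
  for (const m of MAPPINGS) {
    if (path.startsWith(m.prefix)) {
      return m.backend + path.slice(m.prefix.length);
    }
  }
  return null;
}

// ProxyPassReverse: absolute URLs in Location / Content-Location / URI response
// headers from a backend are rewritten into the proxy's namespace so the browser
// stays on one origin. Only these headers are rewritten, never links inside an
// HTML body, which is why clicking links on localhost/amazon can end in a 404.
function rewriteLocation(location) {
  for (const m of MAPPINGS) {
    if (location.startsWith(m.backend)) {
      return PROXY_ORIGIN + m.prefix + location.slice(m.backend.length);
    }
  }
  return location; // unmapped host: the browser would leave the proxy's origin
}

// The check behind SOP: two URLs share an origin only when scheme, host and
// port all match. After proxying, every backend lands on http://central.com.
function isSameOrigin(a, b) {
  const u = new URL(a), v = new URL(b);
  return u.protocol === v.protocol && u.hostname === v.hostname && u.port === v.port;
}
```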

3. Cross-origin resource sharing

Another approach to get around SOP is Cross-origin resource sharing (CORS). This article from the Mozilla Developer Network explains the characteristics of CORS very well. Here is a short extract:

Cross-site HTTP requests initiated from within scripts have been subject to well-known restrictions, for well-understood security reasons. For example HTTP Requests made using the XMLHttpRequest object were subject to the same-origin policy. In particular, this meant that a web application using XMLHttpRequest could only make HTTP requests to the domain it was loaded from, and not to other domains. Developers expressed the desire to safely evolve capabilities such as XMLHttpRequest to make cross-site requests, for better, safer mash-ups within web applications.

The Cross-Origin Resource Sharing standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information using a web browser.

To test this feature, look at the response headers of this service: http://ip.jsontest.com/.

When you call this service with jQuery without JSONP, you will still get a response (you can test this call right here). This is only possible because of the response header "Access-Control-Allow-Origin".

This solution means that you don't have to set up an additional server instance in your infrastructure. Instead, you have to enhance your services with HTTP headers. There are several ways to achieve this.

3.1 Example for ICF-based Services

When you create simple HTTP services with ICF, you can very easily add additional header information. Besides, you can implement this feature in your own HTTP handler class, which is added to your handler list in SICF.

" server is the IF_HTTP_SERVER instance passed to IF_HTTP_EXTENSION~HANDLE_REQUEST
SERVER->response->set_header_field(
  EXPORTING
    name  = 'Access-Control-Allow-Origin'
    value = '*'
).

3.2 Example for a Java-Filter

When you can't configure your Java server to add new headers, you can write a simple filter for your web application to add CORS headers.

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Servlet filter that adds the CORS header to every response on the mapped URL pattern
public class CORSFilter implements Filter {

    public CORSFilter() {
    }

    public void init(FilterConfig fConfig) throws ServletException {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        // "*" lets scripts from any origin read the response
        ((HttpServletResponse) response).addHeader(
                "Access-Control-Allow-Origin", "*");
        // hand the request on to the rest of the chain and the servlet itself
        chain.doFilter(request, response);
    }
}

This is the enhancement for your web.xml.

<filter>
    <filter-name>CORSFilter</filter-name>
    <filter-class>CORSFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>CORSFilter</filter-name>
    <url-pattern>/service/*</url-pattern>
</filter-mapping>
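Both the ICF snippet in 3.1 and the filter in 3.2 answer with "*", which lets every origin read the service. The header logic below is an added example (not the post's or SAP's code) of the same idea with an origin allow-list, the Vary header that caches need when the origin is echoed, and the preflight answer that non-simple requests require; the allowed origins and header names are assumptions.

```javascript
// Added example: CORS response headers with an allow-list instead of "*".
// Pure function, so it can sit behind a servlet filter's addHeader() or an
// ICF handler's set_header_field() alike. Origins below are assumed values.
const ALLOWED_ORIGINS = new Set([
  "http://myapps.com",   // the SAPUI5 apps from section 2.1
  "http://central.com",  // the reverse proxy host from section 2.1
]);
const ALLOWED_METHODS = "GET, POST, OPTIONS";
// X-CSRF-Token is the header SAP's ICF uses for its CSRF check; listing it here is an assumption
const ALLOWED_HEADERS = "Content-Type, X-CSRF-Token";

// Returns the headers to add for a request with the given Origin and method.
// Returns an empty object when the origin is not allowed: no ACAO header is
// sent, so the browser blocks the script from reading the response (SOP as usual).
function corsHeadersFor(origin, method) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  const headers = {
    // echo the one allowed origin; browsers refuse "*" together with credentials
    "Access-Control-Allow-Origin": origin,
    // needed because the response now differs per Origin; shared caches key on it
    "Vary": "Origin",
    // allow cookies / SAP logon tickets to travel with the cross-origin request
    "Access-Control-Allow-Credentials": "true",
  };
  if (method === "OPTIONS") {
    // preflight: custom headers, JSON bodies or PUT/DELETE trigger one before the real request
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight result for 10 minutes
  }
  return headers;
}
```

In the filter from 3.2 this replaces the single addHeader call: read request.getHeader("Origin"), call the equivalent of corsHeadersFor, and add each returned header to the response.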

3.3 Adding Header-Field with Server-Config

It depends on your server whether it is possible and how easy it is to add custom header fields. A short interview with your admins should give you more information.

I hope all this information will help you to get rid of SOP. I wish you success!
