Show TOC

Background documentationSecurity Aspects for BSP Locate this document in the navigation structure


It is important to consider security aspects when you create Web applications using the BSP programming model. Security functions are available both for when you create BSP applications as well as for when you operate them.

Security in AS-ABAP

For basic information about security aspects in an AS-ABAP system in which you are creating your BSB application, see the security guide under

  • Network Infrastructure and

  • Security in AS-ABAP.

Note Note

Note in particular the Configuration for SSL Support. Furthermore, a function is provided for increasing performance in the case of multiple logons, namely the

Logon Ticket Cache.

End of the note.

Certain Virus Scan Profiles are delivered by SAP in the standard system. A virus scan is possible during an HTTP Upload (you can find more information about keyword Virus Scan Interface in the security guide).

The Internet Communication Manager (ICM) receives the HTTP requests from the Internet and returns a response.

Logging on to BSP Applications

To access a BSP application, AS ABAP uses the HTTP framework from the Internet Communication Manager (ICF), which provides functions for logging on to the AS ABAP.

Caution Caution

Refer in particular to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those services that you really need. If, however, you activate nodes at a higher level, this means that the whole part of the service tree below this level is completely open and is therefore not secure if an anonymous user is defined, for example.

You can find a list of the services required for each usage scenario in Business Server Pages Administration.

To create logon procedures for your BSP application there is a simple procedure for developing and configuring the system logon. For more information, see System Logon.

End of the caution.
Accessing a BSP Application

A browser accesses your BSP application using HTTP or HTTPS. The most important aspects are summarized in Accessing a BSP Application.

You can also determine that your BSP should always be accessed using HTTPS. You can find more information about defining the transmission options in the description of the Properties of a BSP application.

You have to configure the secure sockets layer (SSL) so that your BSP application can communicate with the browser. Make sure that your BSP application supports HTTP POST requests. For more information, see SAP Note 904249.

Security Risk List

A white list infrastructure in the HTTP framework fends off XSS attacks: Security Risk List

Relevant SAP notes

Note Number



Setting Up SSL on the Web Application Server


Logging on to BSP Applications


DNS Configuration for BSP Applications under Windows 2000


Logon Ticket Cache


HTTP white list check (security)


Start BSP with a POST Request


BSP XSRF Framework as Transport Files (only for stateful applications)


XSRF Protection for Stateless BSP (also for stateless applications)