7.8 Whitelist

 

In some situations, a framework or application on the ABAP server receives information from the outside that it might use in the next steps of its interaction with the browser or with NWBC. The problem is that this externally received information could point to a website that is not trusted. The whitelist infrastructure allows the application to verify that the specified value is in a trusted range. It is a store against which applications or frameworks can check that the received data matches a set of configured entries and is therefore in a valid range.

It is the responsibility of the functionality provider to validate all received input before it is used. For functionality provided centrally by a framework, the framework itself must validate these specific URL parameters against the whitelist to confirm that they are in a valid range.

You need to define explicit whitelist entries in the registry if your system contains navigation to external targets. For example, an ABAP transaction on system ABC calls a remote transaction on system XYZ. To allow this navigation, you need to create a whitelist entry for system XYZ. Another example of an external target is a web navigation to http://www.google.com.

In the registry, for key HKEY_LOCAL_MACHINE\SOFTWARE\SAP\NWBC\Settings\WhiteList, define a subkey. The name of the subkey is the SID of the corresponding back-end system.

Example

If you have defined a system with a name such as MySystem that connects to a system with SID ABC, the path is HKEY_LOCAL_MACHINE\SOFTWARE\SAP\NWBC\Settings\WhiteList\ABC.

For this subkey, define a string entry with the name value. Its content is the concatenation of the whitelist entries, separated by blanks.

Example

value=*://*.sap.com:*/* http://*.google.com:*/* https://www.microsoft.com:*/*

Note

On 64-bit operating systems (for example, Vista 64-bit or Windows 7 64-bit), the registry key is virtualized as NWBC is a 32-bit process. That is, the above key MUST be edited using the 32-bit version of Regedit (which is typically located under C:\Windows\SysWOW64\regedit.exe).

You can verify the correctness in standard Regedit (C:\Windows\regedit.exe) by checking the key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\SAP\NWBC\Settings\WhiteList.

Note

For a complex system landscape, it might be easier to just allow a whole domain. This can be accomplished by defining a single registry key that additionally contributes to each system's whitelist. The key is HKEY_LOCAL_MACHINE\SOFTWARE\SAP\NWBC\Settings\GlobalWhiteList and contains a string value named value as mentioned earlier.

An entry for the connected system is created automatically (dynamically) on the client and added to the list fetched from the server.

Note

If NWBC is connected to a portal, follow the same registry steps as described above, but use the connection name instead of the SID as the name of the subkey.

Note

To disable the whitelist, which means you allow everything, create an entry *://*:*/* (any protocol, any host, any port, and any path).

Note

For whitelist entries, you should always specify the fully qualified domain name, which includes the domain. For file:// URLs, you can also specify UNC paths to network shares.

Example: file://\\myhost\myshare\some\path\*
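A read-only audit of the configuration described above, as an added example that is not part of the original documentation: this PowerShell script opens the 32-bit registry view that NWBC uses, lists every entry from GlobalWhiteList and from each WhiteList subkey, and flags the *://*:*/* entry that disables the whitelist. The function name Get-WhitelistEntries and the output column names are chosen here for illustration.

```powershell
# Added audit example: reads the NWBC whitelist settings, changes nothing.
# NWBC is a 32-bit process, so open HKLM in the 32-bit view
# (on 64-bit Windows this is the Wow6432Node branch).
$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)

$settings = 'SOFTWARE\SAP\NWBC\Settings'
$allowAll = '*://*:*/*'   # the entry that disables the whitelist

# Hypothetical helper: split the "value" string of one key into entries.
function Get-WhitelistEntries {
    param([Microsoft.Win32.RegistryKey]$Key, [string]$Scope)
    if ($null -eq $Key) { return }          # key not configured
    $raw = [string]$Key.GetValue('value')
    if ([string]::IsNullOrWhiteSpace($raw)) { return }
    # Entries are concatenated and separated by blanks.
    foreach ($entry in ($raw -split '\s+' | Where-Object { $_ })) {
        [pscustomobject]@{
            Scope             = $Scope
            Entry             = $entry
            DisablesWhitelist = ($entry -eq $allowAll)
        }
    }
}

$results = @(
    # Global list that contributes to every system's whitelist.
    Get-WhitelistEntries -Key $hklm.OpenSubKey("$settings\GlobalWhiteList") `
                         -Scope 'GlobalWhiteList'

    # One subkey per SID (or per connection name for a portal).
    $perSystem = $hklm.OpenSubKey("$settings\WhiteList")
    if ($perSystem) {
        foreach ($name in $perSystem.GetSubKeyNames()) {
            Get-WhitelistEntries -Key $perSystem.OpenSubKey($name) `
                                 -Scope "WhiteList\$name"
        }
    }
)

$results | Format-Table -AutoSize

$open = @($results | Where-Object { $_.DisablesWhitelist })
if ($open.Count -gt 0) {
    Write-Warning ("Whitelist disabled by {0} in: {1}" -f
        $allowAll, (($open.Scope | Sort-Object -Unique) -join ', '))
}
```

Because the script requests the Registry32 view explicitly, it returns the same keys whether it is started from a 32-bit or a 64-bit PowerShell host.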