Server Security

Server security comprises topics such as cross-origin resource sharing and resource handlers.

SAPUI5 contains only a small server-side part to support loading of resources by the client framework. The use of the resource handlers is not mandatory: SAPUI5 also offers a static version of the libraries, which can be used with an arbitrary HTTP server.

Cross-Origin Resource Sharing

For security reasons, XMLHttpRequest usually allows access only to resources from the same domain as the originating document. Because many web-based services are available today, from RSS or Atom feeds to web services and OData services, there is a need to access data sources from different domains within the browser. The CORS (Cross-Origin Resource Sharing) standard addresses this need: it allows a server to set special headers on its responses that tell the XMLHttpRequest object whether it is allowed to process the requested data.

CORS also plays an important role in SAPUI5-based applications. If the application itself and the data it visualizes come from different servers, the CORS headers have to be configured correctly on the data-providing server to allow the application server domain to access the data.
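One way the data-providing server can decide which CORS headers to return, as an added example that is not SAP's code. The application origin `https://app.example.com`, the `POLICY` object and the function name `corsResponseHeaders` are assumptions made for illustration.

```javascript
// Constructed policy for the data-providing server; the origin is a placeholder
// for the domain that serves the SAPUI5 application.
const POLICY = {
  origins: new Set(["https://app.example.com"]),
  methods: new Set(["GET", "POST"]),
  requestHeaders: new Set(["accept", "content-type"]),
  maxAgeSeconds: 600,
};

// Decide which CORS response headers to send for one request.
// `method` is the HTTP method, `reqHeaders` a map with lower-case header names.
function corsResponseHeaders(method, reqHeaders, policy = POLICY) {
  // Vary: Origin keeps shared caches from replaying one origin's answer to another.
  const out = { Vary: "Origin" };
  const origin = reqHeaders["origin"];
  // Exact string match against the allowlist: no wildcard, no suffix or regex match.
  if (!origin || !policy.origins.has(origin)) return out;
  out["Access-Control-Allow-Origin"] = origin;

  const wanted = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || wanted === undefined) return out; // actual request

  // Preflight: approve only if the method and every requested header are allowed.
  const headers = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!policy.methods.has(wanted) ||
      !headers.every((h) => policy.requestHeaders.has(h))) {
    delete out["Access-Control-Allow-Origin"]; // rejected: browser blocks the call
    return out;
  }
  out["Access-Control-Allow-Methods"] = [...policy.methods].join(", ");
  out["Access-Control-Allow-Headers"] = [...policy.requestHeaders].join(", ");
  out["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
  return out;
}
```

A response without `Access-Control-Allow-Origin` is still sent, but the browser does not hand its data to the calling script.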

SAPUI5 uses CORS headers on its CDN-based library to be able to load additional scripts, styles, and resources from the CDN server.

Resource Handler (ABAP)

The resource handler for ABAP is used to serve the resources from the MIME repository.

Note: After the installation of SAP Note 2075016 (available for all support packages), you can use the Business Add-In (BAdI) /UI5/BADI_CONFIG_HTTP_HANDLER to limit the lifetime of the HTTP browser cache for SAPUI5 applications. This means that users of the application do not have to clear the browser cache manually after an update of the software on the server. You can also use this BAdI to activate private cache control.

Resource Handler for Application Resources (ABAP, NW 7.x)

The resource handler for application resources for ABAP, NW 7.x is used to serve the resources from the SAPUI5 repository, which is based on the BSP repository.

Note: After the installation of SAP Note 2075016 (available for all support packages), you can use the Business Add-In (BAdI) /UI5/BADI_CONFIG_HTTP_HANDLER to limit the lifetime of the HTTP browser cache for SAPUI5 applications. This means that users of the application do not have to clear the browser cache manually after an update of the software on the server. You can also use this BAdI to activate private cache control.