
Security Aspects for BSP

It is important to consider security aspects when you create Web applications using the BSP programming model. Security functions are available both for creating BSP applications and for operating them.

Security in AS-ABAP

For basic information about security aspects in an AS-ABAP system in which you are creating your BSP application, see Network Infrastructure and Security in AS-ABAP.

Note

Note in particular the Configuration for SSL Support.
Furthermore, a function is provided for increasing performance in the case of multiple logons, namely the Logon Ticket Cache.

Certain Virus Scan Profiles are delivered by SAP in the standard system. A virus scan can be performed during HTTP uploads (see also Virus Scan Interface).

The Internet Communication Manager (ICM) receives the HTTP requests from the Internet and returns a response.

Logging on to BSP Applications

To access a BSP application, AS-ABAP uses the HTTP framework from the Internet Communication Manager (ICF), which provides functions for Logging on to the AS-ABAP.

Caution

Refer in particular to Activating and Deactivating Services. For security reasons, the only services that should be active in the HTTP service tree are those that you really need. If you activate a node at a higher level, the whole part of the service tree below that level is completely open and is therefore not secure if, for example, an anonymous user is defined.

For a list of the services that have to be activated depending on their usage, see note 517484.

To create logon procedures for your BSP application, there is a simple procedure for developing and configuring the system logon. Security functions are included in this procedure. For more information, see System Logon.

Accessing a BSP Application

A browser accesses your BSP application using HTTP or HTTPS. The most important aspects are summarized in Accessing a BSP Application.

Furthermore, you can specify that your BSP should always be accessed using HTTPS. For more information about defining the transmission options, see the description of the Properties of a BSP application.

Security Risk List

A white list infrastructure in the HTTP framework fends off XSS attacks: see Security Risk List.

URL Generation

See URL Generation in an AS-ABAP - Web Dispatcher Configuration

Notes

Relevant SAP notes

Note Number    Title
517484         Inactive Services in the Internet Communication Framework
510007         Setting Up SSL on the Web Application Server
517860         Logging on to BSP Applications
434918         DNS Configuration for BSP Applications Under Windows 2000
420085         Logon Ticket Cache
853878         HTTP White List Check (Security)
