Checking and Validating Application Requests
SAP Gateway can check and verify the semantically correct state of technical and business context (such as, the status of business objects, and interdependencies of arguments) supplied by the requests coming from consumer applications.
Checks and validations are applicable as follows:
Deploying and running applications securely in segmented networks.
Entries received through component interfaces.
For more information, see Checks and Validations of Entries Received through Components.
Developers of consumer applications, targeted to run on SAP Gateway must decide whether semantic checks and validations are relevant for their applications.
We recommend that you implement semantic validation in the following cases:
Where checks and verifications on the SAP Gateway hub are simple to implement, and do not require huge sets of replicated data.
Where the checks and validation can enormously improve performance, as no additional round-trip to the backend is required, because the request can be rejected or answered on the SAP Gateway hub (for use in cases where public data is requested frequently). This data can be replicated to the hub.
Implementation Proposal
You must deploy the IW_BEP add-on component in the SAP Gateway hub server.
Use the OData Channel of the SAP Netweaver to implement your specific business Data Provider Class (a subclass of the abstract class /IWBEP/CL_MGW_ABS_DATA). The class must contain all the necessary checks for validating an incoming request from the business perspective.
ExampleIn case you must read an entity in the backend, the class must check if the supplied key property in the request conforms with its definition in the backend system.
Certain data must be replicated to the SAP Gateway hub from the backend system for validation, such as, F4 Helps, application specific customizing, or certain tables.
NoteWhere you must replicate private information (non-public data) in the SAP Gateway hub, you must protect it at the same level as in the backend system, by replicating the authorization concept to the hub as well.
To support secure network setup, make sure that the following is met:
Base all network communications on the TCP/IP family of protocols.
The IPv6 protocol must be supported including privacy enhancements.
No addresses, including host names, IP addresses, port numbers, and any combination of these, must be hardcoded.
No IP addresses must be used as return and callback addresses in communication protocols, for example, FTP and DCOM..
Connection setup requests, such as, TCP SYN, shall always occur from one and from only the same peer.
For applications that are exposed to the Internet, a protocol boundary must exist between product components implementing input validation functions, and business logic functions.
You should be able to run input validation functions, and business logic, on two separate hosts.
Applications on mobile devices must not act as a server listening on an open port, and accepting connection setup requests from clients.
Only client connections that have been initiated by mobile applications (authorized by the user), and the mobile platform's standard notification services must receive data and messages.
For more information, see Checks and Validations of Entries Received through Components.