It is important to consider security aspects when you create Web applications using the BSP programming model. Security functions are available both for when you create BSP applications as well as for when you operate them.
Security in AS-ABAP
For basic information about security aspects in an AS-ABAP system in which you are creating your BSP application, see the security guide under
Network Infrastructure and
Security in AS-ABAP.
Note in particular the Configuration for SSL Support. Furthermore, a function is provided for increasing performance in the case of multiple logons, namely the
Certain Virus Scan Profiles are delivered by SAP in the standard system. A virus scan is possible during an HTTP upload (for more information, see Virus Scan Interface in the security guide).
The Internet Communication Manager (ICM) receives the HTTP requests from the Internet and returns a response.
Logging on to BSP Applications
To access a BSP application, AS ABAP uses the HTTP framework of the Internet Communication Framework (ICF), which provides the functions for logging on to the AS ABAP.
Refer in particular to Activating and Deactivating Services. For security reasons, only the services that you really need should be active in the HTTP service tree. If you activate a node at a higher level, the whole part of the service tree below that node is open; if an anonymous user is defined for that node, for example, every service below it is reachable without a logon.
You can find a list of the services required for each usage scenario in Business Server Pages Administration.
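As an added illustration (not SAP code and not part of this documentation), the following Python model applies the subtree semantics just described to a constructed slice of an ICF service tree: given the activated nodes and the services a usage scenario actually requires, it reports every service that is exposed without being needed. The paths and the required-services list are hypothetical.

```python
# Added example: models the ICF activation semantics described above.
# Service paths and the REQUIRED list are constructed samples, not taken
# from any real system.

SERVICE_TREE = [
    "/default_host/sap/bc/bsp/sap/myapp",
    "/default_host/sap/bc/bsp/sap/myapp2",
    "/default_host/sap/bc/bsp/sap/admin_tool",
    "/default_host/sap/bc/bsp/sap/legacy_demo",
    "/default_host/sap/public/bsp/sap/public/bc",
]

# Services a (hypothetical) usage scenario actually needs.
REQUIRED = [
    "/default_host/sap/bc/bsp/sap/myapp",
    "/default_host/sap/public/bsp/sap/public/bc",
]


def is_under(service: str, node: str) -> bool:
    """True if service is node itself or a descendant of node.

    Comparing against node + "/" avoids the prefix pitfall where an
    active .../myapp would otherwise appear to cover .../myapp2.
    """
    node = node.rstrip("/")
    return service == node or service.startswith(node + "/")


def exposed_services(tree, active_nodes):
    """All services reachable when the given nodes are active: activating
    a node opens the whole subtree below it."""
    return sorted(s for s in tree if any(is_under(s, n) for n in active_nodes))


def over_exposure(tree, active_nodes, required):
    """Exposed services that no usage scenario requires (the review finding)."""
    needed = set(required)
    return [s for s in exposed_services(tree, active_nodes) if s not in needed]


if __name__ == "__main__":
    # Activating the high-level BSP node versus only the needed leaves.
    broad = ["/default_host/sap/bc/bsp", "/default_host/sap/public/bsp/sap/public/bc"]
    narrow = list(REQUIRED)
    print("broad activation exposes :", over_exposure(SERVICE_TREE, broad, REQUIRED))
    print("narrow activation exposes:", over_exposure(SERVICE_TREE, narrow, REQUIRED))
```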
A simple procedure is available for developing and configuring the system logon for your BSP application. For more information, see System Logon.
Accessing a BSP Application
A browser accesses your BSP application using HTTP or HTTPS. The most important aspects are summarized in Accessing a BSP Application.
You can also specify that your BSP application must always be accessed using HTTPS. For more information about defining the transmission options, see the description of the Properties of a BSP application.
You have to configure Secure Sockets Layer (SSL) so that your BSP application can communicate securely with the browser. Make sure that your BSP application supports HTTP POST requests. For more information, see SAP Note 904249.
Security Risk List
A white list infrastructure in the HTTP framework fends off XSS attacks: Security Risk List
URL Generation
Notes
Note Number | Title
--- | ---
 | Setting Up SSL on the Web Application Server
 | Logging on to BSP Applications
 | DNS Configuration for BSP Applications under Windows 2000
 | Logon Ticket Cache
 | HTTP Whitelist Check (security)
 | Start BSP with a POST Request
 | BSP XSRF Framework as Transport Files (only for stateful applications)
 | XSRF Protection for Stateless BSP (also for stateless applications)