You can use the SAP Web dispatcher as a URL filter. This means requests are accepted or rejected by the SAP Web dispatcher depending on their URL.
This SAP Web dispatcher function provides additional security. In addition to the secure configuration with a firewall and a demilitarized zone (see the graphic in Architecture and Functions of the SAP Web Dispatcher), you can use the URL filter to prevent external users from executing applications. Even if users are able to log on to the SAP System without permission, you can specify explicitly which applications can be executed.
In addition to the URL filter function described here, the authentication handler function of the Web Dispatcher provides a significantly more thorough security check. If you set up the authentication handler using parameter icm/HTTP/auth_<xx>, you can deactivate both the configuration described here and the authentication for the Web-based administration interface (option AUTHFILE of the parameter icm/HTTP/admin_<xx>).
You are using the SAP Web dispatcher as the only point of access for HTTP(S) requests.
Use the URI permission table to determine the rules according to which the SAP Web dispatcher should handle incoming URLs. This is a file that lists the rules in rows.
The "first match" principle applies, as for the route permission table in SAProuter: the first entry in the table that matches a request is the one that takes effect. The remaining rows are not considered.
Each row has the form <P|D|S> <URI pattern>, where the letter at the start of the row has the following meaning.
P lets the request through. It is forwarded by the SAP Web dispatcher to the appropriate application server.
D refuses the request and sends a message to the client.
S only allows secure connections (HTTPS) for the URL prefix.
<URI pattern> is the part of the URL that is referred to as the translated path in the section on the cache key.
You can use the wildcard character *, but only at the start or at the end of the <URI pattern> string.
Note that the URI permission table is case sensitive.
In addition to profile parameter wdisp/permission_table (more information below), there are further profile parameters that you can use to control the size of the URI permission table. You can find detailed information, including the maximum and minimum values, in the parameter documentation (transaction RZ11). These parameters control:
Maximum length of the URI (number of characters)
The range (ASCII codes) within which the URL characters must lie; 32-127, for example, covers the normal keyboard characters. If the parameter is not set, all characters are permitted in the URL.
Maximum number of entries (rows) in the URI permission table.
Maximum number of characters of one entry (row) in the URI permission table.
If you want to use the SAP Web dispatcher as a URL filter, create a file <ptabfile> in which you enter the rules. Note that every URL is evaluated according to the first-match strategy, that is, the first rule in the table that matches the URL is applied and the table is not searched for any further rules. An example of such a file is given below.
Once you have maintained the table, you must set parameter wdisp/permission_table in the SAP Web dispatcher profile:
wdisp/permission_table = <ptabfile>,
where <ptabfile> is the absolute or relative path of the file.
For more information, see: Example: Profile file of an SAP Web Dispatcher
A URI permission table could look like this:
# SAP Web Dispatcher test permission table
P /sap/bc/test.cgi
D *.cgi
P /sap/bc/cachetest
P /sap/bc/public/*
P /sap/bc/ping
D *
The table reflects the following configuration.
The CGI script test.cgi under /sap/bc may be executed (row 1); the request is forwarded by load balancing to the appropriate SAP NetWeaver AS (see Server Selection and Load Balancing Using the SAP Web Dispatcher). No other CGI script may be executed (row 2).
First match means that if the first two rows of the table were swapped, /sap/bc/test.cgi could not be executed either: since the first row (D *.cgi) already matches the URL, the second row is not evaluated at all.
The HTTP request handler behind ICF service /sap/bc/cachetest may be executed, as may all ICF services under /sap/bc/public/ and the connection test service /sap/bc/ping (rows 3-5). No ICF service that is not explicitly listed here may be executed (row 6); the SAP Web dispatcher rejects such requests.
Use Positive Lists
Since the URI permission table is case sensitive, it is important to create the table as a positive list: list all URLs that the SAP Web Dispatcher is to permit, and put the row D * at the end of the table. With this approach, some URLs that are correct may still be rejected (in the example above, /sap/bc/ping written in a different case, which the ICF would still recognize), but you do not have the problem that URLs could bypass the Web Dispatcher because they are spelled differently from a prohibited URL marked with D. The table above is an example of a positive list. CGI scripts must be written in lower case to be executed, so this is not a security gap.
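The following is an added illustration, not SAP code: a small Python model of the permission table semantics this page describes (first match wins, case-sensitive comparison, wildcard only at the start or end of a pattern, S rows only forwarded over HTTPS). It is run against the example table above and against a constructed negative list (D *.cgi followed by P *) and a constructed swapped table, to show the first-match effect and why the positive list closes the case-spelling gap. The behaviour for a path that matches no row at all is an assumption (rejection); the page does not state it.

```python
from typing import List, Tuple

def parse_table(text: str) -> List[Tuple[str, str]]:
    """Parse rows '<P|D|S> <URI pattern>'; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, pattern = line.split(None, 1)
        if action not in ("P", "D", "S"):
            raise ValueError(f"unknown action in row: {line!r}")
        if "*" in pattern.strip("*"):  # page: wildcard only at start or end
            raise ValueError(f"wildcard only allowed at start or end: {pattern!r}")
        rules.append((action, pattern))
    return rules

def matches(pattern: str, path: str) -> bool:
    """Case-sensitive; a leading/trailing '*' matches any suffix/prefix ('*' alone: all)."""
    core = pattern.strip("*")
    if pattern.startswith("*") and pattern.endswith("*"):
        return core in path
    if pattern.startswith("*"):
        return path.endswith(core)
    if pattern.endswith("*"):
        return path.startswith(core)
    return path == pattern

def decide(rules: List[Tuple[str, str]], path: str, https: bool = False) -> str:
    """First match wins: returns 'P' (forward) or 'D' (reject). An S row forwards
    only over HTTPS. Assumption (not stated on the page): no match means reject."""
    for action, pattern in rules:
        if matches(pattern, path):
            return ("P" if https else "D") if action == "S" else action
    return "D"

# The permission table from this page, verbatim.
PAGE_TABLE = """# SAP Web Dispatcher test permission table
P /sap/bc/test.cgi
D *.cgi
P /sap/bc/cachetest
P /sap/bc/public/*
P /sap/bc/ping
D *
"""
# Constructed counter-example: a negative list that only forbids CGI scripts.
NEGATIVE_LIST = "D *.cgi\nP *\n"
# Constructed: the first two rows of the page's table swapped (first-match effect).
SWAPPED = "D *.cgi\nP /sap/bc/test.cgi\nD *\n"
```

Running decide() with the path /sap/bc/TEST.CGI returns D for the page's positive list but P for the negative list, which is exactly the case-spelling bypass the positive-list rule avoids.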