Security Aspects for BSP
It is important to consider security aspects when you create Web applications using the BSP programming model. Security functions are available both when you create BSP applications and when you operate them.
For basic information about security aspects in an AS-ABAP system in which you are creating your BSP application, see Network Infrastructure and Security and User Administration.

Note in particular Configuration for SSL Support.
The logon ticket cache function is provided to increase performance when there are multiple logons.
Certain virus scan profiles are delivered by SAP in the standard system. A virus scan can be performed when uploading via HTTP (see also Virus Scan Interface).
The Internet Communication Manager (ICM) receives HTTP requests from the Internet and returns a response.
To access a BSP application, AS-ABAP uses the HTTP framework, the Internet Communication Framework (ICF), which provides functions for logging on to the AS-ABAP.

Refer to Activating and Deactivating Services. For security reasons, only the services that you really need should be active in the HTTP service tree. If, however, you activate nodes at a higher level, the whole part of the service tree below this level is also active and completely open, and is therefore not secure, for instance if an anonymous user is defined.
You can find a list of the services required for each usage scenario in Business Server Pages Administration.
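The following is an added illustration of the rule above, not SAP code: it models a service tree in which activating a node also exposes everything below it, and in which stored (anonymous) logon data on a node is inherited by its descendants unless they carry their own (both are modelling assumptions for this example). The audit compares what is actually reachable with the services a usage scenario requires and flags the rest, singling out those that anonymous callers can reach. All paths and flags are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class ServiceNode:
    """One node of an HTTP service tree (constructed model, not the ICF API)."""
    path: str
    active: bool = False          # activated by an administrator, subtree included
    anonymous: bool = False       # stored logon data lets anonymous callers in
    children: List["ServiceNode"] = field(default_factory=list)


def reachable_services(root: ServiceNode) -> Dict[str, bool]:
    """Return {path: reachable_anonymously} for every reachable node.

    Assumptions: activating a node activates everything below it, and
    stored logon data is inherited by descendants unless they have their own.
    """
    out: Dict[str, bool] = {}

    def walk(node: ServiceNode, parent_active: bool, parent_anon: bool) -> None:
        active = node.active or parent_active
        anon = node.anonymous or parent_anon
        if active:
            out[node.path] = anon
        for child in node.children:
            walk(child, active, anon)

    walk(root, False, False)
    return out


def ancestors(path: str) -> Set[str]:
    """All proper prefixes of a service path: '/a/b/c' -> {'/a', '/a/b'}."""
    parts = path.strip("/").split("/")
    return {"/" + "/".join(parts[:i]) for i in range(1, len(parts))}


def audit(root: ServiceNode, required: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Compare exposure with the services a usage scenario needs.

    Returns (over_exposed, over_exposed_anonymously): reachable services that
    are neither required nor on the path to a required service, and the
    subset of those that anonymous callers can reach.
    """
    allowed = set(required)
    for path in required:
        allowed |= ancestors(path)          # parents must stay active for a child
    reachable = reachable_services(root)
    over = {p for p in reachable if p not in allowed}
    over_anon = {p for p in over if reachable[p]}
    return over, over_anon


def sample_tree() -> ServiceNode:
    """Constructed sample: an administrator activated /sap/bc as a whole and
    /sap/public with anonymous logon data, instead of single services."""
    myapp = ServiceNode("/sap/bc/bsp/sap/myapp")
    legacy = ServiceNode("/sap/bc/bsp/sap/legacy_app", anonymous=True)
    test = ServiceNode("/sap/bc/bsp/sap/test_app")
    bsp_sap = ServiceNode("/sap/bc/bsp/sap", children=[myapp, legacy, test])
    bsp = ServiceNode("/sap/bc/bsp", children=[bsp_sap])
    bc = ServiceNode("/sap/bc", active=True, children=[bsp])
    ur = ServiceNode("/sap/public/bc/ur")
    public_bc = ServiceNode("/sap/public/bc", children=[ur])
    public = ServiceNode("/sap/public", active=True, anonymous=True,
                         children=[public_bc])
    return ServiceNode("/sap", children=[bc, public])


# Constructed "usage scenario" list of required services.
SAMPLE_REQUIRED = {"/sap/bc/bsp/sap/myapp", "/sap/public/bc/ur"}


if __name__ == "__main__":
    over, over_anon = audit(sample_tree(), SAMPLE_REQUIRED)
    for path in sorted(over):
        tag = "ANONYMOUS" if path in over_anon else "authenticated"
        print(f"over-exposed: {path} ({tag})")
```

Running the sample reports the two applications that were only activated as a side effect of activating /sap/bc, and marks legacy_app as reachable without authentication; deactivating the parent node and activating just the two required services clears both findings.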
To create logon procedures for your BSP application, there is a simple procedure for developing and configuring the system logon. Security functions are included in this procedure. For more information, see System Logon.
A browser accesses your BSP application using HTTP or HTTPS. The most important aspects are summarized in Accessing a BSP Application.
You can also specify that your BSP application should always be accessed using HTTPS. You can find more information about defining the transmission options in the description of the Properties of a BSP Application.
You have to configure the Secure Sockets Layer (SSL) so that your BSP application can communicate with the browser over HTTPS. Make sure that your BSP application supports HTTP POST requests. For more information, see SAP Note 904249.
A white list infrastructure in the HTTP framework fends off XSS attacks.
Security Risk List
See URL Generation in an AS-ABAP - Web Dispatcher Configuration.
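The following is an added example of the principle behind such a white list, not SAP's implementation (the real check is configured as described in SAP Note 853878 and is not replicated here): an externally supplied URL, for instance a redirect or exit target passed as a request parameter, is accepted only if its scheme, host, port and path prefix match an allow-list entry, and is replaced by a safe default otherwise. The allow-list entries and hostnames are constructed; `ALLOW_LIST`, `is_allowed_url` and `safe_redirect_target` are names chosen for this example.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed allow-list: (scheme, host pattern, port, path prefix).
# A '*' in the host pattern matches one or more labels before the fixed suffix.
ALLOW_LIST = [
    ("https", "portal.example.com", 443, "/"),
    ("https", "*.example.com", 443, "/sap/bc/bsp/"),
    ("http", "intranet.example.local", 8000, "/sap/bc/bsp/sap/"),
]

DEFAULT_PORTS = {"http": 80, "https": 443}


def is_allowed_url(url: str, allow_list=ALLOW_LIST) -> bool:
    """True only if url matches an allow-list entry exactly on scheme, host,
    port and path prefix. Anything the parser cannot pin down is rejected."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname            # lower-cased; userinfo ('user@') stripped
    if not scheme or host is None:   # relative, scheme-less ('//host') or 'javascript:'
        return False
    try:
        port = parts.port            # ValueError on a non-numeric port
    except ValueError:
        return False
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
    path = parts.path or "/"
    if any(segment == ".." for segment in path.split("/")):
        return False                 # do not let '..' escape the allowed prefix
    for a_scheme, a_host, a_port, a_prefix in allow_list:
        if (scheme == a_scheme and fnmatchcase(host, a_host)
                and port == a_port and path.startswith(a_prefix)):
            return True
    return False


def safe_redirect_target(candidate: str, default: str) -> str:
    """Return the caller-supplied target if it is allow-listed, else a fixed
    application-internal default. This is the point at which an injected
    URL would otherwise reach the browser."""
    return candidate if is_allowed_url(candidate) else default


if __name__ == "__main__":
    for u in ["https://portal.example.com/sap/bc/bsp/sap/myapp",
              "https://portal.example.com@evil.net/",
              "javascript:alert(1)",
              "//evil.net/sap/bc/bsp/"]:
        print(f"{u!r}: {'allowed' if is_allowed_url(u) else 'rejected'}")
```

The check is deliberately a positive match rather than a search for known-bad patterns: userinfo tricks (`https://portal.example.com@evil.net/`), scheme-relative URLs, non-HTTP schemes and port mismatches all fail simply because no entry matches them, without the code having to enumerate them.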
Relevant SAP Notes
SAP Note Number | Title
510007 | Setting up SSL on the Web Application Server
517860 | Logging on to BSP Applications
434918 | DNS Configuration for BSP Applications under Windows 2000
420085 | Logon Ticket Cache
853878 | HTTP White-List Check (Security)
904249 | Allow BSP to be started with a POST request