SAP Web Dispatcher as a URL Filter

You can use the SAP Web dispatcher as a URL filter. This means requests are accepted or rejected by the SAP Web dispatcher depending on their URL.

Purpose

This SAP Web Dispatcher function provides additional security. In addition to the secure configuration with a firewall and a demilitarized zone (see the graphic in Architecture and Functions of the SAP Web Dispatcher), you can use the URL filter to prevent external users from executing applications. Even if users are able to log on to the SAP system without permission, you can specify explicitly which applications can be executed.

Authentication Handler

In addition to the URL filter function described here, the authentication handler function of the Web Dispatcher provides a significantly more thorough security check. If you set up the authentication handler using parameter icm/HTTP/auth_<xx>, you can deactivate both the configuration described here and the authentication for the Web-based administration interface (option AUTHFILE of parameter icm/HTTP/admin_<xx>).

Prerequisites

You are using the SAP Web dispatcher as the only point of access for HTTP(S) requests.

Features

Use the URI permission table to determine the rules according to which the SAP Web dispatcher should handle incoming URLs. This is a file that lists the rules in rows.

The principle "first match" applies as for the route permission table in the SAProuter. The first entry in the table that matches a request is valid. The other rows are no longer important.

Syntax

Each row has the form

    P/D/S <URI-pattern>

where the letter at the start of the row has the following meaning.

  • P lets the request through. It is forwarded by the SAP Web dispatcher to the appropriate application server.

  • D refuses the request and sends a message to the client.

  • S only allows secure connections (HTTPS) for the URL prefix.

  • <URI-pattern> is the part of the URL that is referred to as the translated path in the section on the cache key.

  • You can use the wildcard character *, but only at the start or the end of the <URI-pattern> string.

Caution

Note that the URI permission table is case-sensitive.

In addition to profile parameter wdisp/permission_table (see below), there are further profile parameters that you can use to control the size of the URI permission table. You can find detailed information, including the maximum and minimum values, in the parameter documentation (transaction RZ11).

Parameter | Unit | Meaning | Default Value
--- | --- | --- | ---
wdisp/max_permitted_uri_len | Integer | Maximum length of the URI (number of characters) | 2048
wdisp/permitted_uri_char_range | n-m (n<m, integers) | The range (ASCII) in which the URL characters must lie; 32-127 are the normal keyboard characters, for example. No entry permits all characters in the URL. | -
wdisp/max_permission_table_size | Integer | Maximum number of entries (rows) in the URI permission table | 300
wdisp/max_permission_table_entry_size | Integer | Maximum number of characters in one entry (row) of the URI permission table | 256

Activities

If you want to use the SAP Web Dispatcher as a URL filter, create a file <ptabfile> in which you enter the rules. Note that every URL is evaluated according to the first-match strategy, that is, the first rule in the table that matches the URL is used and the remaining rules are not searched. An example of such a file is given below.

Once you have created the table, set parameter wdisp/permission_table in the SAP Web Dispatcher profile:

    wdisp/permission_table = <ptabfile>

where <ptabfile> is the absolute or relative path of the file.

For more information, see Example: Profile File of an SAP Web Dispatcher.

Example

A URI permission table could look like this:

    # SAP Web Dispatcher test permission table
    P       /sap/bc/test.cgi
    D       *.cgi
    P       /sap/bc/cachetest
    P       /sap/bc/public/*
    P       /sap/bc/ping
    D       *

The table reflects the following configuration.

The CGI script test.cgi under /sap/bc may be executed (row 1); the request is forwarded by load balancing to the appropriate SAP NetWeaver AS (see Server Selection and Load Balancing Using the SAP Web Dispatcher). No other CGI script may be executed (row 2).

Note

First match means that if the first two rows of the table were swapped, /sap/bc/test.cgi could not be executed either: since the first row (D *.cgi) already matches the URL, the second is not evaluated at all.

The HTTP request handler behind ICF service /sap/bc/cachetest may be executed, as may all ICF services under /sap/bc/public/ and the connection test service /sap/bc/ping (rows 3-5). No ICF service that is not explicitly listed here may be executed (row 6); the SAP Web Dispatcher rejects such requests.

Recommendation: Use Positive Lists

Since the URI permission table is case-sensitive, it is important to create the table as a positive list. List all URLs that the SAP Web Dispatcher is to permit and, at the end of the table, add the row D *. With this approach, URLs that are actually correct may still be rejected (in the example above, a differently capitalized spelling of /sap/bc/ping, which the ICF would still recognize), but you avoid the problem that URLs could bypass the filter because they are spelled differently from a URL prohibited with D. The table above is an example of a positive list. CGI scripts must be written in lower case in order to be executed, so the D *.cgi row does not leave a security gap.
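As an added example that is not part of the SAP documentation, the following Python model reproduces the rules described above (first match, P/D/S actions, wildcard only at the start or end, case-sensitive comparison) over a constructed copy of the example table, so that a table can be checked against sample URLs before it is deployed. It assumes that a pattern without * must match the translated path exactly and that the path is passed without a query string; neither detail is spelled out on the page.

```python
# Constructed copy of the example table from the page (comments are allowed).
PERMISSION_TABLE = """\
# SAP Web Dispatcher test permission table
P       /sap/bc/test.cgi
D       *.cgi
P       /sap/bc/cachetest
P       /sap/bc/public/*
P       /sap/bc/ping
D       *
"""


def parse_table(text):
    """Return a list of (action, pattern) tuples; blank and comment lines are skipped."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"line {lineno}: expected 'P/D/S <URI-pattern>'")
        action, pattern = parts
        if "*" in pattern.strip("*"):  # wildcard is only allowed at the start or the end
            raise ValueError(f"line {lineno}: '*' is only allowed at start or end")
        rules.append((action, pattern))
    return rules


def matches(pattern, path):
    """Case-sensitive match: /sap/bc/PING does not match /sap/bc/ping."""
    if pattern == "*":
        return True
    if pattern.startswith("*") and pattern.endswith("*"):
        return pattern[1:-1] in path
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern  # assumption: no wildcard means an exact match


def decide(rules, path, https=False):
    """First match wins: returns ('permit' | 'deny', rule number) or (None, None)."""
    for number, (action, pattern) in enumerate(rules, 1):
        if matches(pattern, path):
            if action == "S":  # S permits the URI only over HTTPS
                return ("permit" if https else "deny"), number
            return ("permit" if action == "P" else "deny"), number
    return None, None  # no rule applies; a positive list avoids this by ending with 'D *'
```

Swapping the first two rows of the constructed table makes decide() deny /sap/bc/test.cgi at rule 1, which is the first-match effect described in the note above.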