SAP NetWeaver Newbie

Filtering URLs by using Permission Table in SAP Web Dispatcher

Let us say you have installed a Web Dispatcher in the DMZ so that business partners can send SOAP messages to you over the internet. From a security perspective, you may want the business partners to access the SOAP URLs alone; they should not even be calling admin-related URLs.

To achieve this, you can use a permission table (ptab) in the Web Dispatcher.

Create a file (say ptabfile) which allows the SOAP URL pattern /XISOAPAdapter/MessagingServlet*, so that a call to the SOAP URL (http://<host>:<port>/XISOAPAdapter/MessagingServlet?channel=<party>:<sendersystem>:<CC_sender>) is permitted. The contents of the file would then be:

P    /XISOAPAdapter/MessagingServlet*
D   *

Add the following parameter to the web dispatcher profile file:
wdisp/permission_table = <absolute_path_to_ptabfile>

Restart the Web Dispatcher to activate the change.

When a call is made to the Web Dispatcher with a URL matching the pattern http(s)://<web dispatcher host>:<web dispatcher port>/XISOAPAdapter/MessagingServlet*, the Web Dispatcher reads the first line of the ptabfile and finds that the URL is permitted. As the rule matches, it stops evaluating further rules (thereby ignoring the deny-all pattern D   *). The end result is that the caller can proceed.

If, for example, a call is made to the WD admin port (http(s)://<web dispatcher host>:<web dispatcher port>/sap/admin), the WD evaluates the first line, finds it irrelevant, then proceeds to the next line, which matches the URI and evaluates to a deny all. The end user/business partner calling this URL will get a 403 error.
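
The first-match evaluation described above can be checked offline before a ptabfile is deployed. The following is an added example, not SAP code and not part of the original post: a small Python model that assumes only the P and D prefixes shown here, treats * as "any run of characters", and matches against the URL path. The host name wd.example.com and the channel values are constructed.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the two rules from the post.
PTAB = """\
P    /XISOAPAdapter/MessagingServlet*
D   *
"""

def parse_ptab(text):
    """Parse P/D lines into (line_no, action, regex) tuples, in file order."""
    rules = []
    for no, line in enumerate(text.splitlines(), 1):
        parts = line.split(None, 1)
        if not parts:
            continue  # blank line
        if len(parts) != 2 or parts[0] not in ("P", "D"):
            raise ValueError(f"line {no}: not modelled here: {line!r}")
        # Assumption: '*' is the only wildcard; everything else is literal.
        rx = "".join(".*" if c == "*" else re.escape(c) for c in parts[1].strip())
        rules.append((no, parts[0], re.compile(rx)))
    return rules

def evaluate(rules, url):
    """Return (action, line_no) of the first matching rule, or (None, None)."""
    path = urlsplit(url).path  # assumption: the query string is not matched
    for no, action, rx in rules:
        if rx.fullmatch(path):
            return action, no
    return None, None

if __name__ == "__main__":
    rules = parse_ptab(PTAB)
    for url in (
        "https://wd.example.com:8443/XISOAPAdapter/MessagingServlet?channel=P:S:CC",
        "https://wd.example.com:8443/sap/admin",
        # The trailing '*' also permits any longer path with the same prefix.
        "https://wd.example.com:8443/XISOAPAdapter/MessagingServletOther",
    ):
        print(evaluate(rules, url), url)
    # Order matters: with the deny-all first, the SOAP URL is denied too.
    swapped = parse_ptab("D *\nP /XISOAPAdapter/MessagingServlet*\n")
    print(evaluate(swapped, "https://wd.example.com:8443/XISOAPAdapter/MessagingServlet"))
```

In this model, swapping the two lines denies every request, and the trailing * on the permit rule admits any path that begins with /XISOAPAdapter/MessagingServlet, so the permit pattern should be kept as narrow as the partners' calls allow.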

© 2008 - 2017 sapnwnewbie. All rights reserved.