Former Member

Web Dispatcher Security Issue

Hello,

When coming in to XI via the Web Dispatcher, URL https://webdisp:443/sap/xi/adapter_plain, the normal authentication is done after the SSL handshake, so all data transferred is encrypted.

However, it is also possible to log on via the URL https://webdisp:443/sap/xi/adapter_plain?sap-user=user&sap-password=pw, which is sent before the line is encrypted, thus username and password are visible on the Internet.

Not a good thing.

Most business partners should be responsible enough to use the right URL, but I want to make sure nobody can use the wrong one.

Does anybody know how to change this behaviour, or if it can be changed at all?

So far I could not find an answer to this.

Best regards,

Andreas


2 Answers

  • Best Answer
    Former Member
    Feb 05, 2008 at 08:59 AM

    Hi Olivier,

    that is my issue - when sent in the URL, the username/password are not encrypted, and I want to make sure that it is not even possible to authenticate this way.

    I use SSL re-encryption, but the same holds true for all methods, because the URL is on the Internet before any SSL-handshake takes place.

    Best regards,

    Andreas

    Edited by: Andreas Niewerth on Feb 5, 2008 10:23 AM


  • Former Member
    Feb 04, 2008 at 06:43 PM

    Hi Andreas,

    Are you really sure that the user and password are sent encrypted when sent in the URL line?

    I did not understand it in that way.

    You don't tell us in your example what the SSL role of the Web Dispatcher is.

    SSL termination?

    SSL router?

    SSL re-encryption?

    Regards,

    Olivier
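
One way to check whether any partner still uses the query-string logon described in this thread is to scan request lines from an access log for the `sap-user` / `sap-password` parameters. This is an added example, not code from the original posts or from SAP; the log line layout, the function names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names taken from the URL quoted in the question.
CRED_PARAMS = {"sap-user", "sap-password"}

# Assumed log layout: client address first, then a quoted "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation addresses, placeholder credentials).
SAMPLE = [
    '192.0.2.10 - - [05/Feb/2008:08:59:00 +0100] "POST /sap/xi/adapter_plain HTTP/1.1" 200 0',
    '192.0.2.11 - - [05/Feb/2008:09:01:12 +0100] "POST /sap/xi/adapter_plain?sap-user=user&sap-password=pw HTTP/1.1" 200 0',
    '192.0.2.12 - - [05/Feb/2008:09:02:40 +0100] "POST /sap/xi/adapter_plain?SAP-User=user HTTP/1.1" 401 0',
]


def find_url_logons(lines):
    """Return one finding per request that carries logon data in the query string."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line in the assumed layout
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names, so sap%2Duser is caught as well.
        # Lower-casing is a conservative choice, not a claim about server matching.
        names = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
        hits = sorted(names & CRED_PARAMS)
        if hits:
            findings.append({"line": lineno, "client": m.group("client"),
                             "path": parts.path, "params": hits})
    return findings


def redact(line):
    """Mask literally spelled credential values so the line can go into a ticket."""
    return re.sub(r'(?i)(sap-(?:user|password)=)[^&\s"]*', r"\1***", line)


if __name__ == "__main__":
    for f in find_url_logons(SAMPLE):
        print(f, redact(SAMPLE[f["line"] - 1]))
```
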
