Skip to Content
0
May 13, 2005 at 09:51 AM

Security hole when I use BSP iViews with User Mapping !?

23 Views

Hello all,

We're using some standard BSP iViews with user mapping because there is a group of users that access to them using the same user and password.

Then I've noticed that if you click on the BSP with the right button of your mouse (contextual menu) and select "Properties" (if you are using IE) you can see the BSP url with a lot of parameters:

http:// : /sap( )/bc/bsp/sap/ / default.htm? &sap-user= &sap-password=

And the mapped user and password is shown too! So everyone can see this info... Is there any way to hide this user and password send it using POST method instead of GET method?

I know that if you use POST method someone can obtain this info too using a simple sniffer, but then I can use SSL and encrypt the transmited info.

When I do the same with a BW Report iView using mapped user and password I only can see the bw url: http://<bw_name>:<bw_port>/sap/bw/BEx.

Thanks in advance and best regards,

jc!