Former Member

Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table

Hi all

We want to use the SAP Web Dispatcher 720P113 to secure our external facing NetWeaver 7.3 Portal.

The Web Dispatcher can of course filter parts of the URL.

With this we would like to restrict the access from the internet to the necessary NetWeaver Portal Applications.

We hoped to create a minimum permission table file and started with the following:

#SAP Web Dispatcher permission table
P /irj/*
#DENY ALL
D *

Then we realised we also had to permit /logon_ui_resources/* to be able to see the logon screen. Afterwards we could log in, but could not see any portal images and so on.

Especially we don't want anyone to open /nwa or /sld or /startPage... and I don't know how many more critical URLs there are. Even if we block e.g. /sld, somebody who knows the complete URL webdynpro/dispatcher/sap.com/tcsldwd~main/Main can log in to SLD.

Of course we use SSL & firewall to the system, along with secure OS settings.

Has anyone implemented a permission table file with SAP Web Dispatcher and can supply us with a working, secure configuration or give any hints on how to identify critical portal applications?

BR

Michael


2 Answers

  • Best Answer
    Former Member
    Feb 20, 2012 at 05:16 PM

    Hello Michael,

    I had the same issue today and it was resolved by creating the permission file as follows:

    P /irj*
    P /irj/*
    P /logon_ui_resources/*
    P /logon_ui_resources*
    P /AFPServlet/*
    P /AFPServlet*
    P /com.sap*
    P /com.sap/*
    P /webdynpro/resources*
    P /webdynpro/resources/*
    

    In this case you will have all the images displayed and functional and it will block all the administration URLs.

    Maybe afterwards we should deny or permit other URLs depending on the needs.

    Hope that it helps you

    Hassan


    • Hi Experts,

      We want to restrict Administrator Group access like User administration, content administration and system administration access.

      We have maintained

      D /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*

      If we are accessing user admin directly, in that case it's restricting, but if we navigate through Role, in that case it's not working.

      Any suggestions?

      Regards,

      Meghal Shah

  • Feb 15, 2012 at 10:12 PM

    Hi,

    You can use any modern browser (IE has developer tools F12, Firefox has Firebug) to capture all URLs requested. So you can just browse your portal for a while and soon you'll get the basic URLs that need to be accessible. I haven't done this for Portal but for ABAP AS, and it was just a couple of URLs and a pretty easy process. Another approach could be to allow everything on the web dispatcher and check the access log for what URLs are requested.

    Cheers
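
An added example (not from the thread and not SAP code) of the log-based approach in the answer above: it replays request paths from an access log against a draft permission table and counts which path prefixes the draft would deny, so each can be reviewed before a P rule is written. The log lines are constructed, the log layout is an assumption, and the rule matching (trailing `*` as a prefix wildcard, first matching rule wins, unmatched paths denied) is a simplified assumption about the table semantics.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample log lines; the layout is an assumption, adjust REQUEST_RE
# to the log format actually configured on the Web Dispatcher.
SAMPLE_LOG = '''\
10.0.0.5 - - [15/Feb/2012:22:01:10 +0100] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.5 - - [15/Feb/2012:22:01:11 +0100] "GET /logon_ui_resources/css/logon.css HTTP/1.1" 200 812
10.0.0.5 - - [15/Feb/2012:22:01:11 +0100] "GET /logon_ui_resources/images/logo.gif HTTP/1.1" 200 2048
10.0.0.5 - - [15/Feb/2012:22:01:15 +0100] "GET /webdynpro/resources/sap.com/app/style.css?v=1 HTTP/1.1" 200 300
10.0.0.9 - - [15/Feb/2012:22:03:40 +0100] "GET /webdynpro/dispatcher/sap.com/tcsldwd~main/Main HTTP/1.1" 200 900
10.0.0.9 - - [15/Feb/2012:22:03:59 +0100] "GET /nwa HTTP/1.1" 302 0
'''
# Draft table from the question above.
DRAFT_TABLE = "#SAP Web Dispatcher permission table\nP /irj/*\n#DENY ALL\nD *\n"
REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

def parse_table(text):
    """Return [(action, pattern)] for every non-comment, non-empty line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            action, pattern = line.split(None, 1)
            rules.append((action.upper(), pattern.strip()))
    return rules

def decide(rules, path):
    """Assumed semantics: first matching rule wins; unmatched paths are denied."""
    for action, pattern in rules:
        if pattern.endswith("*"):
            hit = path.startswith(pattern[:-1])   # trailing * = prefix match
        else:
            hit = path == pattern
        if hit:
            return action
    return "D"

def requested_paths(log_text):
    """Extract request paths, dropping query strings."""
    return [urlsplit(m.group(1)).path for m in REQUEST_RE.finditer(log_text)]

def denied_prefixes(rules, paths, depth=2):
    """Count denied requests per leading path prefix, for manual review."""
    counts = Counter()
    for p in paths:
        if decide(rules, p) == "D":
            counts["/" + "/".join(p.strip("/").split("/")[:depth])] += 1
    return counts

if __name__ == "__main__":
    for prefix, n in denied_prefixes(parse_table(DRAFT_TABLE), requested_paths(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {prefix}")
```

A denied prefix in the output is a candidate for review, not automatically for a P rule: as the question notes, /webdynpro/dispatcher also fronts the SLD application, while /webdynpro/resources serves static content.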
