Former Member
Apr 10, 2012 at 10:04 AM

How to disable scripting attack on J2EE- (SAP Note 1651004)


We applied some Java patches on our Solution Manager 7.1, just upgraded, as per OSS Note 1639266, and then we found out we are unable to log on to the /nwa or /sld services of the J2EE.

A blank, empty page is displayed, without any error popup.

Every time we try to access these pages, or /useradmin too, this error is logged in the default trace file:

".......
#1.#D2F75EB47F03006C00000001006100340004BD4FA23DF9BA#1334049628879#com.sap.engine.services.security.authentication.logonapplication#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logonapplication.executeRequest#J2EE_GUEST#0##69ECEE1F82EE11E19D6D00000035F4B2#69ecee1f82ee11e19d6d00000035f4b2-0#69ecee1f82ee11e19d6d00000035f4b2#SAPEngine_Application_Thread[impl:3]_19##0#0#Fatal##Java###Fatal Logon error
[EXCEPTION]
{0}#1#com.sap.security.core.logonadmin.AccessToLogicException: Error while executing the compilation process: [/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334049627523.java:97: cannot resolve symbol
symbol : variable BLOCK_EXT_LOGON_APP_EMBEDDING
location: class com.sap.security.core.util.imp.LogonUtils
boolean isFrameEmbeddingDisabled = UMFactory.getProperties().getBoolean(LogonUtils.BLOCK_EXT_LOGON_APP_EMBEDDING, false);
........... " ^

We took a look into the file:

/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334050873388.java

and we found this, among other things:

"....
Check if the logon application can be embedded in pages from different locations. If not, it will not be displayed at all.
.....
An access denied error will be thrown here if the page that embeds the logon page is in a different domain. Essentially this is the very problem fixed by this JavaScript, but not all browsers ban access between the document objects of the two frames (i.e. some browsers will not throw an error when the embedded page tries to access the embedding page).
.......
A possible Cross-Frame Scripting attack has been prevented. Please contact your system administrator
or refer to SAP Note 1651004 for more information
......."

Practically, for some reason the system is treating my legitimate access attempts as a cross-frame scripting attack, locking me out of the system.

I read SAP Note 1651004, but in the Config Tool I'm not able to find the property indicated, so I cannot verify its value.

Any advice on how to disable the scripting protection?

Regards
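The JSP comments quoted in the post describe the mechanism behind the "Cross-Frame Scripting attack has been prevented" message: the logon page checks whether it is embedded by a page from another origin, relying on the browser throwing a same-origin error when the embedded document touches the embedding window, with a fallback for browsers that do not throw. The following is an added illustration of that check, written for this page and not SAP's code from the logon JSP. It takes the window object as a parameter and uses constructed fake windows so it runs under Node.js; the origins, the `blockExternalEmbedding` switch and the helper names are assumptions for the example, not the property referenced by SAP Note 1651004.

```javascript
// Added example (not SAP's logon page code): classify how a logon page is framed
// and decide whether it may render when external embedding is blocked.

// Returns "top-level", "same-origin-frame" or "cross-origin-frame" for a
// window-like object `win` (the real browser `window`, or a fake for testing).
function classifyEmbedding(win) {
  // Not framed at all: the document is the top-level window.
  if (win.top === win) {
    return "top-level";
  }
  // Framed. Reading top.location from a cross-origin embedder makes the browser
  // throw (same-origin policy); as the quoted comment notes, some browsers do
  // not throw, so the origin is compared explicitly as well.
  let topOrigin;
  try {
    topOrigin = win.top.location.origin;
  } catch (err) {
    return "cross-origin-frame";
  }
  if (topOrigin !== win.location.origin) {
    return "cross-origin-frame";
  }
  return "same-origin-frame";
}

// Decision the page would take: block rendering only when framed cross-origin
// AND the (assumed) "block external embedding" switch is on; otherwise render.
function shouldRenderLogon(win, blockExternalEmbedding) {
  const kind = classifyEmbedding(win);
  if (kind === "cross-origin-frame" && blockExternalEmbedding) {
    return { render: false, reason: "A possible Cross-Frame Scripting attack has been prevented." };
  }
  return { render: true, reason: kind };
}

// --- Constructed fake windows for offline demonstration (not real browser objects) ---
const LOGON_ORIGIN = "https://sapserver.example:50000"; // assumed origin

function topLevelWindow() {
  const w = { location: { origin: LOGON_ORIGIN } };
  w.top = w; // a top-level window is its own top
  return w;
}

function sameOriginFramedWindow() {
  // Portal page on the same origin framing the logon page.
  return { location: { origin: LOGON_ORIGIN }, top: topLevelWindow() };
}

function crossOriginFramedWindow() {
  // Embedder on another origin; a standards-compliant browser throws on access.
  const top = { location: {} };
  Object.defineProperty(top.location, "origin", {
    get() { throw new Error("SecurityError: blocked a frame from accessing a cross-origin frame"); },
  });
  top.top = top;
  return { location: { origin: LOGON_ORIGIN }, top };
}

function lenientCrossOriginFramedWindow() {
  // Browser that does NOT throw (the case the quoted comment warns about):
  // the explicit origin comparison must still catch it.
  const top = { location: { origin: "https://other.example" } };
  top.top = top;
  return { location: { origin: LOGON_ORIGIN }, top };
}

// Stand-alone demo: prints the decision for each constructed case.
if (typeof require !== "undefined" && require.main === module) {
  for (const [name, w] of [
    ["top-level", topLevelWindow()],
    ["same-origin frame", sameOriginFramedWindow()],
    ["cross-origin frame (throws)", crossOriginFramedWindow()],
    ["cross-origin frame (no throw)", lenientCrossOriginFramedWindow()],
  ]) {
    console.log(name, "->", JSON.stringify(shouldRenderLogon(w, true)));
  }
}
```

Note that the check in the post fails before any of this logic runs: the JSP could not even be compiled because the `BLOCK_EXT_LOGON_APP_EMBEDDING` constant was missing from the deployed `LogonUtils` class, which is why a blank page rather than the "attack prevented" message is shown. The example above shows only what the protection decides once the page does compile; for a defender, the two cases worth distinguishing are a legitimate same-origin portal frame (allowed) and an external embedder (blocked when the switch is on).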