Former Member

How to disable scripting attack on J2EE- (SAP Note 1651004)

We applied some Java patches on our just-upgraded Solution Manager 7.1, as per OSS note 1639266, and then found out we are unable to log on to the /nwa or /sld services of the J2EE engine.

A blank, empty page is displayed, without any error popup.

Every time we try to access these pages, or /useradmin too, this error is logged in the default trace file:

".......
#1.#D2F75EB47F03006C00000001006100340004BD4FA23DF9BA#1334049628879#com.sap.engine.services.security.authentication.logonapplication#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logonapplication.executeRequest#J2EE_GUEST#0##69ECEE1F82EE11E19D6D00000035F4B2#69ecee1f82ee11e19d6d00000035f4b2-0#69ecee1f82ee11e19d6d00000035f4b2#SAPEngine_Application_Thread[impl:3]_19##0#0#Fatal##Java###Fatal Logon error
[EXCEPTION]
{0}#1#com.sap.security.core.logonadmin.AccessToLogicException: Error while executing the compilation process: [/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334049627523.java:97: cannot resolve symbol
symbol  : variable BLOCK_EXT_LOGON_APP_EMBEDDING
location: class com.sap.security.core.util.imp.LogonUtils
boolean isFrameEmbeddingDisabled = UMFactory.getProperties().getBoolean(LogonUtils.BLOCK_EXT_LOGON_APP_EMBEDDING, false);
                                                                                  ^
..........."

We had a look at the file:

/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334050873388.java

and found this, among other things:

"....
Check if the logon application can be embedded in pages from different locations. If not, it will not be displayed at all.
.....
An access denied error will be thrown here if the page that embeds the logon page is in a different domain. Essentially this is the very problem fixed by this JavaScript, but not all browsers ban access between the document objects of the two frames (i.e. some browsers will not throw an error when the embedded page tries to access the embedding page
.......
A possible Cross-Frame Scripting attack has been prevented. Please contact your system administrator
or refer to SAP Note 1651004 for more information
......."

Practically, for some reason the system is treating my legitimate access attempts as a cross-frame scripting attack, locking me out of the system.

I read SAP Note 1651004, but in the Config Tool I am not able to find the indicated property in order to verify its value.

Any advice on how to disable the scripting protection?

regards

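As an added illustration (not SAP's code, and not part of the original post or its answers), the JavaScript below models the frame-embedding check that the generated logon JSP's comments describe: a top-level page is rendered; a page framed by a document of another origin cannot read `top.location` (conforming browsers throw), and the generated code then shows the "possible Cross-Frame Scripting attack" message when the BLOCK_EXT_LOGON_APP_EMBEDDING property is set. It also covers the case the JSP comment warns about, a browser that does not throw on the cross-origin access. The `makeWindow` helper, the `leaky` flag and all origins are constructed assumptions so the code runs under Node without a browser; the property is passed in as a plain boolean because the page does not show how it is keyed in the Config Tool.

```javascript
// Added example, not SAP's code. `win` stands in for the browser's window object.

// Build a fake window. parentOrigin === null means a top-level document;
// otherwise the page is framed by a document of that origin. Reading
// top.location from a different origin throws, as conforming browsers do;
// `leaky` models the browsers the JSP comment mentions, which do not throw.
function makeWindow(selfOrigin, parentOrigin, leaky = false) {
  const self = {
    location: { origin: selfOrigin, href: selfOrigin + "/logon/logonServlet" },
  };
  self.self = self;
  if (parentOrigin === null) {
    self.top = self;
    return self;
  }
  const sameOrigin = parentOrigin === selfOrigin;
  self.top = {
    get location() {
      if (!sameOrigin && !leaky) {
        throw new Error("SecurityError: blocked a frame from accessing a cross-origin frame");
      }
      return { origin: parentOrigin, href: parentOrigin + "/portal" };
    },
  };
  return self;
}

// Classify how the logon page is being displayed.
function classifyEmbedding(win) {
  if (win.top === win.self) {
    return "top-level";
  }
  try {
    // Succeeds for same-origin embedding, or in a browser that lets the
    // embedded page read the embedding page; compare origins in that case.
    const topOrigin = new URL(win.top.location.href).origin;
    return topOrigin === win.self.location.origin
      ? "embedded-same-origin"
      : "embedded-cross-origin";
  } catch (e) {
    // Access denied: framed by a different origin.
    return "embedded-cross-origin";
  }
}

// Message text as quoted from the generated JSP on this page.
const XFS_MESSAGE =
  "A possible Cross-Frame Scripting attack has been prevented. Please contact your system administrator " +
  "or refer to SAP Note 1651004 for more information";

// Decide what the logon page renders. `blockExtEmbedding` plays the role of
// the BLOCK_EXT_LOGON_APP_EMBEDDING value read in the generated JSP.
function decideLogonPage(win, blockExtEmbedding) {
  const state = classifyEmbedding(win);
  if (state === "embedded-cross-origin" && blockExtEmbedding) {
    return { render: false, message: XFS_MESSAGE, state };
  }
  return { render: true, message: null, state };
}

// Demo with constructed origins (not real hosts).
const framedByOtherSite = makeWindow("https://sm.example.com", "https://attacker.example.net");
console.log(decideLogonPage(framedByOtherSite, true));
console.log(decideLogonPage(makeWindow("https://sm.example.com", null), true));
```

The point of the `try`/`catch` plus origin comparison is that either path, a thrown security error or a readable but foreign `top.location`, is treated as cross-origin embedding; a direct browser visit to the logon URL is always top-level and is never blocked by this check, which is why a blank page on a direct visit (as in the question) points at a failure elsewhere, such as the compile error in the trace, rather than at the check itself.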


1 Answer

  • Best Answer
    Apr 10, 2012 at 01:01 PM

    Hi Roberto,

    I have this same issue also and did not find a solution, but as a workaround you can log in to your system using the "System Information" link http://hostname:port/monitoring/SystemInfo

    You will get a popup instead of the usual login dialog, but at least it bypasses this login method. Enter your admin username/password and then, with the System Information page still open, you should be able to go automatically to /useradmin and /sld without logging in, as it will use the same login session.

    I don't use /useradmin or /sld often, so the above works until SAP releases a solution or correction, if they haven't done so already.

    Regards,

    Nelis


    • Former Member Nelis Lamprecht

      We applied the SCA files described in note 1651004 and now the problems on /nwa, /usermanagement or /sld are solved.

      But we are still unable to open the transactions SOLMAN_WORKCENTER or SOLMAN_SETUP; we continuously receive errors during the execution of the scripts.

      It's something related to the new LIGHTSPEED rendering technology and to the parameter WDLIGHTSPEED=X as per note 1107662, but there is still no reason why it's not working here.

      regards