How to disable scripting attack on J2EE- (SAP Note 1651004)

Former Member
We applied some Java patches on our Solution Manager 71, just upgraded, as per OSS note 1639266, and then we found out we are unable to log on to the /nwa or /sld services of the J2EE.

A blank, empty page is displayed without any error popup.

Every time we try to access these pages, or /useradmin too, this error is logged in the default trace file:

".......
#1.#D2F75EB47F03006C00000001006100340004BD4FA23DF9BA#1334049628879#com.sap.engine.services.security.authentication.logonapplication#sap.com/com.sap.security.core.admin#com.sap.engine.services.security.authentication.logonapplication.executeRequest#J2EE_GUEST#0##69ECEE1F82EE11E19D6D00000035F4B2#69ecee1f82ee11e19d6d00000035f4b2-0#69ecee1f82ee11e19d6d00000035f4b2#SAPEngine_Application_Thread[impl:3]_19##0#0#Fatal##Java###Fatal Logon error
[EXCEPTION]
{0}#1#com.sap.security.core.logonadmin.AccessToLogicException: Error while executing the compilation process: [/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334049627523.java:97: cannot resolve symbol
symbol  : variable BLOCK_EXT_LOGON_APP_EMBEDDING
location: class com.sap.security.core.util.imp.LogonUtils
boolean isFrameEmbeddingDisabled = UMFactory.getProperties().getBoolean(LogonUtils.BLOCK_EXT_LOGON_APP_EMBEDDING, false);
                                                                                    ^
..........."

We had a look into the file:

/usr/sap/TSM/DVEBMGS00/j2ee/cluster/server0/apps/sap.com/com.sap.security.core.admin/servlet_jsp/logon/work/jsp_umLogonPage1334050873388.java

and we found this, among other things:

"....
Check if the logon application can be embedded in pages from different locations. If not, it will not be displayed at all.
.....
An access denied error will be thrown here if the page that embeds the logon page is in a different domain. Essentially this is the very problem fixed by this JavaScript, but not all browsers ban access between the document objects of the two frames (i.e. some browsers will not throw an error when the embedded page tries to access the embedding page
.......
A possible Cross-Frame Scripting attack has been prevented. Please contact your system administrator
or refer to SAP Note 1651004 for more information
......."

Practically, for some reason the system is handling my legitimate access attempts as a cross-scripting attack, locking me out of the system.

I read SAP Note 1651004, but in the configtool I'm not able to find the property indicated, to verify its value.

Any advice on how to disable the scripting protection?

Regards
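As an added illustration (not code from SAP, the JSP, or anyone in this thread) of the embedding check that the quoted JSP comments describe: a framed page tries to read the embedding page's location, treats an access-denied error as a cross-domain embedding, and, because some browsers do not throw, also compares hostnames explicitly. The `win` objects, the `fakeWindow` helper and the `blockExternalEmbedding` flag (standing in for the `BLOCK_EXT_LOGON_APP_EMBEDDING` property seen in the trace, default false) are assumptions made so the logic runs outside a browser.

```javascript
// Model of the cross-frame embedding check from the logon JSP comments.
// `win` is a window-like object with `self`, `top` and `location.hostname`;
// in a real browser, reading `top.location` from a cross-origin frame throws.
function classifyEmbedding(win) {
  // Not inside a frame at all: nothing to check.
  if (win.self === win.top) return "not-embedded";
  let topHost;
  try {
    topHost = win.top.location.hostname;
  } catch (err) {
    // Access denied: the embedding page is in a different domain.
    return "cross-domain";
  }
  // Some browsers do not throw (see the quoted comment), so compare
  // hostnames explicitly instead of trusting the absence of an error.
  return topHost === win.location.hostname ? "same-domain" : "cross-domain";
}

// Decide whether the logon form is rendered. `blockExternalEmbedding` stands
// in for the BLOCK_EXT_LOGON_APP_EMBEDDING flag from the trace (default false).
function renderLogon(win, blockExternalEmbedding = false) {
  if (blockExternalEmbedding && classifyEmbedding(win) === "cross-domain") {
    return {
      showForm: false,
      message: "A possible Cross-Frame Scripting attack has been prevented. " +
        "Please contact your system administrator or refer to SAP Note 1651004",
    };
  }
  return { showForm: true, message: null };
}

// Constructed fake windows (hypothetical helper) for running this offline.
// topHost === null means the page is top-level; topThrows simulates a browser
// that denies cross-origin access to the embedding page's location.
function fakeWindow(ownHost, topHost, topThrows) {
  const win = { location: { hostname: ownHost } };
  win.self = win;
  if (topHost === null) { win.top = win; return win; }
  win.top = {
    get location() {
      if (topThrows) throw new Error("SecurityError: access denied");
      return { hostname: topHost };
    },
  };
  return win;
}
```

Script checks like this only help when the browser enforces the same-origin rule consistently; the server-side check and the property that switches it on are what actually decide whether the form is shown.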

Accepted Solutions (1)

nelis
Active Contributor
Hi Roberto,

I have this same issue also and did not find a solution, but as a "work around" you can log in to your system using the "System Information" link http://hostname:port/monitoring/SystemInfo

You will get a popup instead of the usual login dialog, but at least it bypasses this login method. Enter your admin username/password and then, with the System Information page still open, you should be able to go to /useradmin and /sld automatically without logging in, as it will use the same login session.

I don't use /useradmin or /sld often, so the above works until SAP releases a solution or correction, if they haven't done so already.

Regards,

Nelis

Former Member
Thanks for the workaround for the login on /nwa or /sld.

What about the problems on SOLUTION_WORKCENTER or SOLMAN_SETUP, did you encounter these errors too?

Regards

nelis
Active Contributor
From within SOLUTION_WORKCENTER it uses the login info from your SAPgui session, the same with SOLMAN_SETUP, so I did not encounter this issue. In fact, even if I tell it to open new pages within SOLUTION_WORKCENTER instead of embedded, it opens fine without an issue using the normal login dialog.

Nelis

Former Member
We applied the SCA files described in note 1651004 and now the problems on /nwa, /usermanagement or /sld are solved.

But we are still unable to open the transactions SOLMAN_WORKCENTER or SOLMAN_SETUP; we are continuously receiving errors during the execution of the scripts.

It's something related to the new LIGHTSPEED rendering technology and to the parameter WDLIGHTSPEED=X, as per note 1107662, but still no reason why it's not working here.

Regards
