Former Member
Oct 31, 2012 at 08:03 PM

HANA XSengine HTTP delete method


Hello

Does anyone know how to configure the HTTP DELETE method to return "Forbidden" on the HANA sapwebdispatcher?

For example, due to a security vulnerability, HTTP DELETE should be disallowed. We have tried editing the file sapwebdisp.pfl and added the line:

# Modification of HTTP Requests
icm/HTTP/mod_0 = PREFIX=/,FILE= /sapmnt/HDD/global/security/icm_filter_rules.txt

The icm_filter_rules.txt entry is as below:

# check for forbidden method
if %{REQUEST_METHOD} !stricmp "GET" [AND]
if %{REQUEST_METHOD} !stricmp "POST"
RegForbiddenUrl ^/(.*) -

Restarted the HANA DB.

The above configuration is done referencing http://help.sap.com/saphelp_nwpi71/helpdata/en/48/9266ffaa6b17cee10000000a421937/content.htm.

Sadly when testing/checking this configuration, we see:

# curl --head -X DELETE http://<server>:8000
HTTP/1.1 200 OK
set-cookie: xsSessionId=EFA2BA34B8556E4781A887F387FEE070; path=/; HttpOnly
content-type: text/html
content-length: 12227
cache-control: no-cache

The desired outcome is:

# curl --head -X DELETE http://<server>:8000
HTTP/1.1 403 Forbidden
date: Fri, 05 Oct 2012 23:01:11 GMT
connection: close
content-type: text/html
server: SAP NetWeaver Application Server 8.02 / ICM 8

Any ideas?

Thanks
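
A repeatable version of the curl check above, as an added example that is not part of the original post: it sends each HTTP method and reports every one that breaks the intended policy (GET and POST pass, everything else gets 403). The names `probe`, `audit` and `serve` are hypothetical, and the local server is a constructed stand-in for the dispatcher so the script runs offline.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

ALLOWED = {"GET", "POST"}  # the two methods the post's rule lets through
PROBES = ["GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE", "PATCH"]

def probe(host, port, method, path="/"):
    """Send one body-less request and return the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, path, headers={"Content-Length": "0"})
        resp = conn.getresponse()
        resp.read()
        return resp.status
    finally:
        conn.close()

def audit(host, port):
    """Return {method: status} for every probe that breaks the policy."""
    findings = {}
    for method in PROBES:
        status = probe(host, port, method)
        blocked = status == 403
        # Allowed methods must not be blocked; everything else must be.
        if blocked == (method in ALLOWED):
            findings[method] = status
    return findings

def serve(enforce):
    """Constructed stand-in for the dispatcher, bound to a free local port."""
    class Handler(BaseHTTPRequestHandler):
        def reply(self):
            deny = enforce and self.command.upper() not in ALLOWED
            self.send_response(403 if deny else 200)
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):
            pass  # keep the demo output quiet
    for method in PROBES:
        setattr(Handler, "do_" + method, Handler.reply)
    srv = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

if __name__ == "__main__":
    for label, enforce in (("no filter", False), ("filter active", True)):
        srv = serve(enforce)
        print(label, audit("127.0.0.1", srv.server_port))
        srv.shutdown()
```

Under this policy HEAD is also expected to return 403, so a plain `curl --head` without `-X` would be rejected once the filter is active.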