Application Development and Automation Discussions
Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table

Former Member

Hi all

We want to use the SAP Web Dispatcher 720P113 to secure our external facing NetWeaver 7.3 Portal.

The Web Dispatcher can of course filter parts of the URL.

With this we would like to restrict the access from the internet to the necessary NetWeaver Portal Applications.

We hoped to create a minimum permission table file and started with the following:


#SAP Web Dispatcher permission table
P /irj/*
#DENY ALL
D *

Then we realised we also had to permit /logon_ui_resources/* to be able to see the logon screen. Afterwards we could login, but could not see any portal images and so on.

In particular, we don't want anyone to open /nwa or /sld or /startPage... and I don't know how many more critical URLs there are. Even if we block e.g. /sld, somebody who knows the complete URL /webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main can log in to SLD.

Of course we use SSL & firewall to the system, along with secure OS settings.

Has anyone implemented a permission table file with SAP Web Dispatcher and can supply us with a working, secure configuration or give any hints on how to identify critical portal applications?

BR

Michael

1 ACCEPTED SOLUTION
Former Member

Hello Michael,

I had the same issue today and it was resolved by creating the permission file as follows:


P /irj*
P /irj/*
P /logon_ui_resources/*
P /logon_ui_resources*
P /AFPServlet/*
P /AFPServlet*
P /com.sap*
P /com.sap/*
P /webdynpro/resources*
P /webdynpro/resources/*

In this case you will have all the images displayed and functional, and it will block all the administration URLs.

Later we may have to deny or permit other URLs, depending on the needs.

Hope that it helps you

Hassan

6 REPLIES

mvoros
Active Contributor

Hi,

You can use any modern browser (IE has developer tools, F12; Firefox has Firebug) to capture all URLs requested. So you can just browse your portal for a while and soon you'll have the basic URLs that need to be accessible. I haven't done this for Portal, but for ABAP AS it was just a couple of URLs and a pretty easy process. Another approach could be to allow everything on the Web Dispatcher and check the access log for which URLs are requested.

Cheers


Hi Hassan,

thanks for your answer but this does NOT block NWA nor SLD in NW 7.3.

As soon as we have a configuration that is reliable in our case I'll post it here.


Hello Michael,

Have you been able to make any progress in protecting your Portal access?


Hi Raoul,

I think I have, here's the ptabfile we use as whitelist:

######### SAP Web Dispatcher permission table
######### Whitelist principle

######### DENY Critical Apps #########
D       /nwa
D       /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
D       /sld
D       /webdynpro/dispatcher/sap.com/tc~sld~wd~main/*
D       /startPage
D       /nwa/sysinfo
D       /wsnavigator
D       /useradmin
D       /webdynpro/welcome/*
D       /webdynpro/dispatcher/sap.com/tc~wd~tools/*
D       /sr_central
D       /sapmc
D       /utl/UsageTypesInfo
D       /ejbexplorer
D       /webdynpro/dispatcher/sap.com/tc~esi~esp~wsnav~ui/*
D       /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*
#
######### ALLOW #########
### SAP PORTAL ###
P       /AFPServlet/*
P       /com.sap.netweaver.coll.appl.ui.room/scripts/*
P       /com.sap.portal.*
P       /com.sap.ui.lightspeed/js/*
P       /com.sap.workflow.admin.template_jwf/images/*
P       /htmlb/*
P       /irj/go/km/*
P       /irj/portal/*
P       /irj/portal*
P       /irj/servlet/prt/*
[snip]
### SAP ABAP ###
#Custom
P       /sap/bc/webdynpro/SAP/Z_APP1*
P       /sap/bc/webdynpro/SAP/Z_APP2*
P       /sap/bc/webdynpro/sap/z_app3*
#SAP Common
P       /sap/public/bc/webdynpro/ssr/*
P       /sap/public/bc/ur/Design2002/*
P       /sap/public/bc/ur/nw5/*
P       /sap/public/bc/icons/*
P       /sap/public/bc/WebIcons/ur/default/l/Icon/*
#
######### FOR DEBUGGING ALLOW ALL #########
#P      *
######### DENY EVERYTHING ELSE #########
D       *

Where it says [snip] we also added custom logon screen urls.

Basically I used Firebug and/or IE Developer Tools to capture the URLs visited while browsing the Portal. After quickly filtering the results in Excel, along with some other Excel capabilities, we got to this list.

I know I could have left out the initial Denys because of the final Deny-all rule, but I felt safer with them.

Any ideas / design flaws are still welcome.

Michael

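The two approaches in this thread (mvoros: derive the whitelist from what the browser or the access log actually requests; Michael: deny the admin applications explicitly, permit the portal paths, then `D *`) can be checked offline before touching the dispatcher. The script below is an added example, not code from the thread or from SAP: it evaluates a ptab against request paths pulled from access-log lines. It assumes Web Dispatcher semantics of "rules are evaluated top to bottom, first match wins, `*` matches any run of characters including `/`, comparison is case-sensitive"; verify those against the documentation for your release. The access-log lines are constructed in CLF layout (adjust `REQUEST_RE` to your `icm/HTTP/logging_<n>` LOGFORMAT), and the request paths are built only from prefixes quoted in the thread, with made-up trailing segments.

```python
import re
from urllib.parse import urlsplit

# Hassan's accepted-answer table: permit rules only, no deny and no final "D *".
HASSAN_PTAB = """
P /irj*
P /irj/*
P /logon_ui_resources/*
P /logon_ui_resources*
P /AFPServlet/*
P /AFPServlet*
P /com.sap*
P /com.sap/*
P /webdynpro/resources*
P /webdynpro/resources/*
"""

# Michael's whitelist, abridged: explicit denies first, portal permits, "D *" last.
MICHAEL_PTAB = """
D /nwa
D /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
D /sld
D /webdynpro/dispatcher/sap.com/tc~sld~wd~main/*
D /useradmin
D /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*
P /AFPServlet/*
P /com.sap.portal.*
P /htmlb/*
P /irj/portal/*
P /irj/portal*
P /irj/servlet/prt/*
P /logon_ui_resources/*
D *
"""

def parse_ptab(text):
    """Parse ptab lines: 'P <pattern>' permits, 'D <pattern>' denies, '#' comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        action, _, pattern = line.partition(" ")
        action, pattern = action.upper(), pattern.strip()
        if action not in ("P", "D") or not pattern:  # only the two verbs used in the thread
            raise ValueError(f"unparseable ptab line: {raw!r}")
        rules.append((action, pattern))
    return rules

def match(pattern, path):
    # ASSUMPTION: '*' matches any run of characters (including '/'); all else is literal.
    regex = "".join(".*" if ch == "*" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, path) is not None

def decide(rules, path):
    """ASSUMPTION: first matching rule wins. Returns (action, pattern) or None if no rule hit."""
    for action, pattern in rules:
        if match(pattern, path):
            return action, pattern
    return None

# Constructed access-log lines (CLF layout); the trailing path segments are made up.
ACCESS_LOG = """\
203.0.113.10 - - [10/Oct/2013:10:00:01 +0200] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.10 - - [10/Oct/2013:10:00:02 +0200] "GET /logon_ui_resources/logon.css?v=1 HTTP/1.1" 200 812
203.0.113.10 - - [10/Oct/2013:10:00:03 +0200] "GET /htmlb/mimes/ur/ur.css HTTP/1.1" 200 2200
203.0.113.11 - - [10/Oct/2013:10:00:04 +0200] "GET /nwa HTTP/1.1" 302 0
203.0.113.11 - - [10/Oct/2013:10:00:05 +0200] "GET /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/Main HTTP/1.1" 200 9000
"""
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT|DELETE|OPTIONS) (\S+) HTTP/[\d.]+"')

def paths_from_log(log_text):
    """Distinct request paths (query string dropped) in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if m:
            path = urlsplit(m.group(1)).path
            if path not in seen:
                seen.append(path)
    return seen

def audit(ptab_text, log_text):
    """Map each logged path to 'P', 'D', or None (no rule hit: you are relying on a default)."""
    rules = parse_ptab(ptab_text)
    return {p: (decide(rules, p) or (None, None))[0] for p in paths_from_log(log_text)}

def exposed(ptab_text, critical_paths):
    """Critical paths the table does not explicitly deny (permitted or uncovered)."""
    rules = parse_ptab(ptab_text)
    return [p for p in critical_paths
            if (decide(rules, p) or ("NONE", None))[0] != "D"]

# Admin entry points Michael lists; the "Main" suffix on the Web Dynpro URLs is constructed.
CRITICAL = [
    "/nwa",
    "/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/Main",
    "/sld",
    "/webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main",
]

if __name__ == "__main__":
    for name, ptab in (("Hassan", HASSAN_PTAB), ("Michael", MICHAEL_PTAB)):
        print(name, audit(ptab, ACCESS_LOG), "exposed:", exposed(ptab, CRITICAL))
```

Run against the sample log, Hassan's table permits the `/webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/...` path through `P /webdynpro/resources*` and leaves `/nwa`, `/sld` and `/htmlb/...` with no matching rule at all, which is consistent with Michael's report that it did not block NWA or SLD; Michael's table denies all four critical paths and permits the stylesheet paths. The evaluator does not model what the real dispatcher does with percent-encoded, mixed-case or `..` segments, so after installing a table, request those variants of the denied URLs through the dispatcher and confirm in its access log that they are refused.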

Hi Experts,

We want to restrict Administrator Group access like User administration, content administration and system administration access.

We have maintained

D       /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*

If we access user admin directly, it is restricted, but if we navigate to it through a Role it is not blocked.

any suggestion ?

Regards,

Meghal Shah