Application Development and Automation Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

Web service: security

Former Member

Hi,

I have a general question regarding security in web services.

We have a web service for which an SAP user and password are required.

The external system that consumes the web service works automatically, so I guess they have the SAP user and password hardcoded in their system. (The SAP system and the external system are on the same 'secure' network; there is no firewall in between.)

Concerning authorization roles, we will restrict the role for this SAP user to the transaction that is being called in the web service, but still I feel uneasy with the idea that someone who knows the SAP user and password can build code and start calling the web service.

Question is: can you give me some advice on how security for a web service is usually set up in this situation?

Thank you,

Rolf

1 ACCEPTED SOLUTION

Former Member

Rolf,

Hi. If you are concerned, then there are a couple of things that can be done to ensure that no one can 'pick up' the user name/password just by monitoring the network.

1) Ask the calling site to ensure they use a POST call, not a GET. This is standard internet security and is generally adhered to by web developers.

2) You could request that the web service be via HTTPS (a setting in SICF will 'require' this protocol when calling your web service). This will mean no 'sniffers' on the network will be able to identify data passed between the two applications, i.e. user name/password.

If your concern is that the people storing the user name/password are doing this in a manner that someone might have access to this, then I would suggest you get them to store this in a more secure manner.

One other option is to hard-code the user name/password into the web service (SICF), and when they call your web service it won't ask for user signon. Seems like an option if the web service doesn't allow them to do anything except a simple tcode call.

SDN has many interesting topics/documents on web security, so you could always scan the blogs for a more detailed analysis.

Cheers

Rob
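Added example, not code from the thread or from SAP: it assembles the exact bytes a GET and a POST put on the wire when the caller authenticates with HTTP Basic authentication, shows that a passive sniffer on a plain-HTTP link recovers the SAP user and password from either request (the method only moves the form data between query string and body), and then shows the two controls the answer points at on the consumer side: refusing to send the credential to anything but an https:// URL (the client-side mirror of the SICF 'SSL required' setting) and loading the credential from the environment or a secret store instead of a literal in the code. The host, path, user name and password are made-up values constructed for the example.

```python
"""Added example (not from the original thread): what a sniffer sees when a
web-service client sends an SAP user/password over plain HTTP, and the
client-side controls that keep the credential off the wire and out of the
source.  Host, path and credentials below are constructed, not real."""
from __future__ import annotations

import base64
import os
from typing import Optional
from urllib.parse import urlencode, urlsplit


def build_wire_request(method: str, url: str, user: str, password: str,
                       form: Optional[dict] = None) -> bytes:
    """Return the bytes the HTTP request puts on the network.

    GET and POST both carry the Basic credential in the Authorization header;
    POST only moves the form data from the query string into the body."""
    parts = urlsplit(url)
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    body = urlencode(form or {})
    if method == "GET":
        target = parts.path + ("?" + body if body else "")
        body = ""
    else:
        target = parts.path
    lines = [
        f"{method} {target} HTTP/1.1",
        f"Host: {parts.netloc}",
        f"Authorization: Basic {token}",
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
        "",
        body,
    ]
    return "\r\n".join(lines).encode()


def sniffer_recovers_credentials(wire: bytes) -> Optional[tuple[str, str]]:
    """Passive observer on a cleartext link: decode the Basic header, if any."""
    for line in wire.split(b"\r\n"):
        if line.lower().startswith(b"authorization: basic "):
            decoded = base64.b64decode(line.split(b" ", 2)[2]).decode()
            user, _, pw = decoded.partition(":")
            return user, pw
    return None


def require_https(url: str) -> str:
    """Client-side counterpart of the SICF 'SSL required' flag: never send
    the credential over anything but TLS."""
    if urlsplit(url).scheme != "https":
        raise ValueError(f"refusing to send credentials over {url!r}")
    return url


def load_credentials(env=os.environ) -> tuple[str, str]:
    """Read the service user from the caller's environment (injected from a
    secret store at deployment time) rather than a literal in the source.
    SAP_WS_USER / SAP_WS_PASSWORD are variable names assumed for this example."""
    try:
        return env["SAP_WS_USER"], env["SAP_WS_PASSWORD"]
    except KeyError as e:
        raise RuntimeError(f"missing credential variable {e}") from None


if __name__ == "__main__":
    # Constructed target; no request is actually sent anywhere.
    url = "http://sap.example.internal/sap/bc/srt/rfc/sap/z_example"
    for method in ("GET", "POST"):
        wire = build_wire_request(method, url, "WSUSER", "s3cret",
                                  {"matnr": "1000"})
        print(method, "->", sniffer_recovers_credentials(wire))
    try:
        require_https(url)
    except ValueError as e:
        print(e)
```

Run it and both lines print the same recovered user name and password: the switch from GET to POST changes where `matnr=1000` travels, not whether the Basic header is readable. Only `require_https` (or the matching SICF setting on the SAP side, which rejects the plain-HTTP request before it reaches the handler) removes the credential from the sniffer's view, and even then the secret is only as safe as wherever the consumer keeps it.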

2 REPLIES


Former Member

Thanks, I'll check it out.