Technology Blogs by SAP
appalanaidu_uppada

Introduction

This blog proposes a stop-gap solution for customers who wish to apply IP allowlisting to all incoming requests into SAP Cloud Integration.

This is a short-term solution within SAP Cloud Integration, and I recommend that all customers switch to platform-level IP allowlisting as soon as it is available for consumption.

In this blog, I explain the steps needed to handle IP allowlisting for an integration flow that accepts incoming requests through the HTTP sender adapter. The scenario described here is an example of blocking an incoming request from a suspected IP address. You can apply the same approach to any other integration flow that uses a SOAP, IDoc, AS2 or OData sender adapter.

NOTE: Since it is easy to forge an x-forwarded-for header, the information provided below should be used with care.

 

Scenario: Block requests from a particular IP address using a script:



  • Add the x-forwarded-for header to Allowed Header(s) in the integration flow's Runtime Configuration.

  • Write the sample script below immediately after the sender adapter (applicable for HTTPS, AS2 and OData) to block incoming requests from a suspected client IP.


Neo Environment: Sample Script for Allow listing in Neo

CF Environment: Sample Script for Allow listing in CF


 

Neo Environment: If there are multiple x-forwarded-for headers in the incoming request, they are consolidated into a single x-forwarded-for header with comma-separated values (e.g. 100.100.100.100, xxx.xxx.xxx.xxx).

CF Environment: The client value is the last but one in the list, as shown in the previous scripts.

 

For CXF-based adapters (IDoc and SOAP), the header values are returned as a List of Strings, hence the sample script looks slightly different from the script above.

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;

def Message processData(Message message) {
    // body (not needed for this check, kept from the script template)
    def body = message.getBody()

    // headers: CXF-based senders (SOAP, IDoc) deliver a multi-value header as a List of Strings
    def map = message.getHeaders()
    def value = map.get("x-forwarded-for")

    boolean isContainingListOfIPs = value instanceof Collection

    def clientActualIP = null
    if (isContainingListOfIPs) {
        // Get the last value from the List; an empty List yields null instead of an exception
        clientActualIP = value ? value.last() : null
    } else {
        clientActualIP = value
    }

    if (clientActualIP != null) {
        // Replace xxx.xxx.xxx.xxx with the suspected client IP that should be blocked
        if ("xxx.xxx.xxx.xxx" == clientActualIP.toString().trim()) {
            throw new RuntimeException("Request not allowed from IP address:" + clientActualIP)
        }
    }
    return message
}
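As an added example (not the author's script), the following Groovy step turns the block-one-IP check into a true allowlist and handles both header shapes described above: the comma-separated String that HTTP/AS2/OData senders deliver (consolidated on Neo) and the List of Strings that CXF senders deliver. The allowlist entries, the CLIENT_INDEX_FROM_END setting (0 = last entry as in the CXF script, 1 = last but one as described for CF) and the clientIp property name are assumptions to adjust for your tenant.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message
import groovy.transform.Field

// Constructed sample allowlist; replace with the sender addresses for your tenant.
@Field final Set<String> ALLOWED_CLIENT_IPS = ['203.0.113.10', '198.51.100.7'] as Set<String>

// Which entry of the forwarded chain is the client: 0 = last (as in the CXF script
// above), 1 = last but one (CF, as described above). Assumed deployment-time setting.
@Field final int CLIENT_INDEX_FROM_END = 1

// Normalise the header into an ordered list of hops. HTTP/AS2/OData senders hand
// over one String (Neo consolidates repeats into a comma-separated value); CXF
// senders (SOAP/IDoc) hand over a List of Strings, each possibly comma-separated.
List<String> forwardedHops(Object headerValue) {
    if (headerValue == null) return []
    List raw = (headerValue instanceof Collection) ? headerValue.toList() : [headerValue]
    return raw.collectMany { it.toString().split(',').toList() }
              .collect { it.trim() }
              .findAll { it }
}

// Pick the client address, or null when the chain is too short to contain it.
String clientAddress(List<String> hops, int indexFromEnd) {
    int idx = hops.size() - 1 - indexFromEnd
    return idx >= 0 ? hops[idx] : null
}

def Message processData(Message message) {
    List<String> hops = forwardedHops(message.getHeaders().get('x-forwarded-for'))
    String clientIp = clientAddress(hops, CLIENT_INDEX_FROM_END)
    // Fail closed: a missing, empty or too-short header is rejected, not let through.
    if (clientIp == null || !ALLOWED_CLIENT_IPS.contains(clientIp)) {
        throw new RuntimeException("Request not allowed from IP address: " + clientIp)
    }
    // Assumed property name; keeps the resolved address available to later steps and logging.
    message.setProperty('clientIp', clientIp)
    return message
}
```

Because the header is forgeable (see the note above), treat this check as a filter on the last trusted hop your platform appends, not as proof of the caller's identity.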

 

Always remember to adjust and redeploy the integration flow (script) whenever there are network or IP address changes on the sender side.