
Secure password transfer from WD application to runtime.

Former Member

Hi experts,

I have a standard scenario of a WD application, asking for user credentials to transfer them to the ABAP WD runtime. And the runtime performs a Webservice (SOAP using an ABAP Proxy) call to start e.g. a specific server.

Please note that credentials are needed to perform the Webservice call and not to enter the application.

I used an input field (password field) which is bound to a component attribute of type string.

I think I have two security issues at this level: first, the password is saved to a string variable (it can be observed during a debugger session); second, the transfer from the WD application to the ABAP runtime happens via http, so a listener can spy on the protocol layer.

I found out that using methods of class CL_HTTP_UTILITY, it is possible to encrypt strings to a BASE64-encoded string or to a UTF-8 encoded byte string.

This encoding can only take place when data binding has happened. This does not avoid the security issues mentioned above.

Do you have any suggestions how to solve this problem?

kind regards,

Sahla

Accepted Solutions (1)

thomas_jung
Developer Advocate

You should absolutely at least set your application service node to run in HTTPS. This will take care of the data being visible on the network during communications as it will encrypt the entire HTTP request/response.

However the problem of the debugger is not so simple. There is no functionality to encrypt the field so early that it is never available in the debugger. This is why the logon functionality of the SAPGUI and the ICM are both done at the kernel level before any connection to the ABAP runtime is made.

You should consider using WS-Security profiles and not individual authentication per user for your web service calls if you must avoid exposing this password to the debugger.

Former Member

Hi Thomas,

Thanks a lot for your answer.

What are WS-security profiles???

kind regards,

Sahla

thomas_jung
Developer Advocate

We are really outside the realm of Web Dynpro here, but I suggest that you start by having a look at this help page and the links within it:

http://help.sap.com/saphelp_nw70ehp1/helpdata/en/48/8ebbba66be06b2e10000000a42189b/frameset.htm

It details different security measures, including WS-SECURITY. But basically it involves securing your webservice within the message instead of at the transport level. But also you should consider if your service really needs an individual username/password from each user. Consider instead checking the user's local authorization checks and using that to assign them to pre-existing security profiles with fixed authentication.
