Application Development Discussions

Using authorisation object in web services

Former Member
0 Kudos

Hi,

I created a WS proxy via ESR and I want to avoid malicious attacks.

Do I need to use the following authorization object?

AUTHORITY-CHECK OBJECT 'S_ICF'
        ID 'ICF_FIELD' FIELD 'PROXY'
        ID 'ICF_VALUE' FIELD 'PROXY_NAME'.
" AUTHORITY-CHECK only sets sy-subrc; it must be evaluated or the check has no effect
IF sy-subrc <> 0. RETURN. ENDIF. " not authorised: reject the call here

Regards

James

Edited by: James Herb on Feb 25, 2010 9:45 AM

1 ACCEPTED SOLUTION

Former Member
0 Kudos

In S_ICF:

ICF_FIELD will protect the call of the service in the Internet Communication Framework:

Service and Dest

ICF_VALUE must match the value entered in SICF.

Thanks,

Prasant

7 REPLIES

0 Kudos

Hi Prasant,

You write: ICF_VALUE must match the value entered in SICF.

How do I find this name? Is this the name of the proxy or the name of the WS?

Regards

James

0 Kudos

Go to transaction SICF and display the Service Data. There is a SAP Auth Group field. F1 on that will explain the client-side protection -> object S_ICF.

What you are looking for is most likely object S_SERVICE. Do a search on table USOBHASH.

Cheers,

Julius

0 Kudos

Hi Julius,

Thanks for the reply.

Do you think that this is the right way to protect the WS (the WS is created via ESR, which generates the proxy)?

Regards

James

0 Kudos

Why do you want to hardcode the proxy name and where?

You should not hardcode the proxy_name (the name of the authorization group assigned to it is actually the value!) nor the hash of the service name anywhere, as they may change.

If you cannot group the proxies in a meaningful way (e.g. all users would need it), then go for S_SERVICE. I recommend reading the docs and the OSS notes on the object. The severity of the checks has improved over the years.

Cheers,

Julius

0 Kudos

Hi Julius,

I don't want to hardcode the proxy name. I just read the help for S_ICF, but I am not sure that this is the way

to protect the WS, and I came to the forum to verify it.

Any idea how?

Regards

James

0 Kudos

S_ICF is to protect the SAP auth. group of the proxy itself from being called (and an impact on admin access in SICF as well), but with ESR you will most likely have to give that to all your users and still you don't know which service they are consuming. So... use S_SERVICE.

As the name of such a URL generally exceeds the length of an authorization field... S_SERVICE uses a "hash" to represent it. Executing the service will generate the hash.

The easy way to collect them is via an ST01 trace on each application server and maintain SU24 manually.

The Rolls-Royce way to collect them is via the "original data" trace of SU22, then process the results carefully in SU25 step 2b... thereby maintaining SU24. Take a closer look at the posts by SAP security guru Frank Buchholz in the thread for more details.

I assume that you are a developer so if you have not used this before and what I have described above makes only limited sense for you, then I suggest talking to the security person on site to show it to you or going to a training on it the first time.

Anyway, if the checks are "native" in the system, then this is a security job, so find the person building the roles for the services. Most likely they are already on top of this and will take care of it for you.

Cheers,

Julius
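As an added illustration of Julius' point (not code from the thread or from SAP), the following diagnostic report shows how the S_SERVICE authorization for a web service is expressed and evaluated: the service is represented by its hash, the hash is resolved from USOBHASH at runtime instead of being hardcoded, and sy-subrc is evaluated after the check. It assumes that USOBHASH has the fields TYPE, NAME and SRV_NAME (the hash) and that service type 'WS' denotes web services; both are assumptions to verify in your own system, and the productive check is still the native one performed by the runtime, so this report is for verifying role assignments rather than replacing that check.

```abap
" Added example, not part of the original thread. Assumed: USOBHASH fields
" TYPE / NAME / SRV_NAME and service type 'WS' for web services.
REPORT z_check_ws_service.

" Service name as it appears in USOBHASH-NAME (assumed field name)
PARAMETERS p_srv TYPE usobhash-name LOWER CASE.

DATA lv_hash TYPE usobhash-srv_name.   " hash that S_SERVICE / SRV_NAME carries

START-OF-SELECTION.
  " Resolve the name to its hash at runtime. The entry only exists once the
  " service has been executed (the trace-based collection described above).
  SELECT SINGLE srv_name FROM usobhash INTO lv_hash
    WHERE type = 'WS' AND name = p_srv.
  IF sy-subrc <> 0.
    WRITE: / 'No USOBHASH entry for', p_srv,
           '- execute the service once or check the name.'.
    RETURN.
  ENDIF.

  " Same check the runtime performs natively: type + hash, never the URL itself
  AUTHORITY-CHECK OBJECT 'S_SERVICE'
    ID 'SRV_TYPE' FIELD 'WS'
    ID 'SRV_NAME' FIELD lv_hash.

  " AUTHORITY-CHECK only sets sy-subrc; the result must be evaluated
  CASE sy-subrc.
    WHEN 0.
      WRITE: / 'User', sy-uname, 'is authorised for', p_srv.
    WHEN 4.
      WRITE: / 'User', sy-uname, 'lacks S_SERVICE for', p_srv, '(hash', lv_hash, ')'.
    WHEN OTHERS.
      " 8/12/...: field specification or profile problem, not a plain "no"
      WRITE: / 'S_SERVICE check could not be evaluated, sy-subrc =', sy-subrc.
  ENDCASE.
```

Run it under a test user after the service has been executed at least once; a sy-subrc of 4 is the expected result for a user whose role does not yet contain the hash, and the hash value printed is the one the SU24 maintenance should carry rather than anything written into application code.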