Encoded URL Parameters??

Former Member
Hi All,

My Web Dynpro Application is being called with the uname as a parameter. As a matter of course, not everybody is supposed to call the application of another user and see his Information by just entering the uname of the person in the URL.

Is there a way to pass URL parameters encoded?

THANKS, Johannes

Accepted Solutions (1)
thomas_jung
Developer Advocate
It is never a good idea to pass anything sensitive via URL parameters. Yes, you could encode the parameter. You could encode in base64, for example, and decode on the receiving side. Both sending and receiving applications would have to be modified to encode/decode the data. This is not something provided by the framework. However, this just obscures the data. It is still perfectly possible for someone else to cut and paste an encoded section of someone else's ID (or for someone technically savvy to just create an encoded string). This is hardly any security at all.

Former Member

Thomas,

So, what would you recommend to start the application and supply the information (uname)?

THANKS, Johannes

thomas_jung
Developer Advocate

I would never recommend such a design in general. The user should always be properly authenticated (for licensing reasons as well as security ones). If you need transparent authentication, consider Portal/NWBC/SSO or Certificates. Passing some form of external authentication without the use of encrypted SSO tickets or Certificates just isn't going to be secure.

ChrisPaine
Active Contributor

Whilst I have to agree with Thomas - you really should be authenticating the user and then using standard SAP security to limit access to others' data - I can see that there might be cases where, for one reason or other, this is not possible.

<caveat>

However, please be very careful, as allowing such unauthenticated access is probably a breach of your licensing agreement with SAP. (They know who you are and where you work.) Please discuss the potential use case with your SAP account manager!

</caveat>

I am going to assume that the launch of the application is from outside of the SAP landscape and that there is no way that you can persist the private information in some kind of shared data store which both the launching app and the WDA can access and which cannot be accessed by other applications - using a publicly shared key (GUID) which can be passed in the URL. (If I'm wrong in the assumption, please use the above method.)

Now, were I needing to pass some information via a URL parameter (any info) that was potentially sensitive, I'd encrypt it. The accepted way of doing this such that it is hard to break the encryption is the public/private key method. However, to my knowledge, if you want to implement full RC4 encryption/decryption you'll have to implement it yourself. SAP contains some useful functionality in this respect - FM MD5_CALCULATE_HASH_FOR_RAW is one, but the RC4 encryption routines (or a version of them) are publicly available: http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt

That said, it really depends on your risk - it's a lot of effort to implement public/private key algorithms (and it might be even more in your source application), so you might be best off just using simpler cryptographic methods - perhaps just converting to base64 and XORing the result with a "secret" key-phrase.

Good luck however you solve the issue.

Chris

Edited by: Chris Paine on Jul 7, 2010 11:35 AM - better link to ARC4 routines
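The two options contrasted in this thread, side by side, as an added example that is not from the thread, from SAP, or from any poster: base64 merely re-encodes the uname, so whoever can decode a parameter can also craft one, whereas the shared-store approach puts only a random GUID in the URL and resolves it on the receiving side from a store that the launching application and the WDA share. The HandoffStore class, its in-memory dictionary, the single-use rule and the 60-second lifetime are assumptions made for this demonstration.

```python
import base64
import time
import uuid
from typing import Dict, Optional, Tuple


# Option rejected in the thread: base64 "encoding" of the uname itself.
# This is reversible by anyone, so it neither hides nor authenticates the value.
def encode_uname(uname: str) -> str:
    return base64.urlsafe_b64encode(uname.encode("utf-8")).decode("ascii")


def decode_uname(param: str) -> str:
    return base64.urlsafe_b64decode(param.encode("ascii")).decode("utf-8")


# Option recommended first by Chris: keep the private data in a store that only
# the launching app and the WDA can reach, and pass an opaque handle (GUID).
# Hypothetical in-memory store standing in for a shared table or cache.
class HandoffStore:
    def __init__(self, ttl_seconds: int = 60) -> None:
        self._ttl = ttl_seconds
        # handle -> (uname, absolute expiry time on the monotonic clock)
        self._entries: Dict[str, Tuple[str, float]] = {}

    def issue(self, uname: str) -> str:
        """Launching-app side: persist the uname, return a fresh random handle.

        uuid4 draws from the OS CSPRNG, so the handle cannot be guessed or
        derived from the uname the way a base64 string can.
        """
        handle = str(uuid.uuid4())
        self._entries[handle] = (uname, time.monotonic() + self._ttl)
        return handle

    def redeem(self, handle: str) -> Optional[str]:
        """WDA side: resolve and consume the handle.

        Returns None for an unknown, already used, or expired handle, so a
        replayed or forged URL yields no user at all.
        """
        entry = self._entries.pop(handle, None)  # pop enforces single use
        if entry is None:
            return None
        uname, expires_at = entry
        if time.monotonic() > expires_at:
            return None
        return uname
```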

Answers (1)
Sharathmg
Active Contributor
Dear Johannes,

Declare the custom parameter in the startup plug method of the Web Dynpro application. Then assign the same parameter from F4 help as an application parameter.

Now, when the application is run, by default the parameter is not shown in the URL.

Caveat: However, if any developer/user knows the name of the parameter, then he can append the parameter and provide the value.

Regards,

Sharath M G