
Web Dispatcher / NetWeaver 7.3 / URL Filter, permission table

Hi all

We want to use the SAP Web Dispatcher 720P113 to secure our external facing NetWeaver 7.3 Portal.

The Web Dispatcher can of course filter parts of the URL.

With this we would like to restrict access from the internet to only the necessary NetWeaver Portal applications.

We hoped to create a minimum permission table file and started with the following:

#SAP Web Dispatcher permission table
P /irj/*
#DENY ALL
D *

Then we realised we also had to permit /logon_ui_resources/* to be able to see the logon screen. Afterwards we could log in, but could not see any portal images and so on.

Especially we don't want anyone to open /nwa or /sld or /startPage... and I don't know how many more critical URLs there are. Even if we block e.g. /sld, somebody who knows the complete URL webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main can log in to SLD.

Of course we use SSL & firewall to the system, along with secure OS settings.

Has anyone implemented a permission table file with SAP Web Dispatcher and can supply us with a working, secure configuration or give any hints on how to identify critical portal applications?

BR

Michael

Former Member replied

Hi Raoul,

I think I have, here's the ptab file we use as a whitelist:

######### SAP Web Dispatcher permission table
######### Whitelist principle
######### DENY Critical Apps #########
D       /nwa
D       /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
D       /sld
D       /webdynpro/dispatcher/sap.com/tc~sld~wd~main/*
D       /startPage
D       /nwa/sysinfo
D       /wsnavigator
D       /useradmin
D       /webdynpro/welcome/*
D       /webdynpro/dispatcher/sap.com/tc~wd~tools/*
D       /sr_central
D       /sapmc
D       /utl/UsageTypesInfo
D       /ejbexplorer
D       /webdynpro/resources/sap.com/tc~lm~itsam~ui~mainframe~wd/*
D       /webdynpro/dispatcher/sap.com/tc~esi~esp~wsnav~ui/*
D       /webdynpro/dispatcher/sap.com/tc~sec~ume~wd~umeadmin/*
#
######### ALLOW #########
### SAP PORTAL ###
P       /AFPServlet/*
P       /com.sap.netweaver.coll.appl.ui.room/scripts/*
P       /com.sap.portal.*
P       /com.sap.ui.lightspeed/js/*
P       /com.sap.workflow.admin.template_jwf/images/*
P       /htmlb/*
P       /irj/go/km/*
P       /irj/portal/*
P       /irj/portal*
P       /irj/servlet/prt/*
[snip]
### SAP ABAP ###
#Custom
P       /sap/bc/webdynpro/SAP/Z_APP1*
P       /sap/bc/webdynpro/SAP/Z_APP2*
P       /sap/bc/webdynpro/sap/z_app3*
#SAP Common
P       /sap/public/bc/webdynpro/ssr/*
P       /sap/public/bc/ur/Design2002/*
P       /sap/public/bc/ur/nw5/*
P       /sap/public/bc/icons/*
P       /sap/public/bc/WebIcons/ur/default/l/Icon/*
#
######### FOR DEBUGGING ALLOW ALL #########
#P      *
######### DENY EVERYTHING ELSE #########
D       *

Where it says [snip] we also added custom logon screen URLs.

Basically I used Firebug and/or IE Developer Tools to capture the URLs visited while browsing the Portal. After quickly filtering the results in Excel, along with some other Excel capabilities, we arrived at this list.

I know I could have left out the initial Denys because of the final deny-all rule, but I felt safer with them.

Any ideas / design flaws are still welcome.

Michael
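Both posts above end up with the same two questions: does the whitelist still let every URL the portal actually requests through, and does it really stop the deep application URLs (such as the SLD Web Dynpro path) that a simple "D /sld" does not cover? The script below is an added example, not code from the thread or from SAP: it parses a permission table, replays a list of captured request URLs through it, and reports which wanted URLs would be denied and which critical URLs would still be permitted. The table, host name and request list are constructed for the example. The matching semantics are assumptions to verify against the Web Dispatcher documentation for your release: rules are evaluated top to bottom with the first match winning, "*" matches any run of characters, everything else matches literally and case-sensitively, "S" permits only over HTTPS, and a path that matches no rule is denied (the tables in the thread end with "D *", so that case never arises for them).

```python
"""Offline checker for an SAP Web Dispatcher permission table (ptab).

Added example, not code from the original thread.  Assumed semantics
(verify against the documentation of your Web Dispatcher release):
  * one rule per line: "P <pattern>" permits, "D <pattern>" denies,
    "S <pattern>" permits only when the request came in over HTTPS;
    '#' starts a comment and blank lines are ignored;
  * rules are evaluated top to bottom and the first match wins;
  * '*' matches any run of characters, everything else matches literally
    and case-sensitively;
  * a path that matches no rule is denied.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

Rule = Tuple[str, str]                   # (action, pattern)
Decision = Tuple[str, Optional[Rule]]    # ("permit" | "deny", rule that fired)


def parse_ptab(text: str) -> List[Rule]:
    """Parse the permission table text into an ordered list of rules."""
    rules: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or parts[0] not in ("P", "D", "S"):
            raise ValueError(f"ptab line {lineno}: cannot parse {raw!r}")
        rules.append((parts[0], parts[1].strip()))
    return rules


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """'*' becomes '.*', every other character is literal; anchored both ends."""
    return re.compile("^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$")


def decide(rules: List[Rule], url: str, https: bool = True) -> Decision:
    """Decision for one request and the rule that produced it (None = no match)."""
    path = urlsplit(url).path or "/"                 # strip scheme, host, query string
    for rule in rules:
        action, pattern = rule
        if pattern_to_regex(pattern).match(path):
            if action == "D" or (action == "S" and not https):
                return "deny", rule
            return "permit", rule
    return "deny", None


def audit(rules: List[Rule], must_permit: List[str], must_deny: List[str]):
    """Return (broken, exposed): wanted URLs that get denied, critical URLs that get through."""
    broken = [u for u in must_permit if decide(rules, u)[0] != "permit"]
    exposed = [u for u in must_deny if decide(rules, u)[0] != "deny"]
    return broken, exposed


# Constructed whitelist in the style of the thread (not the poster's full file).
PTAB = """\
######### DENY critical apps
D       /nwa
D       /sld
D       /webdynpro/dispatcher/sap.com/tc~sld~wd~main/*
######### ALLOW portal and logon screen
P       /irj/portal*
P       /irj/servlet/prt/*
P       /com.sap.portal.*
P       /logon_ui_resources/*
######### DENY everything else
D       *
"""
RULES = parse_ptab(PTAB)

# Constructed request list, as captured from a browser's network panel (hypothetical host).
CAPTURED = [
    "https://portal.example.com/irj/portal",
    "https://portal.example.com/irj/portal/anonymous?guest_user=default",
    "https://portal.example.com/irj/servlet/prt/portal/prtroot/com.sap.portal.navigation.portallauncher.default",
    "https://portal.example.com/logon_ui_resources/css/logon.css",
    "https://portal.example.com/htmlb/mimes/sap_logo.gif",   # no permit rule: denied, page renders without it
]
# Constructed list of URLs that must never be reachable from the internet.
CRITICAL = [
    "https://portal.example.com/nwa",
    "https://portal.example.com/nwa/sysinfo",                # 'D /nwa' has no '*', only the final 'D *' catches it
    "https://portal.example.com/webdynpro/dispatcher/sap.com/tc~sld~wd~main/Main",
    "https://portal.example.com/sld",
]

if __name__ == "__main__":
    for u in CAPTURED + CRITICAL:
        verdict, rule = decide(RULES, u)
        print(f"{verdict:6} {rule!s:55} {u}")
    broken, exposed = audit(RULES, CAPTURED, CRITICAL)
    print("would break the portal:", broken)
    print("still exposed:", exposed)
```

Printing the rule that fired for each URL is the useful part: it shows that the deep SLD URL is stopped only by its own wildcard deny (or by the final "D *"), that "D /nwa" without a wildcard does not cover /nwa/sysinfo on its own, and which captured resource is missing from the allow list before you find out from a broken logon page in production.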
