Personas 2.0&3.0: how to secure the WebRFC call used by Personas?
Hi Personas experts,
As we see, one can implement a function module (e.g., based on a user name to return the initial as JSON) that can be called by Personas WebRFC.
My question is: would it be possible that such a function module can be called by any application from outside the company's network? If so, how to prevent such a risk? The "Whitelist", in my understanding, is to prevent the Personas apps calling any URLs. But can it be used to block the RFC calls from the outside world?
Thanks a lot in advance!
Steve Rumsby replied
You still have to log in to the backend system when calling a WebRFC, so it isn't completely open. You don't notice this normally, because once you log in to get access to Personas initially the same login cookie works for the WebRFC call also. Try calling a WebRFC URL from a clean browser environment and you'll see - you'll be prompted to log in first.
Aside from that you'll need to think about firewall protection if you want to prevent any access at all from outside your company network. How are your SAP systems normally protected? Are they accessible from outside?