on 11-22-2007 2:53 PM
Hi Experts,
I am facing one security issue for BW iViews in EP.
If I am taking the properties of the BW iView by right-clicking the iView -> Properties at runtime (i.e. in Explorer), it shows the address URL as
http://<BWServerIPAddress>:8000/sap/bw/BEx.
But, due to some security reasons, I don't want this info to be displayed.
Please help me. It's very urgent.
Regards,
Krishnaveni.
Hi Krishnaveni,
If I understand you right: You mean right clicking "just in the middle" of the BW-iView and checking the properties, using the IE context menu.
This is all but a security issue. BW iViews are URL isolated, i.e. iFrames. Of course iFrames have their own target URL, and of course you can check where this is coming from. Even if you would achieve that the context menu of the IE would not work (I think this is possible), the URL would be saved within the IE history. So it really doesn't make sense to try to hide this info.
In fact, a security issue is if you need to hide the IP... You should avoid attacking possibilities on the server itself! Or do you try to secure your home by (1) letting the door open but (2) not telling anyone where you live?!?!
Hope it helps
Detlev
Hi Detlev,
Thanks for your valuable reply. You got my problem correctly.
Do you mean to say that there is no option other than disabling the context menu of explorer to avoid this?
Here the interesting thing is, the IP address is getting displayed only for BW iViews, but not for other portal iViews. If the IP address is displayed in the context menu of Explorer, then it will be a security flaw, right? How can I avoid this?
Is there any way to display the fully qualified hostname instead of this IP address? Or at least for the time being, how can I disable the context menu of Explorer?
Thanks
krishnaveni
Hi Atul,
I already tried the same, but it was not working. One thing I noted was, after deleting the entire BW server host details from the hosts file, the BW iView is getting displayed with the URL properties as the IP address of the BW server. I am not getting from where it is taking the IP address.
Please give me some suggestions.
Thanks,
Krishnaveni
Check SAP Note 805344
How URLs are generated automatically from the BW front end:
Other terms
URL, generation, RSBB_URL_PREFIX_GET, message server, HTTPURLLOC
Reason and Prerequisites
If you execute a query or template in the Web from the Web Application Designer, BEx Query Designer or BEx Analyzer, a URL of the form http://host.domain.com:8000/sap/bw/BEx. is automatically created. The following section describes the steps used to generate this URL.
Solution
The function module RSBB_URL_PREFIX_GET is used to generate the URL in BW. That is, when you click "Launch in Web Browser" in the BEx Analyzer, "Display Query on the Web" in the BEx Query Designer or "Execute in the browser" in the Web Application Designer, the function module is called and this returns the protocol, host, domain, port and service.
The function module essentially runs through three steps:
1. Determine the settings on the server application,
2. Determine the settings relating to the message server, provided that it is used,
3. Determine the settings for an exception, if maintained.
First, the application server settings are created. If a message server is used, the settings relating to host and port are replaced with the message server settings. If an exception is maintained, the host and port are replaced by the exception.
Protocol
The HTTP or HTTPS protocol is created in accordance with the setting in transaction SPRO under "Business Information Warehouse" --> "Reporting-relevant settings" --> "Web-based settings" --> "Maintain Web log (HTTP/HTTPS)". Refer to note 512337.
Settings on the application server
The host and domain of the application server are defined in the parameter SAPLOCALHOSTFULL or icm/host_name_full in accordance with Note 773830. A fully qualified host name should always be maintained to prevent SSO and/or HTTPS problems in advance. This means that, due to the valid Internet standards, the corresponding parameter should include the host and domain. For more information about this, see Notes 434918 and 654982.
The port of the application server is defined in the parameter icm/server_port_X.
To evaluate these parameter values, the function module RSBB_URL_PREFIX_GET calls the Basis function module HTTP_GET_URL2.
Example: No message server is activated and no exception is defined.
Protocol = HTTP
icm/host_name_full = apphost.domain.com
icm/server_port_0 = PROT=HTTP, PORT=50015
Generated URL: http://apphost.domain.com:50015/sap/bw/BEx.
Settings for the message server
You can use the message server to distribute the load of incoming HTTP requests across several application servers. In this case, the initial URL is rendered with the host and port of the message server, which then forwards the request to an available application server. The message server-specific settings for host and port are saved in the parameters rdisp/mshost and ms/http_port or ms/https_port or ms/server_port_X. The port of the message server must not be the same as the port of the application server on which it is running. Note 493475 contains additional information about this.
Example: In addition to the above configuration, a message server is used.
rdisp/mshost = mshost
ms/http_port = 8000
Generated URL: http://mshost.domain.com:8000/sap/bw/BEx.
Web dispatcher/exception table HTTPURLLOC
You can maintain exceptions in the table HTTPURLLOC. For example, here you can implement the settings in such a way that all HTTP requests on the application /sap/bw/BEx should be forwarded to a Web dispatcher or reverse proxy. The first hit found is created, provided that several exceptions apply for an incoming request. Note 561885 contains more information about this topic.
Example: An exception is maintained for the application /SAP/bw/BEx.
PROTOCOL = HTTP
APPLICATN = /sap/bw/BEx
HOST = www.webdispatcher.com
PORT = 1000
Generated URL: http://www.webdispatcher.com:1000/sap/bw/BEx.
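The three-step precedence described in the quoted note, modelled as an added example that is not part of the original thread and is not SAP's code; it also flags a generated URL whose host is an IP address or not fully qualified, which is the symptom discussed above. Assumptions: the function names are hypothetical, HTTPURLLOC rows are matched by protocol and a case-insensitive prefix on APPLICATN, an unqualified rdisp/mshost inherits the application server's domain (as the note's example suggests), only ms/http_port and ms/https_port are handled, and 10.0.0.5 is a constructed value.

```python
import ipaddress
from urllib.parse import urlsplit

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def parse_server_port(value):
    # 'PROT=HTTP, PORT=50015' -> {'PROT': 'HTTP', 'PORT': '50015'}
    pairs = (item.split("=", 1) for item in value.split(",") if "=" in item)
    return {k.strip().upper(): v.strip() for k, v in pairs}

def bex_url(profile, httpurlloc, protocol="HTTP", app="/sap/bw/BEx"):
    # Step 1: host and port of the application server.
    host = profile.get("icm/host_name_full") or profile.get("SAPLOCALHOSTFULL", "")
    port = None
    for key in sorted(k for k in profile if k.startswith("icm/server_port_")):
        entry = parse_server_port(profile[key])
        if entry.get("PROT", "").upper() == protocol:
            port = entry.get("PORT")
            break
    # Step 2: a message server, if used, replaces host and port.
    ms = profile.get("rdisp/mshost")
    if ms:
        domain = "" if is_ip(host) else host.partition(".")[2]
        # Assumption: an unqualified mshost inherits the app server's domain.
        host = ms if ("." in ms or not domain) else f"{ms}.{domain}"
        ms_key = "ms/https_port" if protocol == "HTTPS" else "ms/http_port"
        port = profile.get(ms_key, port)
    # Step 3: the first matching HTTPURLLOC row replaces host and port.
    for row in httpurlloc:
        if (row["PROTOCOL"].upper() == protocol
                and app.lower().startswith(row["APPLICATN"].lower())):
            host, port = row["HOST"], row["PORT"]
            break
    return f"{protocol.lower()}://{host}" + (f":{port}" if port else "") + app

def host_findings(url):
    # Flag hosts that expose an address or break the FQDN recommendation.
    host = urlsplit(url).hostname or ""
    if is_ip(host):
        return ["ip-literal"]
    return [] if "." in host else ["not-fully-qualified"]

# Profile values taken from the note's examples.
APP_PROFILE = {"icm/host_name_full": "apphost.domain.com",
               "icm/server_port_0": "PROT=HTTP, PORT=50015"}
```

Running `host_findings` over the URL produced for each exposed application shows which of the three configuration layers still needs a fully qualified host name.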