Purpose

Demonstrate how the Web Dispatcher can be used as a URL filter. This page will show examples of how the Authentication and Modification Handlers of the Web Dispatcher can be used to perform URL filtering.

Using the Authentication Handler

Define an icm/HTTP/auth_<xx> parameter using the PERMFILE argument. For example:

icm/HTTP/auth_0 = PREFIX=/, PERMFILE=D:\usr\sap\WDP\SYS\profile\perm_filter.txt

Then, create the perm_filter.txt file at the given path. You can now create the desired rules inside that file (each line is a rule). It is possible to add comments in the file by using a line starting with the "#" character. Otherwise, each line has to start with either "P" (for "Permit"), "D" (for "Deny") or "S" (for "Secure", meaning that the access is permitted only if HTTPS is used).

The next field on the line is the URI pattern, or URL path / prefix. For example, "/sap/bc/*". The next fields define a user ID, group, client IP address (IP address from the end user) and server IP address (IP address of the Web Dispatcher server). The rules are applied in the order they appear in the file, from top to bottom, and the first rule that matches the request is applied. There is an implicit "deny all" rule that is added to the end of the file, at runtime. Therefore, it is recommended to use "positive rules" (create only P or S rules, as everything else will be denied by default).

Example of "perm_filter.txt" file:

# This is the "permission file" used by the Web Dispatcher Authentication handler

# We allow access to the WEB GUI, but only through HTTPS

S /sap/bc/gui/sap/its/webgui * * * *

 

# We allow access to the "ping" service either through HTTP or HTTPS, but only if

# accessed through the "administration network IP address" of the

# Web Dispatcher server - in this example, 192.168.100.35

P /sap/public/ping * * * 192.168.100.35/32

 

# We allow access to all webdynpros, but only if the client is from specific networks

P /sap/bc/webdynpro/* * * 10.10.10.0/24 *

P /sap/bc/webdynpro/* * * 10.20.20.0/24 *

 

# We allow access to all BSP pages, but only if the client is from a specific network

# AND if it accesses the Web Dispatcher using a specific virtual hostname (which points

# to a dedicated IP address configured at the Web Dispatcher server) AND through HTTPS

S /sap/bc/bsp* * * 10.20.20.0/24 192.168.200.15/32

 

# Everything not listed above will be denied because of the final implicit rule "D * * * * *"

This is the same set of rules as above, but without the comment lines (for clarity purposes):

S /sap/bc/gui/sap/its/webgui * * * *

P /sap/public/ping * * * 192.168.100.35/32

P /sap/bc/webdynpro/* * * 10.10.10.0/24 *

P /sap/bc/webdynpro/* * * 10.20.20.0/24 *

S /sap/bc/bsp* * * 10.20.20.0/24 192.168.200.15/32
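To make the evaluation order concrete, here is a small simulator for the perm_filter.txt format described above. It is an added example, not part of the original page or of the Web Dispatcher itself: it parses the comment-less rule set, applies the first matching rule and falls through to the implicit "D * * * * *". Its assumptions (the URI field is treated as a path prefix, and a matching "S" rule reached over plain HTTP is applied as a deny) are marked in the comments.

```python
import ipaddress

# Constructed copy of the comment-less perm_filter.txt shown on this page.
PERM_FILE = """\
S /sap/bc/gui/sap/its/webgui * * * *
P /sap/public/ping * * * 192.168.100.35/32
P /sap/bc/webdynpro/* * * 10.10.10.0/24 *
P /sap/bc/webdynpro/* * * 10.20.20.0/24 *
S /sap/bc/bsp* * * 10.20.20.0/24 192.168.200.15/32
"""

def parse_perm_file(text):
    """Return (action, uri, user, group, client_net, server_net) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 6 or fields[0] not in ("P", "D", "S"):
            raise ValueError("malformed rule: %r" % line)
        rules.append(tuple(fields))
    return rules

def _ip_matches(pattern, ip):
    """'*' matches any address; otherwise the address must lie in the CIDR network."""
    return pattern == "*" or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)

def _uri_matches(pattern, path):
    """Assumed: the URI field is a prefix, with or without a trailing '*'."""
    return path.startswith(pattern.rstrip("*"))

def evaluate(rules, path, client_ip, server_ip, https, user="*", group="*"):
    """First matching rule wins; a request matching no rule hits the implicit 'D * * * * *'."""
    for action, uri, r_user, r_group, r_client, r_server in rules:
        if not _uri_matches(uri, path):
            continue
        if r_user not in ("*", user) or r_group not in ("*", group):
            continue
        if not (_ip_matches(r_client, client_ip) and _ip_matches(r_server, server_ip)):
            continue
        if action == "P":
            return "permit"
        if action == "S":  # assumed: a matching S rule over plain HTTP is applied as a deny
            return "permit" if https else "deny"
        return "deny"
    return "deny"  # implicit deny-all at the end of the file

RULES = parse_perm_file(PERM_FILE)
```

For instance, evaluate(RULES, "/sap/bc/bsp/app", "10.20.20.55", "192.168.200.15", https=True) returns "permit", while the same request arriving at server address 192.168.0.77 returns "deny".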

Using the Modification Handler

It is also possible to use the parameter icm/HTTP/mod_<xx> to perform URL filtering.

Although this setup could be a bit more complex than using the Authentication Handler, it also allows more actions to be performed, besides the equivalent of the P/D/S actions from the Authentication Handler.

Example of parameter:

icm/HTTP/mod_0 = PREFIX=/, FILE=D:\usr\sap\WDP\SYS\profile\filter_rules.txt

Then, create the filter_rules.txt file at the given path. You can now create the desired rules inside that file (each line is a rule). It is possible to add comments in the file by using a line starting with the "#" character. Otherwise, the line must contain the rule.

The rules are applied in the order they appear in the file, from top to bottom. One or more rules can be applied to the same request, depending on how the rules were created. No implicit "deny all" rule is added at the end, unlike when using the Authentication Handler.

Notice that a "negative list" has to be created, instead of a "positive list" like in the Authentication Handler.

In addition, we need to use conditions, variables and even linked conditions in order to create more elaborate rules that achieve the same filters as with the Authentication Handler. Also notice that the order of the conditions is important. Some of the examples below use regular expressions. Example of "filter_rules.txt" file:

# This is the "filter rules file" used by the Web Dispatcher Modification handler

# We deny access to the "ping" service

RegForbiddenURL ^/sap/public/ping(.*) - [break]

 

# We allow access to the WEB GUI, but only through HTTPS

# The indentation is optional

if %{SERVER_PROTOCOL} !stricmp "HTTPS" [and]

if %{PATH} regimatch ^/sap/bc/gui/sap/its/webgui(.*)

RegForbiddenURL ^/sap/bc/gui/sap/its/webgui(.*) - [break]

 

# We allow access to all webdynpros, but only if the client is from specific networks

if %{PATH} regimatch ^/sap/bc/webdynpro/(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.10.10.(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)

RegForbiddenURL ^/sap/bc/webdynpro/(.*) - [break]

 

# We allow access to all BSP pages, but only if the client is from a specific network

# AND if it accesses the Web Dispatcher using a specific virtual hostname (which points

# to a dedicated IP address configured at the Web Dispatcher server) AND through HTTPS

#

# We will need multiple rules for this

# First, we test whether the desired server IP address of the Web Dispatcher was used

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{SERVER_ADDR} !regimatch 192.168.200.15

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

 

# Then, we test whether the request came from the allowed (client) network

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

 

# Finally, we test whether HTTPS is used

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{SERVER_PROTOCOL} !stricmp "HTTPS"

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

Multiple rules are required for the last scenario because the Web Dispatcher will stop testing the next conditions if one condition is already false. To illustrate that, consider the following rule:

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.20.20.(.*) [and]

if %{SERVER_ADDR} !regimatch 192.168.200.15

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

Now, consider that the client from the IP address 10.20.20.55 accessed a bsp page (/sap/bc/bsp/...), but it reached the Web Dispatcher through its IP address 192.168.0.77. The request would not be denied by the rule above.

That is because the second condition ("if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)") will be evaluated as "false" (the client is from the allowed network), and the Web Dispatcher will stop evaluating the next conditions, so the third condition (the server IP address check) is never tested.

This is the same set of rules as above, but without the comment lines (for clarity purposes):

RegForbiddenURL ^/sap/public/ping(.*) - [break]

 

if %{SERVER_PROTOCOL} !stricmp "HTTPS" [and]

if %{PATH} regimatch ^/sap/bc/gui/sap/its/webgui(.*)

RegForbiddenURL ^/sap/bc/gui/sap/its/webgui(.*) - [break]

 

if %{PATH} regimatch ^/sap/bc/webdynpro/(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.10.10.(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)

RegForbiddenURL ^/sap/bc/webdynpro/(.*) - [break]

 

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{SERVER_ADDR} !regimatch 192.168.200.15

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

 

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]

 

if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]

if %{SERVER_PROTOCOL} !stricmp "HTTPS"

RegForbiddenURL ^/sap/bc/bsp/(.*) - [break]
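The short-circuit behaviour explained above (why the single combined BSP rule fails to deny the request from 10.20.20.55 via 192.168.0.77, while the three separate rules do) can be reproduced with the following simulator. It is an added example, not the Web Dispatcher's own code: it evaluates [and]-chained "if" conditions in order and stops at the first false one, and it assumes that "regimatch" is a case-insensitive regular-expression search and "stricmp" a case-insensitive string comparison.

```python
import re

# Constructed request for the scenario described on the page: client 10.20.20.55
# opens a BSP page via the Web Dispatcher address 192.168.0.77 instead of 192.168.200.15.
REQUEST = {"PATH": "/sap/bc/bsp/app", "REMOTE_ADDR": "10.20.20.55",
           "SERVER_ADDR": "192.168.0.77", "SERVER_PROTOCOL": "HTTPS"}

def condition_holds(cond, req):
    """Evaluate one 'if %{VAR} [!]op value' line (regimatch and stricmp only)."""
    cond = cond.strip()
    if cond.endswith("[and]"):
        cond = cond[:-5].rstrip()
    m = re.match(r'^if %\{(\w+)\} (!?)(regimatch|stricmp) "?(.+?)"?$', cond)
    if not m:
        raise ValueError("unsupported condition: %r" % cond)
    var, negate, op, value = m.groups()
    actual = req[var]
    if op == "regimatch":  # assumed: case-insensitive regular-expression search
        result = re.search(value, actual, re.IGNORECASE) is not None
    else:                  # stricmp: case-insensitive string comparison
        result = actual.lower() == value.lower()
    return result != (negate == "!")

def rule_fires(conditions, req):
    """[and]-chained conditions: evaluation stops at the first false condition."""
    for cond in conditions:
        if not condition_holds(cond, req):
            return False
    return True

def forbidden(rules, req):
    """A request is forbidden as soon as any rule's condition chain fires."""
    return any(rule_fires(conds, req) for conds in rules)

# The single combined rule from the page (conditions copied verbatim).
COMBINED = [["if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]",
             "if %{REMOTE_ADDR} !regimatch 10.20.20.(.*) [and]",
             "if %{SERVER_ADDR} !regimatch 192.168.200.15"]]

# The three separate rules from the page, one check each.
SEPARATE = [["if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]", "if %{SERVER_ADDR} !regimatch 192.168.200.15"],
            ["if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]", "if %{REMOTE_ADDR} !regimatch 10.20.20.(.*)"],
            ["if %{PATH} regimatch ^/sap/bc/bsp/(.*) [and]", 'if %{SERVER_PROTOCOL} !stricmp "HTTPS"']]

if __name__ == "__main__":
    print("combined rule forbids:", forbidden(COMBINED, REQUEST))   # False
    print("separate rules forbid:", forbidden(SEPARATE, REQUEST))   # True
```

Note that the address patterns are taken from the page as written: in a regular expression "." matches any character and these patterns are not anchored, so they are looser than the /24 networks and /32 host addresses used in the perm_filter.txt rules.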
