
This article gives a brief overview of the different types of URL filtering available in the SAP Web Dispatcher and Internet Communication Manager (ICM).

h4. Quick introduction to URL filtering

The concept of URL filtering is quite straightforward. An http (or https) request can be accepted or rejected based on the URL. The criteria could be all or part of the URL or URLs that match certain patterns.

There are three types of URL filtering available, each offering different power and flexibility. The simplest permits and denies requests by doing simple URL matching with basic wildcard support. The more sophisticated methods allow pattern matching with regular expressions, the ability to permit or block based on IP address, and the possibility of adding additional authentication for certain URLs.

h4. The three types of filtering

The three types of filters are governed by three profile parameters:

(Table with columns parameter, name and notes; its rows did not survive extraction.)

The default patterns are:

bq. <\s*script[^>]*>(.*)<\s*/script\s*>

For 7.01 and above:

bq. (<\s*(script|object|iframe|embed|img)[^>]*>(.*)<\s*/(script|object|iframe|embed|img)\s*>)|({0,5}script\:)|(<\s*/script\s*>(.*)//)

This will filter URLs like the following:

bq. http://host:port/sap/bc/bsp/sap/bc470_was/start.htm“>

The patterns that the filter uses can be overridden or added to by creating a file as follows:

bq. DIR_INSTANCE/sec/sappattern.dat

where DIR_INSTANCE is the directory specified in your profile.

This file can contain patterns specified as regular expressions, as outlined in the documentation here.

If this file is created it will override the default patterns. Creating a blank file, for example, will let all URLs through. The default patterns mentioned above can be added to the file to maintain the default filtering behavior in addition to any new filters that are specified.

Detailed documentation of the authentication handler can be found in the online help here.

The first item is one of the four URL filtering actions (RegForbiddenUrl, RegGoneUrl, RegIForbiddenUrl and RegIGoneUrl) and the second item is a regular expression which specifies which URLs to apply the action to. This line will reject all requests to URLs starting with ‘/admin’. More detailed information on the contents of an action file can be found here.

Detailed information on the modification handler can be found in the online help here.

h4. URL filter: wdisp/permission_table

The Web Dispatcher’s URL filter consists of a file that specifies URLs that are either to be permitted or denied. The file is specified with a profile parameter, for example:

bq. wdisp/permission_table = myPermFile.txt

The contents of the file might look as follows:

bq. P /sap/public/ping
D *.php

The first line permits access to ‘/sap/public/ping’. The second line denies access to any URL ending with ‘.php’.

For any incoming URL the filter is applied to the section of the URL indicated as the translated path in this diagram.

Although use of the wildcard * is allowed at the beginning or the end of a term, it is not allowed at both the beginning AND the end.

For example

bq. D *ping

would deny any URL that ends in ping

bq. P /sap/bc*

would permit any URL that starts with /sap/bc

Using wildcards at both the beginning and the end would not match every URL containing the term between the two wildcards. For example, the following

bq. D *alert*

would not deny access to every URL that contains the term alert. Instead it would deny any URL that ends in the exact string alert*, i.e. it would try to match the second star character literally.
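The wildcard rule above is easy to get wrong when writing a permission table, so here is an added example (not code from the post or from SAP) that parses a constructed table, applies the post's matching rule, and flags the `*term*` pitfall. First-match-wins evaluation and default deny in `decide()` are assumptions of this example, not something the post states.

```python
# Constructed sample table in the format the post describes: one rule per
# line, 'P' (permit) or 'D' (deny), a space, then a URL term that may carry
# a single wildcard '*' at its start or its end.
SAMPLE_TABLE = """\
P /sap/public/ping
D *.php
P /sap/bc*
D *alert*
"""

def parse_table(text):
    """Return a list of (action, term) tuples; blank lines are skipped."""
    rules = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        action, _, term = line.partition(" ")
        term = term.strip()
        if action not in ("P", "D") or not term:
            raise ValueError(f"line {n}: expected 'P <term>' or 'D <term>'")
        rules.append((action, term))
    return rules

def term_matches(term, path):
    """Matching rule from the post: '*' is a wildcard only at the very start
    or the very end of the term, never at both ends."""
    if term.startswith("*"):
        # '*alert*' lands here too: only the leading '*' is a wildcard, so
        # the path must end in the literal string 'alert*'.
        return path.endswith(term[1:])
    if term.endswith("*"):
        return path.startswith(term[:-1])
    return path == term

def double_wildcard_terms(rules):
    """Lint: terms written as '*x*' do not mean 'contains x'."""
    return [t for _, t in rules if len(t) > 1 and t[0] == "*" and t[-1] == "*"]

def decide(rules, path):
    """Assumed evaluation order (not stated in the post): the first matching
    rule wins, and a path that matches no rule is denied."""
    for action, term in rules:
        if term_matches(term, path):
            return action == "P"
    return False
```

Run `double_wildcard_terms(parse_table(open("myPermFile.txt").read()))` against a real table to spot entries that will only ever match a path ending in a literal star.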
