URL Filtering in the SAP ICM and Web Dispatcher
This article gives a brief overview of the different types of URL filtering available in the SAP Web Dispatcher and Internet Communication Manager (ICM).
h4. Quick introduction to URL filtering
The concept of URL filtering is straightforward: an HTTP (or HTTPS) request is accepted or rejected based on its URL. The criterion can be the whole URL, part of it, or a pattern that the URL must match.
There are three types of URL filtering available, each offering different power and flexibility. The simplest permits and denies requests by simple URL matching with basic wildcard support. The more sophisticated methods allow pattern matching with regular expressions, permitting or blocking based on the client's IP address, and requiring additional authentication for certain URLs.
h4. The three types of filtering
The three types of filters are governed by three profile parameters:
|_. parameter |_. name |_. notes |
| wdisp/permission_table | URL filter | simple URL matching with basic wildcard support (Web Dispatcher) |
| icm/HTTP/auth_<xx> | Authentication handler | regular expressions, permit or deny by client IP address, additional authentication for certain URLs |
| icm/HTTP/mod_<xx> | Modification handler | regular expression actions that modify or reject URLs |

h4. Default pattern filter

In addition to the three configurable filters above, the ICM and Web Dispatcher apply a set of default patterns that reject URLs containing script content. The original default pattern is:

bq. <\s*script[^>]*>(.*)<\s*/script\s*>

For 7.01 and above the default pattern is:

bq. (<\s*(script|object|iframe|embed|img)[^>]*>(.*)<\s*/(script|object|iframe|embed|img)\s*>)|(.{0,5}script\:)|(<\s*/script\s*>(.*)//)
This will filter URLs like the following:
bq. http://host:port/sap/bc/bsp/sap/bc470_was/start.htm">
The patterns that the filter uses can be overridden or added to by creating a file as follows:
bq. DIR_INSTANCE/sec/sappattern.dat
where DIR_INSTANCE is the instance directory set by the DIR_INSTANCE profile parameter.
This file can contain patterns written as regular expressions, as outlined in the SAP online help.
If this file exists it overrides the default patterns. Creating a blank file, for example, lets all URLs through. The default patterns shown above can be copied into the file to keep the default filtering behavior in addition to any new patterns that are specified.
h4. Authentication handler

Detailed documentation of the authentication handler can be found in the SAP online help.

h4. Modification handler

The modification handler is driven by an action file. Each line of the action file has two items: the first is one of the four URL filtering actions (RegForbiddenUrl, RegGoneUrl, RegIForbiddenUrl and RegIGoneUrl) and the second is a regular expression that specifies which URLs the action applies to. A line that applies RegForbiddenUrl to a regular expression matching URLs starting with '/admin' rejects every request to those URLs. More detailed information on the contents of an action file, and on the modification handler in general, can be found in the SAP online help.
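The following Python model, added here as an example and not taken from SAP or from this article, shows how the two regular-expression filters described above behave: a sappattern.dat-style pattern list (any match rejects the URL, an empty file lets everything through) and a modification-handler action file pairing the four Reg*Url actions with regular expressions. The sample pattern file, the sample action file, the mapping of Forbidden to HTTP 403 and Gone to HTTP 410, the case-insensitivity of the I variants, first-match-wins evaluation, and the decision to test both the raw and the percent-decoded URL are all this example's own assumptions; the article does not state them.

```python
"""Added example (not SAP code): the two regular-expression URL filters
described in this article, modelled in Python.

1. A sappattern.dat-style pattern list: a URL matching any pattern is
   rejected, and an empty pattern list lets every URL through.
2. A modification-handler action file whose lines pair one of the four
   URL filtering actions (RegForbiddenUrl, RegGoneUrl, RegIForbiddenUrl,
   RegIGoneUrl) with a regular expression.

Assumptions, none of which the article states: the 'I' variants are
case-insensitive; Forbidden answers HTTP 403 and Gone HTTP 410; the
action file is evaluated top to bottom, first match wins; every pattern
is tested against both the raw and the percent-decoded URL so that
encoding the offending characters does not slip past the filter.
"""
import re
from urllib.parse import unquote

# Constructed pattern list in the style of sappattern.dat (one regex per
# line).  The two patterns are modelled on the article's defaults: an
# inline <script> element, and a 'script:' scheme preceded by up to five
# characters (javascript:, vbscript:).
SAMPLE_SAPPATTERN = r"""
<\s*script[^>]*>(.*)<\s*/script\s*>
.{0,5}script\:
"""


def load_patterns(text):
    """Compile one regex per non-empty line.  A blank file yields an
    empty list, which (as the article notes) lets all URLs through."""
    return [re.compile(line.strip(), re.IGNORECASE)
            for line in text.splitlines() if line.strip()]


def url_forms(url):
    """The raw URL plus its percent-decoded form, if that differs."""
    decoded = unquote(url)
    return (url, decoded) if decoded != url else (url,)


def pattern_filter_rejects(url, patterns):
    """True when any pattern matches the raw or decoded URL."""
    return any(p.search(form) for p in patterns for form in url_forms(url))


# Action name -> (HTTP status sent, regex flags).  The status codes are
# this example's assumption.
ACTIONS = {
    "RegForbiddenUrl": (403, 0),
    "RegGoneUrl": (410, 0),
    "RegIForbiddenUrl": (403, re.IGNORECASE),
    "RegIGoneUrl": (410, re.IGNORECASE),
}

# Constructed action file: reject everything under /admin (case-
# sensitive) and report a retired application as gone (case-insensitive).
SAMPLE_ACTION_FILE = r"""
RegForbiddenUrl ^/admin
RegIGoneUrl     ^/sap/old_app(/|$)
"""


def load_action_file(text):
    """Parse 'ACTION REGEX' lines into (compiled regex, status) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, regex = line.split(None, 1)
        if action not in ACTIONS:
            raise ValueError(f"unknown action {action!r}")
        status, flags = ACTIONS[action]
        rules.append((re.compile(regex.strip(), flags), status))
    return rules


def apply_action_file(url, rules):
    """HTTP status the handler would send, or None if no rule matches
    and the request may proceed to the back end."""
    for regex, status in rules:
        if any(regex.search(form) for form in url_forms(url)):
            return status
    return None


if __name__ == "__main__":
    pats = load_patterns(SAMPLE_SAPPATTERN)
    rules = load_action_file(SAMPLE_ACTION_FILE)
    for u in ("/sap/public/ping", '/start.htm"><script>alert(1)</script>',
              "/x?u=javascript:void(0)", "/admin/users", "/SAP/Old_App/x"):
        print(u, "pattern-reject" if pattern_filter_rejects(u, pats) else "ok",
              apply_action_file(u, rules))
```

The point of checking the decoded form as well as the raw URL is the classic failure mode of URL pattern filters: a pattern written for `<script>` never sees `%3Cscript%3E` unless something decodes first. Whether the ICM decodes before matching is not stated in the article, so when you roll your own sappattern.dat entries, test them against encoded requests rather than assuming.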
h4. URL filter: wdisp/permission_table
The Web Dispatcher's URL filter consists of a file that specifies URLs that are either to be permitted or denied. The file is specified by a profile parameter, for example:
bq. wdisp/permission_table = myPermFile.txt
The contents of the file might look as follows:
bq. P /sap/public/ping
D *.php
The first line permits access to ‘/sap/public/ping’. The second line denies access to any URL ending with ‘.php’.
For any incoming URL the filter is applied to the part of the URL shown as the translated path in the accompanying diagram.
Although use of the wildcard * is allowed at the beginning or the end of a term, it is not allowed at both the beginning AND the end.
For example,
bq. D *ping
would deny any URL that ends in ping, and
bq. P /sap/bc*
would permit any URL that starts with /sap/bc.
Using wildcards at both the beginning and the end does not match URLs that merely contain the term between the two wildcards. For example, the following
bq. D *alert*
would not deny any URL that contains the term alert. Instead it denies any URL that ends in the exact string alert*, i.e. the second star character is matched literally.
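To make the wildcard rule concrete, here is a small Python model of the permission table matching as the article describes it. It is an added example, not SAP code or code from this article: the sample table is constructed, and the top-to-bottom, first-match-wins evaluation with deny-by-default for unmatched paths is this example's assumption rather than something the article states. The `lint_table` check flags the double-star entries the article warns about.

```python
"""Added example (not SAP code): the wdisp/permission_table matching
rules as this article describes them, modelled in Python.

From the article: 'P' permits and 'D' denies; a '*' is a wildcard only
at the beginning or at the end of a term, never both; a term written
'*alert*' therefore matches paths that END with the literal string
'alert*' rather than paths that contain 'alert'.

Assumptions the article does not state: the table is read top to
bottom, the first matching line wins, and a path matching no line is
denied.
"""

# Constructed permission table.  The '*alert*' line reproduces the
# wildcard pitfall the article warns about.
SAMPLE_TABLE = """
P /sap/public/ping
D *.php
D *alert*
P /sap/bc*
"""


def parse_table(text):
    """Parse 'P term' / 'D term' lines into (action, term) pairs."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, term = line.split(None, 1)
        if action not in ("P", "D"):
            raise ValueError(f"unknown action {action!r}")
        entries.append((action, term.strip()))
    return entries


def term_matches(term, path):
    """Match one term against the translated path.

    A leading '*' means 'ends with the rest of the term'; a trailing '*'
    means 'starts with the rest'; anything else must match exactly.  The
    leading star is consumed first, so '*alert*' becomes a suffix match
    on 'alert*', with the trailing star kept as a literal character.
    """
    if term.startswith("*"):
        return path.endswith(term[1:])
    if term.endswith("*"):
        return path.startswith(term[:-1])
    return path == term


def check(path, entries):
    """Return 'P' or 'D' for the translated path."""
    for action, term in entries:
        if term_matches(term, path):
            return action
    return "D"  # assumption: deny when no line matches


def lint_table(entries):
    """Return terms with a star at both ends.  Such a term is not a
    'contains' match (the table cannot express one), so it almost
    certainly does not do what its author intended."""
    return [term for _, term in entries
            if len(term) > 1 and term.startswith("*") and term.endswith("*")]


if __name__ == "__main__":
    entries = parse_table(SAMPLE_TABLE)
    for p in ("/sap/public/ping", "/sap/bc/bsp/x.php",
              "/sap/bc/bsp/sap/alert/start.htm", "/sap/bc/alert*", "/other"):
        print(f"{check(p, entries)}  {p}")
    print("suspicious terms:", lint_table(entries))
```

Running it shows `/sap/bc/bsp/sap/alert/start.htm` being permitted by the `P /sap/bc*` line even though the table contains `D *alert*`: only a path that literally ends in `alert*` is caught. Run `lint_table` over a real permission file before deploying it; an entry it reports is one whose author expected substring matching the table does not provide.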