Technology Blogs by SAP
harald_mueller

As promised, this is the continuation of my first blog, which described how to deploy the application as-is on SAP NetWeaver Cloud (aka Neo).

This time I will not just deploy the application as-is but have a look into the source code and make the app a bit more enterprise-ready (hey, we are SAP ;-).

I will focus exclusively on command line tools. I'm rather one of the old-fashioned guys who believe that vi is the ultimate RAD tool for real developers. Well, or at least for some specific use cases. All of this should of course work with Eclipse/EGit, which is the preferred IDE for NW Cloud.

Step 1: Get the sources from github 

$git clone https://github.com/lpintosil/OSIL

This took roughly 1-2 seconds.

Step 2: Enable Authentication for the application


I would like to secure the application and enable user authentication. In order to do this I'm following the documentation on Securing SAP NetWeaver Cloud Applications.

I will use the SAP ID Service, which is the default identity provider for NetWeaver Cloud. All SCN community members can use their credentials to log in to the now secured application. You can also configure trust to your customer's IdP and thus use the existing corporate user base. If you are interested in more details, and you are in Las Vegas next week, then have a look at the session presented by martin.raepple:

The Sky is the Limit – Cloud Single Sign-on and On-Premise Identity Federation with the SAP NetWeave...

To enable user authentication I will add declarative authentication by simply changing the web.xml of the application.

After this I changed the welcome screen of the app and made it a bit more personal. In the JSP I get the user ID of the authenticated user and use it in the welcome greeting:

String userId = request.getRemoteUser();

Now, the welcome screen looks like this:

Step 3: Rebuild the Application with Enabled Authentication


Luckily the sample application already uses Apache Maven as the build tool. Maven is also the tool of choice for ISVs working with the NetWeaver Cloud SDK. The SDK already contains a comprehensive set of samples which show how to build, deploy and test web applications with NetWeaver Cloud.

I'm starting Maven in the source folder of the application.

SpringGrannyMVC$mvn clean install

This takes roughly 10 seconds and produces a new version of the war file which includes my modifications in the web.xml. I'll deploy and start the application with the same commands as described in my first blog. Now only registered SCN users are able to access the application and they have to authenticate before they can use the application.

Step 4: Protect the Application against XSS (Cross-Site Scripting)

The thoughtful reader might have noticed a section in the NetWeaver Cloud documentation describing how the application can be protected against XSS. A first quick check of the source code confirmed my suspicions: there is no input check for the HTTP parameters, and they are presented to other users as-is. If you want to learn more about XSS and how to prevent such attacks, the OWASP website has an XSS prevention cheat sheet that you should go through. The exploit is very simple: just enter a specific text which contains JavaScript in the address field.

" name="address"><script>javascript:alert("Gotcha!")</script><option selected="unselected" nameTag=gone

Other users who view that data will execute the JavaScript snippet in their browser, with their own authenticated user. To protect against this I changed the JSP and added the respective HTML escapes using the very popular Apache StringEscapeUtils open source class. I then added the required dependency to the pom.xml of the project, so Maven resolves the build dependency and packages the library with the app. After this I rebuilt the application again and deployed it to the cloud, so it's available to you now. I gave it a new name, "Not Granny", and deployed it as a new instance in parallel to the previous unmodified version. It's extremely easy to deploy and run multiple versions of the same application in your NetWeaver Cloud account.
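The following is an added example, not code from the OSIL/SpringGrannyMVC sources, showing the difference between the original rendering (user input written into the page verbatim) and the hardened rendering that escapes every untrusted value with StringEscapeUtils before it reaches the HTML response. It assumes commons-lang3 on the classpath (the dependency added to pom.xml); the class name SafeAddressView, the two render methods and the sample user ID are hypothetical, and the payload string is the one quoted above.

```java
// Added example (not part of the original post or project).
// Assumes org.apache.commons:commons-lang3 is declared in pom.xml.
import org.apache.commons.lang3.StringEscapeUtils;

public class SafeAddressView {

    // Constructed sample: the payload from the post, as a user could type it into the address field.
    static final String PAYLOAD =
        "\" name=\"address\"><script>javascript:alert(\"Gotcha!\")</script>"
      + "<option selected=\"unselected\" nameTag=gone";

    /** The 'before' state: user-controlled values are concatenated into the markup unchanged. */
    static String renderUnsafe(String userId, String address) {
        return "<p>Welcome " + userId + "</p>\n"
             + "<input type=\"text\" name=\"address\" value=\"" + address + "\">";
    }

    /** The hardened JSP logic: every untrusted value is HTML-escaped, and attribute values stay quoted. */
    static String renderSafe(String userId, String address) {
        return "<p>Welcome " + StringEscapeUtils.escapeHtml4(userId) + "</p>\n"
             + "<input type=\"text\" name=\"address\" value=\""
             + StringEscapeUtils.escapeHtml4(address) + "\">";
    }

    /** Simple self-check a unit test could use: the escaped output must not contain raw tag or quote characters. */
    static boolean containsRawMarkup(String html, String untrustedValue) {
        String escaped = StringEscapeUtils.escapeHtml4(untrustedValue);
        // if the raw value survived unchanged, the escaping step was skipped somewhere
        return !untrustedValue.equals(escaped) && html.contains(untrustedValue);
    }

    public static void main(String[] args) {
        // Hypothetical value; in the JSP this comes from request.getRemoteUser().
        String userId = "P000000";

        System.out.println("--- unsafe ---");
        System.out.println(renderUnsafe(userId, PAYLOAD));
        System.out.println("raw markup present: " + containsRawMarkup(renderUnsafe(userId, PAYLOAD), PAYLOAD));

        System.out.println("--- safe ---");
        System.out.println(renderSafe(userId, PAYLOAD));
        System.out.println("raw markup present: " + containsRawMarkup(renderSafe(userId, PAYLOAD), PAYLOAD));
    }
}
```

The escaped version turns `"` into `&quot;` and `<` into `&lt;`, so the closing quote and the `<script>` tag in the payload are rendered as text instead of breaking out of the `value` attribute. The user ID is escaped as well, since anything that was not generated by the application itself should be treated as untrusted. In a JSP the same effect is available without a helper class through JSTL's `<c:out value="${address}"/>`, which escapes XML characters by default.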

Summary


Securing the application, including several compile, build, deploy and run iterations, was very simple and possible within a very short time. Using popular open source frameworks is supported very well, and Maven is a very powerful tool which enables this process. Of course you can check the new enterprise-ready application on NetWeaver Cloud. Usage is still at your own risk. I don't plan to productize the app or take it through the SAP product standards; that would take significantly more time.

The app is now live at this location: https://notgrannyharald.netweaver.ondemand.com/ and you might have noticed that I gave it a new name: Not Grannys Adressbook, powered by SAP NetWeaver Cloud.
