Harald Mueller

Which freaking PaaS should I use (2/2)?

As promised this is the continuation of my first blog which describes how to deploy the application as is on SAP NetWeaver Cloud (aka Neo).

This time I will not just deploy the application as is but have a look into the source code and make the app a bit more enterprise ready (hey we are SAP ;-).

I will focus exclusively on command line tools. I’m rather one of the old-fashioned guys who believe that vi is the ultimate RAD tool for real developers. Well, or at least for some specific use cases. All of this should of course work with Eclipse/EGit, which is the preferred IDE for NW Cloud.

Step 1: Get the sources from GitHub

$git clone

This took roughly 1-2 seconds.

Step 2: Enable Authentication for the application

I would like to secure the application and enable user authentication. In order to do this I’m following the documentation on Securing SAP NetWeaver Cloud Applications.


I will use the SAP ID Service, which is the default identity provider for NetWeaver Cloud. All SCN community members can use their credentials to log in to the now secured application. You can configure trust to your customer's IdP and thus use the existing corporate user base. If you are interested in more details, and you are in Las Vegas next week, then have a look at the session presented by Martin Raepple:

“The Sky is the Limit – Cloud Single Sign-on and On-Premise Identity Federation with the SAP NetWeaver Cloud”

To enable user authentication I will add declarative authentication by simply changing the web.xml of the application.

After this I changed the welcome screen of the app and made it a bit more personal. In the JSP I get the userId of the authenticated user and use it in the welcome greeting.

String userId = request.getRemoteUser();

Now, the welcome screen looks like this:


Step 3: Rebuild the Application with Enabled Authentication

Luckily the sample application already uses Apache Maven as the build tool. Maven is also the tool of choice for ISVs working with the NetWeaver Cloud SDK. The SDK already contains a comprehensive set of samples which show how to build, deploy and test web applications with NetWeaver Cloud.

I’m starting Maven in the source folder of the application.

SpringGrannyMVC$mvn clean install

This takes roughly 10 seconds and produces a new version of the war file which includes my modifications in the web.xml. I’ll deploy and start the application with the same commands as described in my first blog. Now only registered SCN users are able to access the application and they have to authenticate before they can use the application.

Step 4: Protect the Application against XSS (Cross-Site Scripting)

The thoughtful reader might have noticed a section in the NetWeaver Cloud documentation on how the application can be protected against XSS. A first quick check of the source code confirmed my suspicions: there is no input check for the HTTP parameters, and they are presented to other users as is. If you want to learn more about XSS and how to prevent such attacks, the OWASP website has an XSS prevention cheat sheet that you should go through. The exploit is very simple: just enter a specific text which contains JavaScript in the address field.

" name="address"><script>javascript:alert("Gotcha!")</script><option selected="unselected" nameTag=gone

Other users who view that data will execute the JavaScript snippet in their browser and under their own authenticated user. To protect against this I changed the JSP and added the respective HTML escapes using the very popular Apache StringEscapeUtils open source class. I then added the required dependency to the pom.xml of the project, so that Maven resolves the build dependencies and assembles the library with the app. After this I rebuilt the application again and deployed it to the cloud, so it’s available to you now. I gave it a new name – “Not Granny” – and deployed it as a new instance in parallel to the previous unmodified version. It’s extremely easy to deploy and run multiple versions of the same application in your NetWeaver Cloud account.
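The before and after of this fix, as an added example rather than the post's own JSP code. The class and method names are hypothetical, the markup is a constructed stand-in for the address field, and it assumes commons-lang3 (`escapeHtml4`) on the classpath, since the post does not say which Commons Lang release was used.

```java
import org.apache.commons.lang3.StringEscapeUtils; // assumption: commons-lang3 on the classpath

public class AddressFieldEscaping {

    // Before: the stored value is concatenated into the attribute unchanged.
    static String renderRaw(String address) {
        return "<input name=\"address\" value=\"" + address + "\">";
    }

    // After: &, <, > and " become entities, so the value can neither close
    // the double-quoted attribute nor open a new tag.
    static String renderEscaped(String address) {
        return "<input name=\"address\" value=\""
                + StringEscapeUtils.escapeHtml4(address) + "\">";
    }

    public static void main(String[] args) {
        // The test string from the post, written with straight quotes.
        String input = "\" name=\"address\"><script>javascript:alert(\"Gotcha!\")</script>"
                + "<option selected=\"unselected\" nameTag=gone";

        String raw = renderRaw(input);
        String safe = renderEscaped(input);
        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + safe);

        // The property that matters: no live <script> tag survives escaping.
        if (!raw.contains("<script>") || safe.contains("<script>")) {
            throw new IllegalStateException("unexpected escaping result");
        }

        // Caveat: escapeHtml4 leaves the apostrophe alone, so the template must
        // keep attribute values in double quotes. Constructed sample value:
        String street = StringEscapeUtils.escapeHtml4("5 O'Clock Road");
        System.out.println("apostrophe kept: " + street.contains("'"));
    }
}
```

The escaping belongs at output time in the JSP, for every place the address is rendered, because the stored value itself stays unchanged in the database.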


Securing the application, including several compile, build, deploy and run iterations, was very simple and possible within a very short time. Using popular open source frameworks is supported very well, and Maven is a very powerful tool which enables this process. Of course you can check the new enterprise-ready application on NetWeaver Cloud. The usage is still at your own risk. I don’t plan to productise the app or take it through the SAP product standards; that would take significantly more time.

The app is now live at this location: and you might have noticed that I gave it a new name: Not Grannys Adressbook, powered by SAP NetWeaver Cloud.

      Matthias Steiner

      Hi Harald,

      nice blog again - could get used to see you blogging twice a week! 😉



      Former Member


      Eagerly waiting for Part 3: Replacing the lame HSQLDB persistence provider with the enterprise ready Neo Persistence Service.

      Matthias Steiner

      Hehe... yeap, but then the question of which "hibernate.dialect" to be used may come up. Maybe the SQL used in the demo app is that simple that we could find a dialect that would be compatible with either SAP HANA or MaxDB... once we got ASE it would work for sure! 😉

      Former Member

      But you should worry about this property only if you keep using the Hibernate persistence provider. Is there any reason to do so? As far as I can see this application uses standard JPA 1.0 for persistency. So, you may just follow the nice tutorial for consuming JPA in Neo and replace Hibernate with EclipseLink. Perhaps, this should also require to touch the spring xml descriptors.

      Matthias Steiner

      Well, sure... but I would call that a rather invasive modification then. I mean you could write the whole from scratch as well. Hibernate is very popular and a very powerful ORM framework. If given the choice JPA vs Hibernate I'd always opt for the latter personally... the only thing is that the license is not as liberal as I'd want it to be...

      Matthias Steiner

      And the story continues:

      "It will take this kind of nimble out of the box thinking to make the A-list in the PaaS space as everyone tries to push their way to the top. It is clear that while these guys may not intuitively be number one on your mind (as they weren't on mine), but obviously they try harder. These guys will be at the top of the list for contacts on follow up articles because I know that they not only know their stuff but will put forth the effort. It is hard to imagine customers not having a similar mindset if their customer service is half as good as their technical evangelism team."