Which freaking PaaS should I use (2/2)?
As promised this is the continuation of my first blog which describes how to deploy the application as is on SAP NetWeaver Cloud (aka Neo).
This time I will not just deploy the application as is, but have a look into the source code and make the app a bit more enterprise ready (hey, we are SAP ;-).
I will exclusively focus on command line tools. I'm rather one of the old-fashioned guys who believe that vi is the ultimate RAD tool for real developers. Well, or at least for some specific use cases. All of this should of course work with Eclipse/EGit, which is the preferred IDE for NW Cloud.
Step 1: Get the sources from github
$git clone https://github.com/lpintosil/OSIL
This took roughly 1-2 seconds.
Step 2: Enable Authentication for the application
I would like to secure the application and enable user authentication. In order to do this I'm following the documentation on Securing SAP NetWeaver Cloud Applications.
I will use the SAP ID Service, which is the default identity provider for NetWeaver Cloud. All SCN community members can use their credentials to log in to the now secured application. You can configure trust to your customer's IdP and thus use the existing corporate user base. If you are interested in more details, and you are in Las Vegas next week, then have a look at the session presented by Martin Raepple:
To enable user authentication I will add declarative authentication by simply changing the web.xml of the application.
After this I changed the welcome screen of the app and made it a bit more personal. In the JSP I get the userId of the authenticated user and use it in the welcome greeting.
// JSP scriptlet: the login name of the user the container (SAP ID Service) has authenticated
String userId = request.getRemoteUser();
Now, the welcome screen looks like this:
Step 3: Rebuild the Application with Enabled Authentication
Luckily the sample application already uses Apache Maven as the build tool. Maven is as well the tool of choice for ISVs working with the NetWeaver Cloud SDK. The SDK already contains a comprehensive set of samples which show how to build, deploy and test web applications with NetWeaver Cloud.
I’m starting Maven in the source folder of the application.
SpringGrannyMVC$mvn clean install
This takes roughly 10 seconds and produces a new version of the war file which includes my modifications in the web.xml. I’ll deploy and start the application with the same commands as described in my first blog. Now only registered SCN users are able to access the application and they have to authenticate before they can use the application.
Step 4: Protect the Application against XSS (Cross-Site Scripting)
The thoughtful reader might have noticed a section in the NetWeaver Cloud documentation on how the application can be protected against XSS. A first quick check of the source code confirmed my suspicion: there is no input check for the HTTP parameters, and they are presented to other users as is. If you want to learn more about XSS and how to prevent such attacks, the OWASP website has an XSS prevention cheat sheet that you should go through. The exploit is very simple, just enter a specific text which contains JavaScript in the address field.
" name="address"><script>javascript:alert("Gotcha!")</script><option selected="unselected" nameTag=gone
Other users who view that data will execute the JavaScript snippet in their browser, with their own authenticated user. In order to protect against this I changed the JSP and added the respective HTML escapes by using the very popular Apache StringEscapeUtils open source class. After this I added the required dependency to the pom.xml of the project, so Maven resolves the build dependency and assembles the library with the app. Then I rebuilt the application and deployed it to the cloud, so it's available to you now. I gave it a new name, "Not Granny", and deployed it as a new instance in parallel to the previous unmodified version. It's extremely easy to deploy and run multiple versions of the same application in your NetWeaver Cloud account.
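The two renderings described above, as an added example that is not code from the original post or the Granny app: the address value concatenated raw into the HTML attribute, beside the escaped version using Apache Commons Lang. It assumes commons-lang3 on the classpath (escapeHtml4; the 2.x API is escapeHtml) and uses the payload quoted in the post as constructed input.

```java
import org.apache.commons.lang3.StringEscapeUtils;

public class AddressEscapeDemo {

    // Vulnerable rendering, as in the unmodified app: the stored parameter is
    // concatenated straight into the attribute, so a value containing a double
    // quote closes the attribute and the rest is parsed as new markup.
    static String renderRaw(String address) {
        return "<input type=\"text\" name=\"address\" value=\"" + address + "\">";
    }

    // Hardened rendering: escape the untrusted value before it reaches the page.
    // escapeHtml4 rewrites & < > " into entities, so the browser treats the whole
    // value as attribute text. The attribute must stay double-quoted, because
    // escapeHtml4 leaves the single quote alone.
    static String renderEscaped(String address) {
        return "<input type=\"text\" name=\"address\" value=\""
                + StringEscapeUtils.escapeHtml4(address) + "\">";
    }

    // Defensive check for a unit test: the text placed inside the value attribute
    // must not contain a raw quote or angle bracket after rendering.
    static boolean attributeContainsRawMarkup(String rendered) {
        int start = rendered.indexOf("value=\"") + "value=\"".length();
        int end = rendered.lastIndexOf("\">");
        String inner = rendered.substring(start, end);
        return inner.indexOf('<') >= 0 || inner.indexOf('>') >= 0 || inner.indexOf('"') >= 0;
    }

    public static void main(String[] args) {
        // Constructed input: the payload quoted in the post
        String payload = "\" name=\"address\"><script>javascript:alert(\"Gotcha!\")</script>"
                + "<option selected=\"unselected\" nameTag=gone";

        String raw = renderRaw(payload);
        String escaped = renderEscaped(payload);

        System.out.println("raw:     " + raw);
        System.out.println("escaped: " + escaped);
        System.out.println("raw output breaks out of the attribute:     " + attributeContainsRawMarkup(raw));
        System.out.println("escaped output breaks out of the attribute: " + attributeContainsRawMarkup(escaped));
    }
}
```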
Summary
Securing the application, including several compile, build, deploy and run iterations, was very simple and possible within a very short time. Using popular open source frameworks is supported very well, and Maven is a very powerful tool which enables this process. Of course you can check the new enterprise ready application on NetWeaver Cloud. The usage is still at your own risk. I don't plan to productise the app or take it through the SAP product standards; that would take significantly more time.
The app is now live at this location: https://notgrannyharald.netweaver.ondemand.com/ and you might have noticed that I gave it a new name: Not Grannys Adressbook, powered by SAP NetWeaver Cloud.
Hi Harald,
nice blog again - could get used to see you blogging twice a week! 😉
Cheers,
Matthias
Superb!
Eagerly waiting for Part 3: Replacing the lame HSQLDB persistence provider with the enterprise ready Neo Persistence Service.
Hehe... yeap, but then the question of which "hibernate.dialect" to be used may come up. Maybe the SQL used in the demo app is that simple that we could find a dialect that would be compatible with either SAP HANA or MaxDB... once we got ASE it would work for sure! 😉
But you should worry about this property only if you keep using the Hibernate persistence provider. Is there any reason to do so? As far as I can see this application uses standard JPA 1.0 for persistency. So, you may just follow the nice tutorial for consuming JPA in Neo and replace Hibernate with EclipseLink. Perhaps this would also require touching the Spring XML descriptors.
Well, sure... but I would call that a rather invasive modification then. I mean you could write the whole thing from scratch as well. Hibernate is very popular and a very powerful ORM framework. If given the choice JPA vs Hibernate I'd always opt for the latter personally... the only thing is that the license is not as liberal as I'd want it to be...
And the story continues: