Building SAPUI5 applications and deploying them to the server is good. Great !!! But have you ever wondered how these applications can be accessed once they are deployed? SAP Portal is one option to host all your application developments. You have different ways of launching your applications from SAP Portal (URL or SAPUI5 iView templates in newer releases, URL iViews in older releases). So far so good: Portal is secured with its default authentication mechanisms. But the glitch is that any of these applications can also be accessed directly, outside the Portal, via a URL like the one below –


https://<hostname>:<port>/<UI5 Web Project>/index.html




Security !!! That’s what we are talking about. I did not really look at this angle until a couple of days back, when I saw the thread SAPUI5 App running on Portal – SSO? I thought of following that thread for answers, but it kept dropping out of sight. So I thought, let me give it a shot and work out how to secure these applications lying out there on the server. Here are my 2 cents on how we can secure our applications via the BASIC authentication method. There might be other, better ways around, but this is the one I found that works well for basic authentication. Now let’s get on to some action.


All SAPUI5 applications come with a web.xml file, which can be tweaked a little to secure the application. Below is the code that I added to my web.xml:



<security-constraint>
    <display-name>Authentication of Users</display-name>
    <web-resource-collection>
        <web-resource-name>SAPUI5</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Test</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>domain_name</realm-name>
</login-config>
<security-role>
    <role-name>Test</role-name>
</security-role>

Explanation of the above code –


1st Part – Security Constraint


Security constraints are the least understood part for web developers, even though they are critical for the security of Java EE web applications. Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via a security constraint will simply be allowed by the web container. In the snippet above, for example, only GET and POST are listed, so the constraint applies to those two methods only. Security constraints consist of web resource collections (URL patterns, HTTP methods) and an authorization constraint (role names).


2nd Part – Login config


Here you define the BASIC authentication mechanism. The realm depends on how the users and groups in your organization are controlled; it could be either the default or your domain name. In my case I have given the domain name of the server.


Note: There are other mechanisms available, like FORM, CLIENT_CERT etc.


3rd Part – Security Role


This is the same role name as in the auth constraint. This is the role that will be automatically deployed to your server.


The next and final step is modifying your web-j2ee-engine.xml file. If you have created a web module project this file is automatically available; if not, you can create it inside the WebContent > WEB-INF folder.


Why do we need this file? It holds the role mapping between the application and the server. The role name Test from web.xml has to be mapped to a physical role that exists in the server’s UME database, in order to authorize the users who may access the application. A sample mapping is given below –

I am mapping the application’s Test role to the Administrator role in the Portal UME database.



<?xml version="1.0" encoding="UTF-8"?>
<web-j2ee-engine xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="web-j2ee-engine.xsd">
    <spec-version>2.4</spec-version>
    <security-role-map>
        <role-name>Test</role-name>
        <server-role-name>Administrator</server-role-name>
    </security-role-map>
</web-j2ee-engine>
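As an added example (not from the blog), here is a small Python lint that reads the two descriptors above and reports the gaps a reviewer would look for before deployment; the HTTP-method and transport-guarantee checks go beyond the blog's configuration and cover the point made in the security-constraint explanation above.

```python
# Added example (not from the blog): lint the two descriptors above. It checks that each
# <auth-constraint> role is declared in <security-role> and mapped in web-j2ee-engine.xml,
# that HTTPS is enforced, and flags constraints that list <http-method>, because a Servlet
# container then enforces the constraint only for the listed methods.
import xml.etree.ElementTree as ET

# Constructed sample input: the blog's snippets, with web.xml wrapped in a root element.
WEB_XML = """<web-app>
<security-constraint>
  <display-name>Authentication of Users</display-name>
  <web-resource-collection>
    <web-resource-name>SAPUI5</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>Test</role-name></auth-constraint>
</security-constraint>
<login-config><auth-method>BASIC</auth-method><realm-name>domain_name</realm-name></login-config>
<security-role><role-name>Test</role-name></security-role>
</web-app>"""
ENGINE_XML = """<web-j2ee-engine><spec-version>2.4</spec-version>
  <security-role-map><role-name>Test</role-name>
    <server-role-name>Administrator</server-role-name></security-role-map>
</web-j2ee-engine>"""

def lint_descriptors(web_xml, engine_xml):
    """Return a list of findings (strings); an empty list means the descriptors pass."""
    web, engine, findings = ET.fromstring(web_xml), ET.fromstring(engine_xml), []
    declared = {n.text.strip() for sr in web.findall("security-role")
                for n in sr.findall("role-name")}
    mapped = {m.findtext("role-name", "").strip(): m.findtext("server-role-name", "").strip()
              for m in engine.findall("security-role-map")}
    for sc in web.findall("security-constraint"):
        name = sc.findtext("display-name", "unnamed constraint").strip()
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            if methods:  # any other verb (HEAD, PUT, OPTIONS, ...) is left unprotected
                findings.append(f"{name}: protected only for {methods}; "
                                "omit <http-method> to cover every HTTP method")
        for rn in sc.findall("auth-constraint/role-name"):
            role = rn.text.strip()
            if role not in declared:
                findings.append(f"{name}: role '{role}' is not declared in <security-role>")
            if not mapped.get(role):
                findings.append(f"{name}: role '{role}' has no server role in web-j2ee-engine.xml")
        if sc.findtext("user-data-constraint/transport-guarantee", "").strip() != "CONFIDENTIAL":
            findings.append(f"{name}: no CONFIDENTIAL transport-guarantee, so BASIC "
                            "credentials may travel over plain HTTP")
    return findings
```

Run against the blog's own snippets it reports two findings (the GET/POST-only coverage and the missing transport guarantee); dropping the http-method elements and adding a CONFIDENTIAL user-data-constraint clears both.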

Now, when you deploy the application to the server, this is what you see 😯 when accessing the direct URL.


[Screenshot Auth.png: the browser prompting for credentials before serving the application]


Now, who can access these applications? Only users who are part of the Administrator role can view them.




When a user who does not belong to this role accesses the application, below is the error you get.




Tada 😆 My application is secure. Is your application secure? Share your thoughts if there are other, better ways out there !!!

PS: This applies to server versions where security provider roles and modules are managed via NWA. For older releases there is an additional step after the role mapping in the XML file: you will have to manually configure the role and mapping references in Visual Admin > Security Provider for the specific components.


Update (02/28/2014) – As suggested by Jason in the comments, this blog is intended only to secure access to your SAPUI5 applications, not to secure the data.


10 Comments


  1. Jason Moors

    Hi Nagarajan,

    Thanks for the detailed blog, I think it’s worth mentioning that this actually secures the access to the SAPUI5 JavaScript, not necessarily the data.

    It’s definitely one piece of the jigsaw and has the benefit of creating a SAP logon ticket etc, however people shouldn’t consider that just because they can’t access the JavaScript the application is secure.

    With OData, web services etc. it’s possible to bypass the application, therefore I think the focus should always be on the backend authorisations, rather than relying on just applications to restrict access.

    Many thanks,

    Jason

  2. Amey Mogare

    Hello Nagarajan,

    We are working on NW Portal version 7.4 SP14. Authentication in portal is handled by SAML. We have deployed an SAPUI5 application which displays details of current logged-in user.

    (The SAPUI5 application makes an AJAX call to a Web Service. This web service obtains current-logged-in user from HTTP request object)

    But we are unable to access it without prior login to portal. Following is the URL to access the application:

    http://<host-name:port>/addressbook/index.html

    I tried changing web.xml and web-j2ee-engine.xml as per this blog, and tried to run the application without prior login to the portal, but the application is unable to get the current logged-in user.

    Also, this application is required to be accessible to all users, hence I doubt if we need security-constraint and security-role tags in this case.

    Please also suggest the use of the realm-name tag and the possible values that we can use for it.

    We have the following templates available in the authentication stack. Can you please suggest if we can use any of them for this application?

    [Screenshot Authentication Stacks.JPG: the authentication stack templates available on the portal]

