My 2 cents on Securing SAPUI5 Applications
Building SAPUI5 applications and putting them out on the server is good. Great !!! Ever wondered how these applications can be accessed once they are deployed to the server? SAP Portal is one option to host all your application developments. You have different ways of launching your applications from SAP Portal (URL or SAPUI5 iView templates in newer releases and URL iViews in older releases). So far so good, Portal is secured with its default authentication mechanisms. But the catch here is that any of these applications can also be accessed via a direct URL like the one below –
https://<hostname>:<port>/<UI5 Web Project>/index.html
Security !!! That’s what we are talking about. I did not really look at this angle until a couple of days back, when I saw the thread SAPUI5 App running on Portal – SSO? I thought of following that thread for answers, but it just kept dropping out of sight. So I thought I’d give it a shot and secure these applications lying out there on the server. Here are my 2 cents on how we can secure our applications via the BASIC authentication method. There might be other, better ways, but this is the one I found that works well for basic authentication. Now let’s get on to some action.
All SAPUI5 applications come with a web.xml file, which can be tweaked a little to secure the application. Find below the code that I added to my web.xml –
<security-constraint>
    <display-name>Authentication of Users</display-name>
    <web-resource-collection>
        <web-resource-name>SAPUI5</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Test</role-name>
    </auth-constraint>
</security-constraint>
<login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>domain_name</realm-name>
</login-config>
<security-role>
    <role-name>Test</role-name>
</security-role>
Explanation of the above code –
1st Part – Security Constraint
Security constraints are the least understood part for web developers, even though they are critical for the security of Java EE web applications. Specifying a combination of URL patterns, HTTP methods, roles and transport constraints can be daunting to a programmer or administrator. It is important to realize that any combination that was intended to be secure but was not specified via a security constraint will simply be allowed by the web container. A security constraint consists of web resource collections (URL patterns, HTTP methods) and an authorization constraint (role names).
2nd Part – Login config
Here you define the BASIC authentication mechanism; the realm depends on how the users and groups in your organization are controlled. It could be either the default or your domain name. In my case I have given the domain name of the server.
Note: Other mechanisms are available, such as FORM, CLIENT_CERT etc.
3rd Part – Security Role
This declares the same role name used in the auth constraint. This is the role that will be automatically deployed to your server.
The next and final step is modifying your web-j2ee-engine.xml file. If you have created a web module project this file is automatically available; if not, you can create it inside the WebContent > WEB-INF folder.
Why do we need this file? It holds the role mapping between the application and the server. The role name Test from web.xml has to be mapped to a physical role that exists in the server’s UME database to authorize the users who can access the application. A sample mapping is given below –
I am mapping the application’s Test role to the Administrator role in the Portal UME database.
<?xml version="1.0" encoding="UTF-8"?>
<web-j2ee-engine xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                 xsi:noNamespaceSchemaLocation="web-j2ee-engine.xsd">
    <spec-version>2.4</spec-version>
    <security-role-map>
        <role-name>Test</role-name>
        <server-role-name>Administrator</server-role-name>
    </security-role-map>
</web-j2ee-engine>
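As an added check (my own audit script, not code from this post or from SAP), the following parses the two descriptors above and reports the gaps a reviewer would look for, including one the web.xml snippet above exhibits: listing http-method elements in a security constraint restricts that constraint to those verbs only, and the Servlet spec applies a constraint to all HTTP methods only when http-method is omitted. The two sample descriptors are constructed copies of the snippets on this page.

```python
import xml.etree.ElementTree as ET

# Constructed copies of the post's two descriptors (hypothetical audit input, not the project's files).
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method><http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>Test</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>BASIC</auth-method></login-config>
  <security-role><role-name>Test</role-name></security-role>
</web-app>"""
SAMPLE_ENGINE_XML = """<web-j2ee-engine><security-role-map>
  <role-name>Test</role-name><server-role-name>Administrator</server-role-name>
</security-role-map></web-j2ee-engine>"""

def _find(node, name):
    # Match on the local name so descriptors with or without the Java EE xmlns work alike.
    return [c for c in node.iter() if c.tag.rsplit("}", 1)[-1] == name]

def _texts(node, name):
    return [c.text.strip() for c in _find(node, name) if c.text]

def audit_descriptors(web_xml, engine_xml):
    """Return findings: a missing login-config, a constraint with no auth-constraint, an
    auth-constraint role with no security-role-map in web-j2ee-engine.xml, and a constraint
    that lists http-method (per the Servlet spec it then covers only those verbs, so HEAD,
    PUT, DELETE, OPTIONS and the rest stay reachable without authentication)."""
    root, engine = ET.fromstring(web_xml), ET.fromstring(engine_xml)
    findings = []
    if not _find(root, "login-config"):
        findings.append("no login-config, so the container never challenges users")
    mapped = {r for m in _find(engine, "security-role-map") for r in _texts(m, "role-name")}
    for i, sc in enumerate(_find(root, "security-constraint"), 1):
        patterns, acs = _texts(sc, "url-pattern"), _find(sc, "auth-constraint")
        roles = [r for ac in acs for r in _texts(ac, "role-name")]
        if not acs:
            findings.append(f"constraint {i} {patterns}: no auth-constraint, access is unrestricted")
        for role in sorted(set(roles) - mapped):
            findings.append(f"constraint {i}: role {role!r} has no security-role-map in web-j2ee-engine.xml")
        methods = _texts(sc, "http-method")
        if methods:
            findings.append(f"constraint {i} {patterns}: only {methods} covered; "
                            "remove http-method so every verb is protected")
    return findings
```

Run against the sample descriptors it reports exactly one finding, the http-method restriction; removing the two http-method lines clears it.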
Now, when you deploy the application to the server, this is what you see 😯 when accessing the direct URL.
Now, who can access these applications? Only the users who are part of the Administrator role can view the applications.
When a user who does not belong to this role accesses the application, below is the error you get.
Tada 😆 My application is secure. Is your application secure? Share your thoughts with me if there are other, better ways out there !!!
PS: This is for server versions where security provider roles and modules are managed via NWA. For older releases there is an additional step after the role mapping in the xml file: you will have to manually configure the role and mapping references in Visual Admin > Security Provider for the specific components.
Update on (02/28/2014) – As suggested by Jason in the comments, this blog is intended only for securing access to your SAPUI5 applications and not for securing the data.