
This blog is part of the larger series on all new developer features in SAP HANA SPS 09: http://scn.sap.com/community/developer-center/hana/blog/2014/12/02/sap-hana-sps-09-new-developer-features

In this blog we will have a first look at the new miscellaneous security features added to the development model in SAP HANA SPS 09.

Full CORS (Cross-Origin Resource Sharing) Support.

Since SPS 06, we’ve had basic CORS support which could be configured at the package level. This support allowed you to either enable or disable CORS, but in SPS 09 we expand the configuration options to allow filtering by origins, headers and HTTP methods.

HANABlog1.png

Custom Headers/X-Frame

This new feature allows you to control whether the browser should allow a page within this HANA page to be rendered within a frame, iframe, or object. This helps to avoid clickjacking attacks by keeping content from being embedded within a malicious site.

Possible values:

  • DENY The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM uri The page can only be displayed in a frame on the specified origin.

In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

HANABlog2.png
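
The three values above can be checked with a small model of the browser's framing decision. This is an added example, not code from the original post or from SAP; the function names and the sample URLs are constructed for illustration.

```javascript
// Added example (not SAP code): models how a browser applies the three
// X-Frame-Options values listed above. Names and URLs are constructed.

// Origin = scheme + host + port, as computed by the WHATWG URL parser.
function originOf(url) {
  return new URL(url).origin;
}

// Parse a header value; returns null when it is not one of the three forms.
function parseXFrameOptions(value) {
  const parts = String(value).trim().split(/\s+/);
  const directive = parts[0].toUpperCase();
  if (parts.length === 1 && (directive === 'DENY' || directive === 'SAMEORIGIN')) {
    return { directive, origin: null };
  }
  if (parts.length === 2 && directive === 'ALLOW-FROM') {
    try {
      return { directive, origin: originOf(parts[1]) };
    } catch (e) {
      return null; // ALLOW-FROM followed by something that is not a URI
    }
  }
  return null;
}

// May pageUrl be rendered in a frame on a page served from parentUrl?
function mayFrame(headerValue, pageUrl, parentUrl) {
  const policy = parseXFrameOptions(headerValue);
  if (policy === null) {
    return true; // unrecognised value: handled as if no header was sent
  }
  switch (policy.directive) {
    case 'DENY':
      return false; // blocked even when the framing page is on the same site
    case 'SAMEORIGIN':
      return originOf(pageUrl) === originOf(parentUrl);
    default:
      // ALLOW-FROM, modelled as described above; current browsers ignore it.
      return policy.origin === originOf(parentUrl);
  }
}

// Constructed sample URLs and header values.
const page = 'https://hana.example:4300/app/index.html';
const same = 'https://hana.example:4300/portal/home.html';
const other = 'https://other.example/embed.html';
for (const value of ['DENY', 'SAMEORIGIN', 'ALLOW-FROM https://other.example', 'SAME-ORIGIN']) {
  console.log(value, '| same origin:', mayFrame(value, page, same), '| other origin:', mayFrame(value, page, other));
}
```

The last sample value is a misspelling of SAMEORIGIN: it is not recognised, so the page stays frameable from any origin, which is worth checking for when reviewing a configured header value.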

Various Authentication Features

  • Secure HTTP Session Cookies
  • Support for Client Certificates from F5’s Big IP
  • SAML Single Logout (SLO) support
  • SAML Authentication in Authorization header

Support for Virus Scan Interface (VSI) for applications

New XSJS API ($.security.AntiVirus) to access and use the SAP Virus Scan Interface from your server-side JavaScript code.

  • The scan needs a Virus Scan Adapter (VSA) to be installed on the host
  • The setup and configuration is available with SAP note 2081108
  • This class uses the SAP certified interface NW-VSI 2.00 (see SAP note 1883424)
  • For a list of the AV products supported, see SAP note 1494278

Code Sample for using the new Virus Scan Interface from XSJS:


try {
  //create a new $.security.AntiVirus object using the default profile
  var av = new $.security.AntiVirus();
  av.scan($.request.body);
} catch (e) {
  $.response.setBody(e.toString());
}

4 Comments

  1. Koorma Pramodh Yellapu

    Hi Thomas,

    Can you please recommend the best way to create CORS enabled OData requests on HANA SPS09 with authentication?

    I tried XSADMIN as well as  XSACCESS without success

    regards

    Pramodh

    1. Thomas Jung Post author

      Perhaps it’s best if you create a forum thread for your problem. Describe what you have tried and what problem you’ve encountered. You haven’t really described much here; certainly not enough to answer based upon.
