SAP HANA SPS 09: New Developer Features; Miscellaneous Security Features
This blog is part of the larger series on all new developer features in SAP HANA SPS 09: http://scn.sap.com/community/developer-center/hana/blog/2014/12/02/sap-hana-sps-09-new-developer-features
In this blog we will have a first look at the new miscellaneous security features added to the development model in SAP HANA SPS 09.
Full CORS (Cross-Origin Resource Sharing) Support
Since SPS 06, we’ve had basic CORS support which could be configured at the package level. This support only allowed you to enable or disable CORS; in SPS 09 we expand the configuration options to allow filtering by origin, by request header and by HTTP method.
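As an added illustration (not code from this blog or from SAP's XS engine), the JavaScript below models the decision such a package-level filter makes for a browser request: corsConfig mimics a .xsaccess cors section (the key names are my assumption of its layout, the values are constructed) and evaluateCors() applies the origin, method and header filters to a simple or preflight request.

```javascript
// Added example, not the XS engine's code. corsConfig mimics a package-level
// .xsaccess "cors" section (key names assumed; values constructed) and
// evaluateCors() models how such a filter decides a browser request.
const corsConfig = {
  enabled: true,
  allowOrigin: ["https://app.example.com"],      // exact origins, never "*"
  allowMethods: ["GET", "POST", "OPTIONS"],
  allowHeaders: ["Content-Type", "X-CSRF-Token"],
  maxAge: 600,                                   // seconds a preflight may be cached
};

// req = { method, headers } with lower-case header names.
// Returns { allowed, headers }: the CORS response headers to emit, or none.
function evaluateCors(cfg, req) {
  const reject = { allowed: false, headers: {} };
  const origin = req.headers["origin"];
  if (!cfg.enabled || !origin) return reject;

  // Compare the full origin (scheme + host + port), never a substring of it.
  if (!cfg.allowOrigin.some((o) => o.toLowerCase() === origin.toLowerCase())) return reject;

  const preflight = req.method === "OPTIONS" && !!req.headers["access-control-request-method"];
  const method = (preflight ? req.headers["access-control-request-method"] : req.method).toUpperCase();
  if (!cfg.allowMethods.map((m) => m.toUpperCase()).includes(method)) return reject;

  const headers = {
    // Echo the matched origin: "*" is not permitted together with credentials
    // (session cookies), which is what authenticated browser calls to XS rely on.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin", // caches must not serve one origin's answer to another
  };
  if (preflight) {
    const requested = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowed = cfg.allowHeaders.map((h) => h.toLowerCase());
    if (!requested.every((h) => allowed.includes(h))) return reject;
    headers["Access-Control-Allow-Methods"] = cfg.allowMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = cfg.allowHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(cfg.maxAge);
  }
  return { allowed: true, headers };
}
```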
Custom Headers/X-Frame
This new feature lets you control, via the X-Frame-Options response header, whether the browser may render a page from this HANA package inside a frame, iframe, or object. This helps to prevent clickjacking attacks by keeping your content from being embedded within a malicious site.
Possible values:
- DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin.
In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will also fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.
Various Authentication Features
- Secure HTTP Session Cookies
- Support for Client Certificates from F5's BIG-IP
- SAML Single Logout (SLO) support
- SAML Authentication in Authorization header
Support for Virus Scan Interface (VSI) for applications
New XSJS API ($.security.AntiVirus) to access and use the SAP Virus Scan Interface from your server-side JavaScript code.
- The scan needs a Virus Scan Adapter (VSA) to be installed on the host
- The setup and configuration is available with SAP note 2081108
- This class uses the SAP-certified interface NW-VSI 2.00 (see SAP note 1883424)
- For a list of the AV products supported, see SAP note 1494278
Code sample for using the new Virus Scan Interface from XSJS:
    try {
        // create a new $.security.AntiVirus object using the default scan profile
        var av = new $.security.AntiVirus();
        // scan the raw request body; the scan raises an error when the content
        // is reported as infected or when the scan itself cannot be performed
        av.scan($.request.body);
    } catch (e) {
        // report the scan error back to the caller
        $.response.setBody(e.toString());
    }
Hi
Thank you for the updates.
Kind regards
Hi Thomas,
Can you please recommend the best way to create CORS enabled OData requests on HANA SPS09 with authentication?
I tried XSADMIN as well as XSACCESS without success
regards
Pramodh
Perhaps it's best if you create a forum thread for your problem. Describe what you have tried and what problem you've encountered. You haven't really described much here; certainly not enough to answer based upon.
My apologies Thomas.
I created a thread here Allowing CORS on OData with authentication in HANA SPS09