SAP HANA SPS 09: New Developer Features; Miscellaneous Security Features

This blog is part of the larger series on all new developer features in SAP HANA SPS 09: http://scn.sap.com/community/developer-center/hana/blog/2014/12/02/sap-hana-sps-09-new-developer-features

In this blog we will have a first look at the new miscellaneous security features added to development model in SAP HANA SPS 09.

Full CORS (Cross-Origin Resource Sharing) Support.

Since SPS 06, we’ve had basic CORS support which could be configured at the package level.  This support allowed you to either enable or disable CORS, but in SPS 09 we expand the configuration options to allow filtering by origins, headers and http methods.

Custom Headers/X-Frame

This new feature allows you to control if the browser should allow a page within this HANA page to be rendered within a frame, iframe, or object.  This helps to avoid clickjacking attacks by keeping content from being embedded within a malicious site.

Possible values:

• DENY The page cannot be displayed in a frame, regardless of the site attempting to do so.
• SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself.
• ALLOW-FROM uri The page can only be displayed in a frame on the specified origin. In other words, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

Various Authentication Features

• Secure HTTP Session Cookies
• Support for Clietn Certificates from F5’s Big IP
• SAML Single Logout (SLO) support
• SAML Authentication in Authorization header

Support for Virus Scan Interface (VSI) for applications

New XSJS API ($.security.AntiVirus) to access and use the SAP Virus Scan Interface from your server side JavaScript coding.

• The scan needs a Virus Scan Adapter (VSA) to be installed on the host
• The setup and configuration is available with SAP note 2081108
• This class uses the SAP certified interface NW-VSI 2.00 (see SAP note 1883424)
• For a list of the AV products supported, see SAP note 1494278

Code Sample for using the new Virus Scan Interface from XSJS:

try {
  //create a new $.security.AntiVirus object using the default profile
  var av = new $.security.AntiVirus();
  av.scan($.request.body);
} catch (e) {
  $.response.setBody(e.toString());
}