Appala Naidu Uppada

IP Allowlisting in SAP Cloud Integration

Introduction

This blog proposes a stop-gap solution for customers who wish to apply IP allowlisting to all incoming requests into SAP Cloud Integration.

This is a short-term solution from SAP Cloud Integration, and I recommend that all customers switch to platform-level IP allowlisting as soon as it is available for consumption.

In this blog, I explain the steps needed to handle IP allowlisting for an integration flow that accepts incoming requests through the HTTP Sender adapter. The scenario shown here is an example of blocking an incoming request from a suspected IP address. You can apply the same approach to other integration flows that use SOAP, IDoc, AS2 or OData sender adapters.

 NOTE:  Since it is easy to forge an x-forwarded-for header, the information provided below should be used with care.

 

Scenario: Block requests from a particular IP address using script:

  • Add the x-forwarded-for header to Allowed Header(s) in the integration flow's Runtime Configuration.

 

  • Add the sample script below immediately after the sender adapter (applicable for HTTPS, AS2 and OData) to block incoming requests from the suspected client IP.

 

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;

def Message processData(Message message) {
    // body
    def body = message.getBody()

    // headers
    def map = message.getHeaders()
    def value = map.get("x-forwarded-for")

    // Multiple x-forwarded-for values arrive as one comma-separated string
    def splitterValues = value != null ? value.split(",") : null
    if (splitterValues != null && splitterValues.length > 0) {
        // The last entry is the actual client IP; trim the space that follows the comma
        def clientIP = splitterValues[splitterValues.length - 1].trim()
        if ("xxx.xxx.xxx.xxx" == clientIP) {
            throw new RuntimeException("Request not allowed from IP address:" + clientIP + splitterValues)
        }
    }
    return message
}

 

If the incoming request contains multiple x-forwarded-for headers, they are consolidated into a single x-forwarded-for header with comma-separated values (e.g. 100.100.100.100, xxx.xxx.xxx.xxx).

The actual client IP address (i.e. xxx.xxx.xxx.xxx) is the last value in the list, as shown in the script above.

  • For CXF-based adapters (IDoc and SOAP), the header values are returned as a List of strings, so the sample script differs slightly from the one above.

import com.sap.gateway.ip.core.customdev.util.Message;
import java.util.HashMap;

def Message processData(Message message) {
    // body
    def body = message.getBody()

    // headers
    def map = message.getHeaders()
    def value = map.get("x-forwarded-for")

    // CXF-based adapters return the header values as a List of strings
    boolean isContainingListOfIPs = value instanceof Collection

    def clientActualIP = null
    if (isContainingListOfIPs) {
        // Get the last value from the List
        clientActualIP = value.last()
    } else {
        clientActualIP = value
    }

    if (clientActualIP != null) {
        if ("xxx.xxx.xxx.xxx" == clientActualIP.trim()) {
            throw new RuntimeException("Request not allowed from IP address:" + clientActualIP)
        }
    }
    return message
}

 

Always remember to adjust and redeploy the integration flow (script) whenever there are network or IP address changes on the sender side.
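
The scripts above block one address. The added example below (not part of the original post and not SAP's code) turns the check into an allowlist of IPv4 ranges and accepts the header in either form, String or List. The range values are constructed placeholders, the helper names ipToLong, lastForwardedFor and isAllowed are illustrative, and rejecting a missing or unparsable header is an assumption of this example.

```groovy
import com.sap.gateway.ip.core.customdev.util.Message

// Convert dotted IPv4 text to a number; null when the text is not a valid IPv4 address.
Long ipToLong(String ip) {
    def parts = ip?.trim()?.split(/\./)
    if (parts == null || parts.length != 4) return null
    long n = 0
    for (p in parts) {
        if (!(p ==~ /\d{1,3}/) || Integer.parseInt(p) > 255) return null
        n = n * 256 + Integer.parseInt(p)
    }
    return n
}

// Last x-forwarded-for entry, whether the header arrives as a String (HTTPS, AS2,
// OData) or as a List of strings (CXF-based adapters: IDoc, SOAP).
String lastForwardedFor(Object header) {
    def raw = (header instanceof Collection) ? (header ? header.last() : null) : header
    def tokens = raw?.toString()?.tokenize(',')
    return tokens ? tokens.last().trim() : null
}

// True only when the address parses and lies inside one of the [first, last] pairs.
boolean isAllowed(String ip, List<List<String>> ranges) {
    Long n = ipToLong(ip)
    if (n == null) return false   // missing or malformed header: reject
    return ranges.any { r -> n >= ipToLong(r[0]) && n <= ipToLong(r[1]) }
}

def Message processData(Message message) {
    // Constructed sample ranges (documentation addresses); replace with the senders' ranges.
    def allowedRanges = [
        ['192.0.2.10',   '192.0.2.200'],
        ['198.51.100.0', '198.51.100.255']
    ]
    def clientIP = lastForwardedFor(message.getHeaders().get('x-forwarded-for'))
    if (!isAllowed(clientIP, allowedRanges)) {
        throw new RuntimeException('Request not allowed from IP address: ' + clientIP)
    }
    return message
}
```

As the NOTE above says, x-forwarded-for can be forged, so this check complements sender authentication rather than replacing it.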


      7 Comments
      Sven Huberti

      Thanks Appala! Very useful!

      Just one remark: for the sake of usability, could you paste your code as text (instead of screenshots) for other developers to re-use it easily? This is exactly where the power of your blog entry resides: in the scripts! 😉

      Cheers,
      Sven

      Appala Naidu Uppada
      Blog Post Author

      Hello Sven,

      Thanks for your feedback. Replaced the screenshots with the scripts.

      Thanks,

      Appala

      Richard McArthur

      Cut and Paste coding should always be discouraged, +1 for screen shots. Who knows what malicious code will be in your next cut and paste.

      Ravi Bandari

      Hello Appala/Experts,

       

      I have gone through this blog and it was nice.

      But here my requirement is to white list IP RANGE in CPI, where I have IP ranges more than 50.

      Below are the sample IP ranges:

      10.33.55.01 - 10.33.78.255

      55.22.48.04 - 55. 38.22.255

      Like the above I have multiple IP ranges to white list in CPI.

      Let me know how to handle this. It will be very helpful and this is a bit urgent.

       

      Regards,

      Krishna

      shiva Prasad

      Hi Ravi,

      Good Day!!

      My requirement is similar to yours, did you achieve IP Range white list through CPI?

       

      Regards

      Shiva

      Venkata Chundi

      Hi Ravi,

       

      You can use expression on your code to handle it.

       

      Thanks

      Venkat

      Ruchita Vanjari

      Thanks Appala for an amazing blog

      Is there any alternative to extract the source system IP other than x-forwarded-for?

      Many Thanks ,

      Ruchita