DG
Active Contributor
We had a requirement to block users from seeing certain SAP PI/PO messages. In SAP PI it is only possible to limit users from seeing all payloads or no payloads at all. We have some PI test messages that we should not show to users because they are confidential.

We wanted the simplest approach for it without having to develop a new monitor.

We found we could use the SAP Web Dispatcher to intercept requests to the Web Dynpro applications and then filter out the messages that users should not see. This meant we did not need to create new applications to manage this. The Web Dispatcher offers far more options than are normally used.

Possibility to intercept a request from UI and add custom logic.
SAP allows modifying HTTP requests. We took this article as a basis: https://help.sap.com/viewer/683d6a1797a34730a6e005d1e8de6f22/7.5.9/en-US/86960bf3f8544e0d91c70c9359e...

Our goal is to block the Web Dynpro application from showing payloads to remote users and then use our own redirect servlet to fetch the normal payload.

Steps


In our case, we needed to forward a request for opening a single message page to our custom Java Servlet and then decide if a user is allowed to view this page according to our custom business logic.
In general, there are a couple of steps to achieve this:
1. Find and open file icm_filter_rules in \usr\sap\<PI System Name>\SYS\global\security\data.
2. Write the rules, which will be used to forward the request to our custom servlet.
Example:
if %{REMOTE_ADDR} !stricmp 127.0.0.1 [AND]
if %{REMOTE_ADDR} !stricmp ::1  [AND]
if %{REQUEST_METHOD} stricmp "GET" [AND]
if %{FORMFIELD:afwmsgkey} !stricmp ""
RegIRedirectUrl ^/webdynpro/dispatcher/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp.*$ /webdynpro/dispatcher/sap.com/pro-confidential-data-component/MessagePageServlet [QSA]

This means that a request is redirected only if the client IP address is not localhost, the method is GET, and the "afwmsgkey" query parameter is not empty. In that case, requests that match the pattern "/webdynpro/dispatcher/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp" are redirected to "/webdynpro/dispatcher/sap.com/pro-confidential-data-component/MessagePageServlet", and all query parameters are passed along as well.

3. Save the file and restart the server.
4. Create a Service Component in SAP NetWeaver. In our case, it consists of two Development Components: ear and web.






5. Create a Java Servlet and implement some custom logic there:



As you can see in the if-else clause, it is possible either to just return the response or to forward the request further.

This forward context uses the current user's credentials, so there is no need to implement new user authentication.
6. Deploy this Service Component to the SAP system.
7. Finally, the requests will be processed via the custom Java Servlet:

Once we open a new message for viewing, the GET request is sent via the Figaf component. POST requests are sent via the normal endpoint, so it all works identically.
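An added example (not the author's servlet) of the decision step 5 describes: deny the page with a 403, or forward the request inside the server to the original Web Dynpro application. The role name, the `confidentialKeys` init parameter, matching on the raw `afwmsgkey` value, and the cross-context target path are assumptions made for illustration.

```java
import java.io.IOException;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MessagePageServlet extends HttpServlet {
    // Assumptions, not from the original post: role name, init-param name,
    // and the context root / path used to reach the original application.
    private static final String VIEWER_ROLE = "PI_CONFIDENTIAL_VIEWER";
    private static final String TARGET_CONTEXT = "/webdynpro/dispatcher";
    private static final String TARGET_PATH =
        "/sap.com/tc~lm~itsam~ui~mainframe~wd/FloorPlanApp";
    private final Set<String> confidentialKeys = new HashSet<String>();

    @Override
    public void init() throws ServletException {
        // Hypothetical init-param: comma-separated message keys to hide.
        String raw = getServletConfig().getInitParameter("confidentialKeys");
        if (raw == null) return;
        for (String key : raw.split(",")) {
            if (!key.trim().isEmpty()) confidentialKeys.add(key.trim());
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String msgKey = req.getParameter("afwmsgkey");
        // Fail closed: no authenticated user or no message key, no page.
        if (req.getRemoteUser() == null || msgKey == null || msgKey.isEmpty()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        if (confidentialKeys.contains(msgKey) && !req.isUserInRole(VIEWER_ROLE)) {
            // msgKey matched a configured value, so it is safe to log as-is.
            log("Denied " + req.getRemoteUser() + " for message " + msgKey);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Message is restricted");
            return;
        }
        // Allowed: forward server-side; query parameters travel with the request.
        ServletContext target = getServletContext().getContext(TARGET_CONTEXT);
        RequestDispatcher rd = target == null ? null : target.getRequestDispatcher(TARGET_PATH);
        if (rd == null) { resp.sendError(HttpServletResponse.SC_SERVICE_UNAVAILABLE); return; }
        rd.forward(req, resp);
    }
}
```

If the target context or dispatcher cannot be resolved, the servlet answers 503 rather than falling back to an unfiltered path.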



 

 

Conclusion


I hope you find this interesting and see that the Web Dispatcher can help with a lot more on your SAP NetWeaver system.

We can now fetch message payloads outside the SAP PI server. If users log on to the PI system, the redirect will not work because they are then on localhost.