
In document Instituto ante (pages 58-61)

SAP HANA XS enables you to define access to each individual application package that you want to develop and deploy.

The application-access file enables you to specify who or what is authorized to access the content exposed by a SAP HANA XS application package and what content they are allowed to see. For example, you use the application-access file to specify if authentication is to be used to check access to package content and if rewrite rules are in place that hide or expose target and source URLs.

The application-access file does not have a name; it only has the file extension .xsaccess. The content of the .xsaccess file is formatted according to JSON rules and is associated with the package it belongs to as well as any subpackages lower in the package hierarchy. Multiple .xsaccess files are allowed, but only at different levels in the package hierarchy. This enables you to specify different application-access rules for individual packages and subpackages in the package hierarchy.

Note

You cannot place two .xsaccess files in the same package. Furthermore, the rules specified in a .xsaccess file that is associated with a subpackage take precedence over any rules specified in a .xsaccess file associated with any parent package higher up the package hierarchy.

The application-access file performs the following operations:

● Data exposure

Use the exposed keyword to specify if package content is to be exposed to client requests via HTTP.

Note

Exposed package content can include design-time objects, for example, tables and views.

● Authentication rules

Use the authentication keyword to enable authorization for the requests in URLs either at the application level or for single packages in an application. The following authentication methods are supported:

○ SAP logon tickets

SAP logon tickets enable single sign-on across SAP boundaries, for example, to set up single sign-on (SSO) between SAP NetWeaver and SAP HANA XS. SAP logon tickets can also be used as authentication for access to third-party applications.

To configure the trust relationship between the issuer of the SAP logon ticket and SAP HANA, you must specify the path to the SAP logon ticket trust store, which contains the trust chain for the ticket issuer.

You can use the SapLogonTicketTrustStore keyword in the xsengine.ini file. Default values are:

$SECUDIR/saplogon.pse or $HOME/.ssl/saplogon.pem.

Note

SAP HANA XS does not issue SAP logon tickets; it only accepts them. Since the tickets usually reside in a cookie, the issuer and SAP HANA XS need to be in the same domain to make sure that your browser sends the SAP logon ticket cookie with each call to SAP HANA XS.

○ Form-based authentication

Redirect the logon request to a form to fill in, for example, on a Web page.

Note

If you need to troubleshoot problems when developing a form-based logon solution for your application, you can configure the generation of useful trace information in the XSENGINE section of the database trace component using the following entry: xsa:sap.hana.xs.formlogon.

○ Basic (user name and password)

Log on with a recognized user name and password.

The authentication methods can also be written as an array, for example, to allow applications to support multiple authentication methods. The order of the authentication methods in the array should proceed from strongest to weakest, for example:

1. SAP logon ticket

2. Form-based

3. Basic authentication

● Application authorization

Use the authorization keyword in the .xsaccess file to specify which authorization level is required by a user for access to a particular application package. The authorization levels you can choose from are defined in the .xsprivileges file, for example, "execute" for basic privileges, or "admin" for administrative privileges on the specified package.

● URL rewrite rules

Use the rewrite_rules keyword in the .xsaccess file to hide internal URL path details from external users, clients, and search engines. It is not possible to define global rewrite rules; the rules you define apply to the specified local application only. Rules are specified as a source-target pair where the source is written in the JavaScript regex syntax, and the target is a simple string where references to the groups found can be inserted using $groupnumber.

● Connection security

Use the force_ssl keyword in the .xsaccess file to enforce the use of secure HTTP (SSL/HTTPS) for client connections. Browser requests that do not use SSL/HTTPS are refused and the 403 Forbidden page is displayed. Note that if you set the force_ssl option, then you must ensure that the SAP Web Dispatcher is configured to accept and manage HTTPS requests. For more information about configuring the SAP Web Dispatcher to use HTTPS/SSL see the SAP HANA Security Guide.

Note

If the SAP Web Dispatcher sends the header "x-sap-webdisp-ap" with the HTTPS port, the request is redirected to an HTTPS page, for example: http://..:80/test -> https://..:433/test. Otherwise, a 403 error is displayed.

● Entity Tags

You can allow or prevent the generation of entity tags (etags) for static Web content using the enable_etags keyword in the .xsaccess file. Etags are used to improve caching performance, for example, so that the same data is not resent if no change has occurred since the last request.

● MIME Mapping

MIME means Multipurpose Internet Mail Extensions. You can use the mime_mapping keyword in the .xsaccess file to define the way in which to map certain file suffixes to required MIME types:

"mime_mapping": [ {"extension":"jpg", "mimetype":"image/jpeg"} ]

● Cross-Site Request Forgery (XSRF)

You can use the prevent_xsrf keyword in the .xsaccess file to guard against cross-site request-forgery attacks. XSRF attacks attempt to trick a user into clicking a specific hyperlink, which shows a (usually well-known) Web site and performs some actions on the user's behalf, for example, in a hidden iframe. The prevent_xsrf keyword checks the validity of a session-specific security token to ensure that it matches the token that SAP HANA XS generates in the backend for the corresponding session.

Example

The Application-Access (.xsaccess) File

The following example shows the composition and structure of the SAP HANA XS application-access (.xsaccess) file. In this file, data is available to client requests. The authentication methods specified are SAP logon ticket and then, as a fall-back option if the logon with the SAP logon ticket fails, a logon with a user name and password. Allowing a fall-back log-on mechanism is useful if the requesting client has problems handling

Application-Access File Keyword Options [page 59]

The application-access (.xsaccess) file enables you to specify whether or not to expose package content, which authentication method is used to grant access, and what content is visible.
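The file described in the Example section (content exposed, SAP logon ticket first, user name and password as fall-back) can be reviewed against the rules this page states: authentication methods ordered from strongest to weakest, exposed content behind some authentication, and force_ssl and prevent_xsrf switched on. The JavaScript below is an added example written for this page, not SAP's tooling: it writes that example file out as an object and runs a small review over it and over a hardened variant. The method names LogonTicket, Form and Basic are the values real .xsaccess files use for the three methods listed above; the privilege name sap.hana.xs.docs::Execute and the finding texts are this example's own assumptions.

```javascript
// Ranking taken from the text: SAP logon ticket, then form-based, then basic.
const STRENGTH = { LogonTicket: 3, Form: 2, Basic: 1 };

// Review a parsed .xsaccess object and return a list of findings (empty = clean).
function reviewXsaccess(cfg) {
  const findings = [];
  const auth = cfg.authentication;
  // authentication may be one {"method": ...} object or an array of them.
  const methods = auth == null ? [] : (Array.isArray(auth) ? auth : [auth]).map(a => a.method);

  if (cfg.exposed === true && methods.length === 0) {
    findings.push("exposed package content with no authentication method configured");
  }
  for (const m of methods) {
    if (!(m in STRENGTH)) findings.push(`unknown authentication method "${m}"`);
  }
  // The array must proceed strongest to weakest; flag the first inversion.
  const ranks = methods.filter(m => m in STRENGTH).map(m => STRENGTH[m]);
  for (let i = 1; i < ranks.length; i++) {
    if (ranks[i] > ranks[i - 1]) {
      findings.push(`authentication methods not ordered strongest to weakest: ${methods.join(" > ")}`);
      break;
    }
  }
  if (cfg.force_ssl !== true) findings.push("force_ssl is not enabled; plain-HTTP requests are accepted");
  if (cfg.prevent_xsrf !== true) findings.push("prevent_xsrf is not enabled; no session token check on requests");
  if (cfg.exposed === true && !cfg.authorization) findings.push("no authorization privilege required for the package");
  return findings;
}

// The file described in the Example section, written as a JS object
// (constructed here; the page itself does not print the JSON).
const exampleFile = {
  exposed: true,
  authentication: [{ method: "LogonTicket" }, { method: "Basic" }]
};

// Hardened variant: all three methods in strength order, a required privilege
// (hypothetical name), SSL enforced and the XSRF token check on.
const hardenedFile = {
  exposed: true,
  authentication: [{ method: "LogonTicket" }, { method: "Form" }, { method: "Basic" }],
  authorization: ["sap.hana.xs.docs::Execute"],
  force_ssl: true,
  prevent_xsrf: true
};

// Misordered variant: the weakest method listed first.
const misorderedFile = {
  exposed: true,
  authentication: [{ method: "Basic" }, { method: "LogonTicket" }],
  authorization: ["sap.hana.xs.docs::Execute"],
  force_ssl: true,
  prevent_xsrf: true
};

console.log(reviewXsaccess(exampleFile));
console.log(reviewXsaccess(hardenedFile));
console.log(reviewXsaccess(misorderedFile));
```

The review is deliberately conservative: the example file from the text is valid and does what the page says, but on its own it leaves SSL enforcement, the XSRF token check and a required privilege unset, which is exactly what a reviewer would ask about before the package is deployed.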
