Disabling the Invoker Servlet Feature Globally
Applies to: SAP NetWeaver, releases 2004, 7.0, 7.1, 7.2, 7.3; Application Server Java (AS Java)
Summary
This document describes the Invoker Servlet feature, which must be disabled by default. The information is relevant for you if your applications use the Invoker Servlet.
Created on: 26 October, 2010
Disabling the Invoker Servlet Feature Globally
2010 SAP AG 2
Table of Contents
Applies to (page 1)
Summary (page 1)
Table of Contents (page 2)
Introduction (page 3)
Identifying Invoker Servlet Usage (page 3)
  For SAP NetWeaver 2004 and 7.0 (page 3)
  For SAP NetWeaver 7.1 to 7.3 (page 8)
Disabling Invoker Servlet Globally (page 10)
  For SAP NetWeaver 2004 and 7.0 (page 10)
  For SAP NetWeaver 7.1 to 7.3 (page 11)
Adoption of Existing Applications Which Use the Invoker Servlet Feature (page 14)
Disabling Invoker Servlet Locally for an Application (page 17)
Related Content (page 18)
Copyright (page 18)
Introduction
The Invoker Servlet feature enables HTTP clients to invoke arbitrary servlets of an application, even servlets that are not declared in the application's web.xml file. For security reasons, the Invoker Servlet has to be disabled by default, so that application servlets cannot be invoked in ways the application never intended to expose.
First, you have to identify whether you use the Invoker Servlet feature in your application, and if yes, disable
it globally as described in the sections below.
If the Invoker Servlet is disabled centrally by default (as in versions 7.2 and 7.3), you need to modify your application so that disabling it has no functional implications. Your application should not rely on the Invoker Servlet feature, but use local servlets (declared and mapped in its own web.xml file) only. In general, the change can be made entirely in the web.xml file of the application without any code changes.
Remember to adjust your security constraints (or programmatic security) according to the servlet mapping changes that you have made. They should follow the security scheme of your application. For example, if you expect only admin users to be able to invoke a servlet, make sure that every servlet mapping of that servlet is protected and requires an admin role, not just the mapping you happened to add.
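The following web.xml fragment is an added example (not taken from the SAP document or from any SAP application) of what the introduction describes: a servlet that used to be reachable only through the Invoker Servlet is declared explicitly, mapped to its own URL, and that URL is placed under a security constraint that requires the admin role. The servlet class com.example.ReportServlet, the URL pattern /report, the role name admin and the BASIC login method are assumptions chosen for the example; the Servlet 2.4 namespace is the standard one for a J2EE 1.4 web application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Before: clients reached this class through the Invoker Servlet as
       /<alias>/servlet/com.example.ReportServlet, and no security constraint
       covered that path. After disabling the Invoker Servlet, the servlet is
       only reachable through the mapping declared here. (Class name and URL
       are example values.) -->
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.ReportServlet</servlet-class>
  </servlet>

  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/report</url-pattern>
  </servlet-mapping>

  <!-- The constraint must list every URL pattern the servlet is mapped to;
       if a second mapping is added later, add it here as well. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Report servlet</web-resource-name>
      <url-pattern>/report</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>

  <security-role>
    <role-name>admin</role-name>
  </security-role>

</web-app>
```

A quick check after the change: a request to the old /servlet/com.example.ReportServlet path must no longer be served once the Invoker Servlet is disabled, and a request to /report without the admin role must be rejected by the container before the servlet code runs.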
Identifying Invoker Servlet Usage
The procedure describes how to identify whether the Invoker Servlet is used in common scenarios. If the Invoker Servlet is used, you need to apply the correction to the corresponding application before disabling the Invoker Servlet globally.
Note that the log scan described below does not provide a full guarantee, because it only reveals invocations that actually occurred during the monitored period. Instead, we recommend that you perform a code scan of the application and identify usage of servlets with the prefix "/servlet/".
For SAP NetWeaver 2004 and 7.0
You can identify Invoker Servlet usage by means of SAP NetWeaver Administrator or the Visual Administrator.
Using SAP NetWeaver Administrator
1. Start SAP NetWeaver Administrator.
2. Go to System Management -> Configuration -> Log Configuration.
3. Select Tracing Locations from the dropdown menu.
4. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet
5. Change the severity from ERROR to WARNING.
6. Choose Save Configuration.
7. Go to Analysis -> Debug -> Logs and Traces.
8. Select Show Custom View and Create New View from the dropdown menus. The value of the dropdown item will change to New View 1.
9. In Filter by Content, select the filter Location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet
10. Choose Apply Filters.
11. If log records are displayed, the Invoker Servlet was used by requests during the specified period.
Using the Visual Administrator
1. Start the Visual Administrator.
2. In Cluster, choose any server node from the tree.
3. Under the Services node, select the Log Configurator service.
4. Choose the Locations tab on the right.
5. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet
6. Change the severity from ERROR to WARNING.
7. Choose Save and select the option Apply to all server nodes.
8. Monitor the system during its normal usage for a certain period of time.
9. Load the generated default traces in the Standalone Log Viewer.
10. Apply the filter Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet in the column Location.
11. Choose Include in Current Log.
12. If entries remain in the Log Message View, the Invoker Servlet was used by requests during the specified period.
13. In a cluster with more than one server node, you need to merge the default traces of all nodes and run the search or filter on the merged set of trace entries; otherwise usage that only occurred on one node is missed.
14. By default, the trace message contains:
a. Class name of the servlet that is being invoked
b. Alias of the web application in which the servlet is being invoked
c. Name of the application in which the servlet is being invoked
d. Reference to Note 1445998
If the severity of location com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet is set to DEBUG, a stack trace of the invocation is also printed.
For SAP NetWeaver 7.1 to 7.3
1. In SAP NetWeaver Administrator, open Log Configuration.
2. In the Show menu, select Tracing Locations.
3. Navigate to the following location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet
4. Change the severity of this location from ERROR to WARNING and choose Save Configuration.
5. Monitor the system during its normal usage for a certain period of time.
6. Load the generated default traces in the Log Viewer in SAP NetWeaver Administrator.
7. Apply the filter Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet in the column Location.
8. If entries remain in the Log Message View, the Invoker Servlet was used by requests during the specified period.
9. By default, the trace message contains:
a. Class name of the servlet that is being invoked
b. Alias of the web application in which the servlet is being invoked
c. Name of the application in which the servlet is being invoked
d. Reference to Note 1445998
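Steps 13 and 14 of the 2004/7.0 procedure and steps 8 and 9 of the 7.1 to 7.3 procedure describe the same analysis: merge the default traces of all server nodes, keep only entries whose Location is the InvokerServlet location, and read the servlet class, web application alias and application name out of each message so that the affected applications can be corrected before the feature is disabled. The note at the start of this section also recommends a code scan for "/servlet/" paths. The following Python script is an added example of both checks; it is not part of the SAP document or of the NetWeaver tooling. The trace line layout (fields separated by "#": timestamp, severity, location, message), the message wording and the JSP snippets are constructed for the example; real default traces use a different format and the parser would need adjusting to it. Remember that these entries only appear after the location's severity has been raised to WARNING as described above.

```python
import re
from collections import Counter

# Trace location that the procedure filters on (taken from the document).
INVOKER_LOCATION = "com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet"

# Constructed default-trace excerpts from two server nodes of one cluster.
# Layout and wording are assumptions for this example, not SAP's real format.
NODE_TRACES = {
    "server0": [
        "#2010-10-26 10:15:03#WARNING#" + INVOKER_LOCATION + "#"
        "servlet class com.example.ReportServlet, alias /reports, application sap.com/reports, see Note 1445998#",
        "#2010-10-26 10:15:04#INFO#com.sap.engine.services.servlets_jsp.server#"
        "GET /reports/index.jsp#",
    ],
    "server1": [
        "#2010-10-26 10:16:11#WARNING#" + INVOKER_LOCATION + "#"
        "servlet class com.example.ReportServlet, alias /reports, application sap.com/reports, see Note 1445998#",
        "#2010-10-26 10:17:45#WARNING#" + INVOKER_LOCATION + "#"
        "servlet class com.example.ExportServlet, alias /legacy, application sap.com/legacy, see Note 1445998#",
        "#2010-10-26 10:18:00#ERROR#" + INVOKER_LOCATION + "#"
        "servlet class com.example.ExportServlet, alias /legacy, application sap.com/legacy, see Note 1445998#",
    ],
}

# Constructed JSP fragments for the code scan ("/servlet/" prefix usage).
SOURCE_FILES = {
    "index.jsp": '<a href="/reports/servlet/com.example.ReportServlet">Run</a>',
    "menu.jsp": '<form action="/legacy/servlet/Export" method="post">',
    "about.jsp": "<p>No dynamic content here.</p>",
}

# Extracts the three fields the document says the trace message carries
# (assumed wording: "servlet class X, alias Y, application Z").
MESSAGE_RE = re.compile(
    r"servlet class (?P<servlet>[^,\s]+), alias (?P<alias>[^,\s]+), application (?P<app>[^,\s]+)"
)
# Any path segment chain ending in /servlet/<something>.
SERVLET_PATH_RE = re.compile(r"(?:/[\w.-]+)*/servlet/[\w./-]+")


def parse_line(line):
    """Split one trace line into (timestamp, severity, location, message); None if malformed."""
    parts = line.strip().strip("#").split("#")
    if len(parts) < 4:
        return None
    return parts[0], parts[1], parts[2], "#".join(parts[3:])


def merge_traces(node_traces):
    """Merge the per-node traces into one list of (node, parsed_line) sorted by timestamp."""
    merged = []
    for node, lines in node_traces.items():
        for line in lines:
            parsed = parse_line(line)
            if parsed is not None:
                merged.append((node, parsed))
    merged.sort(key=lambda item: item[1][0])  # ISO-style timestamps sort lexicographically
    return merged


def find_invoker_usage(node_traces):
    """Count InvokerServlet hits per (application, alias, servlet class) across all nodes."""
    usage = Counter()
    for _node, (_ts, _severity, location, message) in merge_traces(node_traces):
        if location != INVOKER_LOCATION:
            continue
        match = MESSAGE_RE.search(message)
        if match:
            usage[(match.group("app"), match.group("alias"), match.group("servlet"))] += 1
        else:
            usage[("<unparsed>", "", "")] += 1  # keep count of hits whose message we could not read
    return usage


def applications_needing_fix(usage):
    """Sorted list of application names that must be corrected before the global switch-off."""
    return sorted({app for (app, _alias, _servlet) in usage if app != "<unparsed>"})


def find_servlet_prefix_refs(source_files):
    """Code scan: map each source file to the '/servlet/' paths it references."""
    hits = {}
    for name, text in source_files.items():
        paths = SERVLET_PATH_RE.findall(text)
        if paths:
            hits[name] = paths
    return hits


if __name__ == "__main__":
    usage = find_invoker_usage(NODE_TRACES)
    for (app, alias, servlet), count in sorted(usage.items()):
        print(f"{count:4d}  {app:<20} {alias:<10} {servlet}")
    print("applications to correct:", applications_needing_fix(usage))
    print("source references:", find_servlet_prefix_refs(SOURCE_FILES))
```

The script treats an unparseable InvokerServlet entry as a hit rather than dropping it, so a wording difference in the real trace cannot silently hide usage; the application list is what you would carry into the adoption work before flipping the global switch.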
Disabling Invoker Servlet Globally
For SAP NetWeaver 2004 and 7.0
You have to disable the Invoker Servlet feature by default for all Web applications centrally in the Web Container. After verifying that it is no longer used by any application, follow this procedure:
1. Make sure the J2EE Engine is updated to the version recommended by Note 1445998.
2. Start the Config Tool.
3. In the Cluster-data tree on the left, select Global Server Configuration.
4. In the Services node, navigate to servlet_jsp.
5. In the Global properties list on the right, select the EnableInvokerServletGlobally key.
6. In the Value ed