Disabling InvokerServlet


Disabling the Invoker Servlet Feature Globally

Applies to:
SAP NetWeaver, releases: 2004, 7.0, 7.1, 7.2, 7.3
Application Server Java (AS Java)

Summary
This document contains information about the Invoker Servlet feature, which has to be disabled by default. The information is relevant for you if you use the Invoker Servlet.

Created on:
26 October, 2010

2010 SAP AG

Table of Contents

Applies to
Summary
Table of Contents
Introduction
Identifying Invoker Servlet Usage
    For SAP NetWeaver 2004 and 7.0
    For SAP NetWeaver 7.1 to 7.3
Disabling Invoker Servlet Globally
    For SAP NetWeaver 2004 and 7.0
    For SAP NetWeaver 7.1 to 7.3
Adoption of Existing Applications Which Use the Invoker Servlet Feature
Disabling Invoker Servlet Locally for an Application
Related Content
Copyright


Introduction

The Invoker Servlet feature enables HTTP clients to invoke arbitrary servlets even if not defined in the web.xml file of the application. For security reasons, the Invoker Servlet has to be disabled by default to avoid malicious invocation of application servlets.

First, you have to identify whether you use the Invoker Servlet feature in your application, and if yes, disable it globally as described in the sections below.

If the Invoker Servlet is disabled centrally by default (as in versions 7.2 and 7.3), you need to modify your application so that there are no functional implications for it. Your application should not rely on the Invoker Servlet feature, but use local servlets (defined in its own web.xml file) only. In general, the change can be made entirely in the web.xml file of the application without any code changes.

Remember to adjust your security constraints (or programmatic security) according to the servlet mapping changes that you have made. They should follow the security scheme of your application - for example, if you expect only admin users to be able to invoke the servlet, make sure that all servlet mappings of this servlet are protected and require an admin role.
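The web.xml adjustment described above can be checked mechanically before the feature is switched off. The following Python script is an added example (it is not SAP's code and not part of this document): it parses a web.xml, lists servlets that are declared but have no servlet-mapping (such servlets were only reachable through the Invoker Servlet's /servlet/ prefix) and flags mappings that no security-constraint restricts to the expected role. The sample web.xml, the servlet names and the admin role are constructed for the example.

```python
"""Audit a web.xml for servlets that are only reachable through the Invoker
Servlet (declared but never mapped) and for explicit mappings that no
security constraint protects. Added example, not part of the SAP document."""
import xml.etree.ElementTree as ET

# Constructed sample: ReportServlet already has an explicit mapping and an
# admin-only constraint; ExportServlet is declared but not mapped, so it was
# reachable only via the /servlet/<class name> prefix of the Invoker Servlet.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>ReportServlet</servlet-name>
    <servlet-class>com.example.reports.ReportServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExportServlet</servlet-name>
    <servlet-class>com.example.reports.ExportServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ReportServlet</servlet-name>
    <url-pattern>/reports/run</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    # Strip a default namespace such as {http://java.sun.com/xml/ns/j2ee}.
    return tag.rsplit("}", 1)[-1]


def _text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def _texts(el, name):
    return [(c.text or "").strip() for c in el.iter() if _local(c.tag) == name]


def parse_web_xml(text):
    """Return (servlet name -> class, servlet name -> [url-pattern],
    [(constraint url-patterns, role names, has auth-constraint)])."""
    root = ET.fromstring(text)
    servlets, mappings, constraints = {}, {}, []
    for el in root:
        kind = _local(el.tag)
        if kind == "servlet":
            servlets[_text(el, "servlet-name")] = _text(el, "servlet-class")
        elif kind == "servlet-mapping":
            mappings.setdefault(_text(el, "servlet-name"), []).extend(_texts(el, "url-pattern"))
        elif kind == "security-constraint":
            has_auth = any(_local(c.tag) == "auth-constraint" for c in el)
            constraints.append((_texts(el, "url-pattern"), set(_texts(el, "role-name")), has_auth))
    return servlets, mappings, constraints


def pattern_covers(constraint_pattern, url_pattern):
    """Servlet-spec style matching: exact, path prefix (/x/*) or extension (*.ext)."""
    if constraint_pattern == url_pattern:
        return True
    if constraint_pattern.endswith("/*"):
        prefix = constraint_pattern[:-2]
        return url_pattern == prefix or url_pattern.startswith(prefix + "/")
    if constraint_pattern.startswith("*."):
        return url_pattern.endswith(constraint_pattern[1:])
    return False


def audit(text, allowed_roles):
    """unmapped: servlets with no explicit mapping (Invoker-only); unprotected:
    (servlet, pattern) pairs not covered by a constraint limited to allowed_roles.
    A constraint with an empty auth-constraint denies everyone and counts as protected."""
    servlets, mappings, constraints = parse_web_xml(text)
    unmapped = [name for name in servlets if not mappings.get(name)]
    unprotected = []
    for name, patterns in mappings.items():
        for upat in patterns:
            protected = any(
                has_auth and roles <= set(allowed_roles)
                and any(pattern_covers(cp, upat) for cp in cpats)
                for cpats, roles, has_auth in constraints)
            if not protected:
                unprotected.append((name, upat))
    return {"unmapped": unmapped, "unprotected": unprotected}


if __name__ == "__main__":
    result = audit(SAMPLE_WEB_XML, {"admin"})
    print("servlets without explicit mapping:", result["unmapped"])
    print("mappings without admin-only constraint:", result["unprotected"])
```

Run against the sample, the script reports ExportServlet as unmapped and nothing as unprotected; once ExportServlet receives its own servlet-mapping, the second list shows whether the new URL pattern also falls under an admin-only security-constraint.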

    Identifying Invoker Servlet Usage

    The procedure describes how to identify if the Invoker Servlet is used for common scenarios. If the Invoker Servlet is used, then you need to apply the correction for the corresponding application before disabling the Invoker Servlet globally.

Note that the log scan described below does not provide a full guarantee. Instead, we recommend that you perform a code scan on the application and identify usages of servlets with the prefix "/servlet/".

    For SAP NetWeaver 2004 and 7.0

    You can identify invoker servlet usage by means of SAP NetWeaver Administrator or Visual Admin.

Using SAP NetWeaver Administrator

1. Start SAP NetWeaver Administrator.
2. Go to System Management -> Configuration -> Log Configuration.
3. Select Tracing Locations from the dropdown menu.
4. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet
5. Change the severity from ERROR to WARNING.
6. Choose Save Configuration.
7. Go to Analysis -> Debug -> Logs and Traces.
8. Select Show Custom View and Create New View from the dropdown menus. The value of the dropdown item will change to New View 1.
9. In Filter by Content, select the filter Location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet
10. Choose Apply Filters.
11. If there are log records displayed, then the Invoker Servlet is used in the requests during the specified period.

Using the Visual Administrator

1. Start the Visual Administrator.
2. In Cluster, choose any server node from the tree.
3. Under the Services node, select the Log Configurator service.
4. Choose the Locations tab on the right.
5. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet
6. Change the severity from ERROR to WARNING.
7. Choose Save and select the option Apply to all server nodes.
8. Monitor the system during its normal usage for a certain period of time.
9. Load the generated default traces in the Standalone Log Viewer.
10. Apply the filter Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet in column Location.
11. Choose Include in Current Log.
12. If there are entries left in the Log Message View, then the Invoker Servlet is used in the requests during the specified period.
13. In the case of a cluster with more than one server node, you need to merge the default traces and run the search or filter on the merged set of trace entries.
14. The trace message by default contains:
    a. Class name of the servlet which is being invoked
    b. Alias of the web application in which servlets are being invoked
    c. Name of the application in which servlets are being invoked
    d. Reference to Note 1445998

If the severity of the location com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet is set to DEBUG, a stack trace of the invocation is also printed.

For SAP NetWeaver 7.1 to 7.3

1. In SAP NetWeaver Administrator, open Log Configuration.
2. In the Show menu, select Tracing Locations.
3. Navigate to the following location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet
4. Change the severity of this location from ERROR to WARNING and choose Save Configuration.
5. Monitor the system during its normal usage for a certain period of time.
6. Load the generated default traces in the Log Viewer in SAP NetWeaver Administrator.
7. Apply the filter Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet in column Location.
8. If there are entries left in the Log Message View, then the Invoker Servlet is used in the requests during the specified period.
9. The trace message by default contains:
    a. Class name of the servlet which is being invoked
    b. Alias of the web application in which servlets are being invoked
    c. Name of the application in which servlets are being invoked
    d. Reference to Note 1445998
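Both identification procedures (2004/7.0 and 7.1 to 7.3) end with the same task: merge the default traces of all server nodes, keep only the entries of the InvokerServlet location, and group them by application so that each affected application can be corrected before the feature is disabled globally. The Python script below is an added example, not from the SAP document. Its record layout (pipe-separated timestamp, node, severity, location, message) and the key=value wording of the message are a constructed simplification, not the real default-trace format; parse_record() and MSG_RE have to be adapted to the format in which the traces were exported.

```python
"""Merge per-node default traces and list the applications whose requests went
through the Invoker Servlet. Added example, not part of the SAP document; the
record layout is a constructed simplification of an exported trace, not the
actual SAP default-trace format, so adapt parse_record() and MSG_RE."""
import re
from datetime import datetime

INVOKER_LOCATION = "com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet"

# Constructed trace exports from two server nodes of one cluster. Each record:
# timestamp|node|severity|location|message. The message carries what the
# document says the trace contains: servlet class, web application alias,
# application name and the reference to Note 1445998.
NODE_TRACES = {
    "server0": [
        "2010-10-26 09:00:01|server0|Info|com.sap.engine.services.httpserver"
        "|GET /reports/run",
        "2010-10-26 09:00:02|server0|Warning|" + INVOKER_LOCATION
        + "|servlet=com.example.reports.ExportServlet alias=reports"
          " application=example.com/reports note=1445998",
        "2010-10-26 09:05:10|server0|Warning|" + INVOKER_LOCATION
        + "|servlet=com.example.reports.ExportServlet alias=reports"
          " application=example.com/reports note=1445998",
    ],
    "server1": [
        "2010-10-26 09:00:03|server1|Warning|" + INVOKER_LOCATION
        + "|servlet=com.example.legacy.AdminServlet alias=legacy"
          " application=example.com/legacy note=1445998",
        "2010-10-26 09:02:00|server1|Info|com.sap.engine.services.httpserver"
        "|GET /legacy/admin",
    ],
}

RECORD_RE = re.compile(
    r"^(?P<ts>[^|]+)\|(?P<node>[^|]+)\|(?P<sev>[^|]+)\|(?P<loc>[^|]+)\|(?P<msg>.*)$")
# Assumed message wording (constructed); replace with the real pattern.
MSG_RE = re.compile(r"servlet=(?P<servlet>\S+) alias=(?P<alias>\S+) application=(?P<app>\S+)")


def parse_record(line):
    """Parse one exported trace line; return None for lines that do not match."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def merge_traces(node_traces):
    """Step 13 of the procedure: one chronologically ordered list across all nodes."""
    records = []
    for lines in node_traces.values():
        for line in lines:
            rec = parse_record(line)
            if rec is not None:
                records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def invoker_usage(records):
    """Filter on the InvokerServlet location and group servlet classes by
    (application name, web application alias), i.e. the applications that
    need the web.xml correction before the feature is disabled globally."""
    usage = {}
    for rec in records:
        if rec["loc"] != INVOKER_LOCATION:
            continue
        m = MSG_RE.search(rec["msg"])
        if not m:
            continue
        usage.setdefault((m["app"], m["alias"]), set()).add(m["servlet"])
    return usage


if __name__ == "__main__":
    merged = merge_traces(NODE_TRACES)
    for (app, alias), servlets in sorted(invoker_usage(merged).items()):
        print(f"{app} (alias {alias}) invokes via Invoker Servlet: {sorted(servlets)}")
```

The grouping key is the application name plus alias because that is what the trace message identifies; the servlet class names collected per application are exactly the servlets that need an explicit servlet-mapping (and matching security constraint) in that application's web.xml.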

    Disabling Invoker Servlet Globally

    For SAP NetWeaver 2004 and 7.0

    You have to disable the Invoker Servlet feature by default for all Web applications centrally in the Web Container. After verifying it is no longer used by applications, follow this procedure:

1. Make sure the version of the J2EE Engine is updated to the version recommended by Note 1445998.

    2. Start the Config Tool.

    3. In the Cluster-data tree on the left, select Global Server Configuration.

4. In the Services node, navigate to servlet_jsp.

    5. In the Global properties list on the right, select the EnableInvokerServletGlobally key.

    6. In the Value ed