Download - Disabling InvokerServlet


    Disabling the Invoker Servlet Feature Globally

    Applies to:

    SAP NetWeaver, releases: 2004, 7.0, 7.1, 7.2, 7.3

    Application Server Java (AS Java)

    Summary

    This document contains information about the Invoker Servlet feature, which has to be disabled by default. The information is relevant for you if you use the Invoker Servlet.

    Created on:

    26 October, 2010

  • Disabling the Invoker Servlet Feature Globally

    2010 SAP AG 2

    Table of Contents

    Applies to

    Summary

    Table of Contents

    Introduction

    Identifying Invoker Servlet Usage
        For SAP NetWeaver 2004 and 7.0
        For SAP NetWeaver 7.1 to 7.3

    Disabling Invoker Servlet Globally
        For SAP NetWeaver 2004 and 7.0
        For SAP NetWeaver 7.1 to 7.3

    Adoption of Existing Applications Which Use the Invoker Servlet Feature

    Disabling Invoker Servlet Locally for an Application

    Related Content

    Copyright

    Introduction

    The Invoker Servlet feature enables HTTP clients to invoke arbitrary servlets even if they are not defined in the web.xml file of the application. For security reasons, the Invoker Servlet has to be disabled by default to avoid malicious invocation of application servlets.

    First, you have to identify whether you use the Invoker Servlet feature in your application, and if yes, disable it globally as described in the sections below.

    If the Invoker Servlet is disabled centrally by default (as in versions 7.2 and 7.3), you need to modify your application so that there are no functional implications for it. Your application should not rely on the Invoker Servlet feature, but use local servlets (defined in its own web.xml file) only. In general, the change can be made entirely in the web.xml file of the application without any code changes.

    Remember to adjust your security constraints (or programmatic security) according to the servlet mapping changes that you have made. They should follow the security scheme of your application - for example, if you expect only admin users to be able to invoke the servlet, make sure that all servlet mappings of this servlet are protected and require an admin role.

    Identifying Invoker Servlet Usage

    The procedure describes how to identify whether the Invoker Servlet is used in common scenarios. If the Invoker Servlet is used, you need to apply the correction to the corresponding application before disabling the Invoker Servlet globally.

    Note that the log scan described below does not provide a full guarantee. Instead, we recommend that you perform a code scan of the application and identify usage of servlets with the prefix "/servlet/".

    For SAP NetWeaver 2004 and 7.0

    You can identify invoker servlet usage by means of SAP NetWeaver Administrator or Visual Admin.

    Using SAP NetWeaver Administrator

    1. Start SAP NetWeaver Administrator.

    2. Go to System Management -> Configuration -> Log Configuration.

    3. Select Tracing Locations from the dropdown menu.

    4. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet

    5. Change the severity from ERROR to WARNING.

    6. Choose Save Configuration.

    7. Go to Analysis -> Debug -> Logs and Traces.

    8. Select Show Custom View and Create New View from the dropdown menus. The value of the dropdown item will change to New View 1.

    9. In Filter by Content, select the filter Location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet

    10. Choose Apply Filters.

    11. If there are log records displayed, then the Invoker Servlet is used in the requests during the specified period.

    Using the Visual Administrator

    1. Start the Visual Administrator.

    2. In Cluster, choose any server node from the tree.

    3. Under the Services node, select the Log Configurator service.

    4. Choose the Locations tab on the right.

    5. Expand the tree and navigate to the Invoker Servlet: ROOT Location -> com -> sap -> engine -> services -> servlets_jsp -> server -> servlet -> InvokerServlet

    6. Change the severity from ERROR to WARNING.

    7. Choose Save and select the option Apply to all server nodes.

    8. Monitor the system during its normal usage for a certain period of time.

    9. Load the generated default traces in the Standalone Log Viewer.

    10. Apply filter

    Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet

    In column: Location

    11. Choose Include in Current Log.

    12. If there are entries left in the Log Message View, then the Invoker Servlet is used in the requests during the specified period.

    13. In case of a cluster with more than one server node, you will need to merge the default traces and run the search or filter on the merged set of trace entries.

    14. The trace message by default contains:

    a. Class name of the servlet which is being invoked

    b. Alias of the web application in which servlets are being invoked

    c. Name of the application in which servlets are being invoked

    d. Reference to Note 1445998

    If the severity of location com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet is set to DEBUG, a stack trace of the invocation is also printed.

    For SAP NetWeaver 7.1 to 7.3

    1. In SAP NetWeaver Administrator, open Log Configuration.

    2. In the Show menu, select Tracing Locations.

    3. Navigate to the following location: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet

    4. Change the severity of this location from ERROR to WARNING and choose Save Configuration.

    5. Monitor the system during its normal usage for a certain period of time.

    6. Load the generated default traces in the Log Viewer in SAP NetWeaver Administrator.

    7. Apply filter

    Text: com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet

    In column: Location

    8. If there are entries left in the Log Message View, then the Invoker Servlet is used in the requests during the specified period.

    9. The trace message by default contains:

    a. Class name of the servlet which is being invoked

    b. Alias of the web application in which servlets are being invoked

    c. Name of the application in which servlets are being invoked

    d. Reference to Note 1445998
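    The two identification methods above (filtering the trace on the InvokerServlet location, and scanning code for the "/servlet/" prefix) as one added example; this is not from the SAP document. The trace records and source snippets are constructed, and the record layout "location|message" is a simplification because the document does not show the real default-trace format; the parser only relies on the three fields the document says the message contains.

```python
import re
from collections import defaultdict

# Trace location the document tells you to filter on.
INVOKER_LOCATION = "com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet"

# Constructed sample records in a simplified "location|message" layout. The real
# default-trace format is not shown in the document; the parser only assumes that
# each record carries the location and the three fields the document lists
# (servlet class, web application alias, application name).
SAMPLE_TRACE = """\
com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet|Invoking servlet class com.example.ReportServlet in web application alias /erp for application sap.com/erp_app, see Note 1445998
com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet|Invoking servlet class com.example.AdminServlet in web application alias /erp for application sap.com/erp_app, see Note 1445998
com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet|Invoking servlet class com.example.ReportServlet in web application alias /erp for application sap.com/erp_app, see Note 1445998
com.sap.engine.services.httpserver.server.Client|GET /erp/index.jsp
"""

MSG_RE = re.compile(r"servlet class (?P<cls>[\w.$]+) in web application alias "
                    r"(?P<alias>[^\s,]+) for application (?P<app>[^\s,]+)")

def invoker_usage_from_trace(trace_text):
    """{application: {alias: {servlet class: hits}}} from InvokerServlet records only."""
    usage = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in trace_text.splitlines():
        location, _, message = line.partition("|")
        if location != INVOKER_LOCATION:
            continue  # records from other locations are noise for this scan
        m = MSG_RE.search(message)
        if m:
            usage[m["app"]][m["alias"]][m["cls"]] += 1
    return {app: {a: dict(c) for a, c in aliases.items()} for app, aliases in usage.items()}

# Constructed snippets standing in for the JSP/Java sources of one application.
SAMPLE_SOURCES = {
    "report.jsp": '<a href="/erp/servlet/com.example.ReportServlet?id=1">Report</a>',
    "Nav.java": 'String url = ctx + "/servlet/com.example.ExportServlet";',
    "index.jsp": '<a href="/erp/report">Report</a>',
}

SERVLET_URL_RE = re.compile(r"/servlet/([\w.$]+)")

def servlet_prefix_references(sources):
    """The code scan the document recommends: '/servlet/<class>' references per file."""
    return {name: sorted(set(SERVLET_URL_RE.findall(text)))
            for name, text in sources.items() if SERVLET_URL_RE.search(text)}

def combined_inventory(trace_text, sources):
    """Union of classes seen in the trace and classes referenced in code: what must
    be declared in web.xml before EnableInvokerServletGlobally is set to false."""
    classes = set()
    for aliases in invoker_usage_from_trace(trace_text).values():
        for hits in aliases.values():
            classes.update(hits)
    for refs in servlet_prefix_references(sources).values():
        classes.update(refs)
    return sorted(classes)
```

    The code scan catches servlets that simply did not happen to be called during the monitoring window, which is why the document does not treat the log scan alone as a guarantee.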

    Disabling Invoker Servlet Globally

    For SAP NetWeaver 2004 and 7.0

    You have to disable the Invoker Servlet feature by default for all Web applications centrally in the Web Container. After verifying it is no longer used by applications, follow this procedure:

    1. Make sure the version of the J2EE Engine is updated to the version recommended by Note 1445998.

    2. Start the Config Tool.

    3. In the Cluster-data tree on the left, select Global Server Configuration.

    4. In the Services node, navigate to servlet_jsp.

    5. In the Global properties list on the right, select the EnableInvokerServletGlobally key.

    6. In the Value edit field below, specify value false.

    7. Choose Set.

    8. From the menu, choose File -> Apply and confirm the dialogs (resetting any local values for this property if present).

    9. For the changes to take effect, restart the server.

    Alternatively, the value of the property can be changed at runtime for a specific server node using the Visual Administrator (or SAP NetWeaver Administrator in 7.0x) without the need to restart the server.

    For SAP NetWeaver 7.1 to 7.3

    1. In SAP NetWeaver Administrator, open Java System Properties.

    2. Select the Services tab.

    3. Type Web Container in the Name filter and select the Web Container service.

    4. Choose Show Advanced Properties in the upper left corner.

    5. Select the property EnableInvokerServletGlobally.

    6. If its Default Calculated Value is false, then the Invoker Servlet is already disabled (done in versions 7.20 and 7.30). If the Default Calculated Value is true, choose Modify.

    7. Type the value false.

    8. Choose Save.

    Adoption of Existing Applications Which Use the Invoker Servlet Feature

    If you disable the Invoker Servlet and there are still applications or scenarios which rely on its availability, then these requests will fail. To avoid this, you as a customer need to first identify whether the Invoker Servlet is used and, if it is used, request from the application provider a corrected version of the application using the feature. In general, an application should not rely on the Invoker Servlet feature but should instead use only servlets which are defined in the web.xml.

    The application provider can use several strategies to adapt the delivery:

    Option 1: Fix the application to use only servlets defined in the web.xml.

    Option 1.A: Change the /servlet prefix in the code and use mapping in web.xml.

    Do not use the "/servlet/" prefix in the application scenarios.

    This change needs to be made in all places (in application code) where URLs are generated and these URLs are of type //servlet/. The references of type "//servlet/" need to be replaced with references to normal servlet mappings defined in the web.xml file.

    Remember to adjust the security constraints (or programmatic security) according to the servlet mapping changes that will be made. The security constraints should follow the security scheme of the application (for example, if you expect only administrator users to be able to invoke the servlet, make sure that all servlet mappings of this servlet are protected and require an admin role, similar to the snippet below):

    In the web.xml:

        <security-constraint>
            <display-name>SecurityConstraint</display-name>
            <web-resource-collection>
                <web-resource-name>My Application Protected Area</web-resource-name>
                <url-pattern>/*</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>MyAdministrativeRole</role-name>
            </auth-constraint>
        </security-constraint>

        <!-- the role referenced in the auth-constraint must also be declared -->
        <security-role>
            <role-name>MyAdministrativeRole</role-name>
        </security-role>

    In the web-j2ee-engine.xml:

        <security-role-map>
            <role-name>MyAdministrativeRole</role-name>
            <server-role-name>administrators</server-role-name>
        </security-role-map>

    Option 1.B: Generate servlet mapping in web.xml for safe servlets.

    If the servlets which are being accessed through the Invoker Servlet do not pose a security risk and can be accessed safely, then for these servlets you can define appropriate servlet mapping tags in your web.xml file.

    This change needs to be made in the web.xml file of the application only (no code changes required) and the application needs to be redeployed. In this way the code in the application will continue using the "//servlet/", but the requests will not go through the Invoker Servlet and it can still be disabled.

    For all URLs of type "//servlet/" or "/servlet/

    Important: Remember to adjust the security constraints (or programmatic security) according to the servlet mapping changes that will be made. The security constraints should follow the security scheme of the application.
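    Option 1.B and the note above in working form, as an added example that is not from the SAP document: the script emits a <servlet>/<servlet-mapping> pair for each class on a constructed allow-list of safe servlets, adds a <security-constraint> and <security-role> for each one that needs a role, and then checks that no mapping of a role-protected servlet is left uncovered. It assumes (the document does not state it) that invoker URLs have the form /<alias>/servlet/<fully.qualified.ClassName>, so a declared servlet mapped to /servlet/<ClassName> keeps the old URLs working; the class names and role are constructed.

```python
import xml.etree.ElementTree as ET

# Assumption (not stated in the document): through the invoker a request of the
# form /<alias>/servlet/<fully.qualified.ClassName> reaches that class, so a
# declared servlet mapped to the same path keeps old URLs working without it.
# Constructed allow-list: servlet class -> role it requires (None = no role).
SAFE_SERVLETS = {
    "com.example.ReportServlet": None,
    "com.example.AdminServlet": "MyAdministrativeRole",
}

def add_text(parent, tag, text):
    el = ET.SubElement(parent, tag)
    el.text = text
    return el

def build_web_xml(safe_servlets):
    """One <servlet>/<servlet-mapping> pair per safe class (Option 1.B) plus a
    <security-constraint> and <security-role> for every class needing a role."""
    root = ET.Element("web-app")
    for cls, role in safe_servlets.items():
        name = cls.rsplit(".", 1)[-1]
        servlet = ET.SubElement(root, "servlet")
        add_text(servlet, "servlet-name", name)
        add_text(servlet, "servlet-class", cls)
        mapping = ET.SubElement(root, "servlet-mapping")
        add_text(mapping, "servlet-name", name)
        add_text(mapping, "url-pattern", "/servlet/" + cls)
        if role:
            sc = ET.SubElement(root, "security-constraint")
            wrc = ET.SubElement(sc, "web-resource-collection")
            add_text(wrc, "web-resource-name", name + " Protected Area")
            add_text(wrc, "url-pattern", "/servlet/" + cls)
            add_text(ET.SubElement(sc, "auth-constraint"), "role-name", role)
    for role in sorted({r for r in safe_servlets.values() if r}):
        add_text(ET.SubElement(root, "security-role"), "role-name", role)
    return root

def covers(constraint_pattern, url_pattern):
    """Servlet-spec style match: exact, or a trailing '/*' prefix pattern."""
    if constraint_pattern.endswith("/*"):
        return url_pattern.startswith(constraint_pattern[:-1])
    return constraint_pattern == url_pattern

def unprotected_servlet_mappings(root, required_roles):
    """The check behind the document's 'Important' note: every mapping whose
    class requires a role must be covered by some security-constraint."""
    constrained = [p.text for sc in root.iter("security-constraint")
                   for p in sc.iter("url-pattern")]
    class_of = {s.findtext("servlet-name"): s.findtext("servlet-class")
                for s in root.iter("servlet")}
    missing = []
    for m in root.iter("servlet-mapping"):
        pattern = m.findtext("url-pattern")
        cls = class_of.get(m.findtext("servlet-name"))
        if required_roles.get(cls) and not any(covers(c, pattern) for c in constrained):
            missing.append(pattern)
    return missing
```

    Run the check again after editing a real web.xml by hand: a mapping added for a servlet that previously sat behind "/*" but now has its own pattern is exactly the case the note warns about.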

    Workarounds:

    Option 2. Enabling Invoker Servlet usage locally per application

    We do not recommend enabling of Invoker Servlet locally in an application. If you decide to do so for any reason, you need to acknowledge and accept the risks and implications that may arise as a consequence of having the Invoker Servlet enabled.

    This option is only appropriate for test cases and test applications deployed on development or test systems, where having a security issue is not critical.

    You can disable the Invoker Servlet globally by setting the property EnableInvokerServletGlobally to false, but you can also override this setting locally in an application if for whatever reasons (testing, demo) you need a specific application to continue using the Invoker Servlet without knowing the full set of servlets which are being used at runtime (and hence you cannot declare them in the web.xml).

    To do this you need to copy the following two fragments to the web.xml file:

        <servlet>
            <servlet-name>invoker</servlet-name>
            <servlet-class>com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet</servlet-class>
            <init-param>
                <param-name>InvokeByClassName</param-name>
                <param-value>true</param-value>
            </init-param>
            <init-param>
                <param-name>InvokerServletLocallyEnabled</param-name>
                <param-value>true</param-value>
            </init-param>
        </servlet>

        <servlet-mapping>
            <servlet-name>invoker</servlet-name>
            <url-pattern>/servlet/*</url-pattern>
        </servlet-mapping>

    Disabling Invoker Servlet Locally for an Application

    This strategy is suitable when you want to secure a specific application for which you know that the Invoker Servlet is not supposed to be used, but there are other applications deployed on the system which prevent you from disabling the Invoker Servlet globally. Thus you want to protect a more critical application (which is correctly written and does not rely on the Invoker Servlet).

    This is a temporary workaround until the other applications (relying on the Invoker Servlet) are adapted and you can disable the Invoker Servlet globally for all applications.

    In order to disable the Invoker Servlet locally for an application, you need to copy the following two fragments to the web.xml file:

        <servlet>
            <servlet-name>invoker</servlet-name>
            <servlet-class>com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet</servlet-class>
            <init-param>
                <param-name>InvokerServletLocallyEnabled</param-name>
                <param-value>false</param-value>
            </init-param>
        </servlet>

        <servlet-mapping>
            <servlet-name>invoker</servlet-name>
            <url-pattern>/servlet/*</url-pattern>
        </servlet-mapping>
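    An added audit check, not from the SAP document, for the local override described in this section and in Option 2: it reads the InvokerServletLocallyEnabled init-param of an InvokerServlet declaration in a web.xml and combines it with the server-wide EnableInvokerServletGlobally value to report whether the invoker is effectively active for that application. The sample descriptors are constructed; handling a Servlet 2.4+ xmlns on web-app is a practical caveat the document does not mention.

```python
import xml.etree.ElementTree as ET

INVOKER_CLASS = "com.sap.engine.services.servlets_jsp.server.servlet.InvokerServlet"

def _local(tag):
    # Drop an xmlns prefix such as {http://java.sun.com/xml/ns/j2ee}, which a
    # Servlet 2.4+ web.xml carries and which would otherwise hide every element.
    return tag.rsplit("}", 1)[-1]

def _child_text(parent, name):
    for child in parent:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def local_invoker_state(web_xml_text):
    """'locally-enabled', 'locally-disabled' or 'inherits-global', read from the
    InvokerServletLocallyEnabled init-param of a servlet declared with the
    InvokerServlet class, i.e. the fragments shown in the document."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if _local(el.tag) != "servlet" or _child_text(el, "servlet-class") != INVOKER_CLASS:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value").lower()
                  for p in el if _local(p.tag) == "init-param"}
        flag = params.get("InvokerServletLocallyEnabled")
        if flag == "true":
            return "locally-enabled"
        if flag == "false":
            return "locally-disabled"
    return "inherits-global"

def effective_state(web_xml_text, global_enabled):
    """Whether the invoker actually answers /servlet/* for this application,
    given the server-wide EnableInvokerServletGlobally value."""
    state = local_invoker_state(web_xml_text)
    if state == "inherits-global":
        return "enabled" if global_enabled else "disabled"
    return "enabled" if state == "locally-enabled" else "disabled"

# Constructed sample descriptors: a namespaced web.xml that disables the invoker
# locally, and a plain one with no invoker declaration at all.
LOCALLY_DISABLED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet><servlet-name>invoker</servlet-name>
    <servlet-class>%s</servlet-class>
    <init-param><param-name>InvokerServletLocallyEnabled</param-name>
      <param-value>false</param-value></init-param></servlet>
  <servlet-mapping><servlet-name>invoker</servlet-name>
    <url-pattern>/servlet/*</url-pattern></servlet-mapping>
</web-app>""" % INVOKER_CLASS
NO_DECLARATION = ("<web-app><servlet><servlet-name>x</servlet-name>"
                  "<servlet-class>com.example.X</servlet-class></servlet></web-app>")
```

    Applied across every deployed application's web.xml together with the current EnableInvokerServletGlobally value, this gives the list of applications for which the invoker is still reachable once the global switch is set to false.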

    Related Content

    SAP Note 1445998

    Copyright

    Copyright 2010 SAP AG. All rights reserved.

    No part of this publication may be reproduced or transmitted in any form or for any purpose without the express permission of SAP AG. The information contained herein may be changed without prior notice.

    Some software products marketed by SAP AG and its distributors contain proprietary software components of other software vendors.

    Microsoft, Windows, Excel, Outlook, and PowerPoint are registered trademarks of Microsoft Corporation.

    IBM, DB2, DB2 Universal Database, System i, System i5, System p, System p5, System x, System z, System z10, System z9, z10, z9, iSeries, pSeries, xSeries, zSeries, eServer, z/VM, z/OS, i5/OS, S/390, OS/390, OS/400, AS/400, S/390 Parallel Enterprise Server, PowerVM, Power Architecture, POWER6+, POWER6, POWER5+, POWER5, POWER, OpenPower, PowerPC, BatchPipes, BladeCenter, System Storage, GPFS, HACMP, RETAIN, DB2 Connect, RACF, Redbooks, OS/2, Parallel Sysplex, MVS/ESA, AIX, Intelligent Miner, WebSphere, Netfinity, Tivoli and Informix are trademarks or registered trademarks of IBM Corporation.

    Linux is the registered trademark of Linus Torvalds in the U.S. and other countries.

    Adobe, the Adobe logo, Acrobat, PostScript, and Reader are either trademarks or registered trademarks of Adobe Systems Incorporated in the United States and/or other countries.

    Oracle is a registered trademark of Oracle Corporation.

    UNIX, X/Open, OSF/1, and Motif are registered trademarks of the Open Group.

    Citrix, ICA, Program Neighborhood, MetaFrame, WinFrame, VideoFrame, and MultiWin are trademarks or registered trademarks of Citrix Systems, Inc.

    HTML, XML, XHTML and W3C are trademarks or registered trademarks of W3C, World Wide Web Consortium, Massachusetts Institute of Technology.

    Java is a registered trademark of Sun Microsystems, Inc.

    JavaScript is a registered trademark of Sun Microsystems, Inc., used under license for technology invented and implemented by Netscape.

    SAP, R/3, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of SAP AG in Germany and other countries.

    Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius, and other Business Objects products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Business Objects S.A. in the United States and in other countries. Business Objects is an SAP company.

    All other product and service names mentioned are the trademarks of their respective companies. Data contained in this document serves informational purposes only. National product specifications may vary.

    These materials are subject to change without notice. These materials are provided by SAP AG and its affiliated companies ("SAP Group") for informational purposes only, without representation or warranty of any kind, and SAP Group shall not be liable for errors or omissions with respect to the materials. The only warranties for SAP Group products and services are those that are set forth in the express warranty statements accompanying such products and services, if any. Nothing herein should be construed as constituting an additional warranty.