4.4.2 Create an Application Descriptor File
Each application that you want to develop and deploy on SAP HANA Extended Application Services (SAP HANA XS) must have an application-descriptor file. The application descriptor is the core file that you use to describe an application's framework within SAP HANA XS.
The package that contains the application-descriptor file becomes the root path of the resources exposed by the application you develop.
1. Create a root package for your application, for example, helloxsjs.
2. Create an application descriptor for your application and place it in the root package you created in the previous step.
The application descriptor is the core file that you use to describe an application's availability within SAP HANA Extended Application Services. The application-descriptor file has no contents and no name; it only has the file extension .xsapp.
Note: For backward compatibility, content is allowed in the .xsapp file but ignored.
3. Save and activate your changes and additions.
4.4.3 The Application-Access File
SAP HANA XS enables you to define access to each individual application package that you want to develop and deploy.
The application-access file enables you to specify who or what is authorized to access the content exposed by a SAP HANA XS application package and what content they are allowed to see. For example, you use the application-access file to specify if authentication is to be used to check access to package content and whether rules are in place for the exposure of target and source URLs.
The application-access file does not have a name; it only has the file extension .xsaccess. The content of the .xsaccess file is formatted according to JSON rules and is associated with the package it belongs to as well as any subpackages lower in the package hierarchy. Multiple .xsaccess files are allowed, but only at different levels in the package hierarchy. This enables you to specify different application-access rules for individual packages and subpackages in the package hierarchy.
Note: You cannot place two .xsaccess files in the same package. Furthermore, the rules specified in a .xsaccess file that is associated with a subpackage take precedence over any rules specified in a .xsaccess file associated with any parent package higher up the package hierarchy.
The application-access file performs the following operations:
● Data exposure
Use the exposed keyword to specify if package content is to be exposed to client requests via HTTP.
Note: Exposed package content can include design-time objects, for example, tables and views.
● Authentication rules
Use the authentication keyword to enable authorization for the requests in URLs either at the application level or for single packages in an application. The following authentication methods are supported:
○ SAP logon tickets
SAP logon tickets enable single sign-on across SAP boundaries; SAP logon tickets can also be used as authentication for access to third-party applications.
○ Form-based authentication
Redirect the logon request to a form to fill in, for example, on a Web page.
○ Basic (user name and password)
Log on with a recognized user name and password.
The authentication methods can also be written as an array, for example, to allow applications to support multiple authentication methods. The order of the authentication methods in the array should proceed from strongest to weakest, for example:
1. SAP logon ticket
2. Form-based
3. Basic authentication
● Application authorization
Use the authorization keyword in the .xsaccess file to specify which authorization level is required by a user for access to a particular application package. The authorization levels you can choose from are defined in the .xsprivileges file, for example, "execute" for basic privileges, or "admin" for administrative privileges on the specified package.
● URL rewrite rules
Use the rewrite_rules keyword in the .xsaccess file to hide internal URL path details from external users, clients, and search engines. It is not possible to define global rewrite rules; the rules you define apply to the specified local application only. Rules are specified as a source-target pair where the source is written in the JavaScript regex syntax, and the target is a simple string where references to the groups found can be inserted using $groupnumber.
● Connection security
Use the force_ssl keyword in the .xsaccess file to enforce the use of secure HTTP (SSL/HTTPS) for client connections. Browser requests that do not use SSL/HTTPS are refused and the 403 Forbidden page is displayed. Note that if you set the force_ssl option, then you must ensure that the SAP Web Dispatcher is configured to accept and manage HTTPS requests. For more information about configuring the SAP Web Dispatcher to use HTTPS/SSL, see the SAP HANA Administration Guide.
Note: If the SAP Web Dispatcher sends the header “x-sap-webdisp-ap” with the HTTPS port, the request is redirected to an HTTPS page, for example: http://..:80/test -> https://..:433/test. Otherwise, a 403 error is displayed.
● Entity Tags
You can allow or prevent the generation of entity tags (etags) for static Web content using the enable_etags keyword in the .xsaccess file. Etags are used to improve caching performance, for example, so that the same data is not resent if no change has occurred since the last request.
● MIME Mapping
MIME means Multipurpose Internet Mail Extensions. You can use the mime_mapping keyword in the .xsaccess file to define the way in which to map certain file suffixes to required MIME types:
"mime_mapping": [ {"extension":"jpg", "mimetype":"image/jpeg"} ]
The Application-Access (.xsaccess) File
The following example shows the composition and structure of the SAP HANA XS application-access (.xsaccess) file. In this file, data is available to client requests. The authentication methods specified are SAP logon ticket and then, as a fall-back option if the logon with the SAP logon ticket fails, a logon with a user name and password. Allowing a fall-back logon mechanism is useful if the requesting client has problems handling the SAP logon ticket mechanism.
{
    "exposed" : true, // Expose data via http
    "target": "/logic/entries.xsjs?year=$1&month=$2&day=$3"
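The target string above inserts captured groups with $1 to $3. The following added example (not SAP code) previews a rewrite rule offline and reports group numbers in the target that the source pattern never captures. The source pattern is constructed for illustration, the function names are hypothetical, and the sketch assumes that the first matching rule is applied with JavaScript String.replace semantics for $groupnumber.

```javascript
// Added example, not SAP code. The "source" pattern is constructed for
// illustration; only the "target" string comes from the example file above.
const RULES = [
  { source: "/entries/(\\d+)/(\\d+)/(\\d+)/",
    target: "/logic/entries.xsjs?year=$1&month=$2&day=$3" },
];

// Number of capturing groups in a JavaScript regex source.
// Appending "|" lets the pattern match the empty string, so exec() always
// returns an array with one slot per group plus the full match.
function groupCount(source) {
  return new RegExp(source + "|").exec("").length - 1;
}

// Group numbers referenced in the target that the source does not capture.
function danglingRefs(rule) {
  const n = groupCount(rule.source);
  const refs = [...rule.target.matchAll(/\$(\d+)/g)].map((m) => Number(m[1]));
  return refs.filter((g) => g < 1 || g > n);
}

// Assumption: the first rule whose source matches is applied; a path that
// matches no rule is returned unchanged.
function rewrite(path, rules) {
  for (const rule of rules) {
    const re = new RegExp(rule.source);
    if (re.test(path)) return path.replace(re, rule.target);
  }
  return path;
}

console.log(rewrite("/entries/2013/07/25/", RULES));
console.log(danglingRefs({ source: "/e/(\\d+)/", target: "/x.xsjs?a=$1&b=$2" }));
```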
4.4.4 Application-Access File Keyword Options
The application-access (.xsaccess) file enables you to specify whether or not to expose package content, which authentication method is used to grant access, and what content is visible.
The Application Access (.xsaccess) File
The following example shows all possible keyword combinations in the SAP HANA XS application-access (.xsaccess) file.
Note: In the form shown below, the .xsaccess file is not a working model; it is used to illustrate all possible options.
}
The exposed keyword enables you to define if content in a package (and its subpackages) is to be made available by HTTP to client requests. Values are Boolean true or false. If no value is set for exposed, the default setting (false) applies.
authentication
{
    "authentication" : [
        { "method" : "LogonTicket" },
        { "method" : "Basic" },
        { "method" : "Form" }
    ]
}
The authentication keyword enables you to define the authentication method to use for Browser requests either at the application level or for single packages in an application. SAP HANA Extended Application Services support the following logon authentication mechanisms:
Note: You can specify multiple authentication methods in the application-access file.
● Basic authentication
Logon with a recognized database user name and password.
● SAP logon ticket
SAP logon tickets enable single sign-on across SAP boundaries; SAP logon tickets can also be used as authentication for access to third-party applications.
● Form-based authentication
Redirect the logon request to a form to fill in, for example, a Web page.
If you use the authentication keyword in the .xsaccess file, you must specify the authentication method to apply, for example, basic or SAP logon ticket. If you use the authentication keyword in the application-access file, but do not set an authentication method, your .xsaccess file is a valid JSON file but is not a semantically valid .xsaccess file and will return a parsing validation error. If you do not set the authentication keyword, your application applies the default basic authentication method (user name and password) to enable access to data.
Note: You can disable authentication checks with the null options, as follows:
{"authentication" : null}
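The authentication rules described above can be checked before activation. The following added example (not SAP code) audits an already-parsed .xsaccess object for disabled authentication, a missing method, reliance on the Basic default, method order, and Basic logon without force_ssl. The function name, finding names and sample configurations are constructed for illustration.

```javascript
// Added example, not SAP code. Input is an already-parsed .xsaccess object.
// Ranking follows the order in the text: logon ticket, form-based, basic.
const RANK = new Map([["LogonTicket", 0], ["Form", 1], ["Basic", 2]]);

function auditXsaccess(cfg) {
  const findings = [];
  if (cfg.exposed !== true) return findings;   // default false: nothing served over HTTP

  let methods = ["Basic"];                     // default when the keyword is absent
  if (!("authentication" in cfg)) {
    findings.push("default-basic");
  } else if (cfg.authentication === null) {
    findings.push("auth-disabled");            // {"authentication": null}
    methods = [];
  } else {
    // Accept a single object or an array of { "method": ... } entries.
    methods = [].concat(cfg.authentication).map((e) => (e && e.method) || null);
    if (methods.length === 0 || methods.some((m) => !RANK.has(m))) {
      findings.push("invalid-method");         // keyword set, no known method
    } else if (methods.some((m, i) => i > 0 && RANK.get(m) < RANK.get(methods[i - 1]))) {
      findings.push("order-not-strongest-first");
    }
  }
  // Basic credentials would be accepted without force_ssl being set.
  if (cfg.force_ssl !== true && methods.includes("Basic")) {
    findings.push("basic-without-force-ssl");
  }
  return findings;
}

// Constructed sample configurations.
const SAMPLES = {
  hardened: { exposed: true, force_ssl: true,
              authentication: [{ method: "LogonTicket" }, { method: "Form" }, { method: "Basic" }] },
  misordered: { exposed: true,
                authentication: [{ method: "LogonTicket" }, { method: "Basic" }, { method: "Form" }] },
  open: { exposed: true, authentication: null },
  implicit: { exposed: true },
};
for (const [name, cfg] of Object.entries(SAMPLES)) {
  console.log(name, auditXsaccess(cfg));
}
```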
authorization
{ "authorization":
[
"sap.xse.test::Execute", "sap.xse.test::Admin"
] }
The authorization keyword in the .xsaccess file enables you to specify which authorization level is required for access to a particular application package, for example, execute or admin on the package sap.xse.test.
Note: The authorization levels you can choose from are defined in the .xsprivileges file for the package, for example, "execute" for basic privileges, or "admin" for administrative privileges on the specified package. If you use the authorization keyword in the .xsaccess file, for example, to require “execute” privileges for a specific application package, you must create a .xsprivileges file for the same application package (or a parent package higher up the hierarchy), in which you define the “execute” privilege level declared in the .xsaccess file.