Perform your own safety checks

In general, all security checks should be done in ABAP, not in the HTML files (JavaScript), since these can be disabled by local debuggers.

In the logon method called by the S10 Framework, you can include any security checks of your own, which are performed right at the start of the application.

For production applications, you may check the startup URL, which then includes checking for the https protocol. The use of local HTML files in local development is then no longer possible.

All SAP authorizations can be checked by calling the ABAP statement "Authority-Check".


* logon user
  method logon.

* check URL
    if s10session->clienturl ne 
      s10errormessage( 'Access denied, wrong URL' ).

* check authorization for transaction VA01
    authority-check object 'S_TCODE'  id 'TCD' field 'VA01'.

    if sy-subrc ne 0.
      s10errormessage('SAP authorization for transaction VA01 required').

S10 Framework