Hi guys,
in my app I'm using several services, an approuter as well as the xsuaa authentication method (SAP ID Authentication service). The services are restricted, one requires a developer role and the other requires an authenticated-user.
If I start the approuter locally and start the app in a private window, I'm getting forwarded to the SAP ID logon page. After I log in with my user I'm able to use the app (since I applied the developer role to my user, and with the successful logon I'm also an authenticated-user).
However, if I deploy the app to the SCP and start the approuter, I'm still getting forwarded to the SAP ID logon page, and after a successful login I'm getting forwarded to my app start page. The odd part is that I'm not able to use the app. When I checked the inspector I see that I receive a 403 Forbidden error when I try to access the services.
My assumption is that some linking between the mta.yaml, the xs-security.json and the approuter went wrong, since I'm able to log on but the developer role doesn't seem to be recognized.
I'm thankful for any hints! Moreover, in the xs-security.json (at the beginning) and in the mta.yaml file (at the very end) I wrote questions (marked with a '-').
Cheers,
Thorsten
The approuter:
{
  "welcomeFile": "/app/",
  "authenticationMethod": "route",
  "routes": [
    {
      "source": "^/app/(.*)$",
      "target": "$1",
      "localDir": "./"
    },
    {
      "source": "^/getPerson/(.*)$",
      "target": "$1",
      "destination": "srv-binding"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "destination": "srv-binding",
      "scope": [
        "$XSAPPNAME.developer"
      ]
    }
  ]
}
The approuter's package.json
{
  "name": "plt-app-approuter",
  "dependencies": {
    "@sap/approuter": "^7.1.2",
    "@sap/xsenv": "^2.2.0",
    "@sap/xssec": "^2.2.5"
  },
  "scripts": {
    "start": "node --inspect node_modules/@sap/approuter/approuter.js"
  }
}
The xs-security.json
{
  "xsappname": "plt-app", // -should it point to the approuter name 'plt-app-approuter'?
  "tenant-mode": "dedicated", // -is it describing how the JWT Token gets forwarded?
  "scopes": [
    {
      "name": "$XSAPPNAME.developer",
      "description": "developer"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "plt_app_dev",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.developer"
      ],
      "attribute-references": []
    }
  ],
  "role-collections": [
    {
      "name": "plt_app",
      "role-template-references": [
        "$XSAPPNAME.plt_app_dev"
      ]
    }
  ]
}
The mta.yaml
## Generated mta.yaml based on template version 0.2.0
## appName = plt-app
## language=nodejs; multiTenant=false
## approuter=
_schema-version: '3.1'
ID: plt-app
version: 1.0.5
description: "A simple CAP project."
parameters:
  enable-parallel-deployments: true
build-parameters:
  before-all:
    - builder: custom
      commands:
        - npm install
        - npx cds build
modules:
  # --------------------- SERVER MODULE ------------------------
  - name: plt-app-srv
  # ------------------------------------------------------------
    type: nodejs
    path: srv
    properties:
      EXIT: 1 # required by deploy.js task to terminate
    requires:
      # Resources extracted from CAP configuration
      - name: plt-hdi-container
      - name: plt-app-uaa
    provides:
      - name: srv-binding # required by consumers of CAP services (e.g. approuter)
        properties:
          srv-url: ${default-url}
  # -------------------- SIDECAR MODULE ------------------------
  - name: plt-app-db
  # ------------------------------------------------------------
    type: hdb
    path: db
    parameters:
      app-name: plt-app-db
    requires:
      # 'hana' and 'xsuaa' resources extracted from CAP configuration
      - name: plt-hdi-container
      - name: plt-app-uaa
  ############################################################
  ############## APP #########################
  - name: plt-app-approuter
    type: approuter.nodejs
    path: app
    parameters:
      memory: 256M
    build-parameters:
      requires:
        - name: plt-app-srv
    requires:
      - name: plt-app-uaa
      - name: srv-binding
        group: destinations
        properties:
          forwardAuthToken: true
          name: srv-binding
          url: ~{srv-url}
resources:
  # services extracted from CAP configuration
  # 'service-plan' can be configured via 'cds.requires.<name>.vcap.plan'
  # ------------------------------------------------------------
  - name: plt-hdi-container
  # ------------------------------------------------------------
    type: com.sap.xs.hdi-container # describes the HANA DB
    parameters:
      service: hanatrial # or 'hanatrial' on trial landscapes
      service-plan: hdi-shared
    properties:
      hdi-service-name: ${service-name}
  # ------------------------------------------------------------
  - name: plt-app-uaa
    type: org.cloudfoundry.managed-service
    parameters:
      ##### Path to xs-security.json to add roles and scopes ####
      path: ./gen/xs-security.json
      service: xsuaa
      service-plan: application
      config:
        xsappname: plt-app-${space} # -is it preferred over the xsappname in the xs-security.json?
        tenant-mode: dedicated
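To make the 403 reproducible on a desk, here is an added example (not part of the original post and not the approuter's own code) that simulates what the approuter does with the routes above: match the request path against the route list in order, substitute `$XSAPPNAME` in the route's `scope` entry, and compare it with the `scope` claim of the JWT issued by xsuaa. The value `plt-app-dev` for `XSAPPNAME`, the request paths and the unsigned sample tokens are constructed assumptions; a real token from xsuaa is signed and the approuter verifies it through @sap/xssec before trusting any claim. The `scopesFromJwt` helper is the same inspection you can do by hand in the browser's inspector on the real token: if the `scope` array there lacks `<xsappname>.developer`, the role collection is simply not on the user, and every request falling into the catch-all route answers 403 regardless of the login having succeeded.

```javascript
// Added example: simulate the approuter's route-level scope check.
// XSAPPNAME, request paths and sample tokens are constructed assumptions.

// Assumption: after ${space} substitution in the mta.yaml config, the xsuaa
// instance is created with this xsappname (placeholder value).
const XSAPPNAME = 'plt-app-dev';

// Routes with the same shape as the approuter config in the question.
const routes = [
  { source: '^/app/(.*)$', target: '$1', localDir: './' },
  { source: '^/getPerson/(.*)$', target: '$1', destination: 'srv-binding' },
  { source: '^(.*)$', target: '$1', destination: 'srv-binding', scope: ['$XSAPPNAME.developer'] },
];

// base64url helpers, used only to build and inspect the constructed token.
function b64url(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function fromB64url(seg) {
  // Node's base64 decoder accepts the URL-safe alphabet and missing padding.
  return Buffer.from(seg, 'base64').toString('utf8');
}

// Build an unsigned, constructed JWT carrying the given scopes (simulation only;
// a real xsuaa token is RS256-signed and must never be accepted unsigned).
function makeSampleJwt(scopes) {
  const header = b64url(JSON.stringify({ alg: 'none', typ: 'JWT' }));
  const payload = b64url(JSON.stringify({ scope: scopes, user_name: 'sample-user' }));
  return `${header}.${payload}.`;
}

// Read the scope claim out of a JWT without verifying it: fine for looking at a
// token in the inspector, not for making an authorization decision.
function scopesFromJwt(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  const claims = JSON.parse(fromB64url(parts[1]));
  return Array.isArray(claims.scope) ? claims.scope : [];
}

// xsuaa replaces $XSAPPNAME with the instance's xsappname when scopes are created.
function resolveScopes(scopeList, xsappname) {
  return (scopeList || []).map((s) => s.replace('$XSAPPNAME', xsappname));
}

// The approuter takes the first route whose source regex matches the path.
function matchRoute(path, routeList) {
  return routeList.find((r) => new RegExp(r.source).test(path));
}

// Returns the HTTP status the approuter would answer with for this path/token.
function authorize(path, jwt, routeList, xsappname) {
  const route = matchRoute(path, routeList);
  if (!route) return { status: 404 };
  const required = resolveScopes(route.scope, xsappname);
  if (required.length === 0) return { status: 200, route: route.source };
  const granted = scopesFromJwt(jwt);
  const ok = required.some((s) => granted.includes(s));
  return ok ? { status: 200, route: route.source } : { status: 403, missing: required };
}

// Constructed tokens: an authenticated user without and with the developer
// role collection assigned ('openid' and 'uaa.user' stand in for the generic
// scopes a login token typically carries).
const tokenWithoutRole = makeSampleJwt(['openid', 'uaa.user']);
const tokenWithRole = makeSampleJwt(['openid', 'uaa.user', `${XSAPPNAME}.developer`]);

// Stand-alone demo: status per path for both tokens.
function demo() {
  const out = {};
  for (const [label, t] of [['noRole', tokenWithoutRole], ['developer', tokenWithRole]]) {
    out[label] = {};
    for (const p of ['/app/index.html', '/getPerson/42', '/catalog/People']) {
      out[label][p] = authorize(p, t, routes, XSAPPNAME).status;
    }
  }
  return out;
}
console.log(JSON.stringify(demo(), null, 2));
```

Running it shows the pattern from the question: the static `/app/` route and the unguarded `/getPerson/` route return 200 for any logged-in user, while the catch-all route returns 403 until the token carries `plt-app-dev.developer`. Because the scope name is derived from the xsappname the xsuaa instance was actually created with, a mismatch between the name in xs-security.json and the `config.xsappname` override in mta.yaml is exactly the kind of thing to check by decoding the real token.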