Jun 23, 2020 at 10:21 AM

Linking between Approuter - mta.yaml - xs-security.json


Hi guys,

In my app I'm using several services, an approuter as well as the xsuaa authentication method (SAP ID Authentication service). The services are restricted: one requires a developer role and the other requires an authenticated user.
If I start the approuter locally and start the app in a private window, I'm getting forwarded to the SAP ID logon page. After I log in with my user I'm able to use the app (since I applied the developer role to my user, and with the successful logon I'm also an authenticated user).
However, if I deploy the app to the SCP and start the approuter, I'm still getting forwarded to the SAP ID logon page, and after a successful login I'm getting forwarded to my app start page. The odd part is that I'm not able to use the app. When I checked the inspector I saw that I receive a 403 - Forbidden error when I try to access the services.

My assumption is that some linking between the mta.yaml, the xs-security.json and the approuter went wrong, since I'm able to log on but the developer role doesn't seem to be recognized.

I'm thankful for any hints! Moreover, in the xs-security.json (at the beginning) and in the mta.yaml file (at the very end) I wrote questions (marked with a '-').

Cheers,
Thorsten

The approuter:

{
    "welcomeFile": "/app/",
    "authenticationMethod": "route",
    "routes": [
      {
        "source": "^/app/(.*)$",
        "target": "$1",
        "localDir": "./"
      },
      {
        "source": "^/getPerson/(.*)$",
        "target": "$1",
        "destination": "srv-binding"
      },
      {
        "source": "^(.*)$",
        "target": "$1",
        "destination": "srv-binding",
        "scope": [
          "$XSAPPNAME.developer"
        ]
      }
    ]
}
The approuter's package.json
{
  "name": "plt-app-approuter",
  "dependencies": {
    "@sap/approuter": "^7.1.2",
    "@sap/xsenv": "^2.2.0",
    "@sap/xssec": "^2.2.5"
  },
  "scripts": {
    "start": "node --inspect node_modules/@sap/approuter/approuter.js"
  }
}
The xs-security.json

{
  "xsappname": "plt-app",               -should it point to the approuter name 'plt-app-approuter'?
  "tenant-mode": "dedicated",           -is it describing how the JWT Token gets forwarded?
  "scopes": [
    {
      "name": "$XSAPPNAME.developer",
      "description": "developer"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "plt_app_dev",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.developer"
      ],
      "attribute-references": []
    }
  ],
  "role-collections":
  [
    {
      "name": "plt_app",
      "role-template-references": [
        "$XSAPPNAME.plt_app_dev"
      ]
    }
  ]
}

The mta.yaml

## Generated mta.yaml based on template version 0.2.0
## appName = plt-app
## language=nodejs; multiTenant=false
## approuter=
_schema-version: '3.1'
ID: plt-app
version: 1.0.5
description: "A simple CAP project."
parameters:
  enable-parallel-deployments: true
  
  
build-parameters:
  before-all:
   - builder: custom
     commands:
      - npm install
      - npx cds build

modules:
 # --------------------- SERVER MODULE ------------------------
 - name: plt-app-srv
 # ------------------------------------------------------------
   type: nodejs
   path: srv
   properties:
     EXIT: 1  # required by deploy.js task to terminate 
   requires:
    # Resources extracted from CAP configuration
    - name: plt-hdi-container
    - name: plt-app-uaa
   provides:
    - name: srv-binding      # required by consumers of CAP services (e.g. approuter)
      properties:
        srv-url: ${default-url}

 # -------------------- SIDECAR MODULE ------------------------
 - name: plt-app-db
 # ------------------------------------------------------------
   type: hdb
   path: db  
   parameters:
     app-name: plt-app-db  
   requires:
    # 'hana' and 'xsuaa' resources extracted from CAP configuration
    - name: plt-hdi-container
    - name: plt-app-uaa
 ############################################################

  ##############    APP   #########################
 - name: plt-app-approuter
   type: approuter.nodejs
   path: app
   parameters:
      memory: 256M
   build-parameters:
     requires:
       - name: plt-app-srv
   requires:
    - name: plt-app-uaa
    - name: srv-binding
      group: destinations
      properties:
         forwardAuthToken: true
         name: srv-binding
         url: ~{srv-url}

resources:
 # services extracted from CAP configuration
 # 'service-plan' can be configured via 'cds.requires.<name>.vcap.plan'
# ------------------------------------------------------------
 - name: plt-hdi-container
# ------------------------------------------------------------
   type: com.sap.xs.hdi-container # describes the HANA DB
   parameters:
     service: hanatrial  # or 'hanatrial' on trial landscapes
     service-plan: hdi-shared
   properties:
     hdi-service-name: ${service-name}

# ------------------------------------------------------------
 - name: plt-app-uaa
   type: org.cloudfoundry.managed-service
   parameters:
    ##### Path to xs-security.json to add roles and scopes   ####    
     path: ./gen/xs-security.json
     service: xsuaa
     service-plan: application  
     config:
       xsappname: plt-app-${space}         -is it preferred over the xsappname in the xs-security.json
       tenant-mode: dedicated
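The linking the question is about can be checked mechanically: the scope a route in xs-app.json demands, the scopes and role templates declared in xs-security.json, and the xsappname the mta.yaml xsuaa resource overrides all have to agree once $XSAPPNAME is expanded. The script below is an added example, not code from the post; the three documents are embedded as objects constructed from the files shown above, the value used for ${space} is assumed, and the rule that the mta.yaml 'config' value is the one the deployed instance uses is an assumption stated in the code.

```javascript
// Added example (not from the post): cross-check the three files the question links,
// xs-app.json, xs-security.json and the xsuaa 'config' block of mta.yaml.
// The objects below are constructed from the post; 'space' is an assumed value for ${space}.
const xsApp = { routes: [
  { source: "^/app/(.*)$", target: "$1", localDir: "./" },
  { source: "^/getPerson/(.*)$", target: "$1", destination: "srv-binding" },
  { source: "^(.*)$", target: "$1", destination: "srv-binding", scope: ["$XSAPPNAME.developer"] }
] };
const xsSecurity = {
  xsappname: "plt-app",
  scopes: [{ name: "$XSAPPNAME.developer" }],
  "role-templates": [{ name: "plt_app_dev", "scope-references": ["$XSAPPNAME.developer"] }],
  "role-collections": [{ name: "plt_app", "role-template-references": ["$XSAPPNAME.plt_app_dev"] }]
};
const mtaUaaConfig = { xsappname: "plt-app-${space}" }; // resources -> plt-app-uaa -> parameters.config

// Expand $XSAPPNAME with a concrete xsappname, as xsuaa does when the instance is created.
const expand = (name, xsappname) => name.replace("$XSAPPNAME", xsappname);

// Returns the effective xsappname plus any dangling references between the files.
// Assumption: values in the mta.yaml 'config' block are the ones the deployed instance uses.
function checkLinking(app, sec, cfg, space) {
  const findings = [];
  const effective = cfg.xsappname ? cfg.xsappname.replace("${space}", space) : sec.xsappname;
  if (cfg.xsappname && effective !== sec.xsappname)
    findings.push(`xsappname differs: xs-security.json "${sec.xsappname}" vs mta.yaml "${effective}"`);
  const scopes = new Set(sec.scopes.map(s => expand(s.name, effective)));
  for (const rt of sec["role-templates"])
    for (const ref of rt["scope-references"])
      if (!scopes.has(expand(ref, effective))) findings.push(`role-template ${rt.name} -> unknown scope ${ref}`);
  const templates = new Set(sec["role-templates"].map(t => `${effective}.${t.name}`));
  for (const rc of sec["role-collections"])
    for (const ref of rc["role-template-references"])
      if (!templates.has(expand(ref, effective))) findings.push(`role-collection ${rc.name} -> unknown template ${ref}`);
  for (const r of app.routes)
    for (const s of r.scope || [])
      if (!scopes.has(expand(s, effective))) findings.push(`route ${r.source} -> unknown scope ${s}`);
  return { effective, findings };
}

// Routes the approuter would answer with 403 for a token whose 'scope' claim is 'tokenScopes'.
// Assumption: a route is granted when the token holds at least one of the scopes it lists.
function forbiddenRoutes(app, xsappname, tokenScopes) {
  const have = new Set(tokenScopes);
  return app.routes
    .filter(r => r.scope && !r.scope.some(s => have.has(expand(s, xsappname))))
    .map(r => r.source);
}
```

Running checkLinking with a concrete space reports the xsappname difference between xs-security.json and the mta.yaml override, and forbiddenRoutes shows which routes a token with only the other name's scope would be refused on.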