Jul 02 at 10:27 AM

CAP /spring authentication with authorisation


I want my application users to be authenticated as well as authorised. The authentication works fine, but I want only users from a group (PMG_USER) to be allowed.

I want the user abc@sap.com to access the API only if he is in the PMG_USER group.

However, if I keep the restriction limited to authenticated users only, then it works fine. So somehow, custom user role permissions are not given access, no matter what I try.

The problem is that even though the user has the authority 'display' assigned to them, they are not allowed to access the /client API and instead get a 403 Forbidden, as shown below.

Here is the code:

xs-security.json

{
    "xsappname": "pmgservice",
    "tenant-mode": "dedicated",
    "description": "Security profile of called application",
    "scopes": [
        {
            "name": "$XSAPPNAME.Display",
            "description": "display"
        }
    ],
    "role-templates": [
        {
            "name": "Viewer",
            "description": "To view items",
            "scope-references": [
                "$XSAPPNAME.Display"
            ]
        }
    ],
    "oauth2-configuration": {
        "redirect-uris": [
            "https://*.applicationstudio.cloud.sap/**",
            "https://*.eu10.hana.ondemand.com/**"
        ]
    }
}

WebSecurityConfigAdapter.java

@Override
protected void configure(HttpSecurity http) throws Exception {
    http.cors().and()
            .authorizeRequests()
            // rules are evaluated in order; the first pattern that matches a request decides
            .antMatchers("/*").authenticated()
            .antMatchers("/*").hasAnyAuthority("Display")
            // anything not matched above is rejected
            .anyRequest().denyAll()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // session is created by approuter
            .and().csrf().disable()
            .oauth2ResourceServer()
            .jwt()
            // maps the JWT (scopes) to Spring authorities; converter not shown in the post
            .jwtAuthenticationConverter(getJwtAuthenticationConverter());
}

Cds file exposing a service

@path : 'pmg.svc'
@cds.query.limit.default: 20
@cds.query.limit.max: 100
service PMGService {
    entity client as projection on pmg.client;
}

Cockpit Role Collections: the Viewer role has the Display authority, and the user is mapped to this role.

Attachments

ew.png (50.4 kB)
22.png (15.2 kB)
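Added example (not the poster's code, nor SAP's): a Spring Security 5.x configuration for the same setup, written so that the scope check is actually evaluated. In `authorizeRequests()` the first rule whose pattern matches the request wins, so placing `.antMatchers("/*").authenticated()` before `.antMatchers("/*").hasAnyAuthority("Display")` means the authority rule is never consulted. An Ant pattern `/*` also matches only a single path segment, so a nested path such as `/pmg.svc/client` does not match either rule and falls through to `anyRequest().denyAll()`, which is exactly a 403. The example assumes the xsappname `pmgservice` and the service name `pmg.svc` from the post, a base path of `/pmg.svc` (adjust to the path the CAP runtime really exposes), and an XSUAA token whose `scope` claim lists entries of the form `pmgservice!t<tenant>.Display`; the converter class `XsuaaScopeConverter` is a hypothetical stand-in for whatever `getJwtAuthenticationConverter()` returns in the post.

```java
// Added example, not the poster's code. Assumptions: xsappname "pmgservice" and service
// path "/pmg.svc" (from the post), and an XSUAA JWT whose "scope" claim contains entries
// like "pmgservice!t1234.Display" (app name, tenant suffix, then the scope name).
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

@Configuration
@EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    // Must match "xsappname" in xs-security.json; XSUAA prefixes every scope with "<xsappname>!t<tenant>."
    private static final String XSAPPNAME = "pmgservice";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeRequests()
                // Rules are evaluated top to bottom and the FIRST match wins, so the most
                // specific requirement goes first. "/pmg.svc/**" covers nested paths such as
                // "/pmg.svc/client"; "/*" would only match a single path segment.
                .antMatchers("/pmg.svc/**").hasAuthority("Display")
                // Deny by default: anything not explicitly allowed above is rejected.
                .anyRequest().denyAll()
            .and()
            .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and().csrf().disable()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(new XsuaaScopeConverter(XSAPPNAME));
    }

    /**
     * Hypothetical converter: turns the "scope" claim of an XSUAA JWT into Spring authorities,
     * stripping the "<xsappname>!t<tenant>." prefix so "$XSAPPNAME.Display" becomes "Display".
     * Scopes belonging to other applications are dropped, so a foreign "Display" cannot match.
     */
    static final class XsuaaScopeConverter implements Converter<Jwt, AbstractAuthenticationToken> {
        private final String appName;

        XsuaaScopeConverter(String appName) {
            this.appName = appName;
        }

        @Override
        public AbstractAuthenticationToken convert(Jwt jwt) {
            return new JwtAuthenticationToken(jwt, localAuthorities(jwt.getClaimAsStringList("scope")));
        }

        // Exposed for testing: "pmgservice!t1234.Display" -> "Display"; other apps' scopes are ignored.
        Collection<GrantedAuthority> localAuthorities(List<String> scopes) {
            if (scopes == null) {
                return Collections.emptyList();
            }
            return scopes.stream()
                .filter(s -> s.startsWith(appName + "!") && s.indexOf('.') > 0)
                .map(s -> s.substring(s.indexOf('.') + 1))
                .map(SimpleGrantedAuthority::new)
                .collect(Collectors.toList());
        }
    }
}
```

Whichever converter is used, the string passed to `hasAuthority` must be spelled exactly like the authority the converter emits: the token itself only carries the prefixed form `pmgservice!t<tenant>.Display`, so a converter that does not strip the prefix will never satisfy `hasAuthority("Display")`. Logging the authorities of the resulting `Authentication` once is the quickest way to confirm which form reaches the access decision.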