Jul 02 at 10:27 AM

CAP /spring authentication with authorisation


I want my application users to be authenticated as well as authorised. The authentication works fine, but I want only users from a group (PMG_USER) to be allowed.

I want the user to access the API only if he is in the PMG_USER group.

However, if I keep the restriction limited to authenticated users only, then it works fine. So somehow, custom user role permissions are not given access no matter what I try.

The problem is that even though the user has the authority 'display' assigned to them, they are not being allowed to access the /client API and instead get a 403 Forbidden as below.

Here is the code:


xs-security.json:

    {
        "xsappname": "pmgservice",
        "tenant-mode": "dedicated",
        "description": "Security profile of called application",
        "scopes": [
            {
                "name": "$XSAPPNAME.Display",
                "description": "display"
            }
        ],
        "role-templates": [
            {
                "name": "Viewer",
                "description": "To view items",
                "scope-references": ["$XSAPPNAME.Display"]
            }
        ],
        "oauth2-configuration": {
            "redirect-uris": ["<redirect-uri not shown in the original post>"]
        }
    }

Spring Security configuration:

    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS); // session is created by approuter
    }

Cds file exposing a service

using pmg from '../db/schema'; // import path assumed; the original post does not show it
@path : 'pmg.svc'
@cds.query.limit.default: 20
@cds.query.limit.max: 100
service PMGService {
    entity client as projection on pmg.client;
}

Cockpit Role Collections: the Viewer role has the Display authority and the user is mapped to this role.


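An added example, not the poster's code, showing how the rule for /client can be tied to the Display scope declared in the xs-security.json above using the standard Spring Security OAuth2 resource-server API. It assumes XSUAA places scopes in the JWT's `scope` claim as `<xsappname>.<scope>` (here `pmgservice.Display`), that the class name and the hard-coded xsappname are placeholders for the real binding, and that the point to check is the match between the scope name `Display` and the description `display`, which never appears in the token.

```java
import java.util.List;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

@EnableWebSecurity
public class ClientApiSecurityConfig extends WebSecurityConfigurerAdapter {

    // Assumed: the xsappname from xs-security.json. XSUAA issues scopes as "<xsappname>.<scope>";
    // in a real deployment read the bound xsappname (it may carry a tenant suffix) instead of hard-coding it.
    static final String XSAPPNAME = "pmgservice";

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // session is owned by the approuter
            .and().authorizeRequests()
                // match the scope *name* "Display"; the description "display" is never part of the token
                .antMatchers("/client/**").hasAuthority("Display")
                .anyRequest().authenticated()
            .and().oauth2ResourceServer()
                .jwt().jwtAuthenticationConverter(scopeConverter());
    }

    /** Turns the token's "scope" claim into authorities, stripping the xsappname prefix. */
    static Converter<Jwt, AbstractAuthenticationToken> scopeConverter() {
        return jwt -> {
            List<String> scopes = jwt.getClaimAsStringList("scope");
            List<GrantedAuthority> authorities = (scopes == null ? List.<String>of() : scopes).stream()
                .filter(s -> s.startsWith(XSAPPNAME + "."))   // ignore foreign scopes such as "openid"
                .<GrantedAuthority>map(s -> new SimpleGrantedAuthority(s.substring(XSAPPNAME.length() + 1)))
                .collect(Collectors.toList());
            return new JwtAuthenticationToken(jwt, authorities);
        };
    }
}
```

A quick way to confirm what the converter sees is to decode the bearer token sent by the approuter and compare its `scope` array with the string passed to `hasAuthority`.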