on 07-02-2021 11:27 AM
I want my application users to be authenticated as well as authorised. The authentication works fine, but I want only users from a group (PMG_USER) to be allowed.
I want user abc@sap.com to access the API only if he is in the PMG_USER group.
However, if I keep the restriction limited to authenticated users only, then it works fine. So somehow, custom user role permissions are not given access no matter what I try.
The problem is that even though the user has the authority 'display' assigned to them, they are not being allowed to access the /client API and instead get a 403 Forbidden as below.
xs-security.json
    {
      "xsappname": "pmgservice",
      "tenant-mode": "dedicated",
      "description": "Security profile of called application",
      "scopes": [
        {
          "name": "$XSAPPNAME.Display",
          "description": "display"
        }
      ],
      "role-templates": [
        {
          "name": "Viewer",
          "description": "To view items",
          "scope-references": [
            "$XSAPPNAME.Display"
          ]
        }
      ],
      "oauth2-configuration": {
        "redirect-uris": [
          "https://*.applicationstudio.cloud.sap/**",
          "https://*.eu10.hana.ondemand.com/**"
        ]
      }
    }
WebSecurityConfigAdapter.java
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeRequests()
                .antMatchers("/*").authenticated()
                .antMatchers("/*").hasAnyAuthority("Display")
                .anyRequest().denyAll()
            .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // session is created by approuter
            .and().csrf().disable()
            .oauth2ResourceServer()
                .jwt()
                .jwtAuthenticationConverter(getJwtAuthenticationConverter())
        ;
    }
CDS file exposing a service
    @path : 'pmg.svc'
    @cds.query.limit.default: 20
    @cds.query.limit.max: 100
    service PMGService {
      entity client as projection on pmg.client;
    }
Cockpit Role Collections : Viewer Role has Display authority and the user is mapped to this Role.
Please consider using CAP's declarative role-based authorization, as described here: https://cap.cloud.sap/docs/java/security#role-based-auth and here: https://cap.cloud.sap/docs/guides/authorization#requires
In Java this will free you from defining your own Spring Security Config, as CAP Java is able to auto-configure everything for you based on the CDS model.
For more details refer to the full CAP Java Security guide: https://cap.cloud.sap/docs/java/
If you still decide to use your own custom security configuration you can take a look here, maybe this helps: https://cap.cloud.sap/docs/java/security#custom-spring-security-config
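The declarative approach the answer above recommends, applied to the poster's own service, as an added example that is not part of the question or the answer. It assumes the scope `$XSAPPNAME.Display` from the poster's xs-security.json: with XSUAA, CAP derives the role name from the scope name by stripping the `$XSAPPNAME.` prefix, so the role is called `Display`.

```cds
// Added example (not from the original post or answer): the poster's
// PMGService with CAP's declarative authorization instead of a
// hand-written Spring Security configuration.
@path : 'pmg.svc'
@cds.query.limit.default: 20
@cds.query.limit.max: 100
// Every request to the service needs the role 'Display'. With XSUAA the
// role name is the scope name without the $XSAPPNAME prefix, so this
// matches the scope "$XSAPPNAME.Display" declared in xs-security.json.
// Unauthenticated callers get 401, authenticated callers without the
// role get 403; no matcher ordering or path pattern is involved.
@requires: 'Display'
service PMGService {
  // Optional finer-grained rule on one entity: only READ is granted, and
  // only to holders of the 'Display' role. Once @restrict is present,
  // any operation not covered by a grant (e.g. CREATE) is rejected
  // with 403 even for users who hold the role.
  @restrict: [{ grant: 'READ', to: 'Display' }]
  entity client as projection on pmg.client;
}
```

With the service annotated this way, the custom `WebSecurityConfigAdapter` from the question can be removed so that CAP Java's auto-configuration takes over, which is what the answer suggests; the Viewer role collection assignment in the cockpit stays as it is, since it is what puts the `Display` scope into the user's token.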