CAP /spring authentication with authorisation


I want my application users to be authenticated as well as authorised. The authentication works fine, but I want only users from a group (PMG_USER) to be allowed.

I want user abc@sap.com to access the API only if he is in the PMG_USER group.

However, if I keep the restriction limited to authenticated users only, then it works fine. So somehow, custom user role permissions are not given access no matter what I try.

The problem is that even though the user has the authority 'display' assigned to them, they are not being allowed to access the /client API and instead get a 403 Forbidden, as below.

Here is the code:

xs-security.json

{
    "xsappname": "pmgservice",
    "tenant-mode": "dedicated",
    "description": "Security profile of called application",
    "scopes": [
        {
            "name": "$XSAPPNAME.Display",
            "description": "display"
        }
    ],
    "role-templates": [
        {
            "name": "Viewer",
            "description": "To view items",
            "scope-references": [
                "$XSAPPNAME.Display"
            ]
        }
    ],
    "oauth2-configuration": {
        "redirect-uris": [
            "https://*.applicationstudio.cloud.sap/**",
            "https://*.eu10.hana.ondemand.com/**"
        ]
    }
}

WebSecurityConfigAdapter.java

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;

@Configuration
@EnableWebSecurity
public class WebSecurityConfigAdapter extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.cors().and()
            .authorizeRequests()
            // Spring evaluates these rules in order and stops at the first pattern that
            // matches, so this rule answers for "/*" and the hasAnyAuthority rule below
            // is never consulted.
            .antMatchers("/*").authenticated()
            .antMatchers("/*").hasAnyAuthority("Display")
            // "/*" matches a single path segment only; a request to "/pmg.svc/client"
            // matches neither rule above and falls through to denyAll (403).
            .anyRequest().denyAll()
            .and()
            .sessionManagement()
            .sessionCreationPolicy(SessionCreationPolicy.STATELESS) // session is created by approuter
            .and().csrf().disable()
            .oauth2ResourceServer()
            .jwt()
            .jwtAuthenticationConverter(getJwtAuthenticationConverter()); // defined elsewhere in the posted class
    }
}

Cds file exposing a service

@path : 'pmg.svc'
@cds.query.limit.default: 20
@cds.query.limit.max: 100
service PMGService {
    entity client as projection on pmg.client;
}

Cockpit Role Collections : Viewer Role has Display authority and the user is mapped to this Role.

Accepted Solutions (0)

Answers (1)


marcbecker
Contributor

Please consider using CAP's declarative role-based authorization, as described here: https://cap.cloud.sap/docs/java/security#role-based-auth and here: https://cap.cloud.sap/docs/guides/authorization#requires

In Java this will free you from defining your own Spring Security Config, as CAP Java is able to auto-configure everything for you based on the CDS model.

For more details refer to the full CAP Java Security guide: https://cap.cloud.sap/docs/java/

If you still decide to use your own custom security configuration you can take a look here, maybe this helps: https://cap.cloud.sap/docs/java/security#custom-spring-security-config
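The declarative approach the answer recommends, written out for the service in the question as an added example (not code from the original post or from the CAP project). It assumes the scope `$XSAPPNAME.Display` from the posted xs-security.json: CAP Java strips the `$XSAPPNAME.` prefix from XSUAA scopes, so that scope appears as the user role `Display`. The `using` path and the second role `Admin` are assumptions for illustration.

```cds
// Added example: CAP declarative authorization for PMGService.
// Assumes the scope "$XSAPPNAME.Display" from the posted xs-security.json,
// which CAP Java exposes as the user role 'Display'.
using { pmg } from '../db/schema';   // assumed location of the pmg.client entity

@path : 'pmg.svc'
@cds.query.limit.default: 20
@cds.query.limit.max: 100
// Service level: any request must carry a valid token, otherwise CAP answers 401.
@requires: 'authenticated-user'
service PMGService {

    // Entity level: READ needs the 'Display' role (the posted scope),
    // writes need an 'Admin' role (assumed here to show a second grant).
    // A user without a matching role gets 403 from CAP itself; no custom
    // WebSecurityConfigurerAdapter is needed.
    @restrict: [
        { grant: 'READ',                         to: 'Display' },
        { grant: ['CREATE', 'UPDATE', 'DELETE'], to: 'Admin' }
    ]
    entity client as projection on pmg.client;
}
```

With this model the Spring Security class from the question can be deleted; the CAP Java runtime auto-configures authentication from the bound XSUAA instance and enforces the `@requires`/`@restrict` annotations per request. To keep xs-security.json in step with the roles used in the model, generate it from the CDS sources with `cds compile srv --to xsuaa` rather than maintaining scopes and role templates by hand, then check that the Cockpit role collection assigned to abc@sap.com references the `Display` scope (via the Viewer role template) and that the token presented to the service actually carries `pmgservice.Display` in its `scope` claim.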