403 Forbidden error in CAP app when accessing from BTP

former_member8532
Participant
0 Kudos

Hi All,

We get a 403 Forbidden error in the CAP app when accessing it from BTP, either from the HTML5 Applications section or from a Portal site in BTP. The application works fine when tested locally from the BAS tool using a mock user.

The CAP service accesses the SAP HANA Cloud DB based on the Department attribute configuration. It displays data when tested locally based on the Department attribute, but returns a 403 error when accessed from SAP BTP after deployment. The required Reader role is assigned to the user.

Please suggest.

xs-security.json

{
    "xsappname": "demoapp",
    "tenant-mode": "dedicated",
    "description": "authorization check",
    "scopes": [
        {
            "name": "$XSAPPNAME.Reader",
            "description": "Reader"
        }
    ],
    "attributes": [
        {
            "name": "Department",
            "description": "Department",
            "valueType": "s",
            "valueRequired": false
        }
    ],
    "role-templates": [
        {
            "name": "Reader",
            "description": "Reader",
            "scope-references": [
                "$XSAPPNAME.Reader"
            ],
            "attribute-references": [
                "Department"
            ]
        },
        {
            "name": "Token_Exchange",
            "description": "UAA",
            "scope-references": [
                "uaa.user"
            ]
        }
    ],
    "oauth2-configuration": {
        "token-validity": 3600
    }
}

xs-app.json

{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "routes": [
    {
        "source": "^/abc/(.*)$",
        "csrfProtection": false,
        "authenticationType": "xsuaa",
        "scope": "$XSAPPNAME.Reader",
        "destination": "demoapp-srv"
    },
    {
      "source": "^/resources/(.*)$",
      "target": "/resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^/test-resources/(.*)$",
      "target": "/test-resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}

service.cds

using {test_order} from '../db/test';

service testService @(requires: 'authenticated-user') {
    entity testentity @(restrict : [
        {
            grant : 'READ',
            to    : 'Reader',
            where : 'department = $user.Department'
        }
    ]) as projection on test_order.testentity;
};

Regards.

Punit
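
As an added illustration (not code from this thread, from CAP or from xsuaa), the snippet below models the authorization chain that the posted xs-security.json and service.cds set up: a JWT carries scopes and attributes, CAP turns the scopes of this application into roles, `@requires: 'authenticated-user'` rejects anonymous calls with 401, and `@restrict` rejects an authenticated user who lacks the `Reader` role with 403 before the `$user.Department` filter is ever built. The tenant suffix `!t1234`, the sample tokens and the handling of a missing attribute (treated here as "matches no rows") are constructed assumptions; the model only understands `where` clauses of the form `column = $user.attr`.

```javascript
// Added example: a small model of the xsuaa -> CAP authorization chain for the
// service.cds and xs-security.json posted above. Assumptions are marked.

// Constructed: at deployment xsuaa substitutes "<xsappname>!t<tenant index>" for
// $XSAPPNAME, so the Reader scope in a JWT reads "demoapp!t1234.Reader" (index made up).
const XSAPPNAME = "demoapp!t1234";

// The annotations from service.cds, as plain data.
const requires = "authenticated-user";
const restrict = [{ grant: "READ", to: "Reader", where: "department = $user.Department" }];

// Scopes of this application become CAP roles with the "<xsappname>." prefix stripped;
// foreign scopes such as "uaa.user" or another app's Reader scope are not roles here.
function rolesFromScopes(scopes) {
  const prefix = XSAPPNAME + ".";
  return scopes.filter((s) => s.startsWith(prefix)).map((s) => s.slice(prefix.length));
}

// Build the row-level condition for a where clause of the form "<column> = $user.<attr>".
// xsuaa attributes arrive as arrays, so several values become an IN list.
// Assumption: a user without the attribute gets a condition that selects no rows ("1 = 0").
function buildFilter(where, attrs) {
  const m = /^(\w+)\s*=\s*\$user\.(\w+)$/.exec(where.trim());
  if (!m) throw new Error("unsupported where clause in this model: " + where);
  const [, column, attrName] = m;
  const values = attrs[attrName];
  if (!values || values.length === 0) return "1 = 0";
  const quoted = values.map((v) => "'" + String(v).replace(/'/g, "''") + "'");
  return quoted.length === 1 ? `${column} = ${quoted[0]}` : `${column} IN (${quoted.join(", ")})`;
}

// Decide how the runtime treats `event` ("READ", "UPDATE", ...) for `user`.
// user = null models an anonymous request; otherwise
// user = { scopes: [...], attributes: { Department: [...] } }.
// Returns { status: 401 } or { status: 403 }, or { status: 200, filter }.
function authorize(user, event) {
  if (requires === "authenticated-user" && !user) return { status: 401 }; // not logged in
  const roles = rolesFromScopes(user.scopes || []);
  const grants = restrict.filter((r) => r.grant === event && roles.includes(r.to));
  if (grants.length === 0) return { status: 403 }; // authenticated, but no matching role
  return { status: 200, filter: buildFilter(grants[0].where, user.attributes || {}) };
}

// Constructed sample tokens: one with the Reader scope and attribute, one with only
// the generic xsuaa scopes a logged-in user always has.
function demo() {
  const reader = { scopes: ["demoapp!t1234.Reader", "uaa.user"], attributes: { Department: ["Sales"] } };
  const loggedInOnly = { scopes: ["uaa.user", "openid"] };
  console.log("anonymous   ->", authorize(null, "READ"));          // { status: 401 }
  console.log("no Reader   ->", authorize(loggedInOnly, "READ"));  // { status: 403 }
  console.log("Reader      ->", authorize(reader, "READ"));        // { status: 200, filter: "department = 'Sales'" }
}
demo();
```

The point the model makes concrete: a 403 from the CAP runtime means the user was authenticated but the token did not contain the scope that maps to the `Reader` role; a role collection that is assigned to the user but does not actually include the generated `Reader` role (or a token issued before the assignment was made) produces exactly this picture.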

gregorw
Active Contributor
0 Kudos

How is the destination from your approuter to the CAP backend configured in the mta.yaml?

former_member8532
Participant
0 Kudos

Hi Gregor,

Below is the MTA.yaml section.

modules:
- name: demoapp-srv
  type: nodejs
  path: gen/srv
  requires:
  - name: demoapp-uaa
  - name: demoapp-db
  provides:
  - name: srv-api
    properties:
      srv-url: ${default-url}
  parameters:
    buildpack: nodejs_buildpack
    disk-quota: 1024M
    memory: 512M

resources:
- name: demoapp-uaa
  type: org.cloudfoundry.managed-service
  parameters:
    path: ./xs-security.json
    service: xsuaa
    service-plan: application
- name: demoapp-db
  type: com.sap.xs.hdi-container
  parameters:
    service: hana
    service-plan: hdi-shared
  properties:
    hdi-service-name: ${service-name}

gregorw
Active Contributor
0 Kudos

You did not provide the approuter module.

former_member8532
Participant
0 Kudos

Hi Gregor,

We are using the managed app router. We have only the modules below. There is no module of type approuter.nodejs. We have db-deployer, srv, html5, fiori, ui-deployer, dest-content and app (of type html5) modules.

Please suggest.

Regards.

Punit

0 Kudos

Hi Punit,

Could you please share the request URL and the error message from the response? The test user is definitely authenticated, but it seems the 'Reader' scope is missing.

Regards,

Matthias

former_member8532
Participant
0 Kudos

Hi Matthias,

Below is the request URL and response is forbidden. We have assigned the role collection with reader scope.

https://*******.launchpad.cfapps.****.hana.ondemand.com/"aplhanumeric"."capprojectname"-service."app... name"/$metadata?sap-language=EN

Regards.

Punit

0 Kudos

Hi Punit,

The runtime doesn't do an authorization check on $metadata endpoints. It would also return a meaningful error message text. I assume the AppRouter is rejecting the request. Can you check the AppRouter logs as well? Does your URL fit the route with source "^/abc/(.*)$"?

Regards

Matthias
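
To make the route question above concrete, here is an added simulation (not the approuter's own code and not from this thread) of what the approuter does with the xs-app.json posted in the question: routes are tried in order and the first matching `source` wins; a route with `authenticationType: "none"` is forwarded without a token; a route with a `scope` rejects a token that lacks it with 403 before the request ever reaches the CAP service. The tenant suffix `!t1234` and the sample paths and tokens are constructed; 401 stands in for the login redirect the approuter actually issues. The last function is a configuration check that every scope referenced by a route is declared in xs-security.json.

```javascript
// Added example: simulate approuter route selection and scope enforcement for the
// xs-app.json posted in the question. Assumptions are marked.

// The routes exactly as posted, in order.
const routes = [
  { source: "^/abc/(.*)$", csrfProtection: false, authenticationType: "xsuaa", scope: "$XSAPPNAME.Reader", destination: "demoapp-srv" },
  { source: "^/resources/(.*)$", target: "/resources/$1", authenticationType: "none", destination: "ui5" },
  { source: "^/test-resources/(.*)$", target: "/test-resources/$1", authenticationType: "none", destination: "ui5" },
  { source: "^(.*)$", target: "$1", authenticationType: "xsuaa", service: "html5-apps-repo-rt" },
];

// Constructed tenant-suffixed xsappname that xsuaa substitutes for $XSAPPNAME.
const XSAPPNAME = "demoapp!t1234";

// The "scopes" section of the posted xs-security.json, by name.
const declaredScopes = ["$XSAPPNAME.Reader"];

// First route whose source regex matches the request path, or null.
function matchRoute(path) {
  return routes.find((r) => new RegExp(r.source).test(path)) || null;
}

// Decide how the approuter treats a request.
// token = null models a request without a session; otherwise token = { scopes: [...] }.
// Returns { status: 404 | 401 | 403 | 200, route, target, required }.
function approuterDecision(path, token) {
  const route = matchRoute(path);
  if (!route) return { status: 404 };
  const target = route.destination || route.service;
  if (route.authenticationType === "none") return { status: 200, route: route.source, target };
  if (!token) return { status: 401, route: route.source }; // stands for the login redirect
  if (route.scope) {
    const required = route.scope.replace("$XSAPPNAME", XSAPPNAME);
    if (!(token.scopes || []).includes(required)) {
      return { status: 403, route: route.source, required }; // scope check fails at the approuter
    }
  }
  return { status: 200, route: route.source, target };
}

// Configuration check: a route scope that no xs-security.json scope declares can
// never be present in a token, so such a route is unreachable for everyone.
function undeclaredRouteScopes() {
  return routes.filter((r) => r.scope && !declaredScopes.includes(r.scope)).map((r) => r.scope);
}

// Constructed requests: the same $metadata call under the /abc/ prefix and without it.
function demo() {
  const loggedInOnly = { scopes: ["uaa.user", "openid"] };
  const reader = { scopes: ["demoapp!t1234.Reader", "uaa.user"] };
  console.log(approuterDecision("/abc/testService/$metadata", loggedInOnly)); // 403, Reader scope required
  console.log(approuterDecision("/abc/testService/$metadata", reader));       // 200 -> demoapp-srv
  console.log(approuterDecision("/testService/$metadata", loggedInOnly));     // 200 -> html5-apps-repo-rt
  console.log(undeclaredRouteScopes());                                        // []
}
demo();
```

Two things the simulation shows: a 403 on the `/abc/` route is produced by the approuter itself when the `$XSAPPNAME.Reader` scope is absent from the token (the approuter log will show it, the CAP log will not), and a path that is not under `/abc/` falls through to the catch-all `^(.*)$` route and is served from the HTML5 repository, never from `demoapp-srv`, so an unexpected response on such a URL is a routing problem rather than an authorization one.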

smorenod
Explorer
0 Kudos

Hi punit.pawar, I have the same problem. Could you solve it?

rgadirov
Participant
0 Kudos

Hi punit.pawar, hi gregor.wolf ,

I have exactly the same issue with the managed app router and central launchpad. I didn't have this issue before. I put the requires annotation on the catalog service and afterwards annotated it with grants to specific roles (admin, employee etc.) like in your examples. Somehow the roles that I assigned are not being recognized, but the roles have been generated on BTP. With the local app router, I didn't have this problem back then.

@requires : 'authenticated-user'
@punit.pawar Maybe you already found a solution.
BR & Thank you!
Rufat

Accepted Solutions (0)

Answers (2)

former_member758604
Discoverer
0 Kudos

Hi,

Was there any solution for the above query? I am getting the same issue.

I am trying to access the scim/User service. It worked perfectly fine in BAS, but once deployed to the cloud, it gives a 403 error.

Thanks in advance!

rgadirov
Participant
0 Kudos

Hi supri53,

Did you assign the OAuth Token Exchange role as well (Token_Exchange)?

I got the same error because I only had assigned the generated roles, but in addition you have to assign the token exchange as well.

Then restart BTP, clear cache and try again.

BR
Rufat

SG
Explorer
0 Kudos

Hi, I am also facing the same issue. I have created and deployed an application from BAS to a Cloud Foundry space as an HTML5 application. The data from the Cloud Connector destination is fetched from BAS when I use the curl command. Also, the preview of the application is displayed correctly. But when I deploy it to the cloud I am not able to get the data from the on-premise system using Cloud Connector. When I debugged the call in Google Chrome, I got a 403 Forbidden error and the reference policy as Strict-Origin-Cross-Origin.

Any help in resolving this issue would be appreciated.

gregorw
Active Contributor
0 Kudos

I would suggest you give that example a try: central-launchpad-cap/tree/add-authentication and learn from it.