Skip to Content
0
Jan 09 at 09:22 PM

403 Forbidden error in CAP app when accessing from BTP

558 Views Last edit Jan 09 at 09:24 PM 4 rev

Hi All,

403 Forbidden error in CAP app when accessing from BTP either from HTML5 Application section or from Portal site in BTP. The application is working fine if testing locally from BAS tool using mock user .

The CAP service is accessing SAP HANA Cloud DB based on department attribute configuration. It’s displaying data when testing locally based on Department attribute but 403 error when accessing from SAP BTP after deployment. The required reader role is assigned to user.

Please suggest.

xs-security.json

{
    "xsappname": "demoapp",
    "tenant-mode": "dedicated",
    "description": "authorization check",
    "scopes": [
        {
            "name": "$XSAPPNAME.Reader",
            "description": "Reader"
        }
    ],
    "attributes": [
        {
            "name": "Department",
            "description": "Department",
            "valueType": "s",
            "valueRequired": false
        }
    ],
    "role-templates": [
        {
            "name": "Reader",
            "description": "Reader",
            "scope-references": [
                "$XSAPPNAME.Reader"
            ],
            "attribute-references": [
                "Department"
            ]
        }
        {
            "name": "Token_Exchange",
            "description": "UAA",
            "scope-references": [
                "uaa.user"
            ]
        }
    ],
    "oauth2-configuration": {
        "token-validity": 3600
    }
}

xs-app.json

{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "routes": [
    {
        "source": "^/abc/(.*)$",
        "csrfProtection": false,
        "authenticationType": "xsuaa",
        "scope": "$XSAPPNAME.Reader",
        "destination": "demoapp-srv"
    },
    {
      "source": "^/resources/(.*)$",
      "target": "/resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^/test-resources/(.*)$",
      "target": "/test-resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}

service.cds

using {test_order} from '../db/test';

service testService @(requires: 'authenticated-user') {
    entity testentity @(restrict : [
        {
            grant : 'READ',
            to    : 'Reader',
            where : 'department = $user.Department'
        }
    ]) as projection on test_order.testentity;
};

Regards.

Punit