
Problem with Security Constraints / protected paths for HTML5 application in SAP CP

Hi community,

I want to block access to parts of my HTML5 application for certain users using SAP Cloud Platform's "Application Permissions" concept.

For that, I included the following into my neo-app.json

"securityConstraints": [{
    "permission": "myPermission",
    "description": "description",
    "protectedPaths": [
        "/webapp/index.html?hc_reset#/protected/",
        "/webapp/index.html/protected/",
        "/webapp/index.html#/protected/"
    ]
}]

And indeed, it blocks access to "/webapp/index.html/protected/", but "/webapp/index.html#/protected/" (which is automatically used by the UI) and "/webapp/index.html?hc_reset#/protected/" remain unprotected.

I have tried using wildcards and escaping #, but that didn't work.

How can I fix that?

Thank you very much for responding!


2 Answers

  • Best Answer
    Jan 19 at 08:45 AM

    I found a (somewhat hacky) workaround. Instead of protecting the path of the specific subpage (as in my question), I am now directly protecting the view and the controller of that page.

    "protectedPaths": [
        "/webapp/controller/page.controller.js",
        "/webapp/view/page.view.xml"
    ],
    

    Now, before navigating to that page, I can check the permission by an HTTP request to either of the resources. If the answer is 403 (forbidden), I do not navigate; if it is 200 (ok), I do.

    That's probably not the way it was supposed to be used, but it works at least.

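Why the two hash-routed entries in the question can never match, and how the accepted workaround's probe fits into a router, as an added example (editor's code, not from the thread and not SAP's implementation). The browser never sends the fragment (everything from `#`) in an HTTP request, so a server-side path rule only ever sees `/webapp/index.html` plus the query string; the prefix matcher below is a simplified stand-in for the platform's real rule to make that visible. `PROBE_URL`, `routeFor` and the fake `fetch` are constructed for illustration and assume a UI5-style app served under `/webapp`:

```javascript
// Added example by the editor; not code from the original thread or from SAP.
// Assumes a UI5-style app served under /webapp and a constructed probe URL
// (PROBE_URL) pointing at a resource listed in protectedPaths. The fetch
// implementation is injected so the logic runs offline against a fake server.

// The three protectedPaths entries from the question.
const QUESTION_PATHS = [
  "/webapp/index.html?hc_reset#/protected/",
  "/webapp/index.html/protected/",
  "/webapp/index.html#/protected/",
];

// What a server sees for a navigation URL: path plus query string. The
// fragment ("#...") is never transmitted in the HTTP request, so it is dropped.
function serverVisiblePath(absoluteUrl) {
  const u = new URL(absoluteUrl);
  return u.pathname + u.search; // u.hash intentionally omitted
}

// Simplified prefix rule standing in for a server-side protectedPaths check
// (illustrative; not SAP's actual matcher). It can only match on what the
// server receives, which is why the hash-routed entries never match.
function isProtectedOnServer(absoluteUrl, protectedPaths) {
  const seen = serverVisiblePath(absoluteUrl);
  return protectedPaths.some((p) => seen.startsWith(p));
}

// Workaround from the accepted answer: probe a protected static resource and
// let the status decide. 200 = allowed, 401/403 = denied; anything else is an
// error rather than a silent allow.
function allowByStatus(status, redirected) {
  // A platform that redirects to a login page answers 200 once fetch has
  // followed the redirect; treat that as "not allowed", not as permission.
  if (redirected) return false;
  if (status === 200) return true;
  if (status === 401 || status === 403) return false;
  throw new Error(`unexpected status ${status} from permission probe`);
}

const PROBE_URL = "/webapp/controller/page.controller.js"; // constructed

async function canNavigate(fetchImpl, probeUrl) {
  const res = await fetchImpl(probeUrl, {
    method: "GET",
    credentials: "same-origin", // send the session cookie
    cache: "no-store",          // never reuse a cached 200 from an earlier session
  });
  return allowByStatus(res.status, res.redirected);
}

// Constructed fake fetch: only a user with the permission gets 200 for the
// protected resource; everything else is served normally.
function makeFakeFetch(userHasPermission, redirectsToLogin = false) {
  return async (url) => {
    const isProtected = url.startsWith(PROBE_URL);
    if (isProtected && !userHasPermission) {
      return redirectsToLogin
        ? { status: 200, redirected: true }
        : { status: 403, redirected: false };
    }
    return { status: 200, redirected: false };
  };
}

// Router gate: resolve to the route that should actually be shown.
async function routeFor(fetchImpl, wantedRoute) {
  if (wantedRoute !== "protected") return wantedRoute;
  return (await canNavigate(fetchImpl, PROBE_URL)) ? "protected" : "notAuthorized";
}

// Demo when run directly with Node.
for (const p of QUESTION_PATHS) {
  const abs = "https://example.invalid" + p;
  console.log(p, "-> server sees", serverVisiblePath(abs),
    "| protected:", isProtectedOnServer(abs, QUESTION_PATHS));
}
routeFor(makeFakeFetch(false), "protected").then((r) => console.log("without permission ->", r));
routeFor(makeFakeFetch(true), "protected").then((r) => console.log("with permission ->", r));
```

The probe is a usability gate, not the enforcement point: the server's 403 on the view and controller resources is what actually keeps the page's code from unauthorized users, and someone who types the hash route by hand still gets no further than that 403. Back-end services the page calls are not covered by this and need their own protection. `cache: "no-store"` stops a cached 200 from an earlier session being read as permission, and the `redirected` check matters because a redirect to a login page also ends in a 200.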

  • Jan 19 at 06:27 AM

    Hello, Ulrich. Could you try using /* to indicate the URL you want to protect and excludedPaths to indicate the URLs you want to ignore? Thanks.

    "securityConstraints": [
        {
            "permission": "Administrator",
            "description": "Access User Data",
            "protectedPaths": [
                "/*"
            ],
            "excludedPaths": [
                "/logout/**"
            ]
        }
    ]
    