Skip to Content

Problem with Security Constraints / protected paths for HTML5 application in SAP CP

Jan 18 at 04:59 PM


avatar image

Hi community,

I want to block access to parts of my HTML5 application to certain users using SAP Cloud Platforms "Application Permissions" concept.

For that, I included the following into my neo-app.json

"securityConstraints": [{
		"permission": "myPermission",
		"description": "description",
		"protectedPaths": [

And indeed, it blocks access to "/webapp/index.html/protected/", but "/webapp/index.html#/protected/" (which is automatically used by the UI) and "/webapp/index.html?hc_reset#/protected/" remain unprotected.

I have tried using wildcards and escaping #, but that didn't work.

How can I fix that?

Thank you very much for responding!

10 |10000 characters needed characters left characters exceeded
* Please Login or Register to Answer, Follow or Comment.

2 Answers

Best Answer
Ulrich Rabenstein
Jan 19 at 08:45 AM

I found a (somewhat hacky) workaround. Instead of protecting the path of the specific subpage (as in my question), I am not protecting directly the view and the controller of that page.

"protectedPaths": [

Now, before navigating to that page, I can check the permission by an HTTP request to either of the resources. If the answer is 403 (forbidden), I do not navigate, if it is 200 (ok), I do.

That's probably not the way, it was supposed to be used, but it works at least.

10 |10000 characters needed characters left characters exceeded
Richard Zhao
Jan 19 at 06:27 AM

Hello, Ulrich. Could you try to use /* to indicate the URL you want to protect and use excludedPath to indicate URL you want to ignore. thanks.

"securityConstraints": [
            "permission": "Administrator",
            "description": "Access User Data",
            "protectedPaths": [
            "excludedPaths": [
Show 1 Share
10 |10000 characters needed characters left characters exceeded

Hello Richard, thanks for your time to reply. Unfortunately, I still didn't manage to solve the problem with your answer.