403 Forbidden error in CAP app when accessing from BTP

former_member8532
Participant
0 Kudos

Hi All,

403 Forbidden error in CAP app when accessing from BTP, either from the HTML5 Applications section or from a Portal site in BTP. The application is working fine if testing locally from the BAS tool using a mock user.

The CAP service is accessing SAP HANA Cloud DB based on department attribute configuration. It’s displaying data when testing locally based on Department attribute but 403 error when accessing from SAP BTP after deployment. The required reader role is assigned to user.

Please suggest.

xs-security.json

{
    "xsappname": "demoapp",
    "tenant-mode": "dedicated",
    "description": "authorization check",
    "scopes": [
        {
            "name": "$XSAPPNAME.Reader",
            "description": "Reader"
        }
    ],
    "attributes": [
        {
            "name": "Department",
            "description": "Department",
            "valueType": "s",
            "valueRequired": false
        }
    ],
    "role-templates": [
        {
            "name": "Reader",
            "description": "Reader",
            "scope-references": [
                "$XSAPPNAME.Reader"
            ],
            "attribute-references": [
                "Department"
            ]
        },
        {
            "name": "Token_Exchange",
            "description": "UAA",
            "scope-references": [
                "uaa.user"
            ]
        }
    ],
    "oauth2-configuration": {
        "token-validity": 3600
    }
}

xs-app.json

{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "routes": [
    {
        "source": "^/abc/(.*)$",
        "csrfProtection": false,
        "authenticationType": "xsuaa",
        "scope": "$XSAPPNAME.Reader",
        "destination": "demoapp-srv"
    },
    {
      "source": "^/resources/(.*)$",
      "target": "/resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^/test-resources/(.*)$",
      "target": "/test-resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}

service.cds

using {test_order} from '../db/test';

service testService @(requires: 'authenticated-user') {
    entity testentity @(restrict : [
        {
            grant : 'READ',
            to    : 'Reader',
            where : 'department = $user.Department'
        }
    ]) as projection on test_order.testentity;
};

Regards.

Punit

Accepted Solutions (0)

Answers (3)

MPaulCalvin
Newcomer
0 Kudos

Compare the URLs of the GET and POST requests by debugging in the browser during the call. The POST URL will be missing some parts that the GET URL contains. You can hardcode the missing part in your program for the POST call. This should resolve the issue.  

Debug and find the missing part of url:

MPaulCalvin_0-1725987790080.png

 

ADD the missing part to your POST URL in code:

MPaulCalvin_1-1725554603911.png


Calvin.

SAP Technical Lead.

 

former_member758604
Discoverer
0 Kudos

Hi,

Was there any solution for the above query? I am getting the same issue.

I am trying to access the scim/User service. It worked perfectly fine in BAS, but once deployed to the cloud, it is giving a 403 error.

Thanks in advance!

rgadirov
Participant
0 Kudos

Hi supri53,

Did you assign the OAuth Token Exchange role as well (Token_Exchange)?

I got the same error because I had only assigned the generated roles, but in addition you have to assign the token exchange as well.

Then restart BTP, clear the cache and try again.

BR
Rufat
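
Added example, not part of the thread and not SAP's code: a Node.js check that compares the claims in the token issued to the deployed app against the `Reader` role template from the posted xs-security.json. The claim names `scope` and `xs.user.attributes`, the runtime app id `demoapp!t0000`, and both sample tokens are assumptions constructed for illustration.

```javascript
// Added diagnostic example. The payload is decoded WITHOUT signature verification:
// use it for troubleshooting only, never to make an authorization decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT (expected 3 segments)');
  const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Compare one role template from xs-security.json with the claims in the token.
// xsappname: runtime app id from the XSUAA binding (assumed shape "demoapp!t0000").
function diagnoseToken(jwt, xsSecurity, templateName, xsappname) {
  const template = xsSecurity['role-templates'].find(t => t.name === templateName);
  if (!template) throw new Error(`role template ${templateName} not found`);
  const payload = decodeJwtPayload(jwt);
  const granted = new Set(payload.scope || []);             // assumed claim: scope[]
  const attrs = payload['xs.user.attributes'] || {};        // assumed claim: { name: [values] }
  const missingScopes = (template['scope-references'] || [])
    .map(s => s.replace('$XSAPPNAME', () => xsappname))
    .filter(s => !granted.has(s));
  const missingAttributes = (template['attribute-references'] || [])
    .map(a => (typeof a === 'string' ? a : a.name))
    .filter(n => !Array.isArray(attrs[n]) || attrs[n].length === 0);
  return { missingScopes, missingAttributes };
}

// Constructed sample data: the Reader template from the posted xs-security.json
// and two unsigned tokens built only for this illustration.
const xsSecurity = { 'role-templates': [{
  name: 'Reader',
  'scope-references': ['$XSAPPNAME.Reader'],
  'attribute-references': ['Department']
}] };
const b64url = obj => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeToken = claims => [b64url({ alg: 'none' }), b64url(claims), 'constructed'].join('.');

const tokenWithoutRole = makeToken({ scope: ['openid'], 'xs.user.attributes': {} });
const tokenWithRole = makeToken({
  scope: ['openid', 'demoapp!t0000.Reader'],
  'xs.user.attributes': { Department: ['Sales'] }
});

console.log(diagnoseToken(tokenWithoutRole, xsSecurity, 'Reader', 'demoapp!t0000'));
console.log(diagnoseToken(tokenWithRole, xsSecurity, 'Reader', 'demoapp!t0000'));
```

A non-empty `missingScopes` means the `scope` check on the `^/abc/(.*)$` route in xs-app.json cannot pass for that token; a missing `Department` means `$user.Department` has no value for the `where` condition in service.cds.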

SG
Explorer
0 Kudos

Hi, I am also facing the same issue. I have created and deployed an application from BAS to a Cloud Foundry space as an HTML5 application. The data from the Cloud Connector destination is fetched from BAS when I use the curl command. Also, the preview of the application is displayed correctly. But when I deploy it to the cloud, I am not able to get the data from the on-premises system using Cloud Connector. When I debugged the call in Google Chrome, I am getting a 403 Forbidden error and the reference Policy as Strict-Origin-Cross-Origin

SG_1-1709765446002.png

Any help in resolving this issue would be appreciated.

gregorw
Active Contributor
0 Kudos

I would suggest you give that example a try: central-launchpad-cap/tree/add-authentication and learn from it.