2022 Jan 09 9:22 PM - edited 2024 Feb 04 2:49 AM
Hi All,
403 Forbidden error in CAP app when accessing from BTP, either from the HTML5 Application section or from a Portal site in BTP. The application is working fine if testing locally from the BAS tool using a mock user.
The CAP service is accessing the SAP HANA Cloud DB based on the Department attribute configuration. It's displaying data when testing locally based on the Department attribute but gives a 403 error when accessing from SAP BTP after deployment. The required Reader role is assigned to the user.
Please suggest.
xs-security.json
{
  "xsappname": "demoapp",
  "tenant-mode": "dedicated",
  "description": "authorization check",
  "scopes": [
    {
      "name": "$XSAPPNAME.Reader",
      "description": "Reader"
    }
  ],
  "attributes": [
    {
      "name": "Department",
      "description": "Department",
      "valueType": "s",
      "valueRequired": false
    }
  ],
  "role-templates": [
    {
      "name": "Reader",
      "description": "Reader",
      "scope-references": [
        "$XSAPPNAME.Reader"
      ],
      "attribute-references": [
        "Department"
      ]
    },
    {
      "name": "Token_Exchange",
      "description": "UAA",
      "scope-references": [
        "uaa.user"
      ]
    }
  ],
  "oauth2-configuration": {
    "token-validity": 3600
  }
}
xs-app.json
{
  "welcomeFile": "/index.html",
  "authenticationMethod": "route",
  "routes": [
    {
      "source": "^/abc/(.*)$",
      "csrfProtection": false,
      "authenticationType": "xsuaa",
      "scope": "$XSAPPNAME.Reader",
      "destination": "demoapp-srv"
    },
    {
      "source": "^/resources/(.*)$",
      "target": "/resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^/test-resources/(.*)$",
      "target": "/test-resources/$1",
      "authenticationType": "none",
      "destination": "ui5"
    },
    {
      "source": "^(.*)$",
      "target": "$1",
      "service": "html5-apps-repo-rt",
      "authenticationType": "xsuaa"
    }
  ]
}
service.cds
using {test_order} from '../db/test';

service testService @(requires: 'authenticated-user') {
  entity testentity @(restrict: [
    {
      grant: 'READ',
      to: 'Reader',
      where: 'department = $user.Department'
    }
  ]) as projection on test_order.testentity;
};
Regards.
Punit
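An added diagnostic, not code from the thread or from SAP: it decodes (without verifying) an XSUAA JWT you already hold and reports whether it carries the scope the xs-app.json route demands and the Department attribute the restrict clause reads, which are the two things a deployed 403 usually comes down to. The bound xsappname `demoapp!t1234` and the token contents are constructed.

```javascript
// Diagnostic for the 403 above: does the token actually carry what the
// approuter route and the CDS restriction require? Constructed example.

// Decode the JWT payload without checking the signature. Inspection only;
// never use an unverified payload to make an access decision.
function decodeJwtPayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// xs-app.json writes scopes as "$XSAPPNAME.Reader"; at runtime the approuter
// substitutes the bound xsappname, which carries the "!t<id>" suffix.
function resolveScope(routeScope, xsappname) {
  return routeScope.replace('$XSAPPNAME', () => xsappname);
}

// Returns a list of problems; an empty list means the token should pass.
function diagnose(jwt, { xsappname, routeScope, attributes }) {
  const claims = decodeJwtPayload(jwt);
  const problems = [];
  const needed = resolveScope(routeScope, xsappname);
  if (!(claims.scope || []).includes(needed)) {
    problems.push(`missing scope ${needed} (approuter answers 403 before CAP is reached)`);
  }
  // XSUAA puts user attributes under xs.user.attributes as name -> [values].
  const attrs = claims['xs.user.attributes'] || {};
  for (const name of attributes) {
    if (!Array.isArray(attrs[name]) || attrs[name].length === 0) {
      problems.push(`attribute ${name} missing from token (no value set on the role)`);
    }
  }
  return problems;
}

// Build an unsigned sample token; the signature part is a placeholder.
function sampleToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.signature-not-checked`;
}

// Constructed case: Reader role assigned, but no Department value on it.
const SAMPLE = sampleToken({ scope: ['demoapp!t1234.Reader', 'openid'], 'xs.user.attributes': {} });
const OPTS = { xsappname: 'demoapp!t1234', routeScope: '$XSAPPNAME.Reader', attributes: ['Department'] };
console.log(diagnose(SAMPLE, OPTS));
```

Paste the real access token (copied from the browser's Authorization header or the approuter's user-info endpoint) in place of SAMPLE to see which of the two requirements the deployed token fails.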
Compare the URLs of the GET and POST requests by debugging in the browser during the call. The POST URL will be missing some parts that the GET URL contains. You can hardcode the missing part in your program for the POST call. This should resolve the issue.
Debug and find the missing part of the URL:
Add the missing part to your POST URL in code:
Calvin.
SAP Technical Lead.
Hi,
Was there any solution for the above query? I am getting the same issue.
I am trying to access the scim/User service. It worked perfectly fine in the BAS, but once deployed to the cloud, it is giving a 403 error.
Thanks in advance!
Hi supri53,
Did you assign the OAuth Token Exchange role as well (Token_Exchange)?
I got the same error because I had only assigned the generated roles, but in addition you have to assign the token exchange role as well.
Then restart the app in BTP, clear the cache and try again.
BR
Rufat
Hi, I am also facing the same issue. I have created and deployed an application from BAS to a Cloud Foundry space as an HTML5 application. The data from the Cloud Connector destination is fetched from BAS when I use the curl command. Also, the preview of the application is displayed correctly. But when I deploy it to the cloud I am not able to get the data from the on-premise system using the Cloud Connector. When I debugged the call in Google Chrome, I am getting a 403 Forbidden error and the referrer policy as Strict-Origin-Cross-Origin.
Any help in resolving this issue would be appreciated.
I would suggest you give that example a try: central-launchpad-cap/tree/add-authentication and learn from it.