on 2021 Apr 06 6:22 AM
Hi,
I wanted to restrict the user based on the "Application Permissions" section in an HTML5 application. I have added securityConstraints in the neo-app.json file with a few protected paths and assigned a role to that permission. When users log in and they don't have the role which is assigned to that permission, it should restrict the user from the particular section of the application mentioned in the protected path, which is not happening. If I check the HTTP status of the protected file, it gives me a status of 200.
Also wanted to know if securityConstraints works in the latest framework of SAPUI5 application.
Reference:
The file neo-app.json is the application descriptor on the SAP BTP neo platform, and has nothing to do with sapui5.
And yes, it works (last time used for security constraints - couple of days ago).
Hello Sergei,
Thanks for the quick response.
Correct, I have added the security constraints in neo-app.json and assigned the role in application permission, but when the user logs in with the role "Report Catalog User" it should restrict it for the protected path mentioned in neo-app.json, which is not happening in my case. I check the HTTP status for those files using an ajax call and I get the status as "200".
Everything except the two paths to the xml roles is restricted by "No User" role, which is mapped to "Everyone". So everyone can access all files served by the app.
Apart from that, please note that neo-app.json defines restrictions to certain PATHs, as HTTP-Level-Restrictions.
For example, restricting access to /path/to/Something.view.xml will block direct access to that path. But, most likely, the app will never load that file directly, as usually it is also contained in Component-preload.js, which usually contains the whole ui5 app in one file.
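Added example (not from the thread or from SAP): a small Node.js check of the point made in the reply above, that a path protected in neo-app.json is still delivered to the browser when the same file is bundled in Component-preload.js. The permission name, paths, namespace `my/app` and module list are constructed, and the prefix/exact matching rule is an assumption.

```javascript
// Constructed neo-app.json fragment; permission name and paths are hypothetical.
const neoApp = {
  securityConstraints: [{
    permission: "viewReports",
    protectedPaths: ["/view/reports/", "/view/Admin.view.xml"],
    excludedPaths: ["/view/reports/public/"]
  }]
};

// Constructed module names, as they appear as keys inside a Component-preload.js bundle.
const preloadModules = [
  "my/app/Component.js",
  "my/app/view/Admin.view.xml",
  "my/app/view/reports/Sales.view.xml",
  "my/app/view/reports/public/Help.view.xml",
  "my/app/view/Home.view.xml"
];

// Assumption: a path ending in "/" covers everything below it; any other path is an exact match.
function covers(pattern, path) {
  return pattern.endsWith("/") ? path.startsWith(pattern) : path === pattern;
}

// Returns the permission guarding an HTTP path, or null when no constraint applies.
function permissionFor(descriptor, path) {
  for (const c of descriptor.securityConstraints || []) {
    const isProtected = (c.protectedPaths || []).some((p) => covers(p, path));
    const isExcluded = (c.excludedPaths || []).some((p) => covers(p, path));
    if (isProtected && !isExcluded) return c.permission;
  }
  return null;
}

// Lists bundled modules whose standalone URL is protected by a permission that does not
// also guard the bundle: their content still reaches anyone who can fetch the bundle.
function bundledProtectedModules(descriptor, modules, namespace, bundlePath) {
  const bundlePermission = permissionFor(descriptor, bundlePath);
  return modules
    .filter((m) => m.startsWith(namespace + "/"))
    .map((m) => ({ module: m, permission: permissionFor(descriptor, m.slice(namespace.length)) }))
    .filter((r) => r.permission !== null && r.permission !== bundlePermission);
}

const findings = bundledProtectedModules(neoApp, preloadModules, "my/app", "/Component-preload.js");
console.log(findings);
```

Each finding is a file whose direct URL is restricted while its content is also shipped inside the unrestricted bundle, so the constraint on the direct path alone does not keep it from users without the role.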
Hello Sergei,
I don't have a Component-preload.js file in the project as I have deleted the below 3 files to use this security constraints concept, as prior to deleting the below files, the path was not protected as it is also contained in Component-preload.js.
Deleted 3 Files: