cloud foundry user with mapped role still see 401

S0003991129
Explorer
0 Kudos

I tried to follow the tutorial below:

https://developers.sap.com/tutorials/s4sdk-secure-cloudfoundry.html

but I'm stuck on a 401 after a good configuration of the role Display.


I followed all the steps for my TOMEE project, from xs-security.json:
```json
{
  "xsappname": "javaapp",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Display",
      "description": "display"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Required to view things in your solution",
      "scope-references": [
        "$XSAPPNAME.Display"
      ]
    }
  ],
  "oauth2-configuration": {
    "redirect-uris": ["https://*.cfapps.eu10-004.hana.ondemand.com/**"]
  }
}
```

The web.xml:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app
        xmlns="http://java.sun.com/xml/ns/javaee"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
        version="3.0">

    <session-config>
        <session-timeout>20</session-timeout>
    </session-config>

    <login-config>
        <auth-method>XSUAA</auth-method>
    </login-config>

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Baseline Security</web-resource-name>
            <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>*</role-name>
        </auth-constraint>
    </security-constraint>

    <security-role>
        <role-name>Display</role-name>
    </security-role>

    <filter>
        <filter-name>RestCsrfPreventionFilter</filter-name>
        <filter-class>org.apache.catalina.filters.RestCsrfPreventionFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>RestCsrfPreventionFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
</web-app>
```

The protected and the unprotected endpoints:
```java
// Endpoint restricted to the "Display" role
@WebServlet("/businesspartners")
@ServletSecurity(@HttpConstraint(rolesAllowed = { "Display" }))
public class BusinessPartnerServlet extends HttpServlet
{
    // ... (rest of the class not shown in the post)
}

// Endpoint without a role annotation
@WebServlet("/hello")
public class HelloWorldServlet extends HttpServlet
{
    private static final long serialVersionUID = 1L;
    private static final Logger logger = LoggerFactory.getLogger(HelloWorldServlet.class);
    // ... (rest of the class not shown in the post)
}
```

And the correct configuration of the role in a role collection on the SAP BTP platform:


Why do I see a 401 for both endpoints?

Accepted Solutions (0)

Answers (1)

CarlosRoggan
Product and Topic Expert
0 Kudos
S0003991129
Explorer
0 Kudos

Thank you very much for the indication, but unfortunately it is really difficult to trace the error. The guide is well done but I can't find the problem in my application...

CarlosRoggan
Product and Topic Expert
0 Kudos

I'm sorry, I'm not familiar with s4sdk, nor webxml.
Your screenshot doesn't show, but I assume that you've also assigned your user to the same role collection, right?

But anyways, the error code 401 indicates that it is not a problem of role assignment.
If the error is correct, then your user / pwd is not known to the identity provider.
I see you're accessing the app through approuter, right?
And approuter is bound to the same instance of XSUAA, like the java-app?
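
The 401-versus-403 distinction from the answer above, as an added triage example (not part of any post in this thread and not SAP library code): it decodes the token forwarded to the Java app, without verifying the signature, and predicts the status a role-protected endpoint should return. The claim names `cid`, `aud`, `scope` and `exp`, the `!t0000` suffix and all sample values are assumptions or constructed; real binding values come from the `xsuaa` entry in `VCAP_SERVICES`.

```python
import base64
import json
import time

# Constructed binding values; real ones are in the xsuaa entry of VCAP_SERVICES.
XSAPPNAME, CLIENTID, NOW = "javaapp!t0000", "sb-javaapp!t0000", 1_700_000_000
SAMPLE = {"cid": CLIENTID, "aud": [CLIENTID, XSAPPNAME],
          "scope": ["openid", f"{XSAPPNAME}.Display"], "exp": NOW + 600}

def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED, constructed token for the demo (not a real XSUAA token)."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    head = enc({"alg": "none"})
    return f"{head}.{enc(claims)}.constructed"

def decode_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def triage(auth_header, xsappname, clientid, role, now=None) -> str:
    """Predict the status a role-protected endpoint should return for this request."""
    now = time.time() if now is None else now
    if not auth_header or not auth_header.startswith("Bearer "):
        return "401: no bearer token reached the app (approuter bypassed?)"
    try:
        claims = decode_claims(auth_header[len("Bearer "):])
    except (IndexError, ValueError):
        return "401: malformed token"
    if claims.get("exp", 0) <= now:
        return "401: token expired"
    aud = claims.get("aud", [])
    if claims.get("cid") != clientid and clientid not in aud and xsappname not in aud:
        return "401: token was issued for a different XSUAA instance"
    if f"{xsappname}.{role}" not in claims.get("scope", []):
        return "403: authenticated, but the scope is not in the token"
    return "200: authenticated and scope present"

if __name__ == "__main__":
    cases = {"valid": SAMPLE, "role not assigned": dict(SAMPLE, scope=["openid"]),
             "other instance": dict(SAMPLE, cid="sb-other!t1", aud=["sb-other!t1"])}
    for label, claims in cases.items():
        header = "Bearer " + make_sample_token(claims)
        print(f"{label:18} -> {triage(header, XSAPPNAME, CLIENTID, 'Display', NOW)}")
    print(f"{'no header':18} -> {triage(None, XSAPPNAME, CLIENTID, 'Display', NOW)}")
```

An unverified decode like this is for reading claims during diagnosis only; access decisions stay with the container's signature-checking validation.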

S0003991129
Explorer
0 Kudos

Your screenshot doesn't show, but I assume that you've also assigned your user to the same role collection, right? [YES]

I see you're accessing the app through approuter, right? [YES]
And approuter is bound to the same instance of XSUAA, like the java-app? [YES]

Consider that the authentication works fine.

If the error is correct, then your user / pwd is not known to the identity provider. [HOW CAN I CHECK ?]

CarlosRoggan
Product and Topic Expert
0 Kudos

You can check the users in the BTP cockpit at Security->users.
Is there an IAS connected to your subaccount?
If yes, then your user-login to the cockpit is different than the user-login to an application.

S0003991129
Explorer
0 Kudos

Could you send me updated links in which both authentication and XSUAA authorization for a Spring application are well explained? Thanks in advance.

CarlosRoggan
Product and Topic Expert
0 Kudos

Unfortunately, I don't have further tutorials in java.
Maybe you find anything useful in the GitHub pointed to here: https://help.sap.com/docs/btp/sap-business-technology-platform/tutorials-for-sap-authorization-and-t...