
Getting Error 403 Forbidden even after providing the valid JWT

Ranjith
Participant

Hi all,

I have created a simple OData service using SAP CAP. I deployed it to HCP (trial). I am using Postman to check the service response. Even after adding a valid JWT token, the service throws a 403 Forbidden error. I have assigned all the necessary role collections (Manager role) to my ID in HCP. Please find the attached screenshots and code of my project.

Postman getting token Access:


Admin.cds

using { sap.capire.bank_details as my } from '../db/test';

// Every request to this service needs an authenticated user (a valid JWT)
service MyService @(requires: ['authenticated-user']){

    // Only users carrying the Manager role (scope $XSAPPNAME.Manager in the
    // token) may read or write products
    entity products @(restrict: [ { grant: ['*'], to: 'Manager'}])
    as projection on my.Products;
}

XS-security.json

{
  "xsappname": "test_project",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Manager",
      "description": "Manager"
    }
  ],
  "attributes": [],
  "role-templates": [
    {
      "name": "Manager",
      "description": "generated",
      "scope-references": [
        "$XSAPPNAME.Manager"
      ],
      "attribute-references": []
    }
  ]
}

mta.yaml

## Generated mta.yaml based on template version 0.2.0
## appName = test_project
## language=nodejs; multiTenant=false
## approuter=
_schema-version: '3.1'
ID: test_project
version: 1.0.0
description: "A simple CAP project."
parameters:
  enable-parallel-deployments: true  
build-parameters:
  before-all:
   - builder: custom
     commands:
      - npm install
      - npx cds build/all

modules:
 # --------------------- SERVER MODULE ------------------------
 - name: test_project-srv
 # ------------------------------------------------------------
   type: nodejs
   path: gen/srv
   properties:
     EXIT: 1  # required by deploy.js task to terminate 
   requires:
    # Resources extracted from CAP configuration
    - name: test_project-db
    - name: test_project-uaa
   provides:
    - name: srv-binding      # required by consumers of CAP services (e.g. approuter)
      properties:
        srv-url: ${default-url}

 # -------------------- SIDECAR MODULE ------------------------
 - name: db
 # ------------------------------------------------------------
   type: hdb
   path: gen/db  
   parameters:
     app-name: test_project-db  
   requires:
    # 'hana' and 'xsuaa' resources extracted from CAP configuration
    - name: test_project-db
    - name: test_project-uaa

 - name: test_project-appadmin
   type: nodejs
   path: app
   build-parameters:
     ignore: ["node_modules/"]    
   parameters:
      disk-quota: 256M
      memory: 256M
   requires:
      - name: test_project-uaa
      - name: srv-binding
        group: destinations
        properties:
          forwardAuthToken: true
          strictSSL: false
          name: srv-binding
          url: ~{srv-url}

resources:
 # services extracted from CAP configuration
 # 'service-plan' can be configured via 'cds.requires.<name>.vcap.plan'
# ------------------------------------------------------------
 - name: test_project-db
# ------------------------------------------------------------
   type: com.sap.xs.hdi-container
   parameters:
     service: hanatrial  # 'hana' on productive landscapes
     service-plan: hdi-shared
   properties:
     hdi-service-name: ${service-name}

 - name:  test_project-uaa
   type:  org.cloudfoundry.managed-service
   parameters:
    path: ./xs-security.json
    service: xsuaa    
    service-plan: application
    service-keys: 
        - name: school-xsuaa-key  
    config:
      xsappname: test_project-${space}
      tenant-mode: dedicated

xs-app.json (inside App folder)

{
    "authenticationMethod":"route",
    "routes": [
        {
            "source": "^/(.*)$",
            "target": "$1",
            "authenticationType": "xsuaa",
            "destination": "srv-binding",           
            "csrfProtection": false
            
        }
    ]
}

package.json

{
    "name": "test_project",
    "version": "1.0.0",
    "description": "A simple CAP project.",
    "repository": "<Add your repository here>",
    "license": "UNLICENSED",
    "private": true,
    "dependencies": {
        "@sap/cds": "^3",
        "@sap/hana-client": "^2.4.177",
        "@sap/xsenv": "^2.2.0",
        "@sap/xssec": "^3.0.3",
        "express": "^4",
        "passport": "^0.4.1"
    },
    "scripts": {
        "start": "npx cds run"
    },
    "cds": {
        "requires": {
            "db": {
                "kind": "hana"
            },
            "uaa": {
                "kind": "xsuaa"
            }
        }
    }
}

package.json (inside App folder)

{
  "name": "appadmin",
  "version": "0.0.1",
  "description": "",
  "devDependencies": {
    "@sap/grunt-sapui5-bestpractice-build": "1.4.2"
  },
  "dependencies": {
    "@sap/approuter": "7.1.1"
  },
  "engines": {
    "node": "^10"
  },
  "scripts": {
    "start": "node node_modules/@sap/approuter/approuter.js"
  }
}
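A diagnostic that helps with exactly this symptom, added here and not part of the poster's project: decode the bearer token Postman sends and check whether it carries the scope CAP maps to the Manager role. It assumes the srv is bound to the XSUAA instance as configured in the mta.yaml above (the config block sets xsappname to test_project-<space>), and the sample tokens are constructed, unsigned fixtures.

```javascript
// Added diagnostic, not code from the thread's project: decode the claims of an
// XSUAA JWT (no signature check; that stays with @sap/xssec) and report why a CAP
// entity restricted to the 'Manager' role answers 403 although the token is valid.
// JWT segments are base64url; decoded by hand so this runs on any Node version.
function fromB64url(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Payload claims only: this is inspection, not authentication.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWT');
  return fromB64url(parts[1]);
}
// xsappname must be the one the srv is bound to ("test_project-<space>" with the
// mta.yaml above). XSUAA scopes look like "<xsappname>!t<id>.<scope>", and CAP
// maps the part after the last '.' to the role named in @restrict.
function diagnoseForbidden(jwt, xsappname, role) {
  const claims = decodeClaims(jwt);
  const scopes = claims.scope || [];
  const problems = [];
  if (claims.grant_type === 'client_credentials') {
    problems.push('client_credentials token: no user, so role collections ' +
      'assigned to your user never appear in its scopes');
  }
  const own = scopes.filter(s => s.startsWith(xsappname + '!'));
  const forRole = scopes.filter(s => s.endsWith('.' + role));
  if (forRole.length && !own.length) {
    problems.push('scope for ' + role + ' was issued for another xsappname: ' + forRole.join(', '));
  } else if (!own.some(s => s.endsWith('.' + role))) {
    problems.push('no scope ' + xsappname + '!t<tenant>.' + role + ' in token');
  }
  return { ok: problems.length === 0, problems };
}
// Constructed, unsigned sample tokens; the signature segment is a placeholder.
const makeToken = claims =>
  toB64url({ alg: 'RS256', typ: 'JWT' }) + '.' + toB64url(claims) + '.sig';
const TOKEN_CLIENT_CREDS = makeToken({ grant_type: 'client_credentials',
  client_id: 'sb-test_project-dev!t1234', scope: ['uaa.resource'] });
const TOKEN_WRONG_APP = makeToken({ grant_type: 'password', user_name: 'ranjith',
  scope: ['openid', 'test_project!t1234.Manager'] });
const TOKEN_OK = makeToken({ grant_type: 'password', user_name: 'ranjith',
  scope: ['openid', 'test_project-dev!t1234.Manager'] });
console.log(diagnoseForbidden(TOKEN_CLIENT_CREDS, 'test_project-dev', 'Manager'));
```

Paste the real token from Postman in place of a fixture: a token fetched with the client_credentials grant, or one whose scopes carry a different xsappname prefix than the srv's binding, is "valid" yet fails the Manager check.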
vansyckel
Advisor

Hi all,

Please use @sap/xssec@^2 as version 3 brought some changes that we need to adapt to.

Best,
Sebastian

Ranjith
Participant

Thanks for your suggestion, @vansyckel. I replaced that, but I am still facing the same problem.

aicro_ai
Associate

Hi Ranjithkumar Ayyavu,

Any update for this problem? I've also met this problem.

However, I've made things a little simpler. I do not involve the approuter, but bound srv directly to an XSUAA service. Now I successfully get the JWT token, but when I forward it to srv, it still complains with 403 Forbidden.

Thanks,

Aicro

roylerner3
Explorer

Hi,

I'm experiencing the same issue; I followed the documentation exactly as you did.

I'm able to authenticate against the server, and the server gets 403 when hitting the db.

Have you found a solution?

Thanks