on 2021 Feb 10 4:11 AM
Hello experts,
I have created a Java application that generates my OData service. The application is linked to a schema that I have created. I have also added roles to access it.

From the URL generated for my OData service, I have created a destination to be consumed in a SAPUI5 application. Here I set the basic authentication property.

I have deployed the SAPUI5 project calling the target and everything has worked correctly. Now what is the problem? The problem is that if you take the URL of the SAPUI5 project and add the path that refers to the destination, you can access it without having to authenticate to the OData service. I have tested it after clearing the cache and in the browser's incognito mode, and it can be accessed without any authentication.
<url of the sapui5 application>/<destination route>/$metadata

Here is the configuration of my destination in my SAPUI5 project and how I call it.

I want to prevent this from happening: I want the queries and procedures to be made only from within the views and controllers of the SAPUI5 project. That is why I would like to know whether there is a more private form of authentication, limited to linked projects only.
Is there any other, safer way to use OData services?
Thank you
There is no (reliable) way to tell whether the APP accessed a certain URL, a HUMAN entered the URL in the browser, or a SCRIPT called that URL.
The only reliable way is to protect the service and only let authenticated requests through. From your description it is not absolutely clear: maybe the user has already authenticated when they called the app.
From what I can see in the screenshots, you use Neo Java and Neo HTML5 apps. If you add something like this to your neo-app.json:
  "securityConstraints": [
    {
      "permission": "ApplicationPermission",
      "description": "Permission to access the Application",
      "protectedPaths": [
        "/"
      ]
    },
    {
      "permission": "ApplicationDescriptorPermission",
      "description": "Permission to access the application descriptor file",
      "protectedPaths": [
        "/neo-app.json"
      ]
    }
  ]
then the HTML5 runtime will ensure that only authenticated access (with the listed role) is granted to the app, including access to the destination (sub-)paths that are reachable through the app.
In your destination, you should choose App-To-App-SSO.
I just added more detail to the question. I have tried clearing the cache and using incognito mode, and I can access the OData service without any authentication via the path I indicated, without any problem. It seems to me that this is due to the basic authentication property of my destination, since when I invoke it in my SAPUI5 project the credentials are already supplied through it. Thanks for answering.
First, if you use basic auth in your destination, every frontend user accesses that destination as the user specified in the destination. Depending on your scenario, this may or may not be OK.
If you allow anonymous access to the frontend, then even an anonymous user will be able to access the backend with the permissions of the destination user.
So you need to secure your HTML5 app (securityConstraints in neo-app.json).
PS: please have a look at authentication and authorization pages for NEO html 5 apps: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/de16793b391a4bcfae6096f3443...
Also general security considerations described here: https://help.sap.com/viewer/ea72206b834e4ace9cd834feed6c0e09/Cloud/en-US/55f7c9da48084bb0bb8eddf5695...
This is the scenario: the deployed URL of the SAPUI5 app is used by several users, and they found that way to access the OData service. Through it they can do all the CRUD operations. What I require is that those users can only create or read through the SAPUI5 project's interface, and that the URL they found to access the OData service without credentials is blocked or asks for their credentials.
Thank you for your answer and for the information given.
Sure, here it is:
{
  "welcomeFile": "/webapp/index.html",
  "authenticationMethod": "none",
  "logoutPage": "/logout.html",
  "routes": [
    {
      "path": "/resources",
      "target": {
        "type": "service",
        "name": "sapui5",
        "entryPath": "/resources"
      },
      "description": "SAPUI5 Resources"
    },
    {
      "path": "/test-resources",
      "target": {
        "type": "service",
        "name": "sapui5",
        "entryPath": "/test-resources"
      },
      "description": "SAPUI5 Resources"
    },
    {
      "path": "/services/userapi",
      "target": {
        "type": "service",
        "name": "userapi"
      }
    },
    {
      "path": "/webapp/resources",
      "target": {
        "type": "service",
        "name": "sapui5",
        "entryPath": "/resources"
      },
      "description": "SAPUI5 Resources"
    },
    {
      "path": "/webService",
      "target": {
        "type": "destination",
        "name": "web_service_ruc",
        "entryPath": "/"
      },
      "description": "Get company RUC"
    },
    {
      "path": "/webapp/test-resources",
      "target": {
        "type": "service",
        "name": "sapui5",
        "entryPath": "/test-resources"
      },
      "description": "SAPUI5 Test Resources"
    },
    {
      "path": "/odataent/odata2.svc",
      "target": {
        "type": "destination",
        "name": "ODATA_ENTREGAS_RENDIR_CLONING"
      },
      "description": "Entregas a Rendir OData Model"
    }
  ],
  "sendWelcomeFileRedirect": true
}
There you go: the authentication method is "none". Change that to "saml" (see the first link in my last comment).
If you implement your service using the CAP Service SDK for Java you get good guidance on how to secure your application. I think you should learn about SAP Approuter and JWT.
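The two answers above boil down to two checks on neo-app.json: the app must require a login ("authenticationMethod": "saml" rather than "none"), and every route that proxies to a destination must sit under a securityConstraint, otherwise whoever can reach the app can call the backend with the destination's stored basic-auth credentials. The following is an added example, not code from the thread or from SAP: a small audit script that runs those checks over a trimmed copy of the posted descriptor and over a hardened copy with the suggested fixes applied. The sample descriptors are constructed from the thread; the assumption that protectedPaths match by prefix (so "/" covers every route) and that a missing authenticationMethod defaults to "saml" are mine, not confirmed by the page.

```python
"""Audit a Neo HTML5 neo-app.json for destination routes reachable without login."""
import json
from typing import Dict, List

# Constructed sample, reduced from the descriptor posted in the thread:
# authenticationMethod "none" and no securityConstraints at all.
WEAK_NEO_APP: Dict = json.loads("""
{
  "welcomeFile": "/webapp/index.html",
  "authenticationMethod": "none",
  "routes": [
    {"path": "/resources",
     "target": {"type": "service", "name": "sapui5", "entryPath": "/resources"}},
    {"path": "/webService",
     "target": {"type": "destination", "name": "web_service_ruc", "entryPath": "/"}},
    {"path": "/odataent/odata2.svc",
     "target": {"type": "destination", "name": "ODATA_ENTREGAS_RENDIR_CLONING"}}
  ]
}
""")

# Same descriptor with the fixes from the answers applied: SAML login for the
# whole app, plus securityConstraints that require a role for "/" (and so for
# every destination route under it) and for the descriptor itself.
HARDENED_NEO_APP: Dict = {
    **WEAK_NEO_APP,
    "authenticationMethod": "saml",
    "securityConstraints": [
        {"permission": "ApplicationPermission",
         "description": "Permission to access the Application",
         "protectedPaths": ["/"]},
        {"permission": "ApplicationDescriptorPermission",
         "description": "Permission to access the application descriptor file",
         "protectedPaths": ["/neo-app.json"]},
    ],
}


def destination_routes(descriptor: Dict) -> List[str]:
    """Paths the HTML5 runtime proxies to a destination, i.e. to a backend."""
    return [r["path"] for r in descriptor.get("routes", [])
            if r.get("target", {}).get("type") == "destination"]


def protected_paths(descriptor: Dict) -> List[str]:
    """Every protectedPaths entry across all securityConstraints."""
    return [p for c in descriptor.get("securityConstraints", [])
            for p in c.get("protectedPaths", [])]


def is_protected(path: str, protected: List[str]) -> bool:
    """Assumption: protectedPaths match by prefix, so "/" covers all routes."""
    return any(p == "/" or path == p or path.startswith(p.rstrip("/") + "/")
               for p in protected)


def audit(descriptor: Dict) -> List[str]:
    """Return findings as plain strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    # Assumption: Neo treats a missing authenticationMethod as "saml".
    method = descriptor.get("authenticationMethod", "saml")
    if method != "saml":
        findings.append(
            f'authenticationMethod is "{method}": anonymous users can reach the app')
    protected = protected_paths(descriptor)
    for path in destination_routes(descriptor):
        if not is_protected(path, protected):
            findings.append(
                f"destination route {path} has no securityConstraint: anyone who "
                f"reaches the app can call the backend with the destination's credentials")
    return findings


if __name__ == "__main__":
    for label, desc in (("weak", WEAK_NEO_APP), ("hardened", HARDENED_NEO_APP)):
        print(label, audit(desc) or ["no findings"])
```

Run it against your own neo-app.json by loading the file instead of the constructed sample; three findings are expected for the posted descriptor (the "none" method plus the two unprotected destination routes) and none once the securityConstraints and "saml" are in place. The script only reads the descriptor, so it says nothing about the role assignments done in the cockpit or about the destination's own authentication type (the answer's App-To-App-SSO recommendation), which have to be checked there.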