
Security Integration Test for CAP Java App doesn't consider Jwt Token

bt12 (Associate)

We want to build a new app based on CAP Java. Currently we try to implement the CAP exits for on-/offboarding and offer a CDS entity for users with a specific scope.

When we deploy the app to a sandbox, do an onboarding and request the data of the CDS entity, everything works fine (it fails with the expected HTTP response if no or a wrong scope is given, and returns data with the correct scope).

But when we implement integration tests as Spring Boot Test to check the security config, they end up with incorrect results:

  • If we don't pass any JWT token to the onboarding endpoint, we get a 403 (Forbidden) but not a 401 (Unauthorized)
  • If we pass an incorrect JWT token to the read endpoint of the CDS entity, we get a 401 (Unauthorized) but not a 403 (Forbidden)

Especially the last case works correctly in the real deployment.

When trying to debug the second case (reading data of the CDS entity), I have seen that some kind of test user "anonymous" is automatically used by CAP and the JWT token seems to be ignored. Does anyone know what we need to do so that the JWT token is considered instead?

Unfortunately I have no clue which information would be helpful for the analysis 😞

  • We use Java 17
  • CDS Services 3.6.0
  • SAP Cloud SDK 5.15.0
  • SAP Cloud Security 3.5.7
  • org.springframework.web.reactive.function.client.WebClient
  • com.sap.cloud.security.test.JwtGenerator
  • and have configured sap.security.services.xsuaa in the test application.yaml

The respective branch in our git repo can be found here: https://github.wdf.sap.corp/GRC-CH/FinancialComplianceLaunchpad/tree/on_off_boarding

The test case is https://github.wdf.sap.corp/GRC-CH/FinancialComplianceLaunchpad/blob/on_off_boarding/srv/src/test/ja...


Accepted Solutions (0)

Answers (0)