Task 1: Enable Authentication Support
Steps
Enable Authentication Support.
To enable authentication support in CAP for SAP BTP, the @sap/xssec and @sap/xsenv modules need to be installed. @sap/xssec validates the JSON Web Token that XSUAA issues for a logged-in user, and @sap/xsenv reads the XSUAA service binding (its credentials) from the application environment.
Open a new terminal in BAS (Terminal → New Terminal).
In the terminal, run the following command to install both modules and automatically add them as dependencies to the package.json file of your project:
    npm i --save @sap/xssec @sap/xsenv
Task 2: Add Roles and Scopes
Steps
Add roles and scopes.
In the SAP BTP, Cloud Foundry environment, a single authorization is called a scope. For example, there could be a scope "Read" and a scope "Write" that allow users to read or write a certain business object. Scopes cannot be assigned to users directly; they are packaged into roles. For example, the role "Editor" could have the "Read" and "Write" scopes, while the role "Viewer" could have the "Read" scope only.
CAP, however, recommends working with roles only and mapping each role to exactly one scope of the same name. In Lesson 1 of this unit, Defining Restrictions and Roles in CDS, we defined two such roles.
If you have not done so already, read that lesson first.
Task 3: Set Up Application Security with XSUAA Security Configuration
Steps
Set Up Application Security with XSUAA Security Configuration.
First you need to configure the XSUAA service. Create the file xs-security.json in your RiskManagement project by executing the following in a terminal in BAS:
    cds compile srv --to xsuaa >xs-security.json
The generated file contains the configuration of the XSUAA. Behind the scenes, CAP has taken the authorization annotations @(restrict ...) from your service definition and created scopes and role templates from them.
For example, it found the roles RiskViewer and RiskManager in the srv/risk-service.cds file:
    entity Risks @(restrict : [
        {
            grant : ['READ'],
            to    : ['RiskViewer']
        },
        {
            grant : ['*'],
            to    : ['RiskManager']
        }
    ]) as projection on rm.Risks;
It then created a scope and a role template for each of the two roles in the xs-security.json file in your project:
    {
      "xsappname": "risk-management",
      "tenant-mode": "dedicated",
      "scopes": [
        {
          "name": "$XSAPPNAME.RiskViewer",
          "description": "RiskViewer"
        },
        {
          "name": "$XSAPPNAME.RiskManager",
          "description": "RiskManager"
        }
      ],
      "attributes": [],
      "role-templates": [
        {
          "name": "RiskViewer",
          "description": "generated",
          "scope-references": ["$XSAPPNAME.RiskViewer"],
          "attribute-references": []
        },
        {
          "name": "RiskManager",
          "description": "generated",
          "scope-references": ["$XSAPPNAME.RiskManager"],
          "attribute-references": []
        }
      ]
    }
Note that every scope name starts with the placeholder $XSAPPNAME, so the scopes are namespaced by the xsappname of the deployed application.
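The following script is an added example, not code from the SAP tutorial or from CAP itself. It shows in plain JavaScript what the generation above and the later authorization check boil down to: the concrete roles in the restrict rules become one scope and one role template each, and at request time only scopes that carry this application's xsappname prefix are turned back into CAP roles. The function names, the list of pseudo-roles that are skipped, and the sample scope claims are assumptions made for this illustration; CAP's real implementation lives in @sap/cds and @sap/xssec.

```javascript
// Added example (not CAP's own code): from @restrict rules to XSUAA scopes,
// and from the scopes in a token back to a CAP authorization decision.

// The two rules from the Risks entity in srv/risk-service.cds.
const RISKS_RESTRICT = [
  { grant: ['READ'], to: ['RiskViewer'] },
  { grant: ['*'],    to: ['RiskManager'] },
];

// Pseudo-roles that CAP resolves itself; assumed here not to become XSUAA scopes.
const PSEUDO_ROLES = new Set(['any', 'authenticated-user', 'system-user', 'internal-user']);

// Collect the concrete roles named in the `to` clauses, in order of first appearance.
function collectRoles(restrict) {
  const roles = new Set();
  for (const rule of restrict) {
    for (const role of rule.to || []) {
      if (!PSEUDO_ROLES.has(role)) roles.add(role);
    }
  }
  return [...roles];
}

// One-to-one mapping: each role yields one scope and one role template referencing it,
// which is the shape of the xs-security.json shown on this page.
function toXsSecurity(xsappname, roles) {
  return {
    xsappname,
    'tenant-mode': 'dedicated',
    scopes: roles.map((r) => ({ name: `$XSAPPNAME.${r}`, description: r })),
    attributes: [],
    'role-templates': roles.map((r) => ({
      name: r,
      description: 'generated',
      'scope-references': [`$XSAPPNAME.${r}`],
      'attribute-references': [],
    })),
  };
}

// Derive CAP roles from the `scope` claim of a validated token. Only scopes with
// this application's xsappname prefix count, so a scope minted for another
// xsappname (another deployment, another app) grants nothing here.
function rolesFromScopes(scopes, xsappname) {
  const prefix = `${xsappname}.`;
  return new Set(
    scopes.filter((s) => s.startsWith(prefix)).map((s) => s.slice(prefix.length))
  );
}

// Authorization decision: some rule must grant the event (or '*') to a role the user holds.
function isAuthorized(restrict, userRoles, event) {
  return restrict.some(
    (rule) =>
      (rule.grant.includes('*') || rule.grant.includes(event)) &&
      rule.to.some((role) => userRoles.has(role))
  );
}

// Constructed scope claims (payload excerpts for illustration, not real tokens).
const VIEWER_SCOPES  = ['openid', 'uaa.user', 'risk-management.RiskViewer'];
const MANAGER_SCOPES = ['openid', 'risk-management.RiskManager'];
const FOREIGN_SCOPES = ['other-app.RiskManager'];

function demo() {
  const xs = toXsSecurity('risk-management', collectRoles(RISKS_RESTRICT));
  const viewer  = rolesFromScopes(VIEWER_SCOPES, 'risk-management');
  const manager = rolesFromScopes(MANAGER_SCOPES, 'risk-management');
  const foreign = rolesFromScopes(FOREIGN_SCOPES, 'risk-management');
  return {
    scopeNames: xs.scopes.map((s) => s.name),
    viewerCanRead:    isAuthorized(RISKS_RESTRICT, viewer, 'READ'),
    viewerCanUpdate:  isAuthorized(RISKS_RESTRICT, viewer, 'UPDATE'),
    managerCanUpdate: isAuthorized(RISKS_RESTRICT, manager, 'UPDATE'),
    foreignCanRead:   isAuthorized(RISKS_RESTRICT, foreign, 'READ'),
  };
}

console.log(demo());
```

The foreignCanRead case is the security-relevant one: because the xsappname is part of every scope name, a token whose scopes were issued for a different xsappname carries no roles for this application, even if the role names happen to match.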
Task 4: Adjust Authorization and Trust Management Service (XSUAA) in MTA
Steps
Adjust Authorization and Trust Management Service (XSUAA) in MTA.
The next step is to adjust the configuration of the Authorization and Trust Management Service (XSUAA) in the mta.yaml file to allow user login and the authentication and authorization checks.
In your mta.yaml file, add the config element to the XSUAA resource:
    _schema-version: '3.1'
    ...
    resources:
      ...
      # ------------------------------------------------------------
      - name: risk-management-xsuaa
      # ------------------------------------------------------------
        type: org.cloudfoundry.managed-service
        parameters:
          service: xsuaa
          service-plan: application
          path: ./xs-security.json
          ### BEGIN OF INSERT
          config:
            xsappname: 'risk-management-${space}'
            role-collections:
              - name: 'RiskManager-${space}'
                description: Manage Risks
                role-template-references:
                  - $XSAPPNAME.RiskManager
              - name: 'RiskViewer-${space}'
                description: View Risks
                role-template-references:
                  - $XSAPPNAME.RiskViewer
          ### END OF INSERT
Save the file.
The configuration for XSUAA is read from the xs-security.json file that you generated in the previous task. Values in the config element of the mta.yaml resource are added on top of that file and overwrite keys of the same name.
Here, xsappname is overwritten with a value that contains the Cloud Foundry space name, ${space}. The xsappname has to be unique within an SAP BTP subaccount, and because it replaces the $XSAPPNAME placeholder, it also becomes the prefix of every scope name.
This allows multiple deployments of this application in different spaces of the same subaccount, which is useful when different members of a team want to try out the application without creating a new subaccount for each team member.
For a productive application, set xsappname explicitly to a fixed value: since it is part of every scope name, it should not vary between deployments.
Role collections can also be defined in the xs-security.json file. Since role collection names, like the xsappname, need to be unique within a subaccount, this tutorial adds them in the config element instead and uses the ${space} variable to make them unique, just as for the xsappname. Each role collection references the role templates of this application through the $XSAPPNAME prefix, so it is bound to this deployment only.
Alternatively, role collections can be created manually in the SAP BTP cockpit and assigned the role templates of the deployed application.
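Before deploying, it is worth checking that the file and the config override agree with each other. The following script is an added example, not part of the SAP tutorial or of the MTA deployer: it applies the config block from mta.yaml on top of the generated xs-security.json, substitutes ${space}, and checks that every scope reference and every role-template reference resolves. The merge rule used (config keys override top-level keys of the file) and the placeholder substitution are simplified assumptions about what the deployer does; the checks themselves are independent of that.

```javascript
// Added example (not the MTA deployer's code): merge the mta.yaml `config`
// block over xs-security.json, resolve ${space}, and validate the result.

// Constructed copy of the xs-security.json shown on this page.
const XS_SECURITY = {
  xsappname: 'risk-management',
  'tenant-mode': 'dedicated',
  scopes: [
    { name: '$XSAPPNAME.RiskViewer', description: 'RiskViewer' },
    { name: '$XSAPPNAME.RiskManager', description: 'RiskManager' },
  ],
  attributes: [],
  'role-templates': [
    { name: 'RiskViewer', description: 'generated', 'scope-references': ['$XSAPPNAME.RiskViewer'], 'attribute-references': [] },
    { name: 'RiskManager', description: 'generated', 'scope-references': ['$XSAPPNAME.RiskManager'], 'attribute-references': [] },
  ],
};

// The `config` block added to mta.yaml, as a JS object.
const MTA_CONFIG = {
  xsappname: 'risk-management-${space}',
  'role-collections': [
    { name: 'RiskManager-${space}', description: 'Manage Risks', 'role-template-references': ['$XSAPPNAME.RiskManager'] },
    { name: 'RiskViewer-${space}', description: 'View Risks', 'role-template-references': ['$XSAPPNAME.RiskViewer'] },
  ],
};

// Replace ${name} placeholders with deployment-time values (here only `space`).
// Placeholders with no value are left untouched so the validator can flag them.
function substitute(value, vars) {
  if (typeof value === 'string') {
    return value.replace(/\$\{(\w+)\}/g, (match, key) => (key in vars ? vars[key] : match));
  }
  if (Array.isArray(value)) return value.map((v) => substitute(v, vars));
  if (value && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, substitute(v, vars)]));
  }
  return value;
}

// Effective XSUAA configuration: file content with config keys overriding (assumed merge rule).
function effectiveConfig(fileJson, config, vars) {
  return substitute({ ...fileJson, ...config }, vars);
}

// Consistency checks; returns a list of problems (empty when the configuration is consistent).
function validate(cfg) {
  const problems = [];
  const expand = (ref) => ref.replace('$XSAPPNAME', cfg.xsappname);
  if (/\$\{/.test(JSON.stringify(cfg))) problems.push('unresolved ${...} placeholder');
  const scopeNames = new Set(cfg.scopes.map((s) => expand(s.name)));
  const templateNames = new Set(cfg['role-templates'].map((t) => t.name));
  for (const t of cfg['role-templates']) {
    for (const ref of t['scope-references']) {
      if (!scopeNames.has(expand(ref))) problems.push(`role-template ${t.name}: unknown scope ${ref}`);
    }
  }
  const seen = new Set();
  for (const rc of cfg['role-collections'] || []) {
    if (seen.has(rc.name)) problems.push(`duplicate role-collection ${rc.name}`);
    seen.add(rc.name);
    for (const ref of rc['role-template-references']) {
      // References have the form "$XSAPPNAME.<template>"; strip the prefix to find the template.
      const name = expand(ref).replace(`${cfg.xsappname}.`, '');
      if (!templateNames.has(name)) problems.push(`role-collection ${rc.name}: unknown role template ${ref}`);
    }
  }
  return problems;
}

function demo(space) {
  const cfg = effectiveConfig(XS_SECURITY, MTA_CONFIG, { space });
  return { cfg, problems: validate(cfg) };
}

console.log(JSON.stringify(demo('dev'), null, 2));
```

Running it with a space name yields xsappname risk-management-dev and role collections RiskManager-dev and RiskViewer-dev with no problems; leaving ${space} unresolved, or referencing a role template that the file does not define, is reported before anything is deployed.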
Result
You added XSUAA security settings to your application. Now you need to add an application router (approuter) to route your application's requests from the web browser to either the service or the UI.