From b2fa5ad609fb2efbd072bbe8245d2af33f39cf36 Mon Sep 17 00:00:00 2001 From: Manuel Fink Date: Thu, 2 Jul 2026 15:24:32 +0200 Subject: [PATCH 1/4] comment-in AMS route security lines for SB compatibility testing --- .../samples/config/SecurityConfiguration.java | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java index 6505780..19d488f 100644 --- a/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java +++ b/ams-spring-boot-shopping/src/main/java/com/sap/cloud/security/ams/samples/config/SecurityConfiguration.java @@ -11,6 +11,7 @@ import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.web.SecurityFilterChain; +import static com.sap.cloud.security.ams.samples.config.Privileges.*; import static org.springframework.http.HttpMethod.*; /** @@ -29,7 +30,7 @@ @Configuration @EnableWebSecurity @EnableMethodSecurity -@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" }) +@PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = {""}) public class SecurityConfiguration { @Bean @@ -41,17 +42,19 @@ public SecurityFilterChain filterChain(HttpSecurity http, AmsRouteSecurity via) // Authenticated endpoints without authorization checks authz.requestMatchers(GET, "/privileges").authenticated(); - // Endpoints protected with AMS method-level security + // CHOOSE ONE idiom below (route-level authorization + service-level filtering vs. full service-level authorization + + // Idiom 1 (Full service-level authorization): these endpoints are protected with AMS method-level security authz.requestMatchers(GET, "/products").authenticated(); authz.requestMatchers(GET, "/orders").authenticated(); authz.requestMatchers(POST, "/orders").authenticated(); authz.requestMatchers(DELETE, "/orders/**").authenticated(); - // Showcases alternative endpoint protection via AMS route-level security - // authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); - // authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); - // authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); - // authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); + // Idiom 2 (route-level authorization + service-level filtering) Showcases alternative endpoint protection via AMS route-level security (+ service-level filtering) + authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); + authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); + authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); + authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); // Deny all other requests authz.anyRequest().denyAll(); From 29b69f5f8dde6f9b394768e6334a1d92acb67a3f Mon Sep 17 00:00:00 2001 From: Manuel Fink Date: Mon, 6 Jul 2026 14:53:36 +0200 Subject: [PATCH 2/4] remove test scope from spring-boot-starter-ams-test --- ams-cap-bookshop/srv/pom.xml | 1 - 1 file changed, 1 deletion(-) diff --git a/ams-cap-bookshop/srv/pom.xml b/ams-cap-bookshop/srv/pom.xml index 27bc419..5367397 100644 --- a/ams-cap-bookshop/srv/pom.xml +++ b/ams-cap-bookshop/srv/pom.xml @@ -76,7 +76,6 @@ com.sap.cloud.security.ams spring-boot-starter-cap-ams-test - test From c944f580978f12eaf7c8f8dca2bf324f696c258e Mon Sep 17 00:00:00 2001 From: Manuel Fink Date: Mon, 6 Jul 2026 14:54:08 +0200 Subject: [PATCH 3/4] use AMS version 4.3.0 --- ams-cap-bookshop/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ams-cap-bookshop/pom.xml b/ams-cap-bookshop/pom.xml index eaa526c..9b63cbe 100644 --- a/ams-cap-bookshop/pom.xml +++ b/ams-cap-bookshop/pom.xml @@ -21,7 +21,7 @@ https://nodejs.org/dist/ UTF-8 - 4.2.1 + 4.3.0 1.4.0 4.0.7 From 3fd911129960f97f30ed39d8f4e7d334adc84264 Mon Sep 17 00:00:00 2001 From: Manuel Fink Date: Mon, 6 Jul 2026 15:32:19 +0200 Subject: [PATCH 4/4] use sap.ams.test.enabled: true --- ams-cap-bookshop/srv/src/test/resources/application-test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/ams-cap-bookshop/srv/src/test/resources/application-test.yml b/ams-cap-bookshop/srv/src/test/resources/application-test.yml index 9e031dc..cdbff26 100644 --- a/ams-cap-bookshop/srv/src/test/resources/application-test.yml +++ b/ams-cap-bookshop/srv/src/test/resources/application-test.yml @@ -3,6 +3,7 @@ spring: sql: init: platform: h2 +sap.ams.test.enabled: true logging.level: com.sap.cds.security.authorization: TRACE com.sap.cloud.security.ams: TRACE