-
Notifications
You must be signed in to change notification settings - Fork 1
Library version 4.4.0 #83
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -3,6 +3,7 @@ spring: | |
| sql: | ||
| init: | ||
| platform: h2 | ||
| sap.ams.test.enabled: true | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Necessary because the CAP sample now includes Since the CAP sample tests include mocked identity and xsuaa bindings on the class path, the new back-off mechanism in the test starter thinks we're in production, so we must enforce its auto-configuration with this property in the test profile. |
||
| logging.level: | ||
| com.sap.cds.security.authorization: TRACE | ||
| com.sap.cloud.security.ams: TRACE | ||
|
|
||
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -11,6 +11,7 @@ | |
| import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; | ||
| import org.springframework.security.web.SecurityFilterChain; | ||
|
|
||
| import static com.sap.cloud.security.ams.samples.config.Privileges.*; | ||
| import static org.springframework.http.HttpMethod.*; | ||
|
|
||
| /** | ||
|
|
@@ -29,7 +30,7 @@ | |
| @Configuration | ||
| @EnableWebSecurity | ||
| @EnableMethodSecurity | ||
| @PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = { "" }) | ||
| @PropertySource(factory = IdentityServicesPropertySourceFactory.class, ignoreResourceNotFound = true, value = {""}) | ||
| public class SecurityConfiguration { | ||
|
|
||
| @Bean | ||
|
|
@@ -41,17 +42,19 @@ public SecurityFilterChain filterChain(HttpSecurity http, AmsRouteSecurity via) | |
| // Authenticated endpoints without authorization checks | ||
| authz.requestMatchers(GET, "/privileges").authenticated(); | ||
|
|
||
| // Endpoints protected with AMS method-level security | ||
| // CHOOSE ONE idiom below (route-level authorization + service-level filtering vs. full service-level authorization | ||
|
|
||
| // Idiom 1 (Full service-level authorization): these endpoints are protected with AMS method-level security | ||
| authz.requestMatchers(GET, "/products").authenticated(); | ||
| authz.requestMatchers(GET, "/orders").authenticated(); | ||
| authz.requestMatchers(POST, "/orders").authenticated(); | ||
| authz.requestMatchers(DELETE, "/orders/**").authenticated(); | ||
|
|
||
| // Showcases alternative endpoint protection via AMS route-level security | ||
| // authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); | ||
| // authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); | ||
| // authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); | ||
| // authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); | ||
| // Idiom 2 (route-level authorization + service-level filtering) Showcases alternative endpoint protection via AMS route-level security (+ service-level filtering) | ||
| authz.requestMatchers(GET, "/products").access(via.checkPrivilege(READ_PRODUCTS)); | ||
|
Contributor
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. these lines are now commented-in, so we can test with the samples both SB3 and SB4 support for the route check bean. |
||
| authz.requestMatchers(GET, "/orders").access(via.precheckPrivilege(READ_ORDERS)); | ||
| authz.requestMatchers(POST, "/orders").access(via.precheckPrivilege(CREATE_ORDERS)); | ||
| authz.requestMatchers(DELETE, "/orders/**").access(via.checkPrivilege(DELETE_ORDERS)); | ||
|
|
||
| // Deny all other requests | ||
| authz.anyRequest().denyAll(); | ||
|
|
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Changed, so that the app can be started via
mvn spring-boot:runwith mock users as intended by CAP.