sap-tutorials
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/assign_role.png‎
-11.8 KB b/‎tutorials/hana-cloud-cap-add-authentication/assign_role.png‎
-11.8 KB
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/fiori_with_authentication.png‎
-24.3 KB b/‎tutorials/hana-cloud-cap-add-authentication/fiori_with_authentication.png‎
-24.3 KB
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/hana-cloud-cap-add-authentication.md‎
Lines changed: 74 additions & 73 deletions b/‎tutorials/hana-cloud-cap-add-authentication/hana-cloud-cap-add-authentication.md‎
Lines changed: 74 additions & 73 deletions
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/oauth2_config.png‎
9.2 KB b/‎tutorials/hana-cloud-cap-add-authentication/oauth2_config.png‎
9.2 KB
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/run_app_router.png‎
-18.6 KB b/‎tutorials/hana-cloud-cap-add-authentication/run_app_router.png‎
-18.6 KB
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/select_role.png‎
35.9 KB b/‎tutorials/hana-cloud-cap-add-authentication/select_role.png‎
35.9 KB
diff --git a/‎tutorials/hana-cloud-cap-add-authentication/updated_xs_security.png‎
53.8 KB b/‎tutorials/hana-cloud-cap-add-authentication/updated_xs_security.png‎
53.8 KB
diff --git a/‎tutorials/hana-cloud-cap-calc-view/entity_to_service.png‎
6.87 KB b/‎tutorials/hana-cloud-cap-calc-view/entity_to_service.png‎
6.87 KB
diff --git a/‎tutorials/hana-cloud-cap-calc-view/hana-cloud-cap-calc-view.md‎
Lines changed: 1 addition & 1 deletion b/‎tutorials/hana-cloud-cap-calc-view/hana-cloud-cap-calc-view.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tutorials/hana-cloud-cap-create-database-cds/hana-cloud-cap-create-database-cds.md‎
Lines changed: 3 additions & 3 deletions b/‎tutorials/hana-cloud-cap-create-database-cds/hana-cloud-cap-create-database-cds.md‎
Lines changed: 3 additions & 3 deletions
@@ -38,34 +38,72 @@ The UAA will provide user identity, as well as assigned roles and user attribute
 
     ![Basic xs-security.json](basic_xs_security.png)
 
-1. **We won't add application scopes in this tutorial**, but those can be added using the CDS syntax in your services.  If you do add scopes to the services you can generate a sample xs-security.json using the following command and merge that into the basics xs-security.json file generated by the Application Router wizard.
+1. To really test the impact of roles in our application, lets add some security to our services. Open the `interaction_srv.cds` from the `srv` folder. Adjust the code as follows to make `Interactions_Header` service only available to authenticated users and `Interactions_Items` only available to users with the `Admin` role and restrict the results during read operations to only those records where the language column has the value of German (DE).
+
+    ```cap cds
+    using app.interactions from '../db/interactions';
+    service CatalogService {
+
+    @requires: 'authenticated-user'
+    entity Interactions_Header
+        as projection on interactions.Interactions_Header;
+
+    @requires: 'Admin'
+    @restrict: [{ grant: 'READ', where: 'LANGU = ''DE'''}]
+    entity Interactions_Items
+        as projection on  interactions.Interactions_Items;
+
+    }
+    ```
+
+1. When you do add scopes to the services as we did in the previous step you can generate a sample `xs-security.json` using the following command and merge that into the basics `xs-security.json` file generated by the Application Router wizard.
 
     ```shell
-    cds compile srv/ --to xsuaa
+    cds compile srv/ --to xsuaa > xs-security.json
     ```
 
-1. Since we want to test the security setup from the Business Application Studio, we are going to have add some additional configuration to the xs-security.json. You need to add another property to the xs-security.json to configure which redirect URIs are allowed. Also while editing, add an `xsappname` with the value `myhanaapp` and a `tenant-mode` of `dedicated` as well
+    ![Updated xs-security.json](updated_xs_security.png)
+
+1. Since we want to test the security setup from the Business Application Studio, we are going to have add some additional configuration to the `xs-security.json`. You need to add another property to the `xs-security.json` to configure which redirect URIs are allowed by the `OAuth` configuration. Also while editing, add an `xsappname` with the value `myhanaapp` and a `tenant-mode` of `dedicated` as well. We can also add `credential-types` as a security best practice. You can read more about the [Credential Types in this blog post](https://blogs.sap.com/2022/07/05/why-developers-should-care-about-credential-types-for-xsuaa/) by [`Dinu PAVITHRAN`](https://people.sap.com/dinu.pavithran)
 
     ```json
     {
-        "xsappname": "myhanaapp",
-        "tenant-mode": "dedicated",
-        "scopes": [],
-        "attributes": [],
-        "role-templates": [],
-        "oauth2-configuration": {
-            "redirect-uris": [
-                "https://*.applicationstudio.cloud.sap/**"
-            ]
+    "xsappname": "myhanaapp",
+    "tenant-mode": "dedicated",
+    "scopes": [
+        {
+            "name": "$XSAPPNAME.Admin",
+            "description": "Admin"
+        }
+    ],
+    "attributes": [],
+    "role-templates": [
+        {
+            "name": "Admin",
+            "description": "generated",
+            "scope-references": [
+                "$XSAPPNAME.Admin"
+            ],
+            "attribute-references": []
         }
+    ],
+    "oauth2-configuration": {
+        "credential-types": [
+            "binding-secret",
+            "x509"
+        ],
+        "redirect-uris": [
+            "https://*.applicationstudio.cloud.sap/**"
+        ]
+    }
     }
     ```
 
     ![oauth2-configuration in the xs-security.json](oauth2_config.png)
 
     This wild card will allow testing from the Application Studio by telling the XSUAA it should allow authentication requests from this URL. See section [Application Security Descriptor Configuration Syntax](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/517895a9612241259d6941dbf9ad81cb.html) for more details on configuration options.
 
-1. Open a terminal and create the XSUAA services instance with the xs-security.json configuration using the following command:
+1. Open a terminal and create the XSUAA services instance with the `xs-security.json` configuration using the following command:
 
     ```shell
     cf create-service xsuaa application MyHANAApp-auth -c xs-security.json
@@ -75,57 +113,16 @@ The UAA will provide user identity, as well as assigned roles and user attribute
 
 ### Configure the application
 
-1. In the previous tutorial, the application router wizard created a `default-env.json` file in the root of the project, to configure the connection to the service instance when running locally for testing. We will now extend that same file to do the same for the XSUAA instance we just created in the previous step.
-
-1. Open the default-env.json and add an `xsuaa` section with a placeholder for the credentials which we will fill soon:
-
-    ```json
-    "VCAP_SERVICES":{
-        "xsuaa": [{
-            "name": "MyHANAApp-auth",
-            "label": "xsuaa",
-            "tags": ["xsuaa"],
-            "credentials": {
-                ...
-            }
-        }]
-    ```
-
-    ![default-env.json xsuaa placeholder](xsuaa_placeholder.png)
-
 1. From the terminal, we need to create a service key. This will give us access to the credentials for your XSUAA instance.
 
     ```shell
-    cf create-service-key MyHANAApp-auth default
-    cf service-key MyHANAApp-auth default
+    cf create-service-key MyHANAApp-auth default  
     ```
 
-    ![Create service key](create_service_key.png)
-
-1. Copy the output of the service-key command and paste it into the credentials section of the default-env.json file.
-
-    ![Paste Service Key details](paste_service_key.png)
-
-    It should look something like this:
-
-    ![Example default-env.json with Service Key Details](example_default_env.png)
-
 1. Change back to the root of your project in the terminal and issue the command `cds bind -2 MyHANAApp-auth:default`.  This is the same command that we used to bind our running CAP application to HANA DB earlier. Now we are adding a binding to the security XSUAA service as well.
 
     ![CDS Bind](cds_bind.png)
 
-1. Open the `srv/interaction_srv.cds` file. You need to add `@requires: 'authenticated-user'` to the service definition. Authentication and scopes can also be applied at the individual entity level.
-
-    ![Add Authentication to CDS Service](cds_auth.png)
-
-1. Finally we are going to need some additional Node.js modules for CAP to process the authentication. We can both add them to the package.json dependencies and install them all in one step from the terminal.
-
-    ```shell
-    npm install -save passport @sap/xssec @sap/xsenv @sap/audit-logging
-    ```
-
-    ![Add Node.js dependencies](node_dependencies.png)
-
 ### Create and grant roles for application
 
 1. Before we can test our application, we need to create a role that includes the XSUAA instance details and grant to that our user. We will do this from the SAP Business Technology Platform cockpit. In the cockpit, you set up the roles and role collections and assign the role collections to your users. This brings the necessary authorization information into the JWT token when the user logs on to your application through XSUAA and Application Router.
@@ -150,30 +147,34 @@ The UAA will provide user identity, as well as assigned roles and user attribute
 
 1. The `approuter` component implements the necessary handshake with XSUAA to let the user log in interactively. The resulting JWT token is sent to the application where it's used to enforce authorization.
 
-1. Next open the xs-app.json file in the /app folder.  Here want to make several adjustments. Change the `authenicationMethod` to `route`. This will turn on authentication. You can deactivate it later by switching back to `none`.  Also add/update the routes.  We are adding authentication to CAP service route.  We are also adding the Application Router User API route (which is nice for testing the UAA connection).  Finally add the route to the local directory to serve the UI5/Fiori web content.
+1. Next open the xs-app.json file in the /app folder.  Here want to make several adjustments. Change the `authenicationMethod` to `route`. This will turn on authentication. You can deactivate it later by switching back to `none`.  Also add/update the routes.  We are adding authentication to CAP service route.  We are also adding the Application Router User API route (`sap-approuter-userapi`), which is nice for testing the UAA connection. We will also add the custom `logoutEndpoint` of `/app-logout`.  You can add this path to your URL if you want to force logout your user; which can be helpful to pickup any changes to your role configuration during development. Finally add the route to the local directory to serve the UI5/Fiori web content.
 
     ```json
-    {
+   {
     "authenticationMethod": "route",
+    "logout": {
+        "logoutEndpoint": "/app-logout",
+        "logoutPage": "/"
+    },
     "routes": [
         {
-        "source": "^/app/(.*)$",
-        "target": "$1",
-        "localDir": ".",
-        "cacheControl": "no-cache, no-store, must-revalidate",
-        "authenticationType": "xsuaa"
+            "source": "^/app/(.*)$",
+            "target": "$1",
+            "localDir": ".",
+            "cacheControl": "no-cache, no-store, must-revalidate",
+            "authenticationType": "xsuaa"
         },
         {
-        "source": "^/user-api(.*)",
-        "target": "$1",
-        "service": "sap-approuter-userapi"
+            "source": "^/user-api(.*)",
+            "target": "$1",
+            "service": "sap-approuter-userapi"
         },
         {
-        "source": "^/(.*)$",
-        "target": "$1",
-        "destination": "srv-api",
-        "csrfProtection": true,
-        "authenticationType": "xsuaa"
+            "source": "^/(.*)$",
+            "target": "$1",
+            "destination": "srv-api",
+            "csrfProtection": true,
+            "authenticationType": "xsuaa"
         }
     ]
     }
@@ -187,19 +188,19 @@ The UAA will provide user identity, as well as assigned roles and user attribute
 
     This means your security setup is working. Accessing the CAP service directly will always produce an error now as there is no authentication token present.  We need to run via the Application Router to generate and forward the authentication token.
 
-1. Without stopping the CAP service, open a second terminal. In this terminal change to the `/app` folder and then run `npm start` to start the Application Router.
+1. Without stopping the CAP service, open a second terminal. In this terminal run `cds bind --exec -- npm start --prefix app` to start the Application Router but using the `cds bind` command to inject all the `UAA` configuration into the Application Router automatically and securely as well.
 
     ![Run Application Router](run_app_router.png)
 
 1. Open the application router in a new tab. Click on the `Interactions_Header`. Now instead of the Unauthorized error you received when testing CAP service directly, you should see the data returned normally.
 
     ![CAP Service successful](cap_successful.png)
 
-1. Finally change the ULR path to `/interaction_items/webapp/index.html`. You are now testing the Fiori free style application from the previous tutorial with data from the CAP service but all with authentication.
+1. Finally change the ULR path to `/interaction_items/webapp/index.html`. You are now testing the Fiori free style application from the previous tutorial with data from the CAP service but all with authentication. You should also only be seeing a single record thanks to the data restriction we placed on the service as well.
 
     ![Fiori with authentication](fiori_with_authentication.png)
 
-1. Add /user-api/attributes to the end of the URL and you should see your Email and other User details. This is testing that the application router is actually getting the security token from the UAA instance.
+1. Add `/user-api/attributes` to the end of the URL and you should see your Email and other User details. This is testing that the application router is actually getting the security token from the UAA instance.
 
     ![test auth details](user_attributes.png)
 
 
@@ -9,7 +9,7 @@ parser: v2
 
 # Create Calculation View and Expose via CAP (SAP HANA Cloud)
 
-<!-- description -->Learn how to combine HANA native artifacts, like calculation views, with SAP Cloud Application Programming Model (CAP).
+<!-- description -->Learn how to combine HANA native artifacts, like calculation views, with SAP Cloud Application Programming Model (CAP)
 
 ## You will learn
 
 
@@ -46,7 +46,7 @@ The SAP Cloud Application Programming model utilizes core data services to defin
 
 1. Use the following content in this new file:
 
-    ```CDS
+    ```CAP CDS
     namespace app.interactions;
 
     using { Country } from '@sap/cds/common';
@@ -89,7 +89,7 @@ The SAP Cloud Application Programming model utilizes core data services to defin
 
 1. Use the following content in this new file:
 
-    ```CDS
+    ```CAP CDS
 
     using app.interactions from '../db/interactions';
     service CatalogService {
@@ -213,7 +213,7 @@ You can now check the generated tables and views in the Database Explorer.
 1. Note the name of the table matches the generated `hdbtable` artifacts. You will also see the physical schema managed by the HDI container.
 
     > Unless a name is specified during deployment, HDI containers are automatically created with names relative to the project and user generating them. This allows developers to work on different versions of the same HDI container at the same time.
-    > !![Build database module](8.png)
+    > ![Build database module](8.png)
 
 ### Load data into your tables