
Protecting Access to Application Service Operations

Use

To protect your application service methods, you can use permissions based on the User Management Engine (UME). You use the same mechanism as in Java EE applications.

Procedure
  1. Enable permission checks for the appropriate method:
    1. In the Composite Application perspective of the SAP NetWeaver Developer Studio, open your application service.
    2. Choose the Operations tab page.
    3. Select the operation whose access you want to protect.
    4. Choose Edit.
    5. In the Permission check dropdown box, select Enable.
    6. Choose Finish.

      A new permission with permission class com.sap.caf.rt.security.srv.ServicePermission is generated. It extends the java.security.BasicPermission class and is automatically used as the permission class for the permissions you define in your CAF application.

  2. Modify the file actions.xml.
    1. In the Package Explorer view, open the following file:

      <your project name>/permissions/src/actions.xml.

      By default, the file contains an action for which full control is generated. Full control includes all permissions that are defined for service operations.

      A separate section contains the new permission generated in step 1.

    2. Each permission is named by the fully qualified service name and operation name in the following way:

      <provider>/<xapp>/<service name>/<operation name>

    3. Copy and paste the permissions from the full control section and modify them for your application-specific permissions:

      actions.xml

      <BUSINESSSERVICE>
          <DESCRIPTION LOCALE="en" VALUE="sap.com/myxapp"/>
          <ACTION NAME="Fullcontrol">
              <DESCRIPTION LOCALE="en" VALUE="Permission to execute all application service operations"/>
              <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my1stOperation" VALUE="*" />
              <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my2ndOperation" VALUE="*" />
              <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyNewAppService/anotherOperation" VALUE="*" />
          </ACTION>
          <!-- Application specific permissions can be added to the following section -->
          <!-- //@@custom code start -->

          <!-- //@@custom code end -->
      </BUSINESSSERVICE>
      
    4. Save the file.
  3. Build and deploy the application service.

    At runtime, create UME roles that contain the actions you have defined, and assign them to users.

    Alternatively, you can implement permission checks for application service operations by coding them in the operation itself. To open the source code of your application service, go to the Implementation tab page and choose the link for the EJB class.

    Note that to be able to see the updated actions.xml file with the new permissions for an operation, you have to generate the CAF application.
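
The following added example (not part of the original documentation and not SAP code) audits an actions.xml file after step 2: it lists which operations each action grants, checks the permission class and the <provider>/<xapp>/<service name>/<operation name> naming, and reports operations that only the full control action covers. The ReadOnly action and my3rdOperation are constructed for illustration; the "not among generated permissions" check assumes, as stated above, that full control includes every permission defined for service operations.

```python
import re
import xml.etree.ElementTree as ET

SERVICE_PERMISSION = "com.sap.caf.rt.security.srv.ServicePermission"
NAME_RE = re.compile(r"^[^/\s]+/[^/\s]+/[^/\s]+/[^/\s]+$")  # provider/xapp/service/operation
# Constructed sample: the page's Fullcontrol action plus a hypothetical
# application-specific action ("ReadOnly") in the custom code section.
SAMPLE_ACTIONS_XML = """<BUSINESSSERVICE>
  <DESCRIPTION LOCALE="en" VALUE="sap.com/myxapp"/>
  <ACTION NAME="Fullcontrol">
    <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my1stOperation" VALUE="*"/>
    <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my2ndOperation" VALUE="*"/>
    <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyNewAppService/anotherOperation" VALUE="*"/>
  </ACTION>
  <!-- //@@custom code start -->
  <ACTION NAME="ReadOnly">
    <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my1stOperation" VALUE="*"/>
    <PERMISSION CLASS="com.sap.caf.rt.security.srv.ServicePermission" NAME="sap.com/myxapp/MyAppService/my3rdOperation" VALUE="*"/>
  </ACTION>
  <!-- //@@custom code end -->
</BUSINESSSERVICE>"""

def audit_actions(xml_text, full_action="Fullcontrol"):
    """Return per-action grants, naming/class problems, and full-control-only operations."""
    root = ET.fromstring(xml_text)
    grants, problems = {}, []
    for action in root.iter("ACTION"):
        action_name, names = action.get("NAME"), set()
        for perm in action.findall("PERMISSION"):
            name, cls = perm.get("NAME", ""), perm.get("CLASS", "")
            if cls != SERVICE_PERMISSION:
                problems.append((action_name, name, "unexpected permission class"))
            if not NAME_RE.match(name):
                problems.append((action_name, name, "name is not provider/xapp/service/operation"))
            names.add(name)
        grants[action_name] = names
    generated = grants.get(full_action, set())
    for action_name, names in grants.items():
        # A custom permission missing from full control is likely a typo or stale entry.
        for name in sorted(names - generated):
            problems.append((action_name, name, "not among generated permissions"))
    narrow = set().union(*[n for a, n in grants.items() if a != full_action])
    # Operations no narrower action covers: users need the full control role to call them.
    only_full = sorted(generated - narrow)
    return {"grants": grants, "problems": problems, "only_full_control": only_full}

if __name__ == "__main__":
    report = audit_actions(SAMPLE_ACTIONS_XML)
    print(report["problems"], report["only_full_control"], sep="\n")
```
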