Rahul Rajagopal

XSUAA Based Authentication – Using Managed Approuter

Welcome back. It is time to discuss the authentication methodologies in CAP. As stated in CAPire, SAP CAP offers different types of authentication.

You can find more details in CAPire. This blog, however, focuses on the end-to-end implementation of XSUAA-based authentication.

You can refer to the previous blogs here.

To start with, let's create a new project. As you are familiar with model and service creation, we will not discuss it in detail. However, I will add the required source code and CLI commands whenever needed.

  1. Let’s first log on to your BTP account. Make sure that your HANA DB account is running. If you do not have a HANA Database, follow the link. Moreover, as discussed in the earlier blog, the HDI container service is also mandatory. If you do not have an instance running yet, follow the link to enable it.
  2. Open your Business Application Studio and start your development space. Open the “project” directory in your workspace.
  3. Create a new project with the name IMP_XSUAA_AUTH using the command “cds init IMP_XSUAA_AUTH“. As you are aware, this command creates a CAP project in your workspace.
  4. Create a new model file under the “db” folder with the name “Product-model.cds” and add the code below to it.
    namespace gen.xsuaa.m;
    using { cuid, managed } from '@sap/cds/common';

    // Product master data; cuid adds a generated UUID key "ID"
    entity Product : cuid {
        ProductID   : String(40);
        Productname : String(40);
        ProductType : String(10);
    }

    // Product descriptions
    entity ProductDesc : cuid {
        Description : String(100);
    }
  5. Create a new service file under the “srv” folder with the name “Product-service.cds” and add the code below to it.
    using gen.xsuaa.m as pr from '../db/Product-model';

    service ProductServide {
        // Any authenticated user may access ProductInfo
        @requires: 'authenticated-user'
        entity ProductInfo as select from pr.Product;

        // Only Admin may access ProductDesc, and only for READ
        @requires: 'Admin'
        @restrict: [{grant: 'READ'}]
        entity ProductDesc as select from pr.ProductDesc;
    }
  6. In the above sample code, you need to understand a few things.
    1. @requires: 'authenticated-user' : This enforces that only an authenticated user can access the entity “ProductInfo”.
    2. @requires: 'Admin' : This enforces that only an Admin can access the entity “ProductDesc”.
    3. @restrict: [{grant: 'READ'}] : This enforces that the Admin also has READ ONLY access to the entity “ProductDesc”.
    4. If you do not want to enforce additional role-based authentication, you can ignore items 2 and 3 above.
  7. If you need the service in OData V2, create another file, “server.js”, under the “srv” folder to convert your OData V4 service to OData V2 and add the code below to it. The file name must be “server.js”.
    const cds = require("@sap/cds");
    const cov2ap = require("@sap/cds-odata-v2-adapter-proxy");
    // Register the OData V2 adapter proxy when the CAP server bootstraps
    cds.on("bootstrap", (app) => app.use(cov2ap()));
    module.exports = cds.server;
  8. We are now done with the basic file setup. Let’s prepare the application by installing the necessary packages. Execute the commands below.
    1. cds add hana
    2. npm install @sap/hana-client
    3. npm install hdb
    4. npm add passport
    5. npm add @sap/xssec
    6. npm install @sap/cds-odata-v2-adapter-proxy
  9. Let’s prepare the component as well using “cds deploy --to hana”. Make sure your HANA instance is running. Otherwise, you will get an error when executing the above command.
  10. The next important thing is to add an Approuter. Depending on the scenario, we can have a “Standalone Approuter” or a “Managed Approuter”. In our case, we are using the “Managed Approuter”.
  11. Execute the command “cds add mta” to generate the mta.yaml file.
  12. Once the mta.yaml file is generated, right-click it, choose the option “Create MTA module from Template” and choose “Approuter Configuration” from the options.
  13. Select “Managed Approuter” from the dropdown. Then provide a meaningful name (IMP_XSUAA_MAN_AR1) for your Approuter, select “yes” for the option “Do you plan to add a UI?” and press “Next”. Your Approuter is now added.
  14. Let’s now create a UI5 application.
  15. Right-click, choose the option “Create MTA module from Template”, choose “SAP Fiori Application” from the options and click Next.
  16. Choose “List Report Page” from the next view and click Next.
    1. Select the data source : Use a Local CAP Project
    2. Choose your CAP Project : select from drop down(IMP_XSUAA_MANAGED_1)
    3. OData service : Select the service from the dropdown(ProductServide (Node.js))
    4. Click Next
    5. Choose Main Entity : select from dropdown, ProductInfo
    6. Select “yes” for option Automatically add table columns to the list page and a section to the object page if none already exists? and click Next
    7. Input Module Name : imp_xsuaa_m_f01
    8. Application title : Managed Approuter : Example
    9. Application Namespace : myapp(Not Mandatory)
    10. Add deployment configuration to MTA project : Yes
    11. Add FLP configuration : Yes
    12. Configure advanced options : No
    13. Please choose the target : Select “Cloud Foundry” from the dropdown
    14. Destination Name : Local CAP Project API (Instance Based Destination)
    15. Semantic Object : ManageApprouter
    16. Action : display
    17. Title : Managed Approuter : Example
  17. Click on Finish button.
  18. Open “package.json” and add "auth": "xsuaa" under the “cds” section as shown below.
        "cds": {
            "requires": {
                "db": "hana",
                "auth": "xsuaa"
            }
        }
  19. Execute the commands
    1. cds add xsuaa --for production
    2. npm i
  20. Now, build the project
  21. Once the mta archive is ready, deploy the same.
  22. After deployment, you will get “401 Unauthorized” if you click on the service, which is an expected behaviour.
  23. Open the “HTML Applications” section and find your application there.
  24. Click on the URL and your application will open. Try to insert data manually into the database table using “HANA Database Explorer”.


You are now able to implement and use XSUAA based authentication in your CAP application using Managed Approuter.
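
The access rules from step 6 and the “401 Unauthorized” from step 22 can be traced with a small model. This is an added example, not code from the original post and not CAP or @sap/xssec code; the xsappname value, the sample tokens and the function names are constructed for illustration, and the `<xsappname>.<role>` scope naming is the XSUAA convention assumed here.

```javascript
// Added example: a simplified model of the access rules declared in
// Product-service.cds. It is not CAP or @sap/xssec code.
const RULES = {
  ProductInfo: { requires: "authenticated-user", grants: null }, // all events
  ProductDesc: { requires: "Admin", grants: ["READ"] },          // @restrict
};

// Decode a JWT payload for troubleshooting only. Nothing is verified here;
// in the deployed app the token is validated by @sap/xssec.
function decodePayload(jwt) {
  const payload = jwt.split(".")[1];
  return JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
}

// Assumed XSUAA convention: application scopes are "<xsappname>.<role>".
function rolesFrom(payload, xsappname) {
  const prefix = xsappname + ".";
  return (payload.scope || [])
    .filter((s) => s.startsWith(prefix))
    .map((s) => s.slice(prefix.length));
}

// Returns "401", "403" or "allowed" for an event on an entity.
function decide(entity, event, jwt, xsappname) {
  const rule = RULES[entity];
  if (!rule) throw new Error("unknown entity: " + entity);
  if (!jwt) return "401"; // step 22: calling the service without a token
  let roles;
  try { roles = rolesFrom(decodePayload(jwt), xsappname); } catch { return "401"; }
  const needsRole = rule.requires !== "authenticated-user";
  if (needsRole && !roles.includes(rule.requires)) return "403";
  if (rule.grants && !rule.grants.includes(event)) return "403";
  return "allowed";
}

// Constructed, unsigned sample tokens; APP is a hypothetical xsappname.
const APP = "imp-xsuaa-auth!t0000";
const makeJwt = (scope) =>
  ["e30", Buffer.from(JSON.stringify({ scope })).toString("base64url"), "x"].join(".");
const viewer = makeJwt(["openid"]);
const admin = makeJwt(["openid", APP + ".Admin"]);
const otherApp = makeJwt(["openid", "other-app!t0000.Admin"]);

for (const [who, jwt] of [["anonymous", null], ["viewer", viewer], ["admin", admin]]) {
  for (const [entity, event] of [["ProductInfo", "READ"], ["ProductDesc", "READ"], ["ProductDesc", "CREATE"]]) {
    console.log(who, event, entity, "->", decide(entity, event, jwt, APP));
  }
}
```

A user who gets “403” on ProductDesc is authenticated but the token carries no Admin scope for this application, which is the case to check before suspecting the Approuter.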

      Rupak Bhattacharjee

      Hi Rahul,


      Can you check to see if the application is loading from SAP Build WZ?

      Also, how shall you enable multi-tenancy for this application?

      Rahul Rajagopal
      Blog Post Author

      Hi Rupak,


      Application will definitely load from Build WZ. I never faced any issue till now.

      For multi tenancy, wait for my next blog soon.



      Rahul R