diff --git a/guides/security/authentication.md b/guides/security/authentication.md index 93c636413..3417ffef7 100644 --- a/guides/security/authentication.md +++ b/guides/security/authentication.md @@ -114,10 +114,6 @@ As the mock user authentication is active, all (CAP) endpoints are [authenticate
-::: tip -To simplify the development scenario, you can set cds.security.authentication.mode = "model-relaxed" to deactivate authentication of endpoints derived from unrestricted CDS services. -::: - If you stay with the standard authentication mode, sending the OData request results in a `401` error response from the server, indicating that the anonymous user has been rejected due to missing authentication. ```sh @@ -280,7 +276,7 @@ MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='vi
-``` +```sh [basic] - authenticated: { user: 'viewer-user', tenant: 'CrazyCars', features: [ 'cruise', 'park' ] } ``` @@ -755,7 +751,7 @@ IAS offers a cross-consumption mode that allows IAS users to consume legacy XSUA ::: tip In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box. -::: +::: You can best configure and test XSUAA authentication in the Cloud, so let's enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF). diff --git a/java/security.md b/java/security.md index 37004007f..71f308cd1 100644 --- a/java/security.md +++ b/java/security.md 
@@ -91,11 +91,11 @@ The property `cds.security.authentication.mode` controls the strategy used for a | :---------------------------------------------------- | :----------------------------------------------------- | | `never` | No endpoint requires authentication. All protocol-adapter endpoints are considered public. | `model-relaxed` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is considered public. -| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public (Default). +| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public. | `always` | All endpoints require authentication. -By default the authentication mode is set to `model-strict` to comply with secure-by-default. -In that case you can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again. +When the auth mode is explicitly configured, it takes precedence. When it is not configured, the mode is derived automatically i.e. `model-relaxed` if mock users are enabled (local development), `model-strict` otherwise (production). +But, one can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again. You can only make an endpoint public if the full endpoint path is also considered public. For example you can only make an entity public, if the service that contains it is also considered public.
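Review bot: In the `java/security.md` hunk, the new paragraph "When the auth mode is explicitly configured, it takes precedence. When it is not configured, the mode is derived automatically i.e. `model-relaxed` if mock users are enabled (local development), `model-strict` otherwise (production)." states the security-relevant rule but leaves "mock users are enabled" undefined; since that condition is what decides whether unannotated endpoints become public, the text should name the configuration that counts as enabling mock users and state plainly that enabling them in a non-development profile also relaxes authentication for every unrestricted service. The follow-on sentence "But, one can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again." has lost its referent: the deleted line said "In that case", which pointed at `model-strict`; suggest "In `model-strict` mode you can still use the annotation `@requires: 'any'` at service level to make the service and its entities public." Minor style: "auth mode" should read "authentication mode" to match the property `cds.security.authentication.mode`, and "i.e." should be followed by a comma or replaced with "that is:".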
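Review bot: In the first `guides/security/authentication.md` hunk, removing the tip is consistent with the new derivation rule, but the surrounding text now contradicts it: the hunk header context says "As the mock user authentication is active, all (CAP) endpoints are [authenticate..." and the retained sentence "If you stay with the standard authentication mode, sending the OData request results in a `401` error response" still assumes `model-strict`, whereas the `security.md` change makes mock users imply `model-relaxed`, under which an unrestricted service is public and the anonymous request would not be rejected. Either the guide's sample service carries a `@requires`/`@restrict` annotation (then say so here), or this paragraph needs rewording to state which mode is in effect with mock users enabled and why the `401` still occurs; "standard authentication mode" also no longer has a definition nearby once the tip is gone.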
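Review bot: In the second `guides/security/authentication.md` hunk, the fence is changed to ```` ```sh [basic] ````, but the block's content is log output (`authenticated: { user: 'viewer-user', tenant: 'CrazyCars', ... }` following the `MockedUserInfoProvider: Resolved MockedUserInfo` line), not a shell command; if `[basic]` is meant as a code-group tab label, a language tag such as `log` or `txt` would describe the content more accurately than `sh`, and the sibling tab in the same group should use the same tag for consistency.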