From b1fcb9ecbd9dff63fbc4c6d8d42b08d76fb8ef9c Mon Sep 17 00:00:00 2001
From: samyuktaprabhu <33195453+samyuktaprabhu@users.noreply.github.com>
Date: Thu, 26 Mar 2026 14:00:03 +0100
Subject: [PATCH 1/3] Remove outdated tip on authentication mode from
documentation and clarify default behavior of authentication settings
---
guides/security/authentication.md | 4 ----
java/security.md | 6 +++---
2 files changed, 3 insertions(+), 7 deletions(-)
diff --git a/guides/security/authentication.md b/guides/security/authentication.md
index 93c636413f..3a084470d9 100644
--- a/guides/security/authentication.md
+++ b/guides/security/authentication.md
@@ -114,10 +114,6 @@ As the mock user authentication is active, all (CAP) endpoints are [authenticate
-::: tip
-To simplify the development scenario, you can set
cds.security.authentication.mode = "model-relaxed" to deactivate authentication of endpoints derived from unrestricted CDS services.
-:::
-
If you stay with the standard authentication mode, sending the OData request results in a `401` error response from the server, indicating that the anonymous user has been rejected due to missing authentication.
```sh
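Review bot: With the tip removed, the context sentence "If you stay with the standard authentication mode, ..." no longer has an alternative to contrast with, and it may now conflict with the java/security.md change in this same patch. The hunk header states that mock user authentication is active, and the new java/security.md text says the mode is derived as `model-relaxed` when mock users are enabled, in which case an unrestricted service would be public instead of answering `401`. Suggest rewording that sentence to name the mode (or runtime) that produces the `401`, or linking to the mode table.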
diff --git a/java/security.md b/java/security.md
index 37004007f8..71f308cd16 100644
--- a/java/security.md
+++ b/java/security.md
@@ -91,11 +91,11 @@ The property `cds.security.authentication.mode` controls the strategy used for a
| :---------------------------------------------------- | :----------------------------------------------------- |
| `never` | No endpoint requires authentication. All protocol-adapter endpoints are considered public.
| `model-relaxed` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is considered public.
-| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public (Default).
+| `model-strict` | Authentication is derived from the authorization annotations `@requires` and `@restrict`. If no such annotation is available, the endpoint is authenticated. An explicit `@requires: 'any'` makes the endpoint public.
| `always` | All endpoints require authentication.
-By default the authentication mode is set to `model-strict` to comply with secure-by-default.
-In that case you can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again.
+When the auth mode is explicitly configured, it takes precedence. When it is not configured, the mode is derived automatically i.e. `model-relaxed` if mock users are enabled (local development), `model-strict` otherwise (production).
+But, one can use the annotation `@requires: 'any'` on service-level to make the service and its entities public again.
You can only make an endpoint public if the full endpoint path is also considered public.
For example you can only make an entity public, if the service that contains it is also considered public.
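Review bot: The rewritten sentence "But, one can use the annotation `@requires: 'any'` ..." has lost its antecedent: the old "In that case" pointed at `model-strict`, while the new preceding sentence covers both derived modes, and in `model-relaxed` an unannotated service is already public according to the table. Suggest "In `model-strict` mode, you can use the annotation ...". The added line before it makes the default depend on whether mock users are enabled, so the paragraph should say explicitly that with mock users enabled and no mode configured, endpoints without `@requires` or `@restrict` are public; the removed secure-by-default statement has no replacement. Minor: "auth mode" should be "authentication mode" as in the table header text, and "automatically i.e." needs punctuation before the two cases.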
From f61981c7870756ddccb3b1cbd82d703fbea2d1b0 Mon Sep 17 00:00:00 2001
From: Mahati Shankar <93712176+smahati@users.noreply.github.com>
Date: Thu, 26 Mar 2026 14:55:21 +0100
Subject: [PATCH 2/3] fix linting error
---
guides/security/authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/security/authentication.md b/guides/security/authentication.md
index 3a084470d9..243236cdb2 100644
--- a/guides/security/authentication.md
+++ b/guides/security/authentication.md
@@ -276,7 +276,7 @@ MockedUserInfoProvider: Resolved MockedUserInfo [id='mock/viewer-user', name='vi
-```
+```sh
[basic] - authenticated: { user: 'viewer-user', tenant: 'CrazyCars', features: [ 'cruise', 'park' ] }
```
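Review bot: The fence retagged as `sh` contains server log output (`[basic] - authenticated: { user: 'viewer-user', ... }`), not shell commands, so shell highlighting mislabels it. If the linter only requires a language on the fence, a neutral tag such as `log` or `txt` fits the content better, provided the site's highlighter supports it.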
From 6a8a084641bbe4bc287af162af24d04a7946bbab Mon Sep 17 00:00:00 2001
From: Mahati Shankar <93712176+smahati@users.noreply.github.com>
Date: Thu, 26 Mar 2026 15:08:04 +0100
Subject: [PATCH 3/3] fix linting error
---
guides/security/authentication.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/guides/security/authentication.md b/guides/security/authentication.md
index 243236cdb2..3417ffef72 100644
--- a/guides/security/authentication.md
+++ b/guides/security/authentication.md
@@ -751,7 +751,7 @@ IAS offers a cross-consumption mode that allows IAS users to consume legacy XSUA
::: tip
In contrast to [IAS](#ias-auth), XSUAA does not allow cross-landscape user propagation out of the box.
-:::
+:::
You can best configure and test XSUAA authentication in the Cloud, so let's enhance the sample with a deployment descriptor for SAP BTP, Cloud Foundry Runtime (CF).
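Review bot: The removed and added `:::` lines are identical as shown, so this looks like a whitespace-only fix on the closing marker, but the subject "fix linting error" is the same as in patch 2/3 and names neither the rule nor the change. Suggest naming the lint rule in the subject, or squashing patches 2 and 3 into one commit.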