This Spring Boot application sample uses the spring-security client library to validate JWT tokens issued by the XSUAA service or by the Identity service. The XSUAA service issues an access token, whereas the Identity service issues an OIDC token; the two differ in the information provided via their token claims. In both cases the validated token is available as a `Token` via the `SecurityContextHolder`.
This sample also demonstrates the usage of `CorrelationIdFilter`, which adds a `correlation_id` to the MDC context that is then used to enhance subsequent outgoing requests with an `X-CorrelationID` header. More information about the logging filter library used can be found here.
This sample uses the spring-security library, which is based on Spring's Security project and runs on SAP Cloud Business Technology Platform. It integrates with the Spring Security OAuth 2.0 Resource Server. The security configuration needs to configure `jwt` for authentication.
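As an added illustration (not the sample's own code), this is how a controller can read the validated `Token` from the `SecurityContextHolder`, branch on which service issued it, and delegate to a method guarded by Spring Global Method Security. The class names, the literal claim names `scope` and `groups` and the `Read` authority are assumptions, and the library's JWT decoder, its authority converter and `@EnableGlobalMethodSecurity(prePostEnabled = true)` are assumed to be configured as in the sample's security configuration.

```java
import java.util.List;
import java.util.Map;

import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.Token;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.stereotype.Component;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

// Hypothetical method-secured bean: with Spring Global Method Security enabled,
// the "Read" authority is checked before the body runs, so a token without the
// read permission is rejected with 403 before any data is touched.
@Component
class DataService {
    @PreAuthorize("hasAuthority('Read')")
    public String readSensitiveData() {
        return "You got the sensitive data for your tenant";
    }
}

@RestController
class TokenInfoController {
    private final DataService dataService;
    TokenInfoController(DataService dataService) { this.dataService = dataService; }

    // /sayHello: read the validated token from the security context and report
    // where its permissions live, which differs between XSUAA and IAS tokens.
    @GetMapping("/sayHello")
    public Map<String, Object> sayHello() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        Token token = (Token) auth.getPrincipal(); // principal type set by the library
        // XSUAA access tokens carry scopes in "scope"; IAS OIDC tokens carry
        // group assignments in "groups" (literal claim names assumed here).
        String permissionClaim = token.getService() == Service.XSUAA ? "scope" : "groups";
        List<String> permissions = token.hasClaim(permissionClaim)
                ? token.getClaimAsStringList(permissionClaim) : List.of();
        return Map.of(
                "issuedBy", token.getService().name(),
                "user", token.getPrincipal() == null ? "" : token.getPrincipal().getName(),
                "permissionClaim", permissionClaim,
                "permissions", permissions,
                "grantedAuthorities", auth.getAuthorities().toString());
    }

    // /method: delegate to the method-secured bean; authorization happens there.
    @GetMapping("/method")
    public String callMethod() { return dataService.readSensitiveData(); }
}
```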
Follow the deployment steps for Kyma/Kubernetes or Cloud Foundry.
- Build docker image and push to repository
- Configure the deployment.yml
- Deploy the application
- Admin: Assign Role Collection to your XSUAA user
- Admin: Assign Group to your IAS user
- Access the application
```sh
mvn spring-boot:build-image -Dspring-boot.build-image.imageName=<repositoryName>/<imageName>
docker push <repositoryName>/<imageName>
```
This makes use of the Dockerfile.
In deployment.yml replace the image repository placeholder <YOUR IMAGE REPOSITORY> with the one created in the previous step.
Deploy the application using the kubectl CLI:
```sh
kubectl apply -f ./k8s/deployment.yml -n <YOUR NAMESPACE>
```
Finally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection XSUAA-Viewer to your user as depicted in the screenshot below and as documented here.
Further up-to-date information is available on sap.help.com.
You need administrator permissions to create the group "Read" in IAS and assign it to your user.
See also SAP Help: "Creating a User Group".
Follow HowToFetchToken guide to fetch IAS and XSUAA tokens.
- Get an IAS OIDC token via the password grant token flow. You can get the information to fill the placeholders from the service binding secret:
  ```sh
  kubectl get secret "ias-service-binding" -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}' -n <YOUR NAMESPACE>
  ```
- Get an XSUAA access token via the client-certificate token flow. You can get the information to fill the placeholders from the service binding secret:
  ```sh
  kubectl get secret "xsuaa-service-binding" -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}' -n <YOUR NAMESPACE>
  ```
In the Kyma Console, go to `<YOUR_NAMESPACE>` > Discovery and Network > API Rules. Copy the host entry of the `spring-security-hybrid-api` API rule.
Call the following endpoints with the `Authorization` header set to `"Bearer <your IAS/XSUAA token>"`:
- `<HOST of spring-security-hybrid-api>/sayHello` - GET request that provides token details, but only if the token provides the expected read permission (scope/groups).
- `<HOST of spring-security-hybrid-api>/method` - GET request that executes a method secured with Spring Global Method Security; the user requires the read permission (scope/groups).
💡 If you call the same endpoint without the `Authorization` header you should get a `401`.
Finally, delete your application and your service instances using the following command:
```sh
kubectl delete -f ./k8s/deployment.yml -n <YOUR NAMESPACE>
```
To deploy the application, the following steps are required:
- Create a XSUAA service instance
- Create an Identity service instance
- Configure manifest.yml
- Compile and deploy the application
- Admin: Assign Role Collection to your XSUAA user
- Admin: Assign Group to your IAS user
- Access the application
Use the xs-security.json to define the X.509 authentication method with an XSUAA-managed certificate and create a service instance:
```sh
cf create-service xsuaa application xsuaa-authn -c xs-security.json
```
Use the ias service broker and create an identity service instance:
```sh
cf create-service identity application ias-authn
```
The vars.yml file contains hosts and paths that you might need to adapt.
Deploy the application using cf push. It will expect 1 GB of free memory quota.
```sh
mvn clean package
cf push --vars-file ../vars.yml
```
Note: In case of the error message
```
An operation for service instance ias-authn is in progress.
```
wait a moment, as the identity service instance gets created asynchronously.
Finally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection(s) such as XSUAA-Viewer to your user as depicted in the screenshot below and as documented here.
Further up-to-date information is available on sap.help.com.
You need administrator permissions to create the group "Read" in IAS and assign it to your user.
Follow HowToFetchToken guide to fetch IAS and XSUAA tokens.
- Get an IAS OIDC token via the password grant token flow. You can get the information to fill the placeholders from your system environment: `cf env spring-security-hybrid-usage` -> `VCAP_SERVICES.identity`
- Get an XSUAA access token via the client-certificate token flow. You can get the information to fill the placeholders from your system environment: `cf env spring-security-hybrid-usage` -> `VCAP_SERVICES.xsuaa`
Call the following endpoints with the `Authorization` header set to `"Bearer <your IAS/XSUAA token>"`:
- `https://spring-security-hybrid-usage-<ID>.<LANDSCAPE_APPS_DOMAIN>/sayHello` - GET request that provides token details, but only if the token provides the expected read permission (scope/groups).
- `https://spring-security-hybrid-usage-<ID>.<LANDSCAPE_APPS_DOMAIN>/method` - GET request that executes a method secured with Spring Global Method Security; the user requires the read permission (scope/groups).
💡 If you call the same endpoint without the `Authorization` header you should get a `401`.
Have a look into the logs with:
```sh
cf logs spring-security-hybrid-usage --recent
```
Finally, delete your application and your service instances using the following commands:
```sh
cf delete -f spring-security-hybrid-usage
cf delete-service -f xsuaa-authn
cf delete-service -f ias-authn
```
