This Sample is deprecated and will be removed with the next major release 4.x See Migration guide and use spring-security-hybrid-usage sample instead.
This sample is a Spring Boot application that utilizes the spring-xsuaa client library uses the SAP application router as OAuth client and forwards as reverse proxy the requests to a Java Spring back-end application.
In a typical UI5 application, the application router serves HTML files and REST data would be provided by a back-end application. To focus on the security part, UI5 has been omitted.
Furthermore, it demonstrates how to leverage the token flows provided by the Token Client library to request exchange access tokens.
To deploy the application, the following steps are required:
- Configure the Application Router
- Compile the Java application
- Create an XSUAA service instance
- Configure manifest.yml
- Deploy the application
- Assign Role Collection to your user
- Access the application
The Application Router is used to provide a single entry point to a business application that consists of several different apps (microservices). It dispatches requests to backend microservices and acts as a reverse proxy. The rules that determine which request should be forwarded to which destinations are called routes. The application router can be configured to authenticate the users and propagate the user information. Finally, the application router can serve static content.
Run maven to package the application
mvn clean package❗ XSUAA supports X.509 authentication method.
- Use the xs-security.json to define the X.509 authentication method with Xsuaa managed certificate and create a service instance
- Use the xs-security-deprecated.json to define the authentication method with binding secret method and settings and create a service instance
cf create-service xsuaa application xsuaa-authentication -c xs-security.jsonThe vars contains hosts and paths that you might need to adopt.
Deploy the application using cf push. It will expect 1 GB of free memory quota.
cf push --vars-file ../vars.ymlFinally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection(s) such as Viewer or Administrator to your user as depicted in the screenshot below and as documented here.
Further up-to-date information you can get on sap.help.com:
After deployment, the AppRouter will trigger authentication automatically when you access one of the following URLs:
https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/sayHello- GET request that provides XSUAA user token details, but only if token matches.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/method- GET request executes a method secured with Spring Global Method Security.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/getAdminData- GET request to read sensitive data via Global Method Security. You will get a403(UNAUTHORIZED), in case you do not haveAdminscope.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v2/sayHello- GET request that logs generic Jwt info, but only if token matches.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v3/requestClientCredentialsToken- GET request that requests the client credentials Jwt token and writes it into the log.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v3/requestUserToken- GET request that exchanges a Jwt token for a potential different client.
Have a look into the logs with:
cf logs spring-security-xsuaa-usage --recent
cf logs approuter-spring-security-xsuaa-usage --recent
Note: https://spring-security-xsuaa-usage-web-.<LANDSCAPE_APPS_DOMAIN> points to the url of the AppRouter. Get all app routes with
cf apps.
Finally, delete your application and your service instances using the following commands:
cf delete -f spring-security-xsuaa-usage
cf delete -f approuter-spring-security-xsuaa-usage
cf delete-service -f xsuaa-authentication