How to replace java-container-security to get rid of deprecated spring-security-oauth2

[santoshkashyap]

Hi,

I have a question on maven dependencies for xsuaa. In our Spring boot project, we have the following dependency:
`
com.sap.cloud.security.xsuaa
java-container-security
3.14.0

and

import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;

@EnableWebSecurity
@EnableResourceServer // deprecated
public class WebSecurityConfig extends ResourceServerConfigurerAdapter { // ResourceServerConfigurerAdapter is also deprecated
// rest of the code
`

With this we also get spring-security-oauth2:2.5.0.RELEASE dependency as a transitive. Since, this is deprecated, is it now recommended to use the maven artifact - xsuaa-spring-boot-starter instead of java-container-security as above ?
From the nice set of usage samples provided, I think sample fits our Spring boot app (MVC)
Thank you

Regards,
Santosh

[nenaraab]

Hi @santoshkashyap

yes, in case you like to get rid of the deprecated sping-security-oauth2 lib and you have implemented a spring-boot application, this might fit best.

Please have also a look at this migration guide:
https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/Migration_JavaContainerSecurityProjects.md

Best regards,
Nena

[santoshkashyap]

Hi @nenaraab , Thank you for quick response. The link to migration guide is exactly what I was looking for 👍 However, I have a follow-up question

• We currently use sap_java_buildpack in SCP (cloud foundry). For sap_java_buildpack, the note in the migration guide above links to a different migration guide for sap_build_pack - https://github.com/SAP/cloud-security-xsuaa-integration#token-validation-for-java-web-applications-using-sap-java-buildpack and the sample https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/sap-java-buildpack-api-usage. But, this is a Java servlet app.

• For Spring boot application, can we still use the latest xsuaa-spring-boot-starter to check for scopes in SCP CF(application-to-application authorization) ?
  Basically our scenario is the following:

1. Consumers create a service binding for our spring boot service in SCP CF which gives them credentials(clientID, url and clientSecret). Using the credentials and also the service url provided( via service binding VCAP) they can invoke the service APIs passing the auth token obtained from client id/secret via the token endpoint
2. Our application now needs to validate the incoming request by checking for scopes and allow or block access accordingly. Currently, we use the com.sap.xs2.security:java-container-security for this purpose and are now considering to migrate to the new xsuaa-spring-boot-starter to avoid spring oauth deprecation issue. Is this recommended ?

Regards,
Santosh

[nenaraab]

Hi @santoshkashyap

The readme here provides an overview about all Java open-source client libraries, that are provided here:
https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/README.md

These migration guides supports you to migrate from

Recommended replacement for Spring 5 based and Spring Boot applications is spring-xsuaa.
Please check the Migration Guide.

Recommended replacement for J2EE applications is SAP Java Buildpack (>= version 1.26.1).
Please check the Migration Guide.

Recommended replacement for Java native applications is java-security.
If you like to have a smooth migration experience, and like to stick to the Spring Security OAuth (deprecated) you can follow this Migration Guide.

Best regards,
Nena