Description

This sample is a Spring Boot application that uses the spring-security client library to validate JWT tokens issued by either the xsuaa service or the identity service. The xsuaa service issues an access token, while the identity service issues an OIDC token; the two differ in the claims they carry. In both cases the validated token is accessible as a Token via Spring's org.springframework.security.core.context.SecurityContextHolder.
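The following controller is an added example, not the sample's own code, showing how a handler can read the validated Token from the SecurityContextHolder and report service-specific claims. It assumes the Token interface, the Service enum and the "scope"/"groups" claim names of the SAP cloud-security library, and that, as stated above, the authenticated principal in the hybrid setup is a Token; the class and endpoint names are illustrative.

```java
// Added example (not the sample's TestController): read the validated Token from the
// security context and report the claims that differ between XSUAA and IAS tokens.
// Assumptions: com.sap.cloud.security.token.Token, com.sap.cloud.security.config.Service,
// and the claim names "scope" (XSUAA access token) and "groups" (IAS OIDC token).
package sample.hybrid;

import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.token.Token;

@RestController
public class HybridTokenController {

    private static final String SCOPE_CLAIM = "scope";   // present in XSUAA access tokens
    private static final String GROUPS_CLAIM = "groups"; // present in IAS OIDC tokens

    /** Returns the Token the library placed into the security context after validation. */
    static Token currentToken() {
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth == null || !(auth.getPrincipal() instanceof Token)) {
            // Reached only if the endpoint is (mis)configured as unauthenticated
            throw new IllegalStateException("no validated Token in security context");
        }
        return (Token) auth.getPrincipal();
    }

    /** Builds the details map; which authorization claim exists depends on the issuer. */
    static Map<String, Object> describe(Token token) {
        Map<String, Object> details = new LinkedHashMap<>();
        details.put("service", token.getService().name());
        details.put("issuer", token.getIssuer());
        details.put("client id", token.getClientId());
        details.put("expires", token.getExpiration());
        if (token.getService() == Service.XSUAA) {
            // XSUAA access tokens carry authorizations as scopes, e.g. "<xsappname>.Read"
            List<String> scopes = token.getClaimAsStringList(SCOPE_CLAIM);
            details.put("scopes", scopes);
        } else {
            // IAS OIDC tokens carry group memberships instead of scopes
            details.put("groups", token.getClaimAsStringList(GROUPS_CLAIM));
        }
        return details;
    }

    @GetMapping("/sayHello")
    @PreAuthorize("hasAuthority('Read')")
    public Map<String, Object> sayHello() {
        return describe(currentToken());
    }

    @GetMapping("/method")
    @PreAuthorize("hasAuthority('Read')")
    public String method() {
        Token token = currentToken();
        return "Read permission granted for " + token.getService()
                + " principal " + token.getPrincipal();
    }
}
```

The hasAuthority('Read') checks rely on the application's security configuration (not reproduced here) mapping the XSUAA scope and the IAS group to a common Read authority, which is what the "read permission (scope/groups)" wording in the endpoint descriptions refers to; without that mapping the two token types would need separate expressions.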

Additionally, this sample showcases the use of the CorrelationIdFilter, which appends a correlation_id to the MDC context. This is then used to augment subsequent/outgoing requests with an X-CorrelationID header. For more information about the logging filter library employed, please visit this link.
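As an added illustration of the propagation described above (this is not the logging library's CorrelationIdFilter, which is not shown), the interceptor below copies the correlation_id that the filter placed into the MDC onto outgoing RestTemplate calls as an X-CorrelationID header. Only the MDC key and header name come from the text; the class name and the fallback behaviour for calls made outside a request are assumptions.

```java
// Added example (not part of the sample or the logging library): forward the MDC
// correlation id to outgoing HTTP calls so downstream logs can be joined to ours.
// Assumptions: MDC key "correlation_id" and header "X-CorrelationID" as named in the README.
package sample.hybrid;

import java.io.IOException;
import java.util.UUID;

import org.slf4j.MDC;
import org.springframework.http.HttpRequest;
import org.springframework.http.client.ClientHttpRequestExecution;
import org.springframework.http.client.ClientHttpRequestInterceptor;
import org.springframework.http.client.ClientHttpResponse;
import org.springframework.web.client.RestTemplate;

public class CorrelationIdPropagation implements ClientHttpRequestInterceptor {

    static final String MDC_KEY = "correlation_id";
    static final String HEADER = "X-CorrelationID";

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body,
                                        ClientHttpRequestExecution execution) throws IOException {
        String id = MDC.get(MDC_KEY);
        if (id == null || id.isBlank()) {
            // No inbound request context (e.g. a scheduled job): mint an id and bind it
            // to the MDC so our own log lines and the outgoing call share it.
            id = UUID.randomUUID().toString();
            MDC.put(MDC_KEY, id);
        }
        // set() replaces any existing value, so exactly one id leaves the process
        request.getHeaders().set(HEADER, id);
        return execution.execute(request, body);
    }

    /** Builds a RestTemplate whose outgoing calls carry the current correlation id. */
    public static RestTemplate correlatedRestTemplate() {
        RestTemplate template = new RestTemplate();
        template.getInterceptors().add(new CorrelationIdPropagation());
        return template;
    }
}
```

Because the MDC is thread-local, the id is only visible on the thread that handled the inbound request; work handed to other threads (async executors, reactive pipelines) needs the MDC copied across, otherwise the fallback branch will mint an unrelated id.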

Follow the deployment steps for Kyma/Kubernetes or Cloud Foundry.

Deployment on Kyma/Kubernetes

  • Build docker image and push to repository
  • Configure the deployment.yml
  • Deploy the application
  • Admin: Assign Role Collection to your XSUAA user
  • Admin: Assign Group to your IAS user
  • Access the application

Build docker image and push to repository

mvn spring-boot:build-image -Dspring-boot.build-image.imageName=<repositoryName>/<imageName>
docker push <repositoryName>/<imageName>

This makes use of Dockerfile.

Configure the deployment.yml

In deployment.yml replace the image repository placeholder <YOUR IMAGE REPOSITORY> with the one created in the previous step.

If you want to test the app with multiple Xsuaa bindings (application and broker plan) uncomment the following lines:

Deploy the application

Deploy the application using kubectl cli

kubectl apply -f ./k8s/deployment.yml -n <YOUR NAMESPACE>

Cockpit administration task: Assign Xsuaa Role Collection to your User

Finally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection XSUAA-Viewer to your user as depicted in the screenshot below and as documented here.

Further up-to-date information is available on sap.help.com.

IAS User administration task: Assign Group to your User

You need administrator permissions to create the group "Read" in IAS and assign it to your user.
See also SAP Help: "Creating a User Group".

Access the application

  1. Follow HowToFetchToken guide to fetch IAS and XSUAA tokens.

    1. Get an IAS OIDC token via the password grant token flow. You can get the information to fill the placeholders from the service binding secret:
      kubectl get secret "ias-service-binding" -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}' -n <YOUR NAMESPACE>
    2. Get an XSUAA access token via the client-certificate token flow. You can get the information to fill the placeholders from the service binding secret:
      kubectl get secret "xsuaa-service-binding" -o go-template='{{range $k,$v := .data}}{{"### "}}{{$k}}{{"\n"}}{{$v|base64decode}}{{"\n\n"}}{{end}}' -n <YOUR NAMESPACE>
  2. In the Kyma Console, go to <YOUR_NAMESPACE> - Discovery and Network - API Rules. Copy the host entry of the spring-security-hybrid-api api rule.

  3. Call the following endpoints with Authorization header = "Bearer <your IAS/XSUAA token>"

    • <HOST of spring-security-hybrid-api>/sayHello - GET request that provides token details, but only if token provides expected read permission (scope/groups).
    • <HOST of spring-security-hybrid-api>/method - GET request executes a method secured with Spring Global Method Security, user requires read permission (scope/groups).

    💡 If you call the same endpoint without Authorization header you should get a 401.

Cleanup

Finally, delete your application and your service instances using the following command:

 kubectl delete -f ./k8s/deployment.yml -n <YOUR NAMESPACE>

Deployment on Cloud Foundry

To deploy the application, the following steps are required:

  • Create an XSUAA service instance
  • Create an Identity service instance
  • Configure manifest.yml
  • Compile and deploy the application
  • Admin: Assign Role Collection to your XSUAA user
  • Admin: Assign Group to your IAS user
  • Access the application

Create the XSUAA Service Instance

Use the xs-security.json to define the X.509 authentication method with Xsuaa managed certificate and create a service instance.

cf create-service xsuaa broker xsuaa-broker -c xs-security.json #optional
cf create-service xsuaa application xsuaa-authn -c xs-security.json

❕ Xsuaa broker instance is optional. Use it if you want to test the application with multiple Xsuaa Service instances. You would also need to update the manifest.yml with the broker instance information.

Create the IAS Service Instance

Use the ias service broker and create an identity service instance

cf create-service identity application ias-authn

Configure the manifest

The vars.yml file contains hosts and paths that you might need to adapt.

Compile and deploy the application

Deploy the application using cf push. It will expect 1 GB of free memory quota.

mvn clean package
cf push --vars-file ../vars.yml

Note: If you get the error message "An operation for service instance ias-authn is in progress.", wait a moment; the identity service instance is created asynchronously.

Cockpit administration task: Assign Xsuaa Role Collection to your User

Finally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection(s) such as XSUAA-Viewer to your user as depicted in the screenshot below and as documented here.

Further up-to-date information is available on sap.help.com.

IAS User administration task: Assign Group to your User

You need administrator permissions to create the group "Read" in IAS and assign it to your user.

Access the application

  1. Follow HowToFetchToken guide to fetch IAS and XSUAA tokens.

    1. Get an IAS OIDC token via the password grant token flow. You can get the information to fill the placeholders from your system environment: cf env spring-security-hybrid-usage -> VCAP_SERVICES.identity
    2. Get an XSUAA access token via the client-certificate token flow. You can get the information to fill the placeholders from your system environment: cf env spring-security-hybrid-usage -> VCAP_SERVICES.xsuaa
  2. Call the following endpoints with Authorization header = "Bearer <your IAS/XSUAA token>"

    • https://spring-security-hybrid-usage-<ID>.<LANDSCAPE_APPS_DOMAIN>/sayHello - GET request that provides token details, but only if token provides expected read permission (scope/groups).
    • https://spring-security-hybrid-usage-<ID>.<LANDSCAPE_APPS_DOMAIN>/method - GET request executes a method secured with Spring Global Method Security, user requires read permission (scope/groups).

    💡 If you call the same endpoint without Authorization header you should get a 401.

  3. Have a look into the logs with:

    cf logs spring-security-hybrid-usage --recent

Clean-Up

Finally, delete your application and your service instances using the following commands:

cf delete -f spring-security-hybrid-usage
cf delete-service -f xsuaa-authn
cf delete-service -f xsuaa-broker # optional
cf delete-service -f ias-authn