This sample uses the SAP application router as a web server and forwards requests to a Java Spring back-end application running on Cloud Foundry. In a typcal UI5 application, the application router serves HTML files and REST data would be provided by a back-end application. To focus on the security part, UI5 has been omitted.
This sample is using the spring-security project. As of version 5 of spring-security, this includes the OAuth resource-server functionality. The security configuration needs to configure JWT for authentication.
Please see the spring-xsuaa descriptions for details.
To deploy the application, the following steps are required:
- Configure the Application Router
- Compile the Java application
- Create an XSUAA service instance
- Configure manifest.yml
- Deploy the application
- Assign Role Collection to your user
- Access the application
The Application Router is used to provide a single entry point to a business application that consists of several different apps (microservices). It dispatches requests to backend microservices and acts as a reverse proxy. The rules that determine which request should be forwarded to which destinations are called routes. The application router can be configured to authenticate the users and propagate the user information. Finally, the application router can serve static content.
Run maven to package the application
mvn clean packageUse the xs-security.json to define the authentication settings and create a service instance
cf create-service xsuaa application xsuaa-authentication -c xs-security.jsonThe vars contains hosts and paths that you might need to adopt.
Deploy the application using cf push. It will expect 1 GB of free memory quota.
cf push --vars-file ../vars.ymlFinally, as part of your Identity Provider, e.g. SAP ID Service, assign the deployed Role Collection(s) such as Viewer or Administrator to your user as depicted in the screenshot below and as documented here.
Further up-to-date information you can get on sap.help.com:
After deployment, the AppRouter will trigger authentication automatically when you access one of the following URLs:
https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/sayHello- GET request that provides XSUAA user token details, but only if token matches.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/method- GET request executes a method secured with Spring Global Method Security.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v1/getAdminData- GET request to read sensitive data via Global Method Security. You will get a403(UNAUTHORIZED), in case you do not haveAdminscope.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v2/sayHello- GET request that logs generic Jwt info, but only if token matches.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v3/requestClientCredentialsToken- GET request that requests the client credentials Jwt token and writes it into the log.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v3/requestUserToken- GET request that exchanges a Jwt token for a potential different client. It returns a refresh token.https://spring-security-xsuaa-usage-web-<ID>.<LANDSCAPE_APPS_DOMAIN>/v3/requestRefreshToken/<<your refresh token>>- GET request that retrieves a Jwt token for a refresh token and writes it into the log.
Have a look into the logs with:
cf logs spring-security-xsuaa-usage --recent
Note: https://spring-security-xsuaa-usage-web-.<LANDSCAPE_APPS_DOMAIN> points to the url of the AppRouter. Get all app routes with
cf apps.
Finally delete your application and your service instances using the following commands:
cf delete -f spring-security-xsuaa-usage
cf delete -f approuter-spring-security-xsuaa-usage
cf delete-service -f xsuaa-authentication