This library enhances the `spring-xsuaa` project. It includes `XsuaaMockWebServer`, a mock web server for the Xsuaa service that provides `token_keys` for offline JWT validation. It is required only when there is no Xsuaa service (OAuth resource-server) in place, which is the case only in unit tests and when running your Spring Boot application locally.
The default implementation already offers valid `token_keys` for JWT tokens that are generated by the `JwtGenerator` (`spring-xsuaa-test` library).
- Java 8
- Maven 3.3.9 or later
- Spring Boot 2.1 and later
```xml
<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>spring-xsuaa-mock</artifactId>
    <version>2.0.0</version>
</dependency>
<dependency> <!-- new with version 1.5.0 - provided with org.springframework.boot:spring-boot-starter:jar -->
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-autoconfigure</artifactId>
</dependency>
```
Add the following class, which makes sure that the Xsuaa mock web server is started only when a dedicated profile, e.g. `uaamock`, is active. Make sure that this profile (`uaamock`) is never active in production!
```java
import com.sap.cloud.security.xsuaa.mock.XsuaaMockWebServer;
import org.springframework.beans.factory.DisposableBean;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.Profiles;

// Registers the Xsuaa mock web server only when the "uaamock" profile is active.
public class XsuaaMockPostProcessor implements EnvironmentPostProcessor, DisposableBean {

    private final XsuaaMockWebServer mockAuthorizationServer = new XsuaaMockWebServer();

    @Override
    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
        // The "uaamock" profile must never be active in production.
        if (environment.acceptsProfiles(Profiles.of("uaamock"))) {
            environment.getPropertySources().addFirst(this.mockAuthorizationServer);
        }
    }

    @Override
    public void destroy() throws Exception {
        // Shut the mock server down together with the application context.
        this.mockAuthorizationServer.destroy();
    }
}
```
Then you have to register this class in `META-INF/spring.factories`:

```
org.springframework.boot.env.EnvironmentPostProcessor=<<your package>>.XsuaaMockPostProcessor
```
From version `1.5.0` on, the `MockXsuaaServiceConfiguration` is auto-configured. This class overwrites the Xsuaa url and uaadomain to point to the Xsuaa Mock Web Server. This is relevant for validating the `jku` URI that is provided as part of the JSON Web Signature (JWS). The `jku` of the JWT token issued by the `JwtGenerator` references the public key URI of the `XsuaaMockWebServer` used for generating the signature.
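One way such a `jku` check can work, as an added example that is not code from spring-xsuaa: the `jku` from the JWS header is accepted only when its host lies within the configured uaadomain, so a mock-issued token passes only once uaadomain points at the mock server. The class and method names, the `localhost:8080` jku and the `auth.example.com` domain are assumptions constructed for illustration.

```java
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class JkuCheckExample {
    // Reads one string-valued field from the JWS header (first token segment).
    // Regex extraction keeps the example JDK-only; use a JSON parser in real code.
    static String headerField(String jwt, String name) {
        byte[] raw = Base64.getUrlDecoder().decode(jwt.substring(0, jwt.indexOf('.')));
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"")
                .matcher(new String(raw, StandardCharsets.UTF_8));
        return m.find() ? m.group(1) : null;
    }

    // Accepts the jku only if its host is the uaadomain or a subdomain of it.
    static boolean isTrustedJku(String jku, String uaaDomain) {
        if (jku == null) return false; // no key URI in the header
        String host;
        try {
            host = URI.create(jku).getHost();
        } catch (IllegalArgumentException e) {
            return false; // malformed URI
        }
        if (host == null) return false;
        host = host.toLowerCase(Locale.ROOT);
        String domain = uaaDomain.toLowerCase(Locale.ROOT);
        // The "." boundary stops "xauth.example.com" from matching "auth.example.com".
        return host.equals(domain) || host.endsWith("." + domain);
    }

    // Builds an unsigned, token-shaped string around a constructed header.
    static String tokenWithHeader(String headerJson) {
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + ".e30.sig";
    }

    public static void main(String[] args) {
        // Constructed sample header: host, port and path are assumptions.
        String jku = headerField(tokenWithHeader("{\"alg\":\"RS256\",\"kid\":\"legacy-token-key-testdomain\","
                + "\"jku\":\"http://localhost:8080/testdomain/token_keys\"}"), "jku");
        System.out.println(isTrustedJku(jku, "localhost"));        // uaadomain overridden for the mock
        System.out.println(isTrustedJku(jku, "auth.example.com")); // production-style uaadomain
        System.out.println(isTrustedJku("https://xauth.example.com/token_keys", "auth.example.com")); // look-alike host
    }
}
```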
Note: it is possible to extend the dispatcher and pass this to the `XsuaaMockWebServer` constructor. An example `XsuaaMockPostProcessor` implementation can be found here.
From version `1.3.0` on, you can configure the `JwtGenerator` with a dedicated subdomain of a subaccount, e.g. `testdomain`, and the header with a keyId:
```java
String yourSubdomain = "testdomain";
String yourClientId = "sb-xsapp!20";
String jwtTokenHeaderKeyId = "legacy-token-key-" + yourSubdomain;
String jwtToken = new JwtGenerator(yourClientId, yourSubdomain).setJwtHeaderKeyId(jwtTokenHeaderKeyId).getToken().getTokenValue();
```
Then your Mock Web Server can provide different token keys for different domains, e.g. `testdomain`.