SAP BTP Spring Security Client Library with Basic Auth sample application

This Spring Boot sample application is secured via Basic Auth and showcases the use of the spring-security and spring-security-starter modules.

⚠️ Unless absolutely necessary, do not secure your application via Basic Auth as shown in this sample.

This sample is only meant for legacy use cases in which the user client does not support OAuth protocols.

For each incoming request, the application accepts user credentials via HTTP Basic Auth and then exchanges them for an XSUAA OAuth2 access token using the Resource Owner Password Credentials ("Password") grant type. This is done by implementing Spring's BearerTokenResolver interface and configuring the SecurityConfiguration to use it before the regular JWT-based resource-server processing runs. As a result, the application has access to the user's scopes configured via XSUAA and can perform authorization checks on them. The controller endpoints can be secured exactly as if the request had carried the access token directly.

❕ However, securing the application this way comes at several costs. Firstly, the Password grant type is discouraged because it gives up many of the advantages OAuth2 is meant to provide: for example, the user's credentials are available in clear text to this application on every request. Secondly, an application like this must cache the users' access tokens for subsequent requests to reduce HTTP traffic and latency; the Caffeine cache shown in this example is a simple in-memory cache that may be too simple for production. Furthermore, because of the caching, administrative changes to a user's privileges, e.g. roles and/or scopes, are not reflected in subsequent requests until the cache entry has expired and a new token is fetched for that user. The cache lifetime must also be shorter than the token validity configured in XSUAA, otherwise an expired token would be handed to the JWT validation and the request would be rejected.
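The following class is an added example of the approach described above; it is not the sample's own TokenBrokerResolver. It assumes the XsuaaTokenFlows bean provided by the spring-security-starter autoconfiguration and a Caffeine cache on the classpath. The cache TTL of 15 minutes, the cache size limit, and the choice to key the cache by a SHA-256 digest of "user:password" (so plaintext credentials are not retained as map keys) are design decisions of this example, not of the sample.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.util.Base64;
import java.util.HexFormat;

import jakarta.servlet.http.HttpServletRequest;

import org.springframework.http.HttpHeaders;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;

import com.github.benmanes.caffeine.cache.Cache;
import com.github.benmanes.caffeine.cache.Caffeine;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

/**
 * Added example (not the sample's TokenBrokerResolver): exchanges the Basic Auth
 * credentials of each request for an XSUAA access token via the Password grant and
 * hands that token to Spring's JWT resource-server filter as if it were a Bearer token.
 */
public class BasicAuthTokenResolver implements BearerTokenResolver {

    private static final String BASIC_PREFIX = "Basic ";

    private final XsuaaTokenFlows tokenFlows;

    // Assumed TTL of 15 minutes: it must stay below the token lifetime configured in
    // XSUAA, and it bounds how long revoked roles/scopes remain effective here.
    private final Cache<String, String> tokenCache = Caffeine.newBuilder()
            .expireAfterWrite(Duration.ofMinutes(15))
            .maximumSize(10_000)
            .build();

    public BasicAuthTokenResolver(XsuaaTokenFlows tokenFlows) {
        this.tokenFlows = tokenFlows;
    }

    @Override
    public String resolve(HttpServletRequest request) {
        String header = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, BASIC_PREFIX, 0, BASIC_PREFIX.length())) {
            return null; // no Basic credentials: leave the request unauthenticated, the entry point answers 401
        }
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(header.substring(BASIC_PREFIX.length()).trim()),
                    StandardCharsets.UTF_8);
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
        int separator = decoded.indexOf(':');
        if (separator <= 0) {
            return null; // RFC 7617: the user-id is non-empty and may not contain a colon
        }
        String username = decoded.substring(0, separator);
        String password = decoded.substring(separator + 1);

        // Caffeine computes the mapping at most once per key under concurrency, so parallel
        // requests of the same user trigger a single Password token flow against XSUAA.
        return tokenCache.get(digest(username, password), key -> fetchToken(username, password));
    }

    private String fetchToken(String username, String password) {
        try {
            return tokenFlows.passwordTokenFlow()
                    .username(username)
                    .password(password)
                    .execute()
                    .getAccessToken();
        } catch (TokenFlowException e) {
            // Wrong credentials or XSUAA unreachable: a null result is not cached by Caffeine,
            // and the request proceeds unauthenticated (401 with WWW-Authenticate: Basic).
            return null;
        }
    }

    // Cache key: hex SHA-256 of "user:password", so the plaintext password is not kept as a key.
    private static String digest(String username, String password) {
        try {
            MessageDigest sha256 = MessageDigest.getInstance("SHA-256");
            byte[] hash = sha256.digest((username + ":" + password).getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(hash);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is available in every JRE", e);
        }
    }
}
```

Returning null from resolve() is what makes the failure modes line up with the description above: Spring's BearerTokenAuthenticationFilter treats a null resolution as "no token present" and falls through to the configured authentication entry point instead of reporting an invalid Bearer token.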

Implementation Notes

Spring's BearerTokenResolver interface is implemented in TokenBrokerResolver which uses the token-client module to fetch the access tokens. Thanks to the autoconfiguration of spring-security-starter, a bean of type XsuaaTokenFlows is available for injection which is used by the TokenBrokerResolver to perform the Password token flow.

In the JUnit tests of this application, a mocked XsuaaOAuth2TokenService is used with stubbed responses to provide access tokens for pre-defined user credentials. To use this service, the TokenBrokerResolver bean is overridden in TokenBrokerTestConfiguration to make use of it.

To make browsers show the Basic Auth login prompt on a 401 response, the WWW-Authenticate response header must carry a Basic challenge instead of the Bearer challenge that Spring's resource-server support sends by default. This is done by means of the class BasicAuthenticationEntryPoint in the SecurityConfiguration.
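The following configuration is an added example of the wiring described in the implementation notes; it is not the sample's own SecurityConfiguration. It assumes that a BearerTokenResolver bean (such as the TokenBrokerResolver) is registered by the application, that the spring-security-starter autoconfiguration provides a Converter<Jwt, AbstractAuthenticationToken> bean that maps XSUAA scopes to authorities, and that the local scope name guarding /fetchToken is "Read"; the realm name is also an assumption.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint;

/**
 * Added example (not the sample's SecurityConfiguration): plugs a Basic-Auth-to-token
 * BearerTokenResolver into the JWT resource-server chain and swaps the 401 challenge
 * from "Bearer" to "Basic" so that browsers open their login dialog.
 */
@Configuration
@EnableWebSecurity
public class BasicAuthSecurityConfiguration {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http,
                                    BearerTokenResolver basicAuthTokenResolver,
                                    Converter<Jwt, AbstractAuthenticationToken> xsuaaAuthConverter) throws Exception {
        // Without this entry point the resource server answers 401 with
        // "WWW-Authenticate: Bearer", which browsers do not turn into a login prompt.
        BasicAuthenticationEntryPoint entryPoint = new BasicAuthenticationEntryPoint();
        entryPoint.setRealmName("spring-security-basic-auth"); // assumed realm name
        entryPoint.afterPropertiesSet();

        http
            // Every request carries credentials, so no server-side session is needed.
            .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // CSRF protection is deliberately left at its default: browsers replay Basic
            // credentials automatically, so state-changing endpoints would otherwise be forgeable.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/health").permitAll()
                .requestMatchers("/fetchToken").hasAuthority("Read") // assumed local scope name
                .anyRequest().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2
                // Runs before JWT validation: turns "Authorization: Basic ..." into an access token.
                .bearerTokenResolver(basicAuthTokenResolver)
                .authenticationEntryPoint(entryPoint)
                .jwt(jwt -> jwt.jwtAuthenticationConverter(xsuaaAuthConverter)));
        return http.build();
    }
}
```

A quick check after deployment: a request without credentials must return 401 with a "WWW-Authenticate: Basic realm=..." header, while a request with valid credentials but without the required role collection must return 403, since authentication succeeded but the token carries no matching scope.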

Build and Deploy

1. The following steps deploy the application using either Cloud Foundry or Kyma/Kubernetes.

Deployment on Cloud Foundry

Run maven to compile and package the sample application:

mvn clean package

Create the XSUAA service instance

Use the cf CLI to create an XSUAA service instance based on the authentication settings in xs-security.json.

cf create-service xsuaa application xsuaa-basic -c xs-security.json

Configure the manifest

The variables in vars.yml contain hosts and paths that need to be adapted to your landscape.

Deploy the application

Deploy the application using the cf CLI.

cf push --vars-file ../vars.yml

⚠️ This will expect 1 GB of free memory quota.

Deployment on Kubernetes

Build and tag docker image and push to repository

Execute the following docker commands to build and push the docker image to a repository. Replace <repository>/<image> with your repository and image name.

mvn spring-boot:build-image -Dspring-boot.build-image.imageName=<repository>/<image>
docker push <repository>/<image>

Configure the deployment.yml

In deployment.yml replace the placeholder <YOUR IMAGE TAG> with the image tag created in the previous step.

⚠️ If you are using a private repository, you also need to provide the image pull secret in the deployment.yml.

Deploy the application

Deploy the application using kubectl.

kubectl apply -f k8s/deployment.yml

3. Assign Role Collection to user

💡 You can postpone this step if you first want to test the application without the required authorization.

To get full access to the sample application, you need a user having the role collection Sample Viewer (spring-security-basic-auth) assigned. This can be done in the SAP BTP Cockpit or using the btp CLI.

Assign role collection via cockpit

In the cockpit navigate to your subaccount. To assign the role collection of the sample application to a user you have basically two options:
  1. Navigate to the user by clicking on Security -> Users, select the user and click on Assign Role Collection (more info at help.sap.com).
  2. Navigate to the role collection by clicking on Security -> Role Collections, select Sample Viewer (spring-security-basic-auth), click on Edit to add the user and finish by clicking on Save (more info at help.sap.com).
Assign role collection via command line

To assign the role collection to a user via the btp CLI, you need to log in to your global account and execute the following command:

btp assign security/role-collection "Sample Viewer (spring-security-basic-auth)" --subaccount <subaccount id> --to-user <user email>

4. Access the application

After deployment, the application can be called with Basic Auth. If you have assigned the role collection as described above, you can access the application via curl.

curl command to access Cloud Foundry deployment

curl -i --user "<username>:<password>" \
  -X GET https://spring-security-basic-auth-<ID>.<LANDSCAPE_APPS_DOMAIN>/fetchToken

curl command to access Kubernetes deployment

curl -i --user "<username>:<password>" \
  -X GET https://spring-security-basic-auth-api.<K8s DOMAIN>/fetchToken

💡 If you access the application via browser you should be prompted for basic authentication.

As a response, you will get a JSON description of the access token that was fetched with the provided user credentials. Note that the response is not the JWT itself.

5. Cleanup

If you no longer need the sample application, you can free up resources using the cf CLI or the Kubernetes CLI.

Cleanup commands for Cloud Foundry

cf delete -f spring-security-basic-auth
cf delete-service -f xsuaa-basic

Cleanup command for Kubernetes

kubectl delete -f k8s/deployment.yml