SAP BTP Spring Security Client Library Webflux sample application

This Spring Boot sample application is built with the spring-webflux framework and is protected by spring-security-oauth2-resource-server. It uses the spring-security module to validate JWT tokens issued by either the XSUAA service or the identity service (IAS). The XSUAA service issues an OAuth access token, while the identity service issues an OIDC token; the two tokens differ in the claims they carry. In both cases, the validated token is accessible as a Token via the ReactiveSecurityContext.
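What "validate JWT tokens issued by either the xsuaa or the identity service" amounts to, written with plain Spring Security (WebFlux) APIs as an added example; this is not the sample's own code, which gets the equivalent from the SAP spring-security module. The issuer URLs, the xsappname, the claim names ("scope" for XSUAA, "groups" for IAS) and the class names are assumptions for illustration; on Cloud Foundry the URLs and xsappname come from the bound service credentials.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.function.Function;
import java.util.stream.Collectors;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.context.ReactiveSecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoders;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
import org.springframework.security.oauth2.server.resource.authentication.JwtIssuerReactiveAuthenticationManagerResolver;
import org.springframework.security.oauth2.server.resource.authentication.JwtReactiveAuthenticationManager;
import org.springframework.security.oauth2.server.resource.authentication.ReactiveJwtAuthenticationConverter;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import reactor.core.publisher.Flux;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class HybridSecurityConfig {

    // Assumed placeholders: on Cloud Foundry take them from the bound xsuaa ("url", "xsappname")
    // and identity ("url") service credentials in VCAP_SERVICES.
    static final String XSUAA_ISSUER = "https://<subdomain>.authentication.<landscape>.hana.ondemand.com";
    static final String IAS_ISSUER = "https://<tenant>.accounts.ondemand.com";
    static final String XSAPPNAME = "<xsappname>";

    @Bean
    SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        Map<String, ReactiveAuthenticationManager> managers = Map.of(
                XSUAA_ISSUER, managerFor(XSUAA_ISSUER, HybridSecurityConfig::xsuaaAuthorities),
                IAS_ISSUER, managerFor(IAS_ISSUER, HybridSecurityConfig::iasAuthorities));
        // The resolver selects the manager by the token's "iss" claim. An unknown issuer resolves
        // to an empty Mono, so the request is rejected with 401 before any signature is checked.
        JwtIssuerReactiveAuthenticationManagerResolver resolver =
                new JwtIssuerReactiveAuthenticationManagerResolver(issuer -> Mono.justOrEmpty(managers.get(issuer)));
        return http
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/v1/sayHello").hasAuthority("Read")
                        .anyExchange().denyAll())
                .oauth2ResourceServer(oauth2 -> oauth2.authenticationManagerResolver(resolver))
                .build();
    }

    // One manager per issuer: the decoder is derived from the issuer's OIDC discovery document
    // (JWKS URI, expected "iss" value), and the mapping of claims to authorities is issuer-specific.
    static ReactiveAuthenticationManager managerFor(String issuer,
            Function<Jwt, Collection<GrantedAuthority>> authorities) {
        ReactiveJwtDecoder decoder = ReactiveJwtDecoders.fromIssuerLocation(issuer);
        JwtReactiveAuthenticationManager manager = new JwtReactiveAuthenticationManager(decoder);
        ReactiveJwtAuthenticationConverter converter = new ReactiveJwtAuthenticationConverter();
        converter.setJwtGrantedAuthoritiesConverter(jwt -> Flux.fromIterable(authorities.apply(jwt)));
        manager.setJwtAuthenticationConverter(converter);
        return manager;
    }

    // XSUAA access token: scopes carry the xsappname prefix ("<xsappname>.Read"). Only scopes of this
    // application are stripped and kept, so a scope granted for another application never becomes "Read".
    static Collection<GrantedAuthority> xsuaaAuthorities(Jwt jwt) {
        List<String> scopes = jwt.getClaimAsStringList("scope");
        if (scopes == null) return List.of();
        String prefix = XSAPPNAME + ".";
        return scopes.stream()
                .filter(scope -> scope.startsWith(prefix))
                .map(scope -> new SimpleGrantedAuthority(scope.substring(prefix.length())))
                .collect(Collectors.toList());
    }

    // IAS OIDC token: no scopes; the user's groups (here "Read") are assumed to arrive in the
    // "groups" claim and are used as authorities as they are.
    static Collection<GrantedAuthority> iasAuthorities(Jwt jwt) {
        List<String> groups = jwt.getClaimAsStringList("groups");
        if (groups == null) return List.of();
        return groups.stream().map(SimpleGrantedAuthority::new).collect(Collectors.toList());
    }
}

@RestController
class HelloController {
    // Same contract as the sample endpoint: the validated Jwt is the principal in the reactive
    // security context, and its claims are returned as the JSON payload.
    @GetMapping("/v1/sayHello")
    Mono<Map<String, Object>> sayHello() {
        return ReactiveSecurityContextHolder.getContext()
                .map(context -> (JwtAuthenticationToken) context.getAuthentication())
                .map(authentication -> authentication.getToken().getClaims());
    }
}
```

The two points worth noticing are that the issuer is checked before a decoder is even chosen (a token from any third issuer, however well signed, gets a 401), and that the XSUAA scope prefix is matched against this application's own xsappname rather than blindly stripped, which is what keeps a "Read" scope issued for a different application from unlocking this endpoint.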

Configure the Application Router

The Application Router is used to provide a single entry point to a business application that consists of several different apps (microservices). It dispatches requests to backend microservices and acts as a reverse proxy. The rules that determine which request should be forwarded to which destinations are called routes. The application router can be configured to authenticate the users and propagate the user information. Finally, the application router can serve static content.

Build and Deploy

1. Run Maven to compile and package the sample application:

mvn clean package

2. The following steps deploy the application using Cloud Foundry.

Create the XSUAA service instance

Use the cf CLI to create an XSUAA service instance based on the authentication settings in xs-security.json.

cf create-service xsuaa application xsuaa-webflux -c xs-security.json

Create the IAS service instance

cf create-service identity application ias-webflux -c ias-security.json

💡 You may need to adapt the hostname in ias-security.json.

Configure the manifest

The variables in vars.yml contain hosts and paths that need to be adapted.

Deploy the application

Deploy the application using the cf CLI.

cf push --vars-file ../vars.yml

⚠️ This requires 1 GB of free memory quota.

3. Give permission to user

To get access to the sample application, you need a user with one of the following assigned:

  • the role collection "Sample Viewer (spring-webflux-security-hybrid-usage)" (via XSUAA)
  • the group "Read" (via IAS)

Assign Role Collection (XSUAA)

This can be done in the SAP BTP Cockpit or using the btp CLI.

Assign role collection via cockpit

In the cockpit navigate to your subaccount. To assign the role collection of the sample application to a user you have basically two options:
  1. Navigate to the user by clicking on Security -> Users, select the user and click on Assign Role Collection (more info at help.sap.com).
  2. Navigate to the role collection by clicking on Security -> Role Collections, select Sample Viewer (spring-webflux-security-hybrid-usage), click on Edit to add the user and finish by clicking on Save (more info at help.sap.com).

Assign role collection via command line

To assign the role collection to a user via the btp CLI, you need to log in to your global account and execute the following command:

btp assign security/role-collection "Sample Viewer (spring-webflux-security-hybrid-usage)" --subaccount <subaccount id> --to-user <user email>

Assign group (IAS)

You need administrator permissions to create the group "Read" in IAS and assign it to a user. 🔗 More information can be found at SAP Help: "Creating a User Group".

4. Access the application

The sample application provides a single HTTP endpoint:

  • /v1/sayHello - authorized access only

After the deployment, the application router triggers authentication and routes requests to the above endpoint. If you have assigned the role collection as described above, you can access the application via XSUAA at:

https://spring-webflux-security-hybrid-usage-web-<<ID>>.<<LANDSCAPE_APPS_DOMAIN>>/xsuaa/sayHello

If you have assigned the group as described above, you can access the application via IAS at:

https://spring-webflux-security-hybrid-usage-web-<<ID>>.<<LANDSCAPE_APPS_DOMAIN>>/ias/sayHello

💡 You can find the route of your approuter application using the cf CLI:

cf app approuter-spring-webflux-security-hybrid-usage

You should see the JSON payload of the received JWT token.

⚠️ In order to switch between XSUAA and IAS access, you need to remove any Application Access Tokens from your profile page in the corresponding IAS tenant. Furthermore, delete any account-related cookies in your browser or use a private browser window.

5. Cleanup

If you no longer need the sample application, you can free up resources using the cf CLI.

cf unbind-service spring-webflux-security-hybrid-usage ias-webflux
cf unbind-service approuter-spring-webflux-security-hybrid-usage ias-webflux
cf delete -f spring-webflux-security-hybrid-usage
cf delete -f approuter-spring-webflux-security-hybrid-usage
cf delete-service -f xsuaa-webflux
cf delete-service -f ias-webflux