This Spring Boot sample application is build with the spring-webflux
framework and is protected by the
spring-security-oauth2-resource-server
.
It uses the spring-security
module to validate JWT tokens issued by either the xsuaa
or the identity
service.
The xsuaa
service provides an OAuth access token, while the identity
service provides an OIDC token.
The tokens differ in the details they provide through token claims.
In both instances, the validated token is accessible as a Token
via the ReactiveSecurityContext
.
The Application Router is used to provide a single entry point to a business application that consists of several different apps (microservices). It dispatches requests to backend microservices and acts as a reverse proxy. The rules that determine which request should be forwarded to which destinations are called routes. The application router can be configured to authenticate the users and propagate the user information. Finally, the application router can serve static content.
mvn clean package
Use the cf CLI to create an XSUAA service instance based on the authentication settings in xs-security.json.
cf create-service xsuaa application xsuaa-webflux -c xs-security.json
cf create-service identity application ias-webflux -c ias-security.json
💡 You may need to adapt the hostname in the ias config.
The vars contain hosts and paths that need to be adapted.
Deploy the application using the cf CLI.
cf push --vars-file ../vars.yml
To get access to the sample application, you need a user with one of the following assigned:
- the role collection `Sample Viewer (spring-webflux-security-hybrid-usage)' (via XSUAA)
- the group
Read
(via IAS)
This can be done in the SAP BTP Cockpit or using the btp CLI.
Assign role collection via cockpit
In the cockpit navigate to your subaccount. To assign the role collection of the sample application to a user you have basically two options:- Navigate to the user by clicking on
Security
->Users
, select the user and click onAssign Role Collection
(more info at help.sap.com). - Navigate to the role collection by clicking on
Security
->Role Collections
, selectSample Viewer (spring-webflux-security-hybrid-usage)
, click onEdit
to add the user and finish by clicking onSave
(more info at help.sap.com).
Assign role collection via command line
To assign the role collection to a user via the btp CLI, you need to log in to your global account and execute the following command:
btp assign security/role-collection "Sample Viewer (spring-webflux-security-hybrid-usage)" --subaccount <subaccount id> --to-user <user email>
You need administrator permissions to create group Read
in IAS and assign it to a user.
:link: More information can be found at SAP Help: "Creating a User Group".
The sample application provides a single HTTP endpoint:
/v1/sayHello
- authorized access only
After the deployment, the application router will trigger authentication and route requests to the above endpoint. If you have assigned the role-collection as described above, you can access the application via XSUAA at:
https://spring-webflux-security-hybrid-usage-web-<<ID>>.<<LANDSCAPE_APPS_DOMAIN>>/xsuaa/sayHello
If you have assigned the group as described above, you can access the application via IAS at:
https://spring-webflux-security-hybrid-usage-web-<<ID>>.<<LANDSCAPE_APPS_DOMAIN>>/ias/sayHello
💡 you can find the route of your approuter application using the cf CLI:
cf app approuter-spring-webflux-security-hybrid-usage
You should see the JSON payload of the received JWT token.
:warning: In order to switch between XSUAA and IAS access, you need to remove any Application Access Tokens
from your profile page in th ecorresponding IAS tenant.
Furthermore, you want to delete any account related cookies in your browser or use a private browser window.
If you no longer need the sample application, you can free up resources using the cf CLI.
cf unbind-service spring-webflux-security-hybrid-usage ias-webflux
cf unbind-service approuter-spring-webflux-security-hybrid-usage ias-webflux
cf delete -f spring-webflux-security-hybrid-usage
cf delete -f approuter-spring-webflux-security-hybrid-usage
cf delete-service -f xsuaa-webflux
cf delete-service -f ias-webflux