XSUAA Security Xsuaa Mock Library

Description

This library enhances the spring-xsuaa project. It includes XsuaaMockWebServer, a mock web server for the Xsuaa service that provides token_keys for offline JWT validation. It is required only when no Xsuaa service (OAuth resource server) is in place, which is the case only in unit tests and when running your Spring Boot application locally.

The default implementation already provides valid token_keys for JWT tokens generated by the JwtGenerator (spring-xsuaa-test library).

Requirements

  • Java 8
  • Maven 3.3.9 or later
  • Spring Boot 2.1 and later

Configuration

Maven Dependency

<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>spring-xsuaa-mock</artifactId>
    <version>2.4.1-SNAPSHOT</version>
</dependency>
<dependency> <!-- new with version 1.5.0 - provided with org.springframework.boot:spring-boot-starter:jar -->
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-autoconfigure</artifactId>
</dependency>

Setup Mock Web Server

Add the following class, which ensures that the Xsuaa mock web server is started only when a dedicated profile, e.g. uaamock, is active. Make sure that this profile (uaamock) is never active in production!

import com.sap.cloud.security.xsuaa.mock.XsuaaMockWebServer;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.Profiles;

public class XsuaaMockPostProcessor implements EnvironmentPostProcessor {

	private static final XsuaaMockWebServer mockAuthorizationServer = new XsuaaMockWebServer();

	@Override
	public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
		if (environment.acceptsProfiles(Profiles.of("uaamock"))) {
			environment.getPropertySources().addFirst(mockAuthorizationServer);
		}
	}
}

Then register this class in META-INF/spring.factories:

org.springframework.boot.env.EnvironmentPostProcessor=<<your package>>.XsuaaMockPostProcessor
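
The warning above can be enforced in code rather than by convention. The following variant is an added example, not part of the library or its samples: it aborts startup when uaamock is active together with signs of a real deployment. The class name GuardedXsuaaMockPostProcessor, the deployed-stage profile names cloud and prod, and the use of the VCAP_APPLICATION variable (set by the Cloud Foundry runtime) as a deployment marker are assumptions to adapt to your landscape.

```java
import com.sap.cloud.security.xsuaa.mock.XsuaaMockWebServer;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.env.EnvironmentPostProcessor;
import org.springframework.core.env.ConfigurableEnvironment;
import org.springframework.core.env.Profiles;

// Added example (hypothetical class): registers the mock token-key server only
// when the environment does not look like a real deployment, and fails fast otherwise.
public class GuardedXsuaaMockPostProcessor implements EnvironmentPostProcessor {

	private static final String MOCK_PROFILE = "uaamock";

	// Assumption: profile names your project activates on deployed stages.
	private static final String[] DEPLOYED_PROFILES = { "cloud", "prod" };

	// Assumption: VCAP_APPLICATION is injected by the Cloud Foundry runtime. It is used
	// instead of VCAP_SERVICES, which developers often set by hand for local runs.
	private static final String CF_RUNTIME_MARKER = "VCAP_APPLICATION";

	private static final XsuaaMockWebServer mockAuthorizationServer = new XsuaaMockWebServer();

	@Override
	public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
		if (!environment.acceptsProfiles(Profiles.of(MOCK_PROFILE))) {
			return; // mock not requested: the real Xsuaa configuration stays untouched
		}
		String reason = deploymentIndicator(environment);
		if (reason != null) {
			// Abort startup: with the mock in place, tokens signed with the publicly
			// known test key would pass signature validation.
			throw new IllegalStateException(
					"Profile '" + MOCK_PROFILE + "' must not be active here: " + reason);
		}
		environment.getPropertySources().addFirst(mockAuthorizationServer);
	}

	// Returns a description of why this looks like a deployment, or null if it does not.
	static String deploymentIndicator(ConfigurableEnvironment environment) {
		if (environment.getSystemEnvironment().containsKey(CF_RUNTIME_MARKER)) {
			return CF_RUNTIME_MARKER + " is set (Cloud Foundry runtime)";
		}
		if (environment.acceptsProfiles(Profiles.of(DEPLOYED_PROFILES))) {
			return "a deployed-stage profile is active as well";
		}
		return null;
	}
}
```

Register this class in META-INF/spring.factories in place of XsuaaMockPostProcessor.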

XSUAA Service Configuration

As of version 1.5.0, the MockXsuaaServiceConfiguration is auto-configured. This class overwrites the Xsuaa url and uaadomain so that they point to the Xsuaa Mock Web Server. This is relevant for validating the jku URI that is provided as part of the JSON Web Signature (JWS). The jku of the JWT token issued by the JwtGenerator references the public key URI of the XsuaaMockWebServer used for generating the signature.

Extendability

Note: it is possible to extend the dispatcher and pass this to the XsuaaMockWebServer constructor. An example XsuaaMockPostProcessor implementation can be found here.

Multitenancy

As of version 1.3.0, you can configure the JwtGenerator with a dedicated subdomain of a subaccount, e.g. testdomain, and set a keyId in the header:

String yourSubdomain = "testdomain";
String yourClientId = "sb-xsapp!20";
String jwtTokenHeaderKeyId = "legacy-token-key-" + yourSubdomain;

String jwtToken = new JwtGenerator(yourClientId, yourSubdomain).setJwtHeaderKeyId(jwtTokenHeaderKeyId).getToken().getTokenValue();

Your Mock Web Server can then provide different token keys for different domains, e.g. testdomain.