Secure java application on Foundry and call it from external tool

Hi experts,

I'm developing a Java servlet in SCP Foundry using the SAP Web IDE Full-Stack. I need to secure the servlet so that it cannot be accessed without specific authorizations. I've followed this tutorial (the concepts are explained very well):

Secure Your Application on SAP Cloud Platform Cloud Foundry

It works great: after entering the right credentials, managed by the Application Router, all the authorizations are correctly applied and the servlet is executed. Now I want to call this kind of servlet from an external tool (for example Postman). How do I do it?

I don't know if this is the right way, because the App Router works very well when there is a browser (and so a real user on the other side...), but I don't understand how to reach the same result when calling it from outside. I think this is not the real scope of the App Router because it always needs a user, so how is it possible to protect a Java application and call it from an external tool?

Thanks in advance

Luca

2 Answers

  • Best Answer
    Posted on Jul 07, 2020 at 06:34 AM

    Hi Luca,
    Good that you found that article; it's interesting and makes sense, although it doesn't help in your scenario.
    I'm not a security expert and have no knowledge about SAML.
    I thought maybe this other blog can help you?
    The idea would be: if there's no way to validate the user/password with the IdP, maybe using client credentials can do the trick?
    In the blog, I tried to find out how to call a protected app from an external app, where the external app is not a human user, so a role cannot be assigned. It is a client-credentials scenario, 2 instances of xsuaa are involved, and the solution is in the definition of xs-security, where the providing app GRANTs the required authorization explicitly.

    Nevertheless, still hoping that an expert answers your question ;-)
    Cheers,
    Carlos

    • Hi Carlos,

      sorry for the very late reply. Your solution works great! I've added the following configuration inside the xs-security.json of my original servlet, at scope level:

      "grant-as-authority-to-apps": [
          "$XSAPPNAME(application,SECOND_SERVICE-uaa)"
      ]

      Then I've created a second xsuaa service (Authorization and Trust Management service from the service marketplace), adding this kind of configuration for the application service plan:

      {
        "xsappname": "SECOND_SERVICE-uaa",
        "tenant-mode": "dedicated",
        "description": "Security profile of called application",
        "authorities": ["$ACCEPT_GRANTED_AUTHORITIES"]
      }

      The xsappname and the service name of the second xsuaa instance are the same. Finally, using the clientid and clientsecret of the second xsuaa service, I see the scope defined in the first application servlet.

      Thank you very much!

      Luca
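The client-credentials flow that the answer and this comment describe, as an added Python example (not the poster's code nor the blog's): it requests a token from the second XSUAA instance's token endpoint using the clientid/clientsecret from its service key, then checks that the scope in the token carries the xsappname of the first (granting) application, not of the calling one. All names, the URL and the token are constructed placeholders; the '!t<n>' tenant suffix on xsappname is an assumption about how XSUAA names scopes in Cloud Foundry.

```python
import base64
import json
import urllib.parse
import urllib.request

def _post_form(url, body, headers):
    """Real HTTP transport (urllib); demo() below swaps in a fake endpoint."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def fetch_client_credentials_token(uaa_url, clientid, clientsecret, post=_post_form):
    """Client-credentials grant against the second XSUAA instance's token
    endpoint; url, clientid and clientsecret come from its service key."""
    basic = base64.b64encode(f"{clientid}:{clientsecret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return json.loads(post(uaa_url.rstrip("/") + "/oauth/token", body, headers))["access_token"]

def jwt_claims(token):
    """Payload only, no signature check: fine for inspecting the grant, but the
    protected servlet must still validate the token it receives."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def has_granted_scope(token, granting_xsappname, scope):
    """Scopes obtained via grant-as-authority-to-apps keep the *granting* app's
    xsappname as prefix; XSUAA may add a '!t<n>' tenant suffix (assumed here)."""
    for entry in jwt_claims(token).get("scope", []):
        app, _, name = entry.rpartition(".")
        if name == scope and app.split("!")[0] == granting_xsappname:
            return True
    return False

def demo():
    """Offline run with a fake token endpoint and a constructed, unsigned token."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    seen = {}
    def fake_post(url, body, headers):
        seen.update(url=url, body=body.decode(), auth=headers["Authorization"])
        claims = {"scope": ["FIRST_APP!t1.Display", "uaa.resource"], "grant_type": "client_credentials"}
        return json.dumps({"access_token": f"{b64({'alg': 'none'})}.{b64(claims)}."})
    token = fetch_client_credentials_token("https://demo.authentication.example/",
                                           "sb-SECOND_SERVICE-uaa!t1", "secret", post=fake_post)
    return {"endpoint": seen["url"], "grant": seen["body"],
            "basic_auth_ok": seen["auth"] == "Basic " + base64.b64encode(b"sb-SECOND_SERVICE-uaa!t1:secret").decode(),
            "scope_from_first_app": has_granted_scope(token, "FIRST_APP", "Display"),
            "scope_from_second_app": has_granted_scope(token, "SECOND_SERVICE-uaa", "Display")}
```

Against a real instance, call fetch_client_credentials_token with the url, clientid and clientsecret from the second XSUAA service key and send the token as a Bearer header to the servlet.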

  • Posted on Jul 05, 2020 at 07:18 PM

    Hi Luca,
    I have the feeling that this blog explains in detail exactly what you are asking.
    In Cloud Foundry, you can create a service key which provides the credentials for executing the OAuth flow from an external app.
    The approuter facilitates the same, which makes it comfortable for human users.
    Cheers,
    Carlos

    • Hi Carlos,

      thank you very much for your reply. I've followed your great blog and, after a deep dive into the different ways to perform authentication, I found that my issue is related to the use of a custom IdP. So, using the standard SAP ID Service as identity provider, I'm able to call the servlet as described in the blog, but the same doesn't work behind a custom IdP. This SAP note is very clear:

      https://launchpad.support.sap.com/#/notes/2766354

      So my question has changed: is there a way to call a servlet from an external tool using a custom IdP supporting the SAML protocol?

      Thanks

      Luca
