
Access Destination Service / Connectivity Service in RabbitMQ Consumer

Hi All,

We are building a Java-based web API which runs in the Cloud Foundry environment. I will shortly describe what we are trying to achieve and what is shown in the picture.

1. The web API is called with JWT1, which holds the client information.

2. JWT1 gets validated and the web API builds up a SecurityContext based on JWT1.

3. The web request gets processed.

3a. The web API creates a message and publishes it into the rabbit-message-queue.

3b. The web API returns success to the client.

4. The RabbitMQ Consumer processes the message.

4a. The RabbitMQ Consumer requests a JWT2 to access the destination instance.

4b. In parallel the RabbitMQ Consumer requests a JWT3 to access the connectivity instance.

5. The RabbitMQ Consumer requests the destination configuration by sending JWT2.

6. The RabbitMQ Consumer sends a request to the connectivity instance with JWT3 and the Authorization header.

7. SAP Cloud Platform Connectivity forwards the request to the Cloud Connector.

8. The Cloud Connector sends the request to the on-premise system.

We are currently having issues in finding the right approach to propagate/pass the SecurityContext from the web API to the RabbitMQ Consumer, or to create a new SecurityContext, which is required to do steps 4a to 6 (talk to the destination and connectivity instance).

  • We could attach JWT1 to the rabbit-message and try to recreate the SecurityContext at the RabbitMQ Consumer. We are currently using the com.sap.xs2.security.container.SecurityContext on the web API side. We cannot recreate this SecurityContext on the RabbitMQ Consumer side because it requires a javax.servlet.http.HttpServletRequest to read the token. We could “fake” it, but this doesn’t sound right.
  • If we attach the JWT to the rabbit-message, what happens if the RabbitMQ Consumer needs longer for processing the message than the lifetime of the JWT? (The RabbitMQ Consumer could have been stopped when the message was published in the queue and could have been started after the lifetime of the JWT has expired.)

Another approach could be to store a “ServiceUser” on the RabbitMQ Consumer side which is used to somehow initialize the SecurityContext. But in this case we also have the problem with the missing HttpServletRequest for the SecurityContext.

The general implementation concept for the destination service and connectivity service integration, as well as the picture, is taken from https://blogs.sap.com/2017/07/13/part-2-how-to-use-the-sap-cloud-platform-connectivity-and-the-cloud-connector-in-the-cloud-foundry-environment/

Our questions:

  1. How to call the destination service / connectivity service in a RabbitMQ consumer without having a 'real' SecurityContext ... ideally on behalf of the web API user (client)?
  2. How to deal with expired tokens during later processing?
  3. Are there differences in multi-tenant-aware scenarios?

Thanks a lot

Sebastian


1 Answer

  • Oct 30, 2018 at 12:38 PM

    Hi Sebastian,

    I'm not sure if I understood your issue. Are you forwarding / do you want to forward the business user's JWT token to the consumer? This would bring the expiration problem you described above.

    Why doesn't your consumer app request its own JWT token from the UAA?

    Can you please confirm that I understood this correctly?

    Regards,

    Marius


    • Hi Marius,

      You are basically right. We can put the tenant information in the message as mentioned, by serializing JWT1 or by simply putting the tenant identifier in the rabbit-mq-header.

      In a simple scenario this could work. You simply have to retrieve the subdomain of the underlying tenant to request the needed JWTs. To sum this up: you need the credentials from the destination and connectivity service, which can be retrieved from the environment variables, and you need the tenant-specific xsuaa-url to request the needed tokens.

      In case the destination authentication is configured as “NoAuthentication” or “BasicAuthentication” this information is sufficient and the destination service will return the needed authentication information in the authTokens section in the destination response.

      But in case the destination authentication is configured as “PrincipalPropagation”, I need an authenticated user to derive the needed JWT, which is forwarded to the on-premise system via the Cloud Connector.

      Sure, I could simply serialize JWT1, but then I’m back at the questions from above:

      • How to reinitialize the SecurityContext based on the serialized JWT1
      • How to deal with expired tokens

      Thx

      Sebastian
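The consumer-side handling sketched in the question (steps 4a to 6) and in the follow-up comment above (tenant subdomain in a message header, service credentials from the environment, tenant-specific XSUAA URL, expired tokens) as an added example. It is not code from this thread, from SAP, or from the linked blog post; it uses only the Python standard library, the header names and all sample values are constructed, and the rule for deriving the tenant's XSUAA host (replace the first host label with the tenant subdomain) is an assumption taken from the linked blog's approach. The consumer forwards the user's JWT1 only while its `exp` claim still has margin; otherwise it falls back to a client-credentials token for the tenant, which cannot serve a “PrincipalPropagation” destination because no user principal remains.

```python
"""Added example (not from the thread or from SAP): a RabbitMQ consumer that
reads JWT1 and the tenant subdomain from message headers, checks the token's
remaining lifetime, and otherwise builds a client-credentials request to the
tenant-specific XSUAA. All names and values below are constructed."""
import base64
import json
import urllib.parse
import urllib.request

# Header names are our own convention (assumption), not a RabbitMQ or SAP standard.
HDR_USER_JWT = "x-user-jwt"
HDR_TENANT_SUBDOMAIN = "x-tenant-subdomain"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Constructed, unsigned sample token: header.payload.<dummy signature>."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(claims).encode())}.dummy-sig"


def decode_claims(token: str) -> dict:
    """Read the payload claims WITHOUT verifying the signature. That is enough
    for a lifetime check on `exp`; any authorization decision still needs the
    signature verified against the XSUAA keys (what the xs2 SecurityContext
    does on the web API side)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def is_expired(claims: dict, now: float, leeway: int = 30) -> bool:
    """Treat the token as expired `leeway` seconds early, so a request that is
    still in flight when `exp` passes is not rejected by the target service."""
    return float(claims.get("exp", 0)) - leeway <= now


def tenant_token_request(xsuaa_url: str, subdomain: str,
                         client_id: str, client_secret: str):
    """Build the client-credentials request for a subscriber tenant. Assumption:
    the tenant's XSUAA host is the provider host with its first label replaced
    by the tenant subdomain; the token endpoint is /oauth/token."""
    parsed = urllib.parse.urlsplit(xsuaa_url)
    host = ".".join([subdomain] + parsed.hostname.split(".")[1:])
    url = urllib.parse.urlunsplit((parsed.scheme, host, "/oauth/token", "", ""))
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return url, body, headers


def fetch_token(url, body, headers, opener=urllib.request.urlopen) -> str:
    """Perform the token request; `opener` is injectable so tests stay offline."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        return json.loads(resp.read())["access_token"]


def choose_auth(headers: dict, credentials: dict, now: float) -> dict:
    """Decide how the consumer authenticates towards destination/connectivity:
    a still-valid user JWT is forwarded (PrincipalPropagation stays possible);
    otherwise a client-credentials token is requested for the tenant, which
    carries no user principal. A message with neither is rejected."""
    token = headers.get(HDR_USER_JWT)
    if token and not is_expired(decode_claims(token), now):
        return {"mode": "forward_user_jwt", "token": token}
    subdomain = headers.get(HDR_TENANT_SUBDOMAIN)
    if not subdomain:
        raise ValueError("no valid user JWT and no tenant subdomain: reject message")
    url, body, hdrs = tenant_token_request(credentials["url"], subdomain,
                                           credentials["clientid"],
                                           credentials["clientsecret"])
    return {"mode": "client_credentials", "token_url": url,
            "body": body, "headers": hdrs}


# Constructed sample credentials block, shaped like a VCAP_SERVICES entry.
SAMPLE_CREDENTIALS = {
    "clientid": "sb-example-app!t123",
    "clientsecret": "example-secret",
    "url": "https://provider.authentication.eu10.hana.ondemand.com",
}
NOW = 1_700_000_000.0  # constructed "current time" so the example is deterministic
FRESH_JWT = make_sample_jwt({"user_name": "sebastian", "exp": NOW + 600})
STALE_JWT = make_sample_jwt({"user_name": "sebastian", "exp": NOW - 600})

if __name__ == "__main__":
    base = {HDR_TENANT_SUBDOMAIN: "tenant-a"}
    print(choose_auth({**base, HDR_USER_JWT: FRESH_JWT}, SAMPLE_CREDENTIALS, NOW)["mode"])
    print(choose_auth({**base, HDR_USER_JWT: STALE_JWT}, SAMPLE_CREDENTIALS, NOW)["token_url"])
```

Two design points matter for the questions in the thread. First, the consumer never has to rebuild the servlet-bound SecurityContext: it only needs the raw token (to forward) and a verified lifetime, so a plain JWT verifier without an HttpServletRequest is enough. Second, the expired-token case is decided explicitly instead of discovered as a failed call, which keeps the consumer's behaviour predictable when a message has been queued longer than the token lived.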