cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Access Destination Service / Connectivity Service in RabbitMQ Consumer

former_member512562
Explorer

on ‎10-25-2018 11:13 AM

0 Kudos

Hi All,

we are building a java-based web api which runs in the cloud foundry environment. I will shortly describe what we are trying to achieve and what is shown in the picture.

1.The web api is called with JWT1 which holds the client information

2.The JWT1 gets validated and web api builds up a SecurityContext based on the JWT1.

3.The web request gets processed

3a.The web api creates a message and publish it into the rabbit-message-queue.

3b.The web api returns success to the client

4.The RabbitMQ Consumer process the message

4a.The RabbitMQ Consumer requests a JWT2 to access the destination instance.

4b.In parallel the RabbitMQ Consumer requests a JWT3 to access the connectivity instance.

5.The RabbitMQ Consumer requests destination configuration by sending JWT2.

6.The RabbitMQ Consumer sends request to the connectivity instance with JWT3 and the Authorization header.

7.SAP Cloud Platform Connectivity forwards request to the Cloud Connector.

8.Cloud Connector sends request to the on-premise system.

We are currently having issues in finding the right approach to propagate/pass the SecurityContext from the web api to the RabbitMQ Consumer or to create a new SecurityContext which is required to do step 4a to 6 (talk to destination and connectivity instance)

  • We could attach the JWT1 to the rabbit-message. And try to recreate the SecurityContext at the RabbitMQ Consumer. We are currently using the com.sap.xs2.security.container.SecurityContext on the web api side. We can not recreate this SecurityContext on RabbitMQ Consumer side because it requires an javax.servlet.http.HttpServletRequest to read the token. We could “fake” it but this doesn’t sound right.
  • If we attach the JWT to the rabbit-message what happens if the RabbitMQ Consumer needs longer for processing the message then the lifetime of the JWT. (The RabbitMQ Consumer could have been stopped as the message was published in the queue and could have been started after the lifetime of the JWT has expired)

Another approach could be to store a “ServiceUser” on RabbitMQ Consumer side which is used to somehow initialize the SecurityContext. But in this case, we also have the problem with the missing HttpServletRequest for the SecurityContext.

The general implementation concept for the destination service and connectivity service integration as well as the picture is taken from https://blogs.sap.com/2017/07/13/part-2-how-to-use-the-sap-cloud-platform-connectivity-and-the-cloud...

Our questions:

  1. How to call the destination service / connectivity service in a RabbitMQ consumer without having a 'real' SecurityContext ... ideally on behalf of the web api user (client)
  2. How to deal with expired tokens during later processing
  3. Are there differences in multi tenant aware scenarios

Thanks a lot

Sebastian

Show replies
Show replies
Answer

Accepted Solutions (0)

Answers (1)

Answers (1)

mariusobert
Developer Advocate
Developer Advocate
‎10-30-2018 12:38 PM
0 Kudos

Hi Sebastian,

I'm not sure if I understood your issue. Are you forwarding/ Do you want to forward the business user's JWT token to the consumer? This would bring the expiration problem you described above.

Why doesn't your consumer app request its own JTW token from the UAA?

Can you please confirm that I understood this correctly?

Regards,

Marius

Show replies
Show replies
former_member512562
Explorer
‎10-30-2018 3:46 PM
0 Kudos

Hi Marius,

thx for your answer. Your assumption is correct.

Why doesn't your consumer app request its own JWT token from the UAA?

But how to request an own JWT from UAA in a multi tenant aware setup and with which user information / credentials?

Thx upfront

Sebastian

mariusobert
Developer Advocate
Developer Advocate
‎10-31-2018 9:06 AM
0 Kudos

Hi Sebastian,

at first, I would like to mention that I'm not an expert on multi-tenant scenarios. Let's see if I'm still able to help you.

Wouldn't it be possible to "serialize" the JWT1 token (e.g. extracting the user/tenant info) there and attach this info to the RabbitMQ message?

Regards,

Marius

former_member512562
Explorer
‎11-06-2018 11:46 AM
0 Kudos

Hi Marius,

you are basically right. We can put the tenant information in the message as mentioned by serializing the JWT1 or by simply putting the tenant identifier in the rabbit-mq-header.

In a simple scenario this could work. You simply have to retrieve the subdomain of underling tenant to request the needed JWT’s. To sum this up. You need the credential from the destination- & connectivity-service which can be retrieved from the environment variables. And you need the tenant specific xsuaa-url to request the needed tokens.

In case the destination authentication is configured as “NoAuthentication” or “BasicAuthentication” this information is sufficient and the destination service will return the needed authentication information in the authTokens section in the destination response.

But in case the destination authentication is configured as “PrincipalPropagation” I need an authenticated user to derive the needed JWT which is forwarded to the OnPremise system via the cloud connector.

Sure, I could simply serialize the JWT1 but then I’m back at the questions from above.

  • How to reinitialize the SecurityContext based on the serialized JWT1
  • How to deal with expired tokens

Thx

Sebastian

Ask a Question