on 10-25-2018 11:13 AM
Hi All,
we are building a Java-based web API which runs in the Cloud Foundry environment. I will briefly describe what we are trying to achieve and what is shown in the picture.
1. The web API is called with JWT1, which holds the client information.
2. JWT1 gets validated and the web API builds up a SecurityContext based on JWT1.
3. The web request gets processed.
3a. The web API creates a message and publishes it into the RabbitMQ message queue.
3b. The web API returns success to the client.
4. The RabbitMQ Consumer processes the message.
4a. The RabbitMQ Consumer requests a JWT2 to access the destination instance.
4b. In parallel, the RabbitMQ Consumer requests a JWT3 to access the connectivity instance.
5. The RabbitMQ Consumer requests the destination configuration by sending JWT2.
6. The RabbitMQ Consumer sends the request to the connectivity instance with JWT3 and the Authorization header.
7. SAP Cloud Platform Connectivity forwards the request to the Cloud Connector.
8. The Cloud Connector sends the request to the on-premise system.
We are currently having issues finding the right approach to propagate/pass the SecurityContext from the web API to the RabbitMQ Consumer, or to create a new SecurityContext, which is required for steps 4a to 6 (talking to the destination and connectivity instances).
Another approach could be to store a “ServiceUser” on RabbitMQ Consumer side which is used to somehow initialize the SecurityContext. But in this case, we also have the problem with the missing HttpServletRequest for the SecurityContext.
The general implementation concept for the destination service and connectivity service integration as well as the picture is taken from https://blogs.sap.com/2017/07/13/part-2-how-to-use-the-sap-cloud-platform-connectivity-and-the-cloud...
Our questions:
Thanks a lot
Sebastian
Hi Sebastian,
I'm not sure if I understood your issue. Are you forwarding (or do you want to forward) the business user's JWT token to the consumer? This would bring the expiration problem you described above.
Why doesn't your consumer app request its own JWT token from the UAA?
Can you please confirm that I understood this correctly?
Regards,
Marius
Hi Sebastian,
at first, I would like to mention that I'm not an expert on multi-tenant scenarios. Let's see if I'm still able to help you.
Wouldn't it be possible to "serialize" the JWT1 token (e.g. extracting the user/tenant info) there and attach this info to the RabbitMQ message?
Regards,
Marius
Hi Marius,
You are basically right. We can put the tenant information in the message, as you mentioned, by serializing JWT1 or by simply putting the tenant identifier in the RabbitMQ header.
In a simple scenario this could work. You simply have to retrieve the subdomain of the underlying tenant to request the needed JWTs. To sum this up: you need the credentials of the destination and connectivity service, which can be retrieved from the environment variables, and you need the tenant-specific xsuaa URL to request the needed tokens.
In case the destination authentication is configured as “NoAuthentication” or “BasicAuthentication” this information is sufficient and the destination service will return the needed authentication information in the authTokens section in the destination response.
But in case the destination authentication is configured as “PrincipalPropagation” I need an authenticated user to derive the needed JWT which is forwarded to the OnPremise system via the cloud connector.
Sure, I could simply serialize the JWT1 but then I’m back at the questions from above.
Thx
Sebastian
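The approach Sebastian outlines above (tenant identifier in the RabbitMQ header, consumer derives the tenant-specific xsuaa URL and requests its own token), as an added example that is not code from the thread or from SAP. It assumes the RabbitMQ `amqp-client` library, a header name chosen here, and that the xsuaa URL from VCAP_SERVICES carries the provider subdomain as its first host label; the client-credentials call itself is left to the caller.

```java
import com.rabbitmq.client.AMQP;
import com.rabbitmq.client.Channel;
import java.io.IOException;
import java.net.URI;
import java.util.HashMap;
import java.util.Map;

public final class TenantPropagation {
    // Header name is an assumption for this example, not an SAP or RabbitMQ convention.
    static final String TENANT_HEADER = "x-tenant-subdomain";

    /** Producer side (step 3a): only the tenant subdomain of the already validated JWT1
     *  travels with the message; JWT1 itself never leaves the web API. */
    static void publish(Channel channel, String queue, byte[] body, String tenantSubdomain)
            throws IOException {
        Map<String, Object> headers = new HashMap<>();
        headers.put(TENANT_HEADER, tenantSubdomain);
        AMQP.BasicProperties props = new AMQP.BasicProperties.Builder()
                .headers(headers)
                .contentType("application/json")
                .build();
        channel.basicPublish("", queue, props, body);
    }

    /** Consumer side (steps 4a/4b): read the tenant subdomain back from the AMQP headers
     *  and reject anything that could not be a DNS label before it reaches a URL. */
    static String tenantFrom(AMQP.BasicProperties props) {
        Object value = props.getHeaders() == null ? null : props.getHeaders().get(TENANT_HEADER);
        if (value == null) {
            throw new IllegalStateException("message carries no tenant header");
        }
        String subdomain = value.toString(); // string headers arrive as LongString
        if (!subdomain.matches("[a-z0-9][a-z0-9-]{0,62}")) {
            throw new IllegalStateException("invalid tenant subdomain in header");
        }
        return subdomain;
    }

    /** Tenant-specific token endpoint: swap the provider subdomain in the bound xsuaa URL
     *  (from VCAP_SERVICES) for the tenant's one. The consumer then requests JWT2/JWT3 here
     *  with the destination/connectivity service credentials (grant_type=client_credentials). */
    static URI tenantTokenEndpoint(String xsuaaUrlFromVcap, String tenantSubdomain) {
        URI base = URI.create(xsuaaUrlFromVcap);
        String host = base.getHost();
        String tenantHost = tenantSubdomain + host.substring(host.indexOf('.'));
        return URI.create(base.getScheme() + "://" + tenantHost + "/oauth/token");
    }
}
```

This yields service tokens for the destination and connectivity instances only; as the post notes, a destination configured for PrincipalPropagation still needs an authenticated user's token, which a tenant header cannot supply.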