
SAP-samples / teched2019-cloud-cf-product-list

Licence: Apache-2.0 license
Resources for SAP TechEd SEC364 Hands-on workshop, "Secure Microservices in Cloud Foundry Environment on SAP Cloud Platform".


Important Notice

This public repository is read-only and no longer maintained. For the latest sample code repositories, visit the SAP Samples organization.

Secure Microservices in Cloud Foundry Environment on SAP Cloud Platform

In this session you will learn how to secure microservices in the Cloud Foundry environment on SAP Cloud Platform: you secure the Product List application and configure the OAuth 2.0 authorization code grant (human-to-service communication).

This tutorial shows how to...

  • get access to an SAP Cloud Platform Cloud Foundry Environment trial account
  • secure the Product List application and configure the OAuth 2.0 authorization code grant

Scenario

Secure the Product List application by using a flexible authorization framework, OAuth 2.0. The authorization code grant of OAuth 2.0 is a well-proven mechanism to grant only authorized users access to your application and its data. With the SAP XS Advanced Application Router, the SAP XSUAA OAuth authorization service and Spring Boot you have the tools at hand to define scopes and roles, assign them to users and, finally, implement the scope checks in your application.
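The scopes and roles mentioned above are declared in the application's security descriptor, xs-security.json, which is handed to the XSUAA when the service instance is created. The file below is an added illustration, not a file from this repository: the xsappname product-list and the role template Viewer are assumed. The scope name Display matches the scope in the example token further down, where $XSAPPNAME has been replaced by the XSUAA with the application's qualified name (xsapplication!t895 in that token).

```json
{
  "xsappname": "product-list",
  "tenant-mode": "dedicated",
  "scopes": [
    {
      "name": "$XSAPPNAME.Display",
      "description": "Display the product list"
    }
  ],
  "role-templates": [
    {
      "name": "Viewer",
      "description": "Users who may display the product list",
      "scope-references": [ "$XSAPPNAME.Display" ]
    }
  ]
}
```

A role built from the Viewer template is assigned to users in the cockpit; a token issued for such a user then carries the scope <xsappname>.Display, which is the string the backend has to check. Declare only the scopes the application actually enforces: a scope nobody checks grants nothing but still suggests a protection that does not exist.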

Understanding OAuth 2.0 Components

To better understand the content of this repository, you should gain a rough understanding of the SAP CP OAuth 2.0 components, which are depicted in the figure below.



OAuth 2.0 Components Overview

OAuth Resource Server

First, there is the microservice we want to secure, in our case the Product List application. In OAuth terminology this is the Resource Server: it protects its resources by checking that a valid OAuth 2.0 access token is present before it lets a request from the Client succeed.

OAuth Access Token (JWT)

Access and refresh tokens are issued as JSON Web Tokens (JWT) and represent the user's identity and authorization claims. If the access token is compromised, it can be revoked, which forces the generation of a new access token via the user's refresh token. Keep in mind that a resource server validates the access token offline, by signature and claims, and does not ask the authorization server on every request; it therefore does not learn about a revocation, and a leaked access token stays usable until its exp. This is why access tokens are kept short-lived and why the refresh token must never leave the OAuth client.

Example JWT payload (the claims of an XSUAA-issued token; the header and signature are omitted) [RFC 7519]

{
  "client_id": "sb-xsapplication!t895",
  "cid": "sb-xsapplication!t895",
  "exp": 2147483647,
  "user_name": "John Doe",
  "user_id": "P0123456",
  "email": "[email protected]",
  "zid": "1e505bb1-2fa9-4d2b-8c15-8c3e6e6279c6",
  "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
  "scope": [ "xsapplication!t895.Display" ],
  "xs.user.attributes": {
    "country": [
      "DE"
    ]
  }
}

OAuth Authorization Server

The Extended Services for User Account and Authentication (XSUAA) service is a multi-tenant identity management service. Its primary role is that of an OAuth Authorization Server: it issues authorization codes and JWT tokens after the user has been authenticated by an identity provider with his or her Cloud Foundry credentials. Furthermore it can act as an SSO service using those credentials (or others). It has endpoints for managing user accounts and for registering OAuth 2.0 clients, as well as various other management functions.

OAuth Client

The Application Router (approuter) is an edge service that provides a single entry point to a business application that consists of several backend microservices. It acts as a reverse proxy that routes incoming HTTP requests to the configured target microservice; because the browser talks to this single origin only, cross-origin resource sharing (CORS) between the microservices does not have to be handled in each of them. It plays a central role in the OAuth flow.

Like HTTP itself, token-based authentication is stateless: for scalability reasons an OAuth Resource Server does not store the JWT. The consequence is that the JWT has to be kept on the client side, since it must be provided with every request. Here the Application Router takes over this responsibility: it acts as the OAuth Client and is mainly responsible for managing the authentication flow.

The Application Router takes incoming, unauthenticated requests from users and initiates an OAuth 2.0 authorization code flow with the XSUAA. After the user has successfully logged on at the Identity Provider, the XSUAA considers the request authenticated and uses the information of the bearer assertion to create a JWT containing the authenticated user as well as all scopes that he or she has been granted. On every subsequent request the Application Router adds this JWT as an Authorization: Bearer header before routing the request to a dedicated microservice (instance), so that the microservices are relieved of running the login flow themselves.

In this flow it is important to notice that the JWT never appears in the browser: the Application Router keeps it in its server-side session, and the browser only holds a session cookie. The Application Router is the OAuth client that the user "authorizes" to obtain the authorizations, that is the JWT, from the XSUAA component.
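How the Application Router is told to run this flow, as an added example that is not this repository's configuration: an xs-app.json with authenticationMethod route, one route that forwards /products/* to the backend and requires the Display scope, and one that serves the static UI. The destination name product-list, the path /products and the localDir webapp are assumptions; the destination itself is defined in the approuter's environment, not in this file.

```json
{
  "welcomeFile": "index.html",
  "authenticationMethod": "route",
  "routes": [
    {
      "source": "^/products/(.*)$",
      "target": "/products/$1",
      "destination": "product-list",
      "authenticationType": "xsuaa",
      "scope": "$XSAPPNAME.Display"
    },
    {
      "source": "^/(.*)$",
      "target": "$1",
      "localDir": "webapp",
      "authenticationType": "xsuaa"
    }
  ]
}
```

With authenticationType xsuaa the approuter redirects an unauthenticated browser to the XSUAA login, stores the resulting JWT in its session and forwards it as a bearer token to the destination. The route-level scope rejects requests that lack the scope before they reach the backend, which is a useful first line, but not a substitute for the backend's own check: the backend route is reachable without going through the approuter.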

Conclusion

You need to configure the Application Router for your business application. Note, however, that the Application Router can be bypassed: the microservice has its own route and can be accessed directly. So every backend microservice must protect all of its endpoints itself by validating the JWT access token and implementing proper scope checks.

To validate an access token, the microservice decodes the JWT and verifies its signature with one of the JSON Web Keys (JWK), i.e. the XSUAA's public RSA keys; the token's alg header must be the expected algorithm and is never taken on trust. It then validates the claims found inside the access token, for example the client id (cid), the issuer (iss), the audience (aud) and the expiry time (exp), and only after that evaluates the scopes.
Hence every microservice needs a service binding to the XSUAA, which provides the XSUAA URL (together with the client id) in VCAP_SERVICES so that the current JWKs can be fetched, and it configures itself as an OAuth 2.0 Resource Server with the XSUAA access token validators by making use of one of SAP's Container Security Libraries.
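The validation sequence described above, as an added example in Go that is not part of this repository (the workshop itself uses Spring Boot and SAP's container security library, which performs these steps for you): pin the algorithm to RS256, verify the signature with the RSA public key, then check exp, iss, cid and aud before the scope check. So that it runs offline, the example generates its own RSA key pair and mints the token locally in place of the XSUAA and its JWKS endpoint. The Policy type, the issuer URL, the aud array and the Mint helper are assumptions for the example; cid, exp, scope and the scope name xsapplication!t895.Display are taken from the token shown on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of XSUAA token claims a resource server must check.
type Claims struct {
	ClientID string   `json:"cid"`
	Issuer   string   `json:"iss"`
	Audience []string `json:"aud"`
	Exp      int64    `json:"exp"`
	Scope    []string `json:"scope"`
}

// Policy: what this service expects; in production taken from the xsuaa entry of VCAP_SERVICES.
type Policy struct {
	ClientID string // expected cid, e.g. "sb-xsapplication!t895"
	Audience string // expected member of aud, e.g. "xsapplication!t895"
	Issuer   string // expected iss (assumed value in the example)
}

var enc = base64.RawURLEncoding

// Mint signs an RS256 JWT; it stands in for the XSUAA so the example runs offline.
func Mint(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	return input + "." + enc.EncodeToString(sig), err
}

// Verify is the resource-server side: pin the algorithm, check the signature
// with the public key (from the XSUAA JWKS in production), then the claims.
func Verify(tok string, pub *rsa.PublicKey, p Policy) (*Claims, error) {
	parts := strings.Split(tok, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hb, e1 := enc.DecodeString(parts[0])
	pb, e2 := enc.DecodeString(parts[1])
	sig, e3 := enc.DecodeString(parts[2])
	if e1 != nil || e2 != nil || e3 != nil {
		return nil, errors.New("token is not base64url")
	}
	var hdr map[string]interface{}
	if json.Unmarshal(hb, &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("alg must be RS256") // rejects alg=none and HS256 key confusion
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("invalid signature")
	}
	var c Claims // the payload is only parsed after the signature held
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	switch {
	case time.Now().Unix() >= c.Exp:
		return nil, errors.New("token expired")
	case c.Issuer != p.Issuer:
		return nil, errors.New("unexpected issuer")
	case c.ClientID != p.ClientID:
		return nil, errors.New("token was issued to another client")
	case !contains(c.Audience, p.Audience):
		return nil, errors.New("token not intended for this application")
	}
	return &c, nil
}

// HasScope is the per-endpoint role check, e.g. for "xsapplication!t895.Display".
func HasScope(c *Claims, scope string) bool { return contains(c.Scope, scope) }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the XSUAA key pair
	p := Policy{ClientID: "sb-xsapplication!t895", Audience: "xsapplication!t895", Issuer: "https://example.authentication.sap.hana.ondemand.com/oauth/token"}
	tok, _ := Mint(priv, Claims{ClientID: p.ClientID, Issuer: p.Issuer, Audience: []string{"openid", p.Audience},
		Exp: time.Now().Add(time.Hour).Unix(), Scope: []string{"xsapplication!t895.Display"}})
	c, err := Verify(tok, &priv.PublicKey, p)
	fmt.Println(err, c != nil && HasScope(c, "xsapplication!t895.Display")) // prints: <nil> true
}
```

The order matters: the algorithm is pinned and the signature verified before any claim is read, so a token with alg set to none, or one re-signed with a key the service does not trust, is rejected without its payload ever being interpreted. Anything that differs from the expected cid or aud is also refused, which is what stops a token issued for another application bound to the same XSUAA from being replayed here. In the real service, use the SAP library rather than hand-rolled validation; the example exists to make visible what that library has to do.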

Development & Tools

To go through the exercises you will need these components in your local development environment. If you use a TechEd-provided laptop, they should already be installed and configured.

  • Eclipse
  • CF CLI
  • Maven, Git, Java

Exercise Steps

1️⃣ Setup the environment

In this exercise, you will start a free SAP Cloud Platform Cloud Foundry Environment trial which you can use to deploy and run applications.

Start the Exercise

2️⃣ Download the sample application

Clone the Product List sample application from GitHub and import it into your Eclipse IDE. This is the application you will secure during this session.

Start the Exercise

3️⃣ Secure your application and push it into the cloud

Secure the Product List application.

Start the Exercise

Further References

License

Copyright (c) 2019-2020 SAP SE or an SAP affiliate company. All rights reserved. This project is licensed under the Apache Software License, version 2.0 except as noted otherwise in the LICENSE file.
