SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Support for XSUAA Authentication #317

Closed SouravDas25 closed 4 years ago

SouravDas25 commented 4 years ago

Hi Team,

While trying out the new CAS framework, we have come across a blocker. The sample project spring-security-cas works fine, and we are able to play around with it.

But when using it with our existing Spring Boot project, which uses XSUAA authentication, not the OAuth2 authentication provided in the sample,

the CAS framework is unable to retrieve the zone-id, and for the user-id the value is distorted, e.g. user/ldap/sourav.das01@sap.com. We can't change the authentication type, as our app will stay behind the app-router.

After a few hours of digging, I have found out that it is due to the following code from the com.sap.cloud.security.cas:spring dependency, AdcSpringSecurityExpression class:

[image: screenshot of the referenced AdcSpringSecurityExpression code]

The zone-id is retrieved only if the principal is an OAuth2AuthenticatedPrincipal, but our Authentication object is of the XSUAA Authentication class. Is there a possible workaround we can use?

We are using this XSUAA dependency

[image: screenshot of the XSUAA dependency declaration]

And also, could you please share the steps or inform us how to get a zone-enabled subaccount? We want to try it out with the AMS service in CF.

Thanks & Regards Sourav Das

hassler-d commented 4 years ago

Hi Sourav,

thanks for the analysis! I think I understand the issue. Let me repeat what I understood: you are using our xsuaa-spring-boot-starter in your application. This leads to the authentication.getPrincipal() object in AdcSpringSecurityExpression not being of type OAuth2AuthenticatedPrincipal but of another type. What type are you getting there? XsuaaToken?

Edit: Can you also tell us what you are getting for the user id authentication.getName()?

Best Regards Daniel

hassler-d commented 4 years ago

Hi Sourav,

I have created a branch casXsuaa where I implemented OAuth2AuthenticatedPrincipal for XsuaaToken. Assuming XsuaaToken is what you got for the principal, this change might make the cas integration work for your scenario. If this is the case can you please check out the casXsuaa branch and try if it's working? Many Thanks!

Best Regards Daniel
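The root cause described in this thread is that the CAS expression only reads the zone id when the principal implements Spring Security's OAuth2AuthenticatedPrincipal, while the xsuaa-spring-boot-starter puts a spring-xsuaa token object into the Authentication instead. Below is an added example (my own illustration, not code from this repository or the casXsuaa branch) of a consumer-side helper that resolves the zone id from either principal type and fails closed when none is found, which is the behaviour an authorization check should have: a missing tenant id must never silently degrade to "no tenant filter". It assumes the spring-xsuaa Token interface exposes getZoneId(), that XSUAA access tokens carry the zone id in the "zid" claim, and the class and method names ZoneIdResolver, resolve and requireZoneId are hypothetical.

```java
import java.util.Map;
import java.util.Optional;

import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.core.Authentication;
import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;

import com.sap.cloud.security.xsuaa.token.Token;

/**
 * Hypothetical helper (added example, not part of the library) that resolves
 * the tenant zone id from whatever principal the configured authentication
 * placed into the Authentication object.
 */
public final class ZoneIdResolver {

    // Assumption: XSUAA tokens carry the zone id in the "zid" claim.
    private static final String ZID_CLAIM = "zid";

    private ZoneIdResolver() {
    }

    /**
     * Returns the zone id if the principal exposes one, otherwise empty.
     * Handles both the OAuth2 resource-server principal used by the sample
     * and the spring-xsuaa Token used behind the app-router.
     */
    public static Optional<String> resolve(Authentication authentication) {
        if (authentication == null) {
            return Optional.empty();
        }
        Object principal = authentication.getPrincipal();

        // Case 1: Spring Security OAuth2 principal, zone id is a token attribute.
        if (principal instanceof OAuth2AuthenticatedPrincipal) {
            Map<String, Object> attributes = ((OAuth2AuthenticatedPrincipal) principal).getAttributes();
            return nonEmpty(attributes.get(ZID_CLAIM));
        }

        // Case 2: spring-xsuaa Token (e.g. XsuaaToken), which does not implement
        // OAuth2AuthenticatedPrincipal in the release discussed here but exposes
        // the zone id through its own accessor (assumed: Token.getZoneId()).
        if (principal instanceof Token) {
            return nonEmpty(((Token) principal).getZoneId());
        }

        // Unknown principal type: report "no zone id" rather than guessing.
        return Optional.empty();
    }

    /**
     * Fail-closed variant for use inside an authorization expression: an
     * authorization decision without a tenant context is denied outright.
     */
    public static String requireZoneId(Authentication authentication) {
        return resolve(authentication).orElseThrow(() -> new AccessDeniedException(
                "no zone id available on principal; refusing authorization check"));
    }

    private static Optional<String> nonEmpty(Object value) {
        return Optional.ofNullable(value)
                .map(Object::toString)
                .filter(s -> !s.isEmpty());
    }
}
```

The point of the second branch is to keep the zone id sourced from the verified token rather than from a request header or path, and the point of requireZoneId is that a policy evaluation that cannot establish the tenant should deny rather than evaluate without a tenant filter.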

SouravDas25 commented 4 years ago

Hi Daniel,

Thank you for your support,

I can see that you have implemented the OAuth2AuthenticatedPrincipal interface in XsuaaToken, nice!

Is it available in this dependency, version 2.7.4?

<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>2.7.3</version>
</dependency>

Or do I have to build the spring-xsuaa module locally to use it?

hassler-d commented 4 years ago

Hi Sourav,

it is not part of any release (yet). So yes, you have to build and install the spring-xsuaa module from casXsuaa branch locally to test it out!

hassler-d commented 4 years ago

Hi Sourav,

I forgot to mention that if you check out the casXsuaa branch you have to install spring-xsuaa manually, because it is not built automatically.

Steps required to test out casXsuaa

from the root of the library:

mvn clean install
cd spring-xsuaa
mvn clean install

After that you can build your sample and test your scenario again and please let us know if it is working!

Best Regards Daniel

SouravDas25 commented 4 years ago

Hi Daniel,

I have tested it out and it works.

getZoneId() returns the actual zoneId.

In the case of user-id it is returning user/ldap/sourav.das01@sap.com. I think this is fine, as the email id will be unique anyway.

You can close this issue.

hassler-d commented 4 years ago

XSUAA support is now part of the main cas branch.