SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

SCP CF application fails to start because XSUAA service plan "apiaccess" not supported #382

Closed faustefan closed 4 years ago

faustefan commented 4 years ago

Dear colleagues,

during the run of Fortify on a CAP project, we were made aware that the app should migrate from com.sap.xs2.security to com.sap.cloud.security. When doing and testing the necessary changes based on your good documentation, we found the issue that the Java application could no longer be started in SCP CF due to a bean initialization error.

Reading the stack trace's last "Caused By:" line (see below), we quickly came to the finding that as soon as an application makes use of an XSUAA service instance with service plan apiaccess, the application can no longer be started. Temporarily removing the dependency to this service instance and redeploying the application made the app start up and work just as expected (besides functionality that depended on it).

I then checked what adding the service plan would result in. As expected the application now started successfully when the XSUAA service instance with service plan apiaccess is bound (we have two instances bound with service plans application and apiaccess). You can see the small changes I did in https://github.com/faustefan/cloud-security-xsuaa-integration/commit/399338533d681ce7ef1a8836fc588d4cfb44d11b.

I would ask you to take a look since I cannot judge if you are by intent not supporting the missing service plan or it is just missing. If you want, I can open a PR for the changes in the above linked repo.

Thanks a ton, Stefan

Original stack trace of failing application startup:

org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'resourceServerFilter': Cannot create inner bean '(inner bean)#1469fd36' of type [org.springframework.security.oauth2.provider.authentication.OAuth2AuthenticationManager] while setting bean property 'authenticationManager'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#1469fd36': Cannot resolve reference to bean 'offlineTokenServices' while setting bean property 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'offlineTokenServices' defined in com.sap.icd.tss.designtime.backend.config.WebSecurityConfig: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.sap.cloud.security.adapter.spring.SAPOfflineTokenServicesCloud]: Factory method 'offlineTokenServices' threw exception; nested exception is java.lang.IllegalArgumentException: No enum constant com.sap.cloud.security.config.cf.CFConstants.Plan.APIACCESS
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:313)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:129)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1522)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:757)
    at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:867)
    at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:542)
    at org.springframework.web.context.ContextLoader.configureAndRefreshWebApplicationContext(ContextLoader.java:443)
    at org.springframework.web.context.ContextLoader.initWebApplicationContext(ContextLoader.java:325)
    at org.springframework.web.context.ContextLoaderListener.contextInitialized(ContextLoaderListener.java:107)
    at org.apache.catalina.core.StandardContext.listenerStart(StandardContext.java:4689)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5155)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:183)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1412)
    at org.apache.catalina.core.ContainerBase$StartChild.call(ContainerBase.java:1402)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:836)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#1469fd36': Cannot resolve reference to bean 'offlineTokenServices' while setting bean property 'tokenServices'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'offlineTokenServices' defined in com.sap.icd.tss.designtime.backend.config.WebSecurityConfig: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.sap.cloud.security.adapter.spring.SAPOfflineTokenServicesCloud]: Factory method 'offlineTokenServices' threw exception; nested exception is java.lang.IllegalArgumentException: No enum constant com.sap.cloud.security.config.cf.CFConstants.Plan.APIACCESS
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveValueIfNecessary(BeanDefinitionValueResolver.java:108)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.applyPropertyValues(AbstractAutowireCapableBeanFactory.java:1522)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1269)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:551)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBean(BeanDefinitionValueResolver.java:299)
    ... 24 more
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'offlineTokenServices' defined in com.sap.icd.tss.designtime.backend.config.WebSecurityConfig: Bean instantiation via factory method failed; nested exception is org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.sap.cloud.security.adapter.spring.SAPOfflineTokenServicesCloud]: Factory method 'offlineTokenServices' threw exception; nested exception is java.lang.IllegalArgumentException: No enum constant com.sap.cloud.security.config.cf.CFConstants.Plan.APIACCESS
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:599)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.instantiateUsingFactoryMethod(AbstractAutowireCapableBeanFactory.java:1176)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBeanInstance(AbstractAutowireCapableBeanFactory.java:1071)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:511)
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:481)
    at org.springframework.beans.factory.support.AbstractBeanFactory$1.getObject(AbstractBeanFactory.java:312)
    at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:230)
    at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:308)
    at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:197)
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:351)
    ... 30 more
Caused by: org.springframework.beans.BeanInstantiationException: Failed to instantiate [com.sap.cloud.security.adapter.spring.SAPOfflineTokenServicesCloud]: Factory method 'offlineTokenServices' threw exception; nested exception is java.lang.IllegalArgumentException: No enum constant com.sap.cloud.security.config.cf.CFConstants.Plan.APIACCESS
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:189)
    at org.springframework.beans.factory.support.ConstructorResolver.instantiateUsingFactoryMethod(ConstructorResolver.java:588)
    ... 39 more
Caused by: java.lang.IllegalArgumentException: No enum constant com.sap.cloud.security.config.cf.CFConstants.Plan.APIACCESS
    at java.lang.Enum.valueOf(Enum.java:238)
    at com.sap.cloud.security.config.cf.CFConstants$Plan.valueOf(CFConstants.java:44)
    at com.sap.cloud.security.config.cf.CFConstants$Plan.from(CFConstants.java:48)
    at com.sap.cloud.security.config.cf.CFEnvironment.lambda$loadForServicePlan$0(CFEnvironment.java:136)
    at java.util.stream.ReferencePipeline$2$1.accept(ReferencePipeline.java:174)
    at java.util.ArrayList$ArrayListSpliterator.tryAdvance(ArrayList.java:1361)
    at java.util.stream.ReferencePipeline.forEachWithCancel(ReferencePipeline.java:126)
    at java.util.stream.AbstractPipeline.copyIntoWithCancel(AbstractPipeline.java:499)
    at java.util.stream.AbstractPipeline.copyInto(AbstractPipeline.java:486)
    at java.util.stream.AbstractPipeline.wrapAndCopyInto(AbstractPipeline.java:472)
    at java.util.stream.FindOps$FindOp.evaluateSequential(FindOps.java:152)
    at java.util.stream.AbstractPipeline.evaluate(AbstractPipeline.java:234)
    at java.util.stream.ReferencePipeline.findFirst(ReferencePipeline.java:464)
    at com.sap.cloud.security.config.cf.CFEnvironment.loadForServicePlan(CFEnvironment.java:137)
    at com.sap.cloud.security.config.cf.CFEnvironment.loadXsuaa(CFEnvironment.java:111)
    at com.sap.cloud.security.config.cf.CFEnvironment.getXsuaaConfiguration(CFEnvironment.java:51)
    at com.sap.cloud.security.adapter.spring.SAPOfflineTokenServicesCloud.<init>(SAPOfflineTokenServicesCloud.java:98)
    at com.sap.icd.tss.designtime.backend.config.WebSecurityConfig.offlineTokenServices(WebSecurityConfig.java:83)
    at com.sap.icd.tss.designtime.backend.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$cd3ee7bd.CGLIB$offlineTokenServices$1(<generated>)
    at com.sap.icd.tss.designtime.backend.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$cd3ee7bd$$FastClassBySpringCGLIB$$215b6030.invoke(<generated>)
    at org.springframework.cglib.proxy.MethodProxy.invokeSuper(MethodProxy.java:228)
    at org.springframework.context.annotation.ConfigurationClassEnhancer$BeanMethodInterceptor.intercept(ConfigurationClassEnhancer.java:358)
    at com.sap.icd.tss.designtime.backend.config.WebSecurityConfig$$EnhancerBySpringCGLIB$$cd3ee7bd.offlineTokenServices(<generated>)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.springframework.beans.factory.support.SimpleInstantiationStrategy.instantiate(SimpleInstantiationStrategy.java:162)
    ... 40 more
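
The innermost cause in the trace above is `Enum.valueOf` being called from `Plan.from` inside a stream filter over the bound service instances, so a binding with an unrecognized plan aborts the whole lookup. The following is an added example, not the library's code and not part of the original post; the `Plan` constants, the `Binding` class, the method names and the instance names are hypothetical, and the sample bindings are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Locale;
import java.util.Optional;

public class PlanLookupDemo {
    // Hypothetical plan enum that does not know "apiaccess".
    enum Plan {
        APPLICATION, BROKER;

        // Strict mapping: Enum.valueOf throws IllegalArgumentException on unknown names.
        static Plan strict(String name) {
            return valueOf(name.toUpperCase(Locale.ROOT));
        }

        // Tolerant mapping: an unknown or missing plan is "no match", never a default plan.
        static Optional<Plan> tolerant(String name) {
            if (name == null) return Optional.empty();
            try {
                return Optional.of(valueOf(name.toUpperCase(Locale.ROOT)));
            } catch (IllegalArgumentException e) {
                return Optional.empty();
            }
        }
    }

    // Constructed stand-in for one bound service instance.
    static final class Binding {
        final String name, plan;
        Binding(String name, String plan) { this.name = name; this.plan = plan; }
    }

    // Throws as soon as the filter reaches a binding whose plan is not in the enum.
    static Optional<Binding> findStrict(List<Binding> bound, Plan wanted) {
        return bound.stream().filter(b -> Plan.strict(b.plan) == wanted).findFirst();
    }

    // Skips bindings with unknown plans and still finds the wanted one.
    static Optional<Binding> findTolerant(List<Binding> bound, Plan wanted) {
        return bound.stream()
                .filter(b -> Plan.tolerant(b.plan).filter(p -> p == wanted).isPresent())
                .findFirst();
    }

    public static void main(String[] args) {
        // Constructed data: two bound instances with plans apiaccess and application.
        List<Binding> bound = Arrays.asList(
                new Binding("uaa-api", "apiaccess"), new Binding("uaa-app", "application"));
        try {
            findStrict(bound, Plan.APPLICATION);
        } catch (IllegalArgumentException e) {
            System.out.println("strict lookup failed: " + e.getMessage());
        }
        System.out.println("tolerant lookup found: "
                + findTolerant(bound, Plan.APPLICATION).map(b -> b.name).orElse("none"));
    }
}
```

Because the stream is evaluated lazily, the strict variant only fails when the unknown-plan binding is visited before a match, so the same application can start or crash depending on binding order.
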

nenaraab commented 4 years ago

Hi @faustefan

cool. Thanks for reporting. You can test with master branch if you like.

Best regards, Nena

faustefan commented 4 years ago

Hi @nenaraab,

thanks a ton. I have run a local Maven build of the java-api project based on master branch and deployed the resulting artifact with my app. It starts up just fine 👍

Thanks a ton for the quick fix. Looking forward to the patch version including it so I can bring the dependent changes to my app's code base.

Have a great day, Stefan

nenaraab commented 4 years ago

Solved with version 2.7.8