SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Need sample application that shows how to integrate `java-security` #409

Closed Augustine-Joshua closed 4 years ago

Augustine-Joshua commented 4 years ago

Hi,

We are using Java apps which use Spring Security for scope validation (non-Spring Boot app). We have successfully migrated from the java-container-security library to the com.sap.cloud.security.java-security library, version 2.7.5. Scope validation for the APIs is done in the spring-security.xml file.

Now we need to migrate from the Spring Security OAuth library to the Spring Security library as explained here: https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide. Is there any example available for this case? Could you please guide us here?

Best Regards, Augustine

nenaraab commented 4 years ago

Hi @Augustine-Joshua

Am I right that you are not a Spring (Boot) application, nor a J2EE application?

As you wrote, you've followed the easy path of using the open-source java-security client library. It provides a "spring-adapter" that makes use of the deprecated Spring OAuth2 library (as stated in our migration guide). The point is that there is no simple and compatible replacement or migration path provided with Spring Security (see also the Spring Migration Guide https://github.com/spring-projects/spring-security/wiki/OAuth-2.0-Migration-Guide).

So, the only option you have is to set up and integrate java-security by yourself, e.g. as part of a Servlet Filter using the XsuaaTokenAuthenticator.

Do you deploy your application as a war or as a jar file? Furthermore, which servlet container do you make use of?

Best regards, Nena
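One way the Servlet Filter route can look, as an added example that is not the library's sample code and not part of this thread: it validates the token with java-security's XsuaaTokenAuthenticator and then applies a central path-prefix to local-scope table, the plain-servlet stand-in for intercept-url rules. It assumes the java-security servlet API (XsuaaTokenAuthenticator.validateRequest, TokenAuthenticationResult, AccessToken.hasLocalScope, SecurityContext.clearToken); the class name and the rule table are constructed for illustration.

```java
import java.io.IOException;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import com.sap.cloud.security.servlet.TokenAuthenticationResult;
import com.sap.cloud.security.servlet.XsuaaTokenAuthenticator;
import com.sap.cloud.security.token.AccessToken;
import com.sap.cloud.security.token.SecurityContext;
// Hypothetical filter: authenticate with java-security, then enforce a central
// path-prefix -> local scope table (the plain-servlet stand-in for intercept-url / antMatchers).
public class XsuaaScopeFilter implements Filter {
    private final XsuaaTokenAuthenticator authenticator = new XsuaaTokenAuthenticator();
    // Constructed sample rules; first matching prefix wins, so list the most specific path first.
    // Scope names are local, i.e. without the "<xsappname>." prefix, as hasLocalScope() expects.
    private static final String[][] RULES = { { "/api/admin/", "Admin" }, { "/api/", "Read" } };
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        // Step 1: token validation. On success the authenticator stores the token in SecurityContext.
        TokenAuthenticationResult result = authenticator.validateRequest(request, response);
        if (!result.isAuthenticated()) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, result.getUnauthenticatedReason());
            return;
        }
        try {
            // Step 2: authorization in one place; a null scope means any authenticated caller may pass.
            String path = request.getRequestURI().substring(request.getContextPath().length());
            String scope = requiredScopeFor(path);
            AccessToken token = SecurityContext.getAccessToken();
            if (scope != null && !token.hasLocalScope(scope)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "missing scope " + scope);
                return;
            }
            chain.doFilter(request, response);
        } finally {
            SecurityContext.clearToken(); // never leave a token behind on a pooled container thread
        }
    }
    static String requiredScopeFor(String path) {
        for (String[] rule : RULES) {
            if (path.startsWith(rule[0])) return rule[1];
        }
        return null;
    }
    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

Register the filter in web.xml (or via @WebFilter) in front of the Jersey ServletContainer mapping so every API path passes through it.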

Augustine-Joshua commented 4 years ago

Hi Nena,

You are right, the application is not Spring Boot, nor J2EE either. We use Spring Security only for scope validation through spring-security.xml using intercept-url, as shown below.

Our application is deployed as a war file in CF. Servlet container used: org.glassfish.jersey.servlet.ServletContainer

Best regards, Augustine

[image attached]

nenaraab commented 4 years ago

Hi @Augustine-Joshua

I've improved the java-security-usage sample here in this branch: java-samples. It now makes use of a Servlet Filter, which hopefully also works in your context. Please give it a try and provide feedback.

I've also tried using the SAP Java buildpack, but it seems to work only in combination with Servlet Security.

Related PR #411

Augustine-Joshua commented 4 years ago

Hi @nenaraab ,

Thanks for the code sample. I'm able to get the token validation successful. Now I have two questions:

  1. Could you please provide me a sample to do the scope validation for APIs using antMatchers, just like it is done in Spring Boot applications like this: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/spring-security-xsuaa-usage/src/main/java/sample/spring/xsuaa/SecurityConfiguration.java#L50. I tried following this spring-xsuaa sample, but the authentication classes are not available for java-security. I don't want to do this at method level, as there are many existing APIs, and doing it in a central place using antMatchers is a simpler approach for migrated applications.
  2. SecurityContext.getAccessToken() does not work for asynchronous calls. This is because the SecurityContext class uses ThreadLocal to store the context. Earlier we used SpringSecurityContext to overcome this limitation, as SpringSecurityContext uses SecurityContextHolder to provide access to the context in asynchronous threads. Could you please enable the SecurityContext class to use InheritableThreadLocal instead of ThreadLocal, or use SecurityContextHolder as in SpringSecurityContext? This will solve the problem.

I found a similar GitHub issue https://github.com/SAP/cloud-security-xsuaa-integration/issues/311 created for the second question, which ended with an open question "But what if the child thread lives on and the parent gets reused for a different request. Do I now have access to the SecurityContext from this request? Or is it only passed down once when the child is being created?" - In my opinion, when the parent thread gets a new request context, it also creates a new child thread and hence the previous request context is not impacted.

Best regards, Augustine

nenaraab commented 4 years ago

Hi @Augustine-Joshua

  1. As discussed, unfortunately Spring authorization checks are not supported with java-security, only with the deprecated Spring Security OAuth2 lib (as described in the migration guide). Alternatively, you can opt for the spring-xsuaa client lib (with Spring support) for Spring (Boot) applications.

  2. That's true, as documented.

We are not going to support InheritableThreadLocal, as it is dangerous (and insecure) when used in combination with thread pools. Using Spring's MODE_INHERITABLETHREADLOCAL can result in a thread pool containing threads with the wrong security context for async tasks. A better approach is to use an executor that delegates the security context when it runs the task. See also these references:

Best regards, Nena
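A delegating executor of the kind described above, as an added example that is not part of this thread and not library code: it captures the submitting thread's token at submit time, installs it only while the task runs, and restores or clears it afterwards, so a pooled worker never inherits or keeps a stale context (the same idea Spring's DelegatingSecurityContextExecutor applies to its own context holder). It assumes java-security's static SecurityContext.getToken, setToken and clearToken; the class name is constructed.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Future;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
// Hypothetical wrapper around any ExecutorService. Unlike InheritableThreadLocal, the token is
// propagated per task, not per thread, so pool reuse cannot leak one request's context into another.
public final class TokenDelegatingExecutor {
    private final ExecutorService delegate;
    public TokenDelegatingExecutor(ExecutorService delegate) {
        this.delegate = delegate;
    }
    public <T> Future<T> submit(Callable<T> task) {
        return delegate.submit(wrap(task));
    }
    /** Binds the calling thread's current token to the task for the duration of task.call(). */
    public static <T> Callable<T> wrap(Callable<T> task) {
        final Token captured = SecurityContext.getToken(); // read now, on the request thread
        return () -> {
            Token previous = SecurityContext.getToken();   // whatever the worker thread had before
            if (captured != null) {
                SecurityContext.setToken(captured);
            } else {
                SecurityContext.clearToken();              // submitted outside a request: run unauthenticated
            }
            try {
                return task.call();
            } finally {
                // Leave the worker exactly as found; a cleared thread cannot serve a stale token later.
                if (previous != null) {
                    SecurityContext.setToken(previous);
                } else {
                    SecurityContext.clearToken();
                }
            }
        };
    }
    public void shutdown() {
        delegate.shutdown();
    }
}
```

Wrap the application's shared pool once (e.g. `new TokenDelegatingExecutor(Executors.newFixedThreadPool(4))`) and submit request-scoped work through it; the same `wrap` also serves `Runnable`s via `Executors.callable`.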

nenaraab commented 4 years ago

I would then close this issue, as this seems to be answered / solved. Please create new issues for further questions.