Closed Augustine-Joshua closed 3 years ago
Hi @Augustine-Joshua,
thanks for your question! Yes, spring-xsuaa was NEVER suggested for NON-Spring (boot) applications.
Yes, the sample shows how to integrate with a Tomcat Servlet container by implementing the `javax.servlet.Filter` class as described here:
https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/java-security-usage/src/main/java/com/sap/cloud/security/samples/XsuaaSecurityFilter.java

This performs the token validation and fills the `SecurityContext` in case the user could be authenticated (token is valid).

The same implementation has to be provided as part of a JAX-RS `javax.ws.rs.container.ContainerRequestFilter` to support the same functionality for the Jersey Servlet Container.

This webpage seems to provide a good explanation of how to implement such a `ContainerRequestFilter`: https://howtodoinjava.com/spring-boot/role-based-security-jaxrs-annotations/

The `SecurityContext` can then be used within the same thread, request context. Or, you implement the `isUserAllowed` as explained in the references page.
Best regards, Nena
Further References
Hi @nenaraab ,
In continuation of issue https://github.com/SAP/cloud-security-xsuaa-integration/issues/409, the scope validation provided in the sample code is specific to the HttpServlet class and it did not work for Java applications (JAX-RS) based on Jersey. Spring-xsuaa as well did not work for non-Spring Boot apps.
Could you please provide an example for Jersey-based apps? https://github.wdf.sap.corp/iot/configuration/blob/master/src/generated/java/com/sap/appcore/configuration/resource/ConfigurationResource.java#L16
Best regards, Augustine
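A sketch of the `ContainerRequestFilter` described in the reply above, added here as an example; it is not code from this thread or from the SAP samples. The class name `XsuaaJaxRsFilter` is hypothetical, and the java-security calls (`JwtValidatorBuilder`, `XsuaaToken`, `SecurityContext`, `Environments`) are assumed to match the library version in use and a bound XSUAA service instance.

```java
import javax.annotation.Priority;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.*;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;

// Hypothetical JAX-RS counterpart of the servlet filter: validate, then fill SecurityContext.
@Provider
@Priority(Priorities.AUTHENTICATION)
public class XsuaaJaxRsFilter implements ContainerRequestFilter, ContainerResponseFilter {
    private final CombiningValidator<Token> validator = // assumed API, built once per filter
        JwtValidatorBuilder.getInstance(Environments.getCurrent().getXsuaaConfiguration()).build();

    @Override
    public void filter(ContainerRequestContext request) {
        SecurityContext.clear(); // never inherit a token left on a pooled thread
        String header = request.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            reject(request);
            return;
        }
        try {
            Token token = new XsuaaToken(header.substring(7).trim());
            if (validator.validate(token).isErroneous()) { // signature, expiry, audience
                reject(request);
                return;
            }
            SecurityContext.setToken(token); // readable by the resource in this request thread
        } catch (RuntimeException e) { // malformed JWT: fail closed
            reject(request);
        }
    }

    @Override
    public void filter(ContainerRequestContext request, ContainerResponseContext response) {
        SecurityContext.clear(); // same cleanup the servlet sample does after the chain
    }

    private static void reject(ContainerRequestContext request) {
        request.abortWith(Response.status(Response.Status.UNAUTHORIZED)
            .header(HttpHeaders.WWW_AUTHENTICATE, "Bearer").build());
    }
}
```

Register the class with the Jersey application (for example through package scanning) so that it runs before resource methods; scope checks in a resource can then read the token from `SecurityContext`.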