SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

Need sample for scope validation for Jersey-based applications #416

Closed Augustine-Joshua closed 3 years ago

Augustine-Joshua commented 3 years ago

Hi @nenaraab ,

In continuation with issue https://github.com/SAP/cloud-security-xsuaa-integration/issues/409, the scope validation provided in the sample code is specific to the HttpServlet class, and it did not work for Java applications (JAX-RS) based on Jersey. Spring-xsuaa also did not work for non-Spring Boot apps.

Could you please provide an example for Jersey-based apps. https://github.wdf.sap.corp/iot/configuration/blob/master/src/generated/java/com/sap/appcore/configuration/resource/ConfigurationResource.java#L16

Best regards, Augustine

nenaraab commented 3 years ago

Hi @Augustine-Joshua,

thanks for your question! Yes, spring-xsuaa was NEVER suggested for NON-Spring (boot) applications.

Yes, the sample shows how to integrate to Tomcat Servlet container by implementing javax.servlet.Filter class as described here: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/samples/java-security-usage/src/main/java/com/sap/cloud/security/samples/XsuaaSecurityFilter.java

This performs the token validation and fills the SecurityContext in case the user could be authenticated (token is valid). The same implementation has to be provided as part of a JAX-RS javax.ws.rs.container.ContainerRequestFilter to support the same functionality for Jersey Servlet Container.

This webpage seems to provide a good explanation on how to implement such a ContainerRequestFilter: https://howtodoinjava.com/spring-boot/role-based-security-jaxrs-annotations/

The SecurityContext can then be used within the same thread/request context. Or you implement isUserAllowed as explained in the referenced page.

Best regards, Nena
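As an added illustration of the approach Nena describes (not code from this issue thread or from the repository's samples), the following Java class ports the linked servlet XsuaaSecurityFilter to a JAX-RS ContainerRequestFilter. It assumes the java-security library API used by that sample (JwtValidatorBuilder, XsuaaToken, SecurityContext with setToken/clearToken/getAccessToken, AccessToken.hasLocalScope); the package name, the filter and resource class names and the scope name "Read" are placeholders of this example. The response filter is included because SecurityContext is thread-local and must be cleared before a pooled request thread is reused.

```java
package com.example.jersey.security; // hypothetical package, not from the repository

import javax.annotation.Priority;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Priorities;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;

import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.token.AccessToken;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;

/**
 * JAX-RS counterpart of the servlet-based XsuaaSecurityFilter sample:
 * validates the bearer token on every request and stores it in the
 * library's thread-local SecurityContext so that resource methods can
 * check scopes on the same thread.
 */
@Provider
@Priority(Priorities.AUTHENTICATION) // run before authorization and resource code
public class XsuaaJaxRsFilter implements ContainerRequestFilter, ContainerResponseFilter {

    private final CombiningValidator<Token> tokenValidator;

    public XsuaaJaxRsFilter() {
        // Signature, issuer, audience and expiry validators derived from the bound XSUAA instance
        tokenValidator = JwtValidatorBuilder
                .getInstance(Environments.getCurrent().getXsuaaConfiguration())
                .build();
    }

    @Override
    public void filter(ContainerRequestContext requestContext) {
        String authorizationHeader = requestContext.getHeaderString(HttpHeaders.AUTHORIZATION);
        if (authorizationHeader == null || authorizationHeader.trim().isEmpty()) {
            abortUnauthenticated(requestContext, "Authorization header is missing");
            return;
        }
        // XsuaaToken strips the "Bearer " prefix itself, as in the servlet sample
        Token token = new XsuaaToken(authorizationHeader);
        ValidationResult result = tokenValidator.validate(token);
        if (!result.isValid()) {
            abortUnauthenticated(requestContext, result.getErrorDescription());
            return;
        }
        SecurityContext.setToken(token); // available to the resource on this thread
    }

    @Override
    public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext) {
        // Always clear the thread-local token so a pooled thread never leaks it into the next request
        SecurityContext.clearToken();
    }

    private static void abortUnauthenticated(ContainerRequestContext ctx, String reason) {
        ctx.abortWith(Response.status(Response.Status.UNAUTHORIZED)
                .entity("Unauthenticated: " + reason)
                .build());
    }

    /**
     * Scope check for resource methods, in the role of isUserAllowed from the linked article.
     * localScope is the scope name without the xsappname prefix, e.g. "Read".
     */
    public static boolean isUserAllowed(String localScope) {
        AccessToken token = SecurityContext.getAccessToken();
        return token != null && token.hasLocalScope(localScope);
    }
}

/** Hypothetical resource showing the scope check; the path and scope name are placeholders. */
@Path("/sample")
class SampleResource {

    @GET
    public Response read() {
        // Authentication already happened in the filter; this is the authorization step
        if (!XsuaaJaxRsFilter.isUserAllowed("Read")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }
        return Response.ok("hello " + SecurityContext.getToken().getPrincipal().getName()).build();
    }
}
```

Register the filter with Jersey by placing it in a scanned package or adding it to the application's ResourceConfig; because the request filter aborts with 401 before the resource runs, the resource only ever has to decide between 200 and 403.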

Further References