How to write a servlet that on request will do all token exchanges, set required cookies and redirect caller

[maxvader]

Hello, we need to allow our customers to access directly to our angular application that is behind the application router without showing the usual cloud foundry login page. So we thought that we have no alternative than:

• create a servlet on our java backend
• access it without passing from the router
• in the servlet do everyting that is needed to log the user in CF and generate the requied cookies
• send the cookies to the customer with a redirect that points to the angular application protected by the router

Will this scenario work? Can you point me to the java code that will do the login in cf, generate cookies, etc?

Thank you!

[nenaraab]

Hi @maxvader,

• do you make use of any web framework?
• why is the user unable to access directly via approuter?
• maybe this is not the right place to get your question answered. As SAP employee I would suggest the SAP Jam.

Best regards, Nena

[maxvader]

Hi @nenaraab , I am aware that my question seems like a lazy newbie question, I was trying to be most concise as possible. A year ago I contacted you for a very similar problem, related to our use of sapjco3 in CF enviroment. Our architecture uses Spring and the most relevant packages are : com.sap.cloud.security.xsuaa spring-xsuaa and token-client, org.springframework.security spring-security-oauth2-resource-server and spring-security-oauth2-jose, neo-java-web-api, javax.servlet-api.

On why the user is unable to access directly via the router: we absolutely need to have a direct login without showing the Cloud Foundry form. This because it is an integration and the user expects to click on a link and open our page. The user is already logged in another system and absolutely doesn't want to log in again. Too bad our commercial sold that... Se we think to provide the necessary parameters encoded in the url and let some java code do the login part.

I even thought about other ways, like IDP federation, but my collegues told me that the login form would appear even in that case (I have no experience on that, maybe they are wrong).

So, sorry for coming here with this strange question, you are the most competent people I know of. I tried in the past to ask question on sap forums but no one was able to answer. I don't know SAP Jam, I tried once but it seemed to me to be invitation only, if you can let me in I will gladly enter. My business email is: massimo.nann@horsa.it

[nenaraab]

Hi @maxvader

Still not sure whether I've understood your scenario.

• by which "system" the user is already authenticated?
• Does the customer has a custom identity provider? And is there only one custom identity provider mapped to your xsuaa service?

Further ideas...

• you can configure the approuter with another "authentication type", e.g. basic auth (technical user) or none: see also here: https://www.npmjs.com/package/@sap/approuter#plugins-configuration, but a very weak kind of authentication.
• spring-xsuaa is a little bit restrictive, it serves as resource server (see Spring Security OAuth 2.0 Resource Server), that mean it requires a valid access token from the xsuaa by default. Additionally basic auth can be activated as well. You could establish your own "authentication" logic by implementing the BearerTokenResolver (or Authentication Manager Resolver) similar as we did it here: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/IasXsuaaExchangeBroker.java but in all cases spring-xsuaa (and your application) may expect the users information in form of a Token instance.

Best regards, Nena

[maxvader]

Thank you @nenaraab , you opened me a lot of possibilities. I have to admit that despite using CF for some time some concepts are still vague to me. I guess we will try first with basic auth or no auth in the app router, we already have an authentication mechanism in the back end and woul be perfect. Looking around I discovered that is is even possible to get an access token directly from XSUAA with api calls like in this tutorial (it's for ABAP but they are just http calls), but that would require some code.

I need to ask you just one last question: the IDP case. We have SAP Identity Authentication configured for CF and the customer uses his own IDP for the sofware that will display the link to our application. You are saying that in some way the customer IDP can be connected or federated with CF to skip the app router phase? This would be very useful and interesting... I promise this is the last question :-)

[nenaraab]

Hi @maxvader

in regard to the access token from xsuaa... in java you can leverage the token-client that implements some of the token flows: https://docs.cloudfoundry.org/api/uaa/version/74.1.0/index.html#token

In regard to you last question, could you please open a new issue with this question, then i could forward it to the experts (pls. expect some delay).

Best regards, Nena