Need help to remove the deprecated Spring Security OAuth2 library

[sabineheider]

Hi colleagues,

we need some help in replacing the deprecated Spring Security OAuth2 library.

We are maintaining an XSA on-premise application that isn't being developed any further (so maintenance only). In that application, we are using the SAP Java Security library plus Spring Security and Spring Security OAuth2 (no Spring Boot though). We have already upgraded the Java Security library to version 2.8.0 and didn’t observe any problems with incompatibilities. These are the versions currently in use (copied from https://github.wdf.sap.corp/TelcoBigData/MarginAssurance/blob/op_2.60/java/pom.xml):

           <version.sap.security.client>2.8.0</version.sap.security.client>
           <spring.core.version>5.2.11.RELEASE</spring.core.version>
           <spring.security.version>5.3.6.RELEASE</spring.security.version>
           <spring.security.oauth2.version>2.5.0.RELEASE</spring.security.oauth2.version>

We would like to get rid of the deprecated Spring Security OAuth2 library, but to be honest I don’t really know how. It's only used within spring-security.xml files. They look all more or less the same for the different backend services. Here is one example (on op_2.60 branch, master isn't in use any more): https://github.wdf.sap.corp/TelcoBigData/MarginAssurance/blob/op_2.60/java/base_set_explorer/src/main/webapp/WEB-INF/spring-security.xml.

We developed the application according to what was "state-of-the-art" at that time, the spring-security.xml setup has been copied from a sample application and was just adapted to our needs. That's why I was hoping for a migration guide or an already migrated sample project for that case, but I couldn't find any.

Would you assist us in getting rid of the Spring Security OAuth2 library? Any help is highly appreciated.

Thanks and best regards, Sabine

[nenaraab]

Hi @sabineheider

• to how many xsuaa service instances your application is bound to?
• which buildpack do you use? Java community or SAP Java buildpack?
• I'm not that familiar with the odata / olingo framework you're using... in case its Servlet-based, we may have a chance to leverage SAP Java Buildpack for token validation and role-checks (authorization checks on scopes). A migration document is not provided here.

Best regards, Nena

[sabineheider]

Hi @nenaraab,

there is only one xsuaa service to which all our applications are bound. We use the SAP Java buildpack. I'm not very familiar with the details of the olingo library myself, but I'm pretty sure that it's not based on Servlets, so I don't think we can't use that mechanism.

Thanks and best regards, Sabine

[nenaraab]

Hi @sabineheider

I've checked the history... and i've seen olingo/odata projects using all of these different java and spring security libraries:

• they had Servlets and made use of SAP Java Buildpack (supports multiple xsuaa bindings as well) https://github.com/SAP/cloud-security-xsuaa-integration/issues/398 ( and #420) github of odata-project Migration Guide
• this uses spring-boot security https://github.com/SAP/cloud-security-xsuaa-integration/issues/414 Migration Guide
• this uses cloud sdk (which uses java-security) https://github.com/SAP/cloud-security-xsuaa-integration/issues/413

Best regards, Nena

[nenaraab]

Hi @sabineheider

please check also this up-to-date guide, which refers to all available migration guides: https://github.com/SAP-samples/teched2020-DEV263

Best regards, Nena

[sabineheider]

Thank you @nenaraab I will check the linked projects and resources later.