SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

[Question] autosync SpringSecurityContext to SecurityContext #596

Closed ankdusad closed 3 years ago

ankdusad commented 3 years ago

We use the spring-security-xsuaa library, whereas one of the internal team's client libraries depends on the CP Java Security Client Library and expects tokens to be available in the thread-local cache (SecurityContext), but we use SpringSecurityContext to store logged-in user tokens.

```
java.lang.IllegalStateException: No AccessToken available from SecurityContext"
    at com.sap.it.op.multicloud.utils.commons.uaa.AccessTokenHelper.getAccessToken(AccessTokenHelper.java:135)
    at com.sap.it.op.multicloud.utils.accesspolicy.clientlib.impl.AccessPolicyAccessor.getAccessToken(AccessPolicyAccessor.java:314)
```

Is there an out-of-the-box solution available by which we can sync and transfer the token from SpringSecurityContext to SecurityContext?

I recently learned that adding the below dependency will set some autoconfigure bean to sync the above-mentioned context:

```xml
<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>2.10.2</version>
</dependency>
```

I tried the above solution with no success. Can you please check and let us know if the above change is sufficient enough for auto config beans to sync SpringSecurityContext with that of SecurityContext? Do we need to set up any additional properties?

nenaraab commented 3 years ago

Hi @ankdusad thanks for your request!

> spring-security-xsuaa library whereas one of the internal team's client library depends on CP Java Security Client Library and expects tokens to be available at the thread-local cache (SecurityContext) but we use SpringSecurityContext to store logged-in user tokens.

My questions to that:

  1. One application uses only one client library, isn't it?
  2. Pls provide us the groupId/artifactId of the "CP Java Security Client Library"

> I recently learned that adding below dependency will set some autoconfigure bean to sync above mentioned context:

Yes, that's true, but it is provided with another dependency, which is documented on the same page here but you tried it with xsuaa-spring-boot-starter.

You can easily implement it on your own. Just copy the code from here, remove all @ConditionalOn* annotations and adapt it to your needs, e.g. to the SecurityContext you like to support in your particular case. https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.java

Kind regards, Nena
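A sketch of the "adapt it to your needs" route described above, as an added example that is not part of the thread and not the library's own code: a custom `SecurityContextHolderStrategy` that mirrors the bearer token into a second thread-local and is installed through a `MethodInvokingFactoryBean`. `LegacyTokenHolder`, `MirroringStrategy` and `TokenMirrorConfiguration` are hypothetical names, and the sketch assumes the `Authentication` is a Spring resource-server bearer token authentication.

```java
import org.springframework.beans.factory.config.MethodInvokingFactoryBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.*;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;

@Configuration
public class TokenMirrorConfiguration {

    /** Hypothetical stand-in for the thread-local the other client library reads. */
    public static final class LegacyTokenHolder {
        private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();
        public static String get() { return TOKEN.get(); }
        static void set(String token) { TOKEN.set(token); }
        static void clear() { TOKEN.remove(); }
    }

    /** Holds Spring's context per thread and mirrors the token value on every change. */
    public static final class MirroringStrategy implements SecurityContextHolderStrategy {
        private static final ThreadLocal<SecurityContext> CONTEXT = new ThreadLocal<>();

        @Override public SecurityContext getContext() {
            SecurityContext ctx = CONTEXT.get();
            if (ctx == null) { ctx = createEmptyContext(); CONTEXT.set(ctx); }
            return ctx;
        }
        @Override public void setContext(SecurityContext ctx) {
            CONTEXT.set(ctx);
            Authentication auth = ctx.getAuthentication();
            if (auth instanceof AbstractOAuth2TokenAuthenticationToken) {
                LegacyTokenHolder.set(
                    ((AbstractOAuth2TokenAuthenticationToken<?>) auth).getToken().getTokenValue());
            } else {
                LegacyTokenHolder.clear(); // never keep a previous request's token
            }
        }
        @Override public void clearContext() {
            CONTEXT.remove();
            LegacyTokenHolder.clear(); // pooled threads are reused across requests
        }
        @Override public SecurityContext createEmptyContext() { return new SecurityContextImpl(); }
    }

    /** Calls SecurityContextHolder.setStrategyName(...) once at application start-up. */
    @Bean
    public MethodInvokingFactoryBean securityContextStrategyInstaller() {
        MethodInvokingFactoryBean bean = new MethodInvokingFactoryBean();
        bean.setTargetClass(SecurityContextHolder.class);
        bean.setTargetMethod("setStrategyName");
        bean.setArguments(MirroringStrategy.class.getName());
        return bean;
    }
}
```

The mirror only updates when `SecurityContextHolder.setContext(...)` or `clearContext()` is called; code that mutates the current context through `getContext().setAuthentication(...)` bypasses it.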

ankdusad commented 3 years ago

Hi @nenaraab Thanks for the quick feedback!

Answering a few of the queries asked:

  1. One application uses only one client library, isn't it? : There is a third party library that uses "CP Java Security Client Library"
  2. Pls provide us the groupId/artifactId of the "CP Java Security Client Library": java-api-2.7.7

I've tried the mentioned way by removing all @ConditionalOn* annotations and adapting them; however, I'm not able to transfer SpringSecurityContext's token to SecurityContext:

@Bean public MethodInvokingFactoryBean methodInvokingFactoryBean() {...copied_code.... }

These are the dependencies I've added:

```xml
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>
<dependency>
    <groupId>com.sap.cloud.security</groupId>
    <artifactId>resourceserver-security-spring-boot-starter</artifactId>
    <version>2.10.2</version>
</dependency>
<dependency>
    <groupId>org.apache.httpcomponents</groupId>
    <artifactId>httpclient</artifactId>
</dependency>
<dependency>
    <groupId>com.sap.cloud.security.xsuaa</groupId>
    <artifactId>xsuaa-spring-boot-starter</artifactId>
    <version>2.10.2</version>
</dependency>
```

I'll further check on this.

nenaraab commented 3 years ago

Hi @ankdusad

Don't add this dependency:

com.sap.cloud.security: resourceserver-security-spring-boot-starter

Kind regards, Nena

ankdusad commented 3 years ago

Hi @nenaraab

Now, I've removed com.sap.cloud.security: resourceserver-security-spring-boot-starter and added com.sap.cloud.security:spring-security for JavaSecurityContextHolderStrategy.

Below code is as it is: @Bean public MethodInvokingFactoryBean methodInvokingFactoryBean() {...copied_code.... }

From /actuator/beans, I get SecurityContextAutoConfiguration as an active bean:

com.sap.cloud.security.spring.autoconfig.SecurityContextAutoConfiguration$$EnhancerBySpringCGLIB$$4f5f9416",
          "resource": "URL [jar:file:/home/vcap/app/BOOT-INF/lib/spring-security-2.10.2.jar!/com/sap/cloud/security/spring/autoconfig/SecurityContextAutoConfiguration.class]"

I still don't get the token from SecurityContext: No AccessToken available from SecurityContext. However, the token is available at SpringSecurityContext.