SAP / cloud-security-services-integration-library

Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0

2 xsuaa instances throws exception #84

Closed Scyks closed 5 years ago

Scyks commented 5 years ago

We have a Java CAP application running with an xsuaa service for authentication. Since we wanna expose the application also as a service, we implemented a service broker with another xsuaa instance as described in the "Multitenancy in SAP CF" paper.

Now we tried to secure our endpoint using the cloud security and we get an exception: "Found more than one xsuaa binding. There can only be one".

Caused by: java.lang.RuntimeException: Found more than one xsuaa binding. There can only be one.
at com.sap.cloud.security.xsuaa.XsuaaServicesParser.getJSONObjectFromTag(XsuaaServicesParser.java:91)
at com.sap.cloud.security.xsuaa.XsuaaServicesParser.searchXSuaaBinding(XsuaaServicesParser.java:72)
at com.sap.cloud.security.xsuaa.XsuaaServicesParser.getAttribute(XsuaaServicesParser.java:59)
at com.sap.cloud.security.xsuaa.XsuaaServicePropertySourceFactory.getConfigurationProperties(XsuaaServicePropertySourceFactory.java:65)
at com.sap.cloud.security.xsuaa.XsuaaServicePropertySourceFactory.createPropertySource(XsuaaServicePropertySourceFactory.java:55)
at org.springframework.context.annotation.ConfigurationClassParser.processPropertySource(ConfigurationClassParser.java:452)
at org.springframework.context.annotation.ConfigurationClassParser.doProcessConfigurationClass(ConfigurationClassParser.java:271)
at org.springframework.context.annotation.ConfigurationClassParser.processConfigurationClass(ConfigurationClassParser.java:242)
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:199)
at org.springframework.context.annotation.ConfigurationClassParser.parse(ConfigurationClassParser.java:167)

How is it supposed to work? Do you know a way to reference the application xsuaa instead of the broker-xsuaa?

Wouldn't it be possible to select the correct xsuaa with the client_id of the JWT?

Could you please provide a solution/workaround/fix for the problem? Thank you.

mwdb commented 5 years ago

Hi,

The broker plan has been updated to be usable for UI and API cases. This eliminates the need for supporting double bindings as you can bind the same service instance to the approuter and your service broker.

Changes you need to make:

1) In the broker plan instance set the tenant-mode to "shared"
2) Bind the broker plan instance to the approuter and service broker

Regards,

Martijn

Scyks commented 5 years ago

Hey Martijn,

I tried your suggestion. I removed the xsuaa instance with plan "application" and used the broker xsuaa everywhere now. The app deployed successfully, but since we'd protected the subscription endpoints the subscription is still not working. I decoded the JWT and the expected scope was missing. I'm now binding an "application" plan xsuaa again to the app and the scope gets correctly sent by the provisioning service. It seems like the provisioning service is expecting an application based xsuaa service and therefore the solution is not yet working.

Hope that's understandable.

Best Ronald

mwdb commented 5 years ago

Can you please point me to your master appid & landscape where you try this?

Scyks commented 5 years ago

I already sent you a Slack message. Would like to discuss this internally first and expose a solution afterwards.

nenaraab commented 5 years ago

@mwdb could you clarify / solve this issue?

nenaraab commented 5 years ago

Hi @Scyks,

please re-open this, in case you need further support.

Best regards, Nena

nenaraab commented 4 years ago

The procedure is described here: https://github.com/SAP/cloud-security-xsuaa-integration/blob/master/spring-xsuaa/Migration_JavaContainerSecurityProjects.md#multiple-xsuaa-bindings
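
Added example, not part of the thread and not the library's code or the linked procedure: a sketch of the two selection ideas raised in the first comment, choosing among several xsuaa bindings by plan and by the JWT's client id. The binding names, client ids and helper functions are constructed, and the use of the token's `cid` claim as the client id is an assumption.

```python
import base64
import json

# Constructed VCAP_SERVICES with two xsuaa bindings; every value is made up.
VCAP_SERVICES = json.dumps({"xsuaa": [
    {"name": "app-uaa", "plan": "application",
     "credentials": {"clientid": "sb-myapp!t1", "xsappname": "myapp!t1"}},
    {"name": "broker-uaa", "plan": "broker",
     "credentials": {"clientid": "sb-mybroker!b1", "xsappname": "mybroker!b1"}},
]})

def xsuaa_bindings(vcap_json):
    """All xsuaa bindings found in a VCAP_SERVICES JSON string."""
    return json.loads(vcap_json).get("xsuaa", [])

def binding_by_plan(vcap_json, plan):
    """Return the one binding with this plan; refuse to guess if ambiguous."""
    matches = [b for b in xsuaa_bindings(vcap_json) if b.get("plan") == plan]
    if len(matches) != 1:
        raise LookupError(f"expected 1 xsuaa binding with plan {plan!r}, found {len(matches)}")
    return matches[0]

def unverified_claims(jwt):
    """Decode the JWT payload WITHOUT checking the signature (routing only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def binding_for_token(vcap_json, jwt):
    """Pick the binding whose clientid equals the token's 'cid' claim (assumed name).

    The claim is untrusted at this point: the result only decides which
    binding's configuration the token is afterwards fully validated against.
    """
    cid = unverified_claims(jwt).get("cid")
    matches = [b for b in xsuaa_bindings(vcap_json)
               if b.get("credentials", {}).get("clientid") == cid]
    if len(matches) != 1:
        raise LookupError(f"no unique xsuaa binding for client id {cid!r}")
    return matches[0]

def make_sample_jwt(claims):
    """Build a constructed sample token with a placeholder signature."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256'})}.{enc(claims)}.constructed-signature"

if __name__ == "__main__":
    token = make_sample_jwt({"cid": "sb-mybroker!b1"})
    print(binding_by_plan(VCAP_SERVICES, "application")["name"])
    print(binding_for_token(VCAP_SERVICES, token)["name"])
```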