Open rogerxu opened 6 years ago
Buildpacks | Cloud Foundry Docs
Java Buildpack | Cloud Foundry Docs
Node.js Buildpack | Cloud Foundry Docs
Cloud Foundry automatically uses the Node.js buildpack if it detects a package.json
file in the root directory of your project.
Staticfile Buildpack | Cloud Foundry Docs
Cloud Foundry requires a file named Staticfile
in the root directory of the app to use the Staticfile buildpack with the app.
The Security Assertion Markup Language (SAML 2.0) is an open standard based on XML for exchanging authentication and authorization data of a principal (user) between an identity provider (IdP) and a service provider (SP). The data exchange is done through messages termed "Bearer Assertions". A "Bearer" is any party in possesion of the assertion. The integrity of the assertion is protected through XML encryption and XML signature. SAML addresses the requirement of web browser single sign-on across the internet.
Authorizations are expressed through "User-Groups" to which the principal is assigned to. It is up to the service provider and the respective implementation how the User-Groups are interpreted resp. translated into specific authorizations.
The OAuth 2.0 Authorization Framework is exclusively a protocol for delegating authorizations and not for authentication.
The OAuth 2.0 specification defines four roles:
JWT is an emerging open standard that defines a compact token format for securely transmitting information between parties as a JSON object.
The cloud application has a trust relationship with the authorization server. The trust is configured in the environment variable VCAP_SERVICES
for the approuter and each micro service. VCAP_SERVICES
contains a credentials string for the UAA, which is created by the respective service broker when the approuter is bound to the UAA service instance. The credentials string contains, amongst other information - the public key corresponding to the private key of the UAA. The public key is used to verify the token signature.
OpenID Connect is an authentication layer on top of the OAuth 2.0 Authorization Framework. It specifies a RESTful HTTP API, using JSON as a data format. The standard is also sometimes nicknamed as "Social Login", because it is supported by all recognized social networks (Facebook, Google, etc.) for authentication and single sign-on.
The XSA UAA relies on SAML 2.0 Assertions for the authentication process. Therefore, it is not possible to configure Google or Facebook as the identity provider for XSA UAA.
In this flow it is important to notice that the JWT Token never appears in the browser. This is achieved by the "Authorization Code": with it, the user "authorizes" the approuter to obtain the authorizations - the JWT Token - from the XSA UAA component. The browser never needs to know about the authorizations, because the approuter enriches each subsequent request with the JWT Token, before the request is routed to the micro service.
Each instance of Application Router holds it´s own mappings of JWT-Tokens to jSessionIDs. The mappings are not shared across multiple instances of Application Router nor are the mappings persisted in a common persistency. Application Router uses Cloud Foundry session stickiness (VCAP_ID
) to ensure that requests belonging to the same session are routed via the same Application Router instance - this means that the user will need to re-authenticate if an Application Router instance of a particular session goes down and is recovered by a new Application Router instance
The authorization model of CF has a predefined role and scope set. Associations of CF user accounts to Org/Space roles are persisted in the Cloud Controller database of the CF installation.
The authorization model of a business app is defined in xs-security.json
.
The role-templates are then used to derive roles with the Role Application Builder. The roles of a business app are persisted in the UAA Component of XSA.
Home · SAP/cf-java-logging-support Wiki
Writing Application Logs · SAP/cf-java-logging-support Wiki
pom.xml
<!-- Logging -->
<dependency>
<groupId>com.sap.hcp.cf.logging</groupId>
<artifactId>cf-java-logging-support-logback</artifactId>
<version>${cf-logging-version}</version>
</dependency>
<dependency>
<groupId>ch.qos.logback</groupId>
<artifactId>logback-classic</artifactId>
<version>1.2.3</version>
</dependency>
src/main/resources/logback-spring.xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<include resource="org/springframework/boot/logging/logback/base.xml"/>
<logger name="org.springframework.web" level="DEBUG"/>
<!-- write logs to console -->
<appender name="STDOUT-JSON" class="ch.qos.logback.core.ConsoleAppender">
<!-- encode and enrich full message with the required fields/tags -->
<encoder class="com.sap.hcp.cf.logback.encoder.JsonEncoder"/>
</appender>
<!-- for local development, you may want to switch to a more human-readable layout -->
<appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
<encoder>
<pattern>%date %-5level [%thread] - [%logger] [%mdc] - %msg%n</pattern>
</encoder>
</appender>
<!-- default log level for all loggers is INFO by default -->
<root level="${LOG_ROOT_LEVEL:-INFO}">
<appender-ref ref="STDOUT-JSON" />
</root>
<!-- request metrics are reported using INFO level, so make sure the instrumentation loggers are set to that level -->
<logger name="com.sap.hcp.cf" level="${LOG_HCP_CF_LEVEL:-INFO}" />
</configuration>
private static final Logger LOGGER = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
LOGGER.error("some accompanying message {}", "parameter", ex);
Marker dbCall = MarkerFactory.getMarker("db-call");
String logMsg = createMsg(request);
LOGGER.info(dbCall, logMsg);
import static com.sap.hcp.cf.logging.common.customfields.CustomField.customField;
LOGGER.info("Logging with custom field {}", customField("customKey", customValue));
Dynamic Log Levels · SAP/cf-java-logging-support Wiki
DYN_LOG_HEADER
: a specific header name for the log level token can be defined here. If not specified, the default value (SAP-LOG-LEVEL
) is used.DYN_LOG_LEVEL_KEY
: a public key which can be used to verify the JWT tokens that contain the dynamic log level.In the logback.xml
file, a turbofilter has to be defined by adding the following line to the configuration element:
<turboFilter class="com.sap.hcp.cf.logback.filter.CustomLoggingTurboFilter" />
A valid JWT token should be signed with RS256. Its payload should contain the email of the issuer, the desired log-level, a timestamp for the time at which the token has been generated and a timestamp that represents the expiry date. The Java class TokenCreator can be used to create valid tokens.
Header
{
"alg": "RS256",
"typ": "JWT"
}
Payload
{
"issuer": "<valid e-mail address>",
"level": "TRACE",
"iat": 1506016127,
"exp": 1506188927
}
cloud-cf-product-list-sample/README.md at master · SAP/cloud-cf-product-list-sample
Step 12 with SAP S/4HANA Cloud SDK: Logging with SAP S/4HANA Cloud SDK | SAP Blogs
Each HystrixCommand
is executed within a separate thread and is timed out automatically after 1000ms by default.
String string = new MyCommand().execute();
Future<String> future = new MyCommand().queue();
String string = future.get();
Cloud Foundry Docs