├── docs ├── images.rd ├── oauth.png ├── postman-mtls.png ├── postman-variables.png └── cloud-security-integration-java-spring.png ├── samples ├── .gitignore ├── spring-security-hybrid-usage │ ├── src │ │ ├── test │ │ │ ├── resources │ │ │ │ ├── iasClaims.json │ │ │ │ ├── broker-token.json │ │ │ │ └── application.yml │ │ │ └── java │ │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── security │ │ │ │ ├── ApplicationTest.java │ │ │ │ ├── junitjupiter │ │ │ │ └── ApplicationTest.java │ │ │ │ └── util │ │ │ │ └── MockBearerTokenRequestPostProcessor.java │ │ └── main │ │ │ ├── resources │ │ │ └── application.yml │ │ │ └── java │ │ │ └── sample │ │ │ └── spring │ │ │ └── security │ │ │ ├── DataService.java │ │ │ └── Application.java │ ├── Dockerfile │ ├── manifest.yml │ ├── xs-security.json │ └── xs-security-broker.json ├── spring-webflux-security-hybrid-usage │ ├── src │ │ ├── test │ │ │ ├── resources │ │ │ │ ├── iasClaims.json │ │ │ │ ├── application.yml │ │ │ │ └── mockServer │ │ │ │ │ └── jwks.json │ │ │ └── java │ │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── webflux │ │ │ │ └── hybrid │ │ │ │ └── ApplicationTest.java │ │ └── main │ │ │ ├── java │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── webflux │ │ │ │ └── hybrid │ │ │ │ ├── Application.java │ │ │ │ └── TestController.java │ │ │ └── resources │ │ │ └── application.yml │ ├── approuter │ │ ├── resources │ │ │ └── index.html │ │ ├── package.json │ │ └── xs-app.json │ ├── ias-security.json │ ├── xs-security.json │ └── manifest.yml ├── images │ ├── postman-ssl.png │ └── SAP_CP_Cockpit_AssignRoleCollectionToUser.png ├── java-security-usage │ ├── Dockerfile │ ├── src │ │ └── main │ │ │ ├── resources │ │ │ └── simplelogger.properties │ │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── samples │ │ │ ├── HealthServlet.java │ │ │ └── HelloJavaServletScopeProtected.java │ ├── manifest.yml │ └── xs-security.json ├── java-tokenclient-usage │ ├── src │ │ └── main │ │ │ └── resources │ │ │ 
└── simplelogger.properties │ ├── Dockerfile │ ├── xs-security.json │ └── manifest.yml ├── java-security-usage-ias │ ├── Dockerfile │ ├── src │ │ └── main │ │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── samples │ │ │ └── ias │ │ │ ├── HealthServlet.java │ │ │ └── HelloJavaServlet.java │ └── manifest.yml ├── sap-java-buildpack-api-usage │ ├── approuter │ │ ├── xs-app.json │ │ └── package.json │ ├── src │ │ └── main │ │ │ └── webapp │ │ │ └── WEB-INF │ │ │ └── web.xml │ ├── xs-security.json │ └── manifest.yml ├── spring-security-basic-auth │ ├── src │ │ ├── main │ │ │ ├── resources │ │ │ │ └── application.yml │ │ │ └── java │ │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── xsuaa │ │ │ │ ├── Application.java │ │ │ │ ├── config │ │ │ │ └── TokenBrokerConfiguration.java │ │ │ │ └── TestController.java │ │ └── test │ │ │ ├── resources │ │ │ └── application.yml │ │ │ └── java │ │ │ └── sample │ │ │ └── spring │ │ │ └── xsuaa │ │ │ ├── config │ │ │ ├── XsuaaExtensionFixedPort.java │ │ │ └── TokenBrokerTestConfiguration.java │ │ │ └── ApplicationTest.java │ ├── manifest.yml │ └── xs-security.json ├── spring-security-xsuaa-usage │ ├── approuter │ │ ├── package.json │ │ ├── xs-app.json │ │ └── resources │ │ │ └── index.html │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── sample │ │ │ │ │ └── spring │ │ │ │ │ └── xsuaa │ │ │ │ │ ├── Application.java │ │ │ │ │ └── DataService.java │ │ │ └── resources │ │ │ │ └── application.yml │ │ └── test │ │ │ └── java │ │ │ └── sample │ │ │ └── spring │ │ │ └── xsuaa │ │ │ ├── junitjupiter │ │ │ └── ApplicationTest.java │ │ │ └── ApplicationTest.java │ ├── xs-security-deprecated.json │ ├── xs-security.json │ └── manifest.yml ├── vars.yml └── localEnvironmentSetup.sh ├── java-security ├── src │ ├── test │ │ ├── resources │ │ │ ├── mockito-extensions │ │ │ │ └── org.mockito.plugins.MockMaker │ │ │ ├── simplelogger.properties │ │ │ ├── iasJsonWebTokenKeys_noKid.json │ │ │ ├── 
xsuaaAccessTokenRSA256_signedWithVerificationKey.txt │ │ │ ├── iasTokenInvalidCnfRSA256.txt │ │ │ ├── iasTokenWithCnfRSA256.txt │ │ │ ├── uaaAccessTokenRSA256.txt │ │ │ ├── iasOidcTokenRSA256.txt │ │ │ ├── xsuaaJwtBearerTokenRSA256.txt │ │ │ ├── iasJsonWebTokenKeys.json │ │ │ ├── xsuaaCCAccessTokenRSA256.txt │ │ │ └── xsuaaXsaAccessTokenRSA256_signedWithVerificationKey.txt │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ ├── TestConstants.java │ │ │ ├── token │ │ │ ├── MockTokenBuilder.java │ │ │ └── validation │ │ │ │ ├── TokenTestValidator.java │ │ │ │ └── validators │ │ │ │ └── JsonWebKeyTest.java │ │ │ ├── util │ │ │ └── HttpClientTestFactory.java │ │ │ └── core │ │ │ └── AssertionsTest.java │ └── main │ │ ├── resources │ │ └── META-INF │ │ │ └── services │ │ │ └── com.sap.cloud.security.token.TokenFactory │ │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── token │ │ ├── ScopeConverter.java │ │ └── validation │ │ ├── ValidationListener.java │ │ ├── Validator.java │ │ ├── ValidationResult.java │ │ └── validators │ │ ├── JsonWebKeyConstants.java │ │ ├── JsonWebKeySet.java │ │ └── JsonWebKey.java └── images │ ├── xsuaaFilter.png │ ├── iasApplication.png │ ├── xsuaaApplication.png │ ├── TokenAuthenticator.png │ ├── xsuaaFilter.puml │ ├── iasApplication.puml │ └── xsuaaApplication.puml ├── token-client └── src │ ├── test │ ├── resources │ │ ├── mockito-extensions │ │ │ └── org.mockito.plugins.MockMaker │ │ ├── META-INF │ │ │ └── services │ │ │ │ └── com.sap.cloud.security.client.HttpClientFactory │ │ ├── key-ztis.pem │ │ ├── privateRSAKeyCorrupt.txt │ │ ├── iasJsonWebTokenKeys.json │ │ ├── privateRSAKey.txt │ │ └── oidcConfiguration.json │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── client │ │ ├── TestHttpClientFactory.java │ │ └── HttpClientFactoryTest.java │ │ └── xsuaa │ │ └── tokenflows │ │ ├── TestConstants.java │ │ └── TokenFlowExceptionTest.java │ └── main │ ├── resources │ 
├── token-client.properties │ └── META-INF │ │ └── services │ │ └── com.sap.cloud.security.client.HttpClientFactory │ └── java │ └── com │ └── sap │ └── cloud │ └── security │ ├── xsuaa │ ├── http │ │ ├── MediaType.java │ │ └── HttpHeader.java │ ├── Assertions.java │ ├── util │ │ └── HttpClientUtil.java │ ├── client │ │ ├── OAuth2ServiceEndpointsProvider.java │ │ └── OidcConfigurationService.java │ ├── jwt │ │ └── DecodedJwt.java │ └── tokenflows │ │ ├── Cacheable.java │ │ ├── TokenFlowException.java │ │ └── XsuaaTokenFlowsUtils.java │ └── client │ └── HttpClientException.java ├── java-security-test └── src │ ├── test │ ├── resources │ │ ├── token_invalid_alg.json │ │ ├── token_no_header.json │ │ ├── token_client.json │ │ ├── token.json │ │ ├── claims.json │ │ └── vcapServices │ │ │ └── vcapSimple.json │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── test │ │ ├── SecurityTestTest.java │ │ ├── extension │ │ ├── IasExtensionTest.java │ │ └── XsuaaExtensionTest.java │ │ └── RSAKeysTest.java │ └── main │ ├── resources │ ├── META-INF │ │ └── services │ │ │ ├── com.sap.cloud.security.token.validation.XsuaaJkuFactory │ │ │ └── com.sap.cloud.security.token.validation.TestIssuerValidator │ ├── publicKey.txt │ └── oidcConfigurationTemplate.json │ └── java │ └── com │ └── sap │ └── cloud │ └── security │ ├── test │ ├── extension │ │ ├── IasExtension.java │ │ └── XsuaaExtension.java │ ├── SecurityFilter.java │ └── api │ │ └── ServiceMockConfiguration.java │ └── token │ └── validation │ ├── LocalhostIssuerValidator.java │ └── XsuaaLocalhostJkuFactory.java ├── spring-xsuaa └── src │ ├── test │ ├── resources │ │ ├── META-INF │ │ │ └── services │ │ │ │ └── com.sap.cloud.security.token.validation.XsuaaJkuFactory │ │ ├── claims_template.txt │ │ ├── audience_2.txt │ │ ├── audience_4.txt │ │ ├── audience_3.txt │ │ ├── audience_1.txt │ │ ├── XsuaaJwtDecoderTest.properties │ │ ├── accessTokenRSA256WithVerificationKey.txt │ │ ├── vcap_multipleBindings.json │ │ 
├── jwks.json │ │ └── claims_templateMultiTenancy.txt │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ ├── token │ │ └── XsuaaLocalhostJkuFactory.java │ │ └── extractor │ │ └── LocalAuthoritiesExtractorTest.java │ └── main │ ├── resources │ └── META-INF │ │ └── services │ │ └── com.sap.cloud.security.xsuaa.token.authentication.httpclient.SpringHttpClientFactory │ └── java │ └── com │ └── sap │ └── cloud │ └── security │ └── xsuaa │ ├── token │ ├── authentication │ │ ├── PostValidationAction.java │ │ └── TokenInfoExtractor.java │ ├── OAuth2Principal.java │ └── AuthenticationToken.java │ └── extractor │ ├── AuthoritiesExtractor.java │ ├── DefaultAuthoritiesExtractor.java │ └── LocalAuthoritiesExtractor.java ├── env └── src │ └── test │ └── resources │ ├── simplelogger.properties │ ├── vcapIasServiceDomainsMissing.json │ ├── vcapIasServiceSingleBinding.json │ ├── vcapXsuaaXsaSingleBinding.json │ ├── vcapXsuaaServiceSingleBinding.json │ └── vcapUnknownServicePlan.json ├── java-api ├── src │ ├── test │ │ ├── resources │ │ │ └── META-INF │ │ │ │ └── services │ │ │ │ └── com.sap.cloud.security.token.TokenFactory │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ ├── token │ │ │ ├── test │ │ │ │ └── CustomTokenFactory.java │ │ │ └── TokenTest.java │ │ │ ├── servlet │ │ │ └── HybridTokenFactory.java │ │ │ └── config │ │ │ ├── ServiceTest.java │ │ │ └── CredentialTypeTest.java │ └── main │ │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── token │ │ ├── validation │ │ │ ├── XsuaaJkuFactory.java │ │ │ └── TestIssuerValidator.java │ │ ├── IdTokenExtension.java │ │ ├── InvalidTokenException.java │ │ ├── ProviderNotFoundException.java │ │ ├── TokenFactory.java │ │ ├── TokenHeader.java │ │ └── GrantType.java │ │ ├── annotation │ │ └── Beta.java │ │ ├── x509 │ │ ├── X509Constants.java │ │ ├── InvalidCertificateException.java │ │ └── Certificate.java │ │ ├── json │ │ └── 
JsonParsingException.java │ │ ├── config │ │ ├── CredentialType.java │ │ ├── CacheConfiguration.java │ │ └── Service.java │ │ └── servlet │ │ ├── TokenAuthenticator.java │ │ └── MDCHelper.java └── README.md ├── spring-security-starter └── src │ └── main │ └── resources │ └── META-INF │ ├── spring.factories │ └── spring │ └── org.springframework.boot.autoconfigure.AutoConfiguration.imports ├── .git-blame-ignore-revs ├── .github ├── dependabot.yml ├── workflows │ ├── fosstars-project-report.yml │ └── codeql.yml └── ISSUE_TEMPLATE │ └── support.md ├── spring-xsuaa-it └── src │ ├── main │ ├── resources │ │ ├── application.yml │ │ ├── insufficient_scoped.txt │ │ ├── expired.txt │ │ ├── cc.txt │ │ ├── claims_template.txt │ │ ├── password.txt │ │ └── claims_templateMultiTenancy.txt │ └── java │ │ ├── testservice │ │ └── api │ │ │ ├── nohttp │ │ │ └── SecurityConfiguration.java │ │ │ └── XsuaaITApplication.java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ └── mock │ │ └── JWTUtil.java │ └── test │ ├── resources │ └── mockServer │ │ ├── publicKey.txt │ │ ├── testdomain_token_keys.json │ │ └── otherdomain_token_keys.json │ └── java │ └── testservice │ └── api │ └── MockXsuaaServerConfiguration.java ├── spring-xsuaa-starter └── src │ └── main │ └── resources │ └── META-INF │ └── spring │ └── org.springframework.boot.autoconfigure.AutoConfiguration.imports ├── troubleshooting └── README.md ├── java-security-it └── src │ └── test │ └── resources │ ├── simplelogger.properties │ ├── ias-simple │ ├── token.json │ └── vcap_services-single.json │ ├── uaa │ ├── token.json │ └── vcap_services.json │ ├── privateRSAKey.txt │ ├── xsa-simple │ ├── vcap_services-single.json │ └── token.json │ ├── xsuaa │ ├── token.json │ └── vcap_services-single.json │ └── vcap_services-multiple.json ├── spring-xsuaa-test └── src │ ├── main │ ├── resources │ │ └── spring-xsuaa-publicKey.txt │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ └── 
test │ │ └── jwt │ │ └── DecodedJwt.java │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ └── test │ │ └── TestConstants.java │ └── resources │ └── claims_template.txt ├── .gitignore ├── spring-security └── src │ ├── test │ ├── resources │ │ ├── singleXsuaaAndIasBinding.json │ │ ├── xsuaaBindingsTwoApplicationsNoBroker.json │ │ └── fourXsuaaBindingsAndOneIasBinding.json │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── spring │ │ └── config │ │ ├── ConfigurationAssertions.java │ │ └── XsuaaServiceConfigurationTest.java │ └── main │ └── java │ └── com │ └── sap │ └── cloud │ └── security │ └── spring │ ├── config │ ├── XsuaaServiceConfiguration.java │ ├── IdentityServiceConfiguration.java │ └── XsuaaServiceConfigurations.java │ └── autoconfig │ └── SapSecurityProperties.java └── REUSE.toml /docs/images.rd: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /samples/.gitignore: -------------------------------------------------------------------------------- 1 | vars.yml 2 | -------------------------------------------------------------------------------- /java-security/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker: -------------------------------------------------------------------------------- 1 | mock-maker-inline -------------------------------------------------------------------------------- /token-client/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker: -------------------------------------------------------------------------------- 1 | mock-maker-inline -------------------------------------------------------------------------------- /docs/oauth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/docs/oauth.png 
-------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/resources/iasClaims.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": ["IASAUTHZ_Read"] 3 | } -------------------------------------------------------------------------------- /java-security-test/src/test/resources/token_invalid_alg.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "INVALID" 4 | } 5 | } -------------------------------------------------------------------------------- /java-security-test/src/test/resources/token_no_header.json: -------------------------------------------------------------------------------- 1 | { 2 | "payload": { 3 | "zid": "zone-id" 4 | } 5 | } -------------------------------------------------------------------------------- /token-client/src/main/resources/token-client.properties: -------------------------------------------------------------------------------- 1 | artifactId=${project.artifactId} 2 | version=${project.version} -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/test/resources/iasClaims.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": ["IASAUTHZ_Read"] 3 | } -------------------------------------------------------------------------------- /docs/postman-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/docs/postman-mtls.png -------------------------------------------------------------------------------- /docs/postman-variables.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/docs/postman-variables.png -------------------------------------------------------------------------------- /java-security/src/main/resources/META-INF/services/com.sap.cloud.security.token.TokenFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.servlet.HybridTokenFactory -------------------------------------------------------------------------------- /samples/images/postman-ssl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/samples/images/postman-ssl.png -------------------------------------------------------------------------------- /java-security/images/xsuaaFilter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/java-security/images/xsuaaFilter.png -------------------------------------------------------------------------------- /token-client/src/main/resources/META-INF/services/com.sap.cloud.security.client.HttpClientFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.client.DefaultHttpClientFactory 2 | -------------------------------------------------------------------------------- /java-security/images/iasApplication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/java-security/images/iasApplication.png -------------------------------------------------------------------------------- /java-security/images/xsuaaApplication.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/java-security/images/xsuaaApplication.png -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/META-INF/services/com.sap.cloud.security.token.validation.XsuaaJkuFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.xsuaa.token.XsuaaLocalhostJkuFactory -------------------------------------------------------------------------------- /env/src/test/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.environment.servicebinding: DEBUG -------------------------------------------------------------------------------- /java-security/images/TokenAuthenticator.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/java-security/images/TokenAuthenticator.png -------------------------------------------------------------------------------- /samples/java-security-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-security-usage.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8080 -------------------------------------------------------------------------------- /docs/cloud-security-integration-java-spring.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/docs/cloud-security-integration-java-spring.png -------------------------------------------------------------------------------- 
/java-security-test/src/main/resources/META-INF/services/com.sap.cloud.security.token.validation.XsuaaJkuFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.token.validation.XsuaaLocalhostJkuFactory -------------------------------------------------------------------------------- /samples/java-security-usage/src/main/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security: DEBUG -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/src/main/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security: DEBUG -------------------------------------------------------------------------------- /java-security-test/src/main/resources/META-INF/services/com.sap.cloud.security.token.validation.TestIssuerValidator: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.token.validation.LocalhostIssuerValidator -------------------------------------------------------------------------------- /samples/java-security-usage-ias/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-security-usage-ias.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8080 -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-tokenclient-usage.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 
8080 -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/approuter/resources/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 |
4 | 5 | Welcome to our Index Page 6 | 7 | -------------------------------------------------------------------------------- /java-api/src/test/resources/META-INF/services/com.sap.cloud.security.token.TokenFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.servlet.HybridTokenFactory 2 | com.sap.cloud.security.token.test.CustomTokenFactory -------------------------------------------------------------------------------- /java-security/src/test/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security.token.validation.validators: DEBUG -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:17-jdk-slim 2 | COPY target/spring-security-hybrid-usage.jar /app.jar 3 | ENTRYPOINT ["java", "-jar", "/app.jar"] 4 | EXPOSE 8080 -------------------------------------------------------------------------------- /java-security-test/src/test/resources/token_client.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | }, 4 | "payload": { 5 | "clientId" : "testClientId", 6 | "grant_type": "client_credentials" 7 | } 8 | } -------------------------------------------------------------------------------- /samples/images/SAP_CP_Cockpit_AssignRoleCollectionToUser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/HEAD/samples/images/SAP_CP_Cockpit_AssignRoleCollectionToUser.png -------------------------------------------------------------------------------- 
/token-client/src/test/resources/META-INF/services/com.sap.cloud.security.client.HttpClientFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.client.DefaultHttpClientFactory 2 | com.sap.cloud.security.client.TestHttpClientFactory -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "java-tokenclient-usage", 3 | "oauth2-configuration": { 4 | "credential-types": ["x509"] 5 | }, 6 | "tenant-mode": "dedicated" 7 | } 8 | -------------------------------------------------------------------------------- /spring-security-starter/src/main/resources/META-INF/spring.factories: -------------------------------------------------------------------------------- 1 | org.springframework.boot.env.EnvironmentPostProcessor=\ 2 | com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor 3 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/approuter/xs-app.json: -------------------------------------------------------------------------------- 1 | { 2 | "routes": [{ 3 | "source": "^/", 4 | "target": "/hello-token", 5 | "destination": "sap-java-buildpack-api-usage-destination" 6 | }] 7 | } 8 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/resources/META-INF/services/com.sap.cloud.security.xsuaa.token.authentication.httpclient.SpringHttpClientFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.xsuaa.token.authentication.httpclient.DefaultSpringHttpClientFactory -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/ias-security.json: 
-------------------------------------------------------------------------------- 1 | { 2 | "oauth2-configuration": 3 | { 4 | "redirect-uris": ["https://*.cfapps.eu10.hana.ondemand.com/login/callback"] 5 | }, 6 | "xsuaa-cross-consumption": true 7 | } -------------------------------------------------------------------------------- /java-api/README.md: -------------------------------------------------------------------------------- 1 | ## Configuration 2 | 3 | ### Maven Dependencies 4 | ```xml 5 |4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.annotation; 7 | 8 | /** 9 | * Signifies that a public API (public class, method or field) is subject to incompatible changes, or even removal, in a 10 | * future release. 11 | */ 12 | public @interface Beta { 13 | } 14 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/PostValidationAction.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *
4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.token.authentication; 7 | 8 | import org.springframework.security.oauth2.jwt.Jwt; 9 | 10 | public interface PostValidationAction { 11 | 12 | void perform(Jwt token); 13 | } 14 | -------------------------------------------------------------------------------- /java-security-it/src/test/resources/ias-simple/token.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "RS256", 4 | "kid": "default-kid" 5 | }, 6 | "payload": { 7 | "aud": [ 8 | "T000310", 9 | "T000333" 10 | ], 11 | "azp": "T000310", 12 | "email": "john.doe@email.org", 13 | "exp": 6974031600, 14 | "given_name": "john", 15 | "iss": "https://gets.overwritten.com", 16 | "sub": "P176945", 17 | "user_uuid": "1234567890", 18 | "zone_uuid": "0987654321" 19 | } 20 | } -------------------------------------------------------------------------------- /java-security-test/src/main/resources/publicKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/ 3 | 2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTN 4 | VTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9Y 5 | oU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GP 6 | n38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0 7 | frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4 8 | oQIDAQAB 9 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /samples/vars.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # some data to make the urls unique 5 | # change to 
another value, e.g. your User ID 6 | ID: 00-00-00 7 | 8 | # Choose cfapps.eu10.hana.ondemand.com for the EU10 landscape, cfapps.us10.hana.ondemand.com for US10 9 | LANDSCAPE_APPS_DOMAIN: cfapps.eu10.hana.ondemand.com 10 | #LANDSCAPE_APPS_DOMAIN: cfapps.us10.hana.ondemand.com 11 | 12 | -------------------------------------------------------------------------------- /java-security-test/src/main/java/com/sap/cloud/security/test/extension/IasExtension.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *
4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.test.extension; 7 | 8 | import com.sap.cloud.security.config.Service; 9 | 10 | public class IasExtension extends SecurityTestExtension { 11 | 12 | public IasExtension() { 13 | super(Service.IAS); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /java-security/src/main/java/com/sap/cloud/security/token/ScopeConverter.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | import java.io.Serializable;
9 | import java.util.Collection;
10 | import java.util.Set;
11 |
12 | public interface ScopeConverter extends Serializable {
13 | Set
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test.extension;
7 |
8 | import com.sap.cloud.security.config.Service;
9 |
/**
 * Test extension preset for the XSUAA service.
 * <p>
 * The only thing this subclass does is hand {@link Service#XSUAA} to the
 * {@link SecurityTestExtension} constructor; every other behaviour lives in
 * the superclass. NOTE(review): the superclass is not visible here, so how
 * the service value is used must be confirmed against SecurityTestExtension.
 */
public class XsuaaExtension extends SecurityTestExtension {

    /** Creates the extension bound to {@link Service#XSUAA}. */
    public XsuaaExtension() {
        super(Service.XSUAA);
    }
}
16 |
--------------------------------------------------------------------------------
/spring-xsuaa-test/src/main/resources/spring-xsuaa-publicKey.txt:
--------------------------------------------------------------------------------
1 | -----BEGIN PUBLIC KEY-----
2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5dYHyD/nn/Pl+/W8jNG
3 | WHDaNItXqPuEk/hiozcPF+9l3qEgpRZrMx5ya7UjGdvihidGFQ9+efgaaqCLbk+b
4 | BsbU5L4WoJK+/t1mgWCiKI0koaAGDsztZsd3Anz4LEi2+NVNdupRq0ScHzweEKzq
5 | aa/LgtBi5WwyA5DaD33gbytG9hdFJvggzIN9+DSverHSAtqGUHhwHSU4/mL36xSR
6 | eyqiKDiVyhf/y6V6eiE0USubTEGaWVUANIteiC+8Ags5UF22QoqMo3ttKnEyFTHp
7 | GCXSn+AEO0WMLK1pPavAjPaOyf4cVX8b/PzHsfBPDMK/kNKNEaU5lAXo8dLUbRYq
8 | uQIDAQAB
9 | -----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/token-client/src/test/resources/iasJsonWebTokenKeys.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "e": "AQAB",
6 | "use": "sig",
7 | "n": "j9XvbTYr3uXbkrAM10zQmOXkt4Gaj-SKZHbOK1y_eIdvrZge_LeSKVIgce6ZtC5b7F3HfJ1TAPy2kCSfusQ-P17egl6ka6-kMvPhDltWnurgAgfjDPnt6NckHxadut7L_-s9kd2L84GO-PznvcHGbc8ntTjtlgLmxDq-gZgCJKJqhWM3NYifUkLbbQT-c4dK6my-JtNyuye2fd2cR_G7IQE1UrZm7zqu9DttjN5A-R1eLYmtTuTC3xSHRCLVks6OyzIjzXP1TcyxXUvbwZWD6LpTidcapztRcwckO_AJHsztAvtC2hsPbl03lKzloHqQeRSEWVzRcgtK5ViRxcH7VQ"
8 | }
9 | ]
10 | }
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/token/InvalidTokenException.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | /**
9 | * Runtime exception during token validation.
10 | */
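/**
 * Runtime exception during token validation.
 * <p>
 * Unchecked on purpose: a rejected token is expected to abort the current
 * request processing unless the caller explicitly chooses to handle it.
 */
public class InvalidTokenException extends RuntimeException {

    /**
     * @param message
     *            description of why the token was rejected
     */
    public InvalidTokenException(String message) {
        super(message);
    }

    /**
     * Like {@link #InvalidTokenException(String)}, but keeps the underlying
     * error on the cause chain so that the original failure (for example a
     * parsing or signature problem) is not lost when the exception is logged.
     * Added for consistency with the other exception types of this library
     * that already expose a cause-carrying constructor.
     *
     * @param message
     *            description of why the token was rejected
     * @param cause
     *            the underlying error, may be {@code null}
     */
    public InvalidTokenException(String message, Throwable cause) {
        super(message, cause);
    }
}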
16 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/iasJsonWebTokenKeys_noKid.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "e": "AQAB",
6 | "use": "sig",
7 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE="
8 | }
9 | ]
10 | }
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/uaa/token.json:
--------------------------------------------------------------------------------
1 | {
2 | "header": {
3 | "alg": "RS256",
4 | "jku": "http://auth.com/token_keys",
5 | "kid": "key-id-0"
6 | },
7 | "payload": {
8 | "aud": [
9 | "dashboard_client-Id"
10 | ],
11 | "azp": "dashboard_client-Id",
12 | "exp": "6974031600",
13 | "grant_type": "authorization_code",
14 | "iss": "http://auth.com/oauth/token",
15 | "origin": "sap.ids",
16 | "user_name": "testUser",
17 | "user_id": "testUserId",
18 | "zid": "uaa"
19 | }
20 | }
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/java/testservice/api/nohttp/SecurityConfiguration.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package testservice.api.nohttp;
7 |
8 | import org.springframework.context.annotation.Configuration;
9 | import org.springframework.context.annotation.Profile;
10 |
/**
 * Security configuration for the {@code test.api.nohttp} profile.
 * <p>
 * Intentionally empty: with this profile active no additional security beans
 * are registered, so whatever the framework provides by default applies.
 */
@Configuration
@Profile({ "test.api.nohttp" })
public class SecurityConfiguration {

}
16 |
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/x509/X509Constants.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.x509;
7 |
/**
 * Names used when a client certificate is forwarded to the application via an
 * HTTP header.
 * <p>
 * NOTE(review): a header-borne certificate is only as trustworthy as the
 * component that sets the header; consumers should make sure the header cannot
 * be supplied directly by the end client.
 */
public final class X509Constants {

    /** Header that carries the forwarded client certificate. */
    public static final String FWD_CLIENT_CERT_HEADER = "x-forwarded-client-cert";

    /**
     * Name of the certificate subject entry ("cert-sub"); presumably a key
     * inside the forwarded header value — verify against its consumers.
     */
    public static final String FWD_CLIENT_CERT_SUB = "cert-sub";

    /** Constants holder; not meant to be instantiated. */
    private X509Constants() {
    }
}
16 |
--------------------------------------------------------------------------------
/env/src/test/resources/vcapIasServiceDomainsMissing.json:
--------------------------------------------------------------------------------
1 | {
2 | "identity": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientsecret": "clientsecret",
7 | "clientid": "clientid",
8 | "url": "https://myauth.com"
9 | },
10 | "instance_name": "myservice",
11 | "label": "identity",
12 | "name": "myservice",
13 | "plan": "application",
14 | "provider": null,
15 | "syslog_drain_url": null,
16 | "tags": [],
17 | "volume_mounts": []
18 | }
19 | ]
20 | }
--------------------------------------------------------------------------------
/token-client/src/test/resources/privateRSAKey.txt:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF
3 | At0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr
4 | QA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS
5 | kQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce
6 | 7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J
7 | BO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN
8 | A24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==
9 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/privateRSAKey.txt:
--------------------------------------------------------------------------------
1 | -----BEGIN RSA PRIVATE KEY-----
2 | MIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF
3 | At0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr
4 | QA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS
5 | kQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce
6 | 7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J
7 | BO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN
8 | A24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw==
9 | -----END RSA PRIVATE KEY-----
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/xsa-simple/vcap_services-single.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa" : [ {
3 | "name" : "java-uaa",
4 | "label" : "xsuaa",
5 | "tags" : [ "xsuaa" ],
6 | "plan" : "space",
7 | "credentials" : {
8 | "tenantmode" : "dedicated",
9 | "clientid" : "sb-java-hello-world!i1",
10 | "xsappname" : "java-hello-world!i1",
11 | "identityzone" : "uaa",
12 | "identityzoneid" : "uaa",
13 | "clientsecret" : "",
14 | "url" : "https://xsa-test.c.eu-de-2.cloud.sap:30132/uaa-security"
15 | }
16 | } ]
17 | }
--------------------------------------------------------------------------------
/java-security-test/src/test/resources/claims.json:
--------------------------------------------------------------------------------
1 | {
2 | "ext_attr": {
3 | "enhancer": "XSUAA",
4 | "serviceinstanceid": "brokerCloneServiceInstanceId",
5 | "zdn": "uaa",
6 | "acl": ["app1!t23"]
7 | },
8 | "scope": [
9 | "openid", "testScope", "testApp.localScope"
10 | ],
11 | "empty_list" : [],
12 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
13 | "email": "test@uaa.org",
14 | "exp": 1542416800,
15 | "az_attr": {"external_id":"abcd1234"},
16 | "xs.system.attributes": {"subaccountid": "test-subaccount"}
17 | }
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/config/XsuaaExtensionFixedPort.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | * SPDX-License-Identifier: Apache-2.0
4 | */
5 | package sample.spring.xsuaa.config;
6 |
7 | import com.sap.cloud.security.test.extension.XsuaaExtension;
8 |
/**
 * {@link XsuaaExtension} that always uses port 2222.
 * <p>
 * Presumably so that the sample's test configuration can refer to a stable
 * port — confirm against the test {@code application.yml}.
 */
public class XsuaaExtensionFixedPort extends XsuaaExtension {

    /** The port the extension is pinned to. */
    private static final int FIXED_PORT = 2222;

    /** Creates the extension and pins it to {@link #FIXED_PORT}. */
    public XsuaaExtensionFixedPort() {
        super();
        setPort(FIXED_PORT);
    }
}
16 |
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/ApplicationTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import org.junit.jupiter.api.Test;
9 | import org.springframework.boot.test.context.SpringBootTest;
10 |
/**
 * Smoke test: the Spring context of the sample must start without errors.
 */
@SpringBootTest
public class ApplicationTest {

    /** Passes as long as context bootstrapping throws nothing. */
    @Test
    public void whenSpringContextIsBootstrapped_thenNoExceptions() {
    }
}
--------------------------------------------------------------------------------
/spring-xsuaa/src/test/resources/XsuaaJwtDecoderTest.properties:
--------------------------------------------------------------------------------
1 | xsuaa.uaadomain=localhost
2 | xsuaa.clientid=sb-clientId!t0815
3 | xsuaa.verificationkey=-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/xsuaa/token.json:
--------------------------------------------------------------------------------
1 | {
2 | "header": {
3 | "alg": "RS256",
4 | "jku": "http://auth.com/token_keys",
5 | "kid": "key-id-0"
6 | },
7 | "payload": {
8 | "aud": [
9 | "clientId"
10 | ],
11 | "azp": "clientId",
12 | "exp": "6974031600",
13 | "ext_attr": {
14 | "enhancer": "XSUAA",
15 | "zdn": "theSubdomain"
16 | },
17 | "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
18 | "iss": "http://auth.com",
19 | "origin": "userIdp",
20 | "user_name": "testUser"
21 | }
22 | }
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/ias-simple/vcap_services-single.json:
--------------------------------------------------------------------------------
1 | {
2 | "identity": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientsecret": "",
7 | "clientid": "T000310",
8 | "domains": ["domain.gets.overwritten.bylocalhost.com"]
9 | },
10 | "instance_name": "myservice",
11 | "label": "identity",
12 | "name": "myservice",
13 | "plan": "application",
14 | "provider": null,
15 | "syslog_drain_url": null,
16 | "tags": [],
17 | "volume_mounts": []
18 | }
19 | ]
20 | }
--------------------------------------------------------------------------------
/java-security/images/xsuaaFilter.puml:
--------------------------------------------------------------------------------
1 | @startuml
2 | -> SecurityFilter: new()
3 | SecurityFilter --> XsuaaTokenAuthenticator: new()
4 | XsuaaTokenAuthenticator -> SecurityFilter: XsuaaTokenAuthenticator
5 |
6 | -> SecurityFilter: doFilter()
7 | SecurityFilter --> XsuaaTokenAuthenticator: validateRequest()
8 | XsuaaTokenAuthenticator -> SecurityFilter: TokenAuthenticationResult
9 |
10 | XsuaaTokenAuthenticator -> SecurityContext: if XsuaaTokenAuthenticator.isAuthenticated() setToken(Token)
11 |
12 | WebServlet --> SecurityContext: getToken()
13 | SecurityContext -> WebServlet: Token
14 | @enduml
15 |
16 |
17 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/java/testservice/api/XsuaaITApplication.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package testservice.api;
7 |
8 | import org.springframework.boot.SpringApplication;
9 | import org.springframework.boot.autoconfigure.SpringBootApplication;
10 |
/**
 * Spring Boot entry point of the XSUAA integration-test service.
 */
@SpringBootApplication
public class XsuaaITApplication {

    /**
     * Starts the application.
     *
     * @param args
     *            command line arguments, passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(XsuaaITApplication.class, args);
    }
}
18 |
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/Application.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import org.springframework.boot.SpringApplication;
9 | import org.springframework.boot.autoconfigure.SpringBootApplication;
10 |
/**
 * Spring Boot entry point of the basic-auth sample.
 */
@SpringBootApplication
public class Application {

    /**
     * Starts the application.
     *
     * @param args
     *            command line arguments, passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
18 |
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/src/main/java/sample/spring/xsuaa/Application.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import org.springframework.boot.SpringApplication;
9 | import org.springframework.boot.autoconfigure.SpringBootApplication;
10 |
/**
 * Spring Boot entry point of the XSUAA usage sample.
 */
@SpringBootApplication
public class Application {

    /**
     * Starts the application.
     *
     * @param args
     *            command line arguments, passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
18 |
--------------------------------------------------------------------------------
/java-api/src/test/java/com/sap/cloud/security/token/test/CustomTokenFactory.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.test;
7 |
8 | import com.sap.cloud.security.token.Token;
9 | import com.sap.cloud.security.token.TokenFactory;
10 | import org.mockito.Mockito;
11 |
/**
 * Test-only {@link TokenFactory} that hands out a Mockito mock.
 * <p>
 * The encoded token is ignored entirely; nothing is parsed or validated.
 */
public class CustomTokenFactory implements TokenFactory {

    /**
     * @param jwtToken
     *            ignored
     * @return a fresh {@link Token} mock
     */
    @Override
    public Token create(String jwtToken) {
        Token mocked = Mockito.mock(Token.class);
        return mocked;
    }
}
18 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/test/resources/mockServer/testdomain_token_keys.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "e": "AQAB",
6 | "use": "sig",
7 | "kid": "$kid",
8 | "alg": "RS256",
9 | "value": "$public_key",
10 | "n": "ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs"
11 | }
12 | ]
13 | }
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/http/MediaType.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.http;
7 |
/**
 * Media type strings used by the token client.
 */
public enum MediaType {

    /** {@code application/json} */
    APPLICATION_JSON("application/json"),

    /** {@code application/x-www-form-urlencoded} */
    APPLICATION_FORM_URLENCODED("application/x-www-form-urlencoded");

    /** The textual media type as it appears on the wire. */
    private final String typeString;

    MediaType(String typeString) {
        this.typeString = typeString;
    }

    /**
     * @return the media type string, e.g. {@code application/json}
     */
    public String value() {
        return typeString;
    }
}
21 |
--------------------------------------------------------------------------------
/env/src/test/resources/vcapIasServiceSingleBinding.json:
--------------------------------------------------------------------------------
1 | {
2 | "identity": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientsecret": "pCghfbrLudwzXM2fPq7YSIhujAmpHj_I0DeMKHKRAqs=",
7 | "clientid": "T000310",
8 | "url": "https://myauth.com",
9 | "domains": ["myauth.com", "my.auth.com"]
10 | },
11 | "instance_name": "myservice",
12 | "label": "identity",
13 | "name": "myservice",
14 | "plan": "application",
15 | "provider": null,
16 | "syslog_drain_url": null,
17 | "tags": [],
18 | "volume_mounts": []
19 | }
20 | ]
21 | }
--------------------------------------------------------------------------------
/spring-xsuaa-test/src/test/java/com/sap/cloud/security/xsuaa/test/TestConstants.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.test;
7 |
/**
 * Scope and attribute names/values shared by the spring-xsuaa-test tests.
 * <p>
 * Constant-holder interface; no behaviour.
 */
public interface TestConstants {

    // scopes
    String DUMMY_SCOPE = "someScope";
    String ANOTHER_SCOPE = "someOtherScope";

    // attribute names
    String DUMMY_ATTRIBUTE = "dummy-attribute";
    String ANOTHER_ATTRIBUTE = "another-attribute";

    // attribute values
    String ANOTHER_ATTRIBUTE_VALUE = "100";
    String ANOTHER_ATTRIBUTE_VALUE_2 = "200";
}
16 |
--------------------------------------------------------------------------------
/samples/sap-java-buildpack-api-usage/src/main/webapp/WEB-INF/web.xml:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.json;
7 |
8 | /**
9 | * An extraordinary runtime exception during json parsing.
10 | */
11 | public class JsonParsingException extends RuntimeException {
12 |
13 | public JsonParsingException(String message) {
14 | super(message);
15 | }
16 |
17 | public JsonParsingException(String message, Throwable cause) {
18 | super(message, cause);
19 | }
20 | }
21 |
--------------------------------------------------------------------------------
/samples/spring-webflux-security-hybrid-usage/src/main/java/sample/spring/webflux/hybrid/Application.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.webflux.hybrid;
7 |
8 | import org.springframework.boot.SpringApplication;
9 | import org.springframework.boot.autoconfigure.SpringBootApplication;
10 |
/**
 * Spring Boot entry point of the WebFlux hybrid-security sample.
 */
@SpringBootApplication
public class Application {

    /**
     * Starts the application.
     *
     * @param args
     *            command line arguments, passed through to Spring Boot
     */
    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }
}
19 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/xsuaaAccessTokenRSA256_signedWithVerificationKey.txt:
--------------------------------------------------------------------------------
1 | eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjY1MTQ4L3Rva2VuX2tleXMiLCJhbGciOiJSUzI1NiJ9.eyJncmFudF90eXBlIjoidXNlcl90b2tlbiIsInNjb3BlIjpbImJ1bGxldGluYm9hcmQtQzUyOTU0MDAuRGlzcGxheSIsImJ1bGxldGluYm9hcmQtQzUyOTU0MDAuVXBkYXRlIl0sImNpZCI6InNiLWNsaWVudElkIXQwODE1In0=.CetA62rQSNRj93S9mqaHrKJyzONKeEKcEJ9O5wObRD_RHrRNHAIOtXUgm2Qy6IrrhvPNY8CdNVmosrXOOebJZLwGdNNREqSz0Xu1tl3_Z3fzekq4dTV0yccTCfAYHVvUNbCdkXBYr2UTYULSMMXHXI5yuEtQaaQTxWN7k67Tgajq4BXUOT-asp3X-zhmMpmoTqAj8ARNrtaXUOzEt9inPgkMMhMJM3HT47p6SHe3XL8v0yBEIAsAQlxPPCjak9BSpCUUA-c6ZOEOIZBb346zZhCsV5SN1xC5cMZiFjHP6P0LIzQBEVlPpOy0NfIWdyH-o8FUUcI3nEzFx0qxc_TvuQ==
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/approuter/xs-app.json:
--------------------------------------------------------------------------------
1 | {
2 | "welcomeFile": "index.html",
3 | "authenticationMethod": "route",
4 | "routes": [
5 | {
6 | "source": "^/v1",
7 | "target": "/v1",
8 | "destination": "token-destination",
9 | "authenticationType": "xsuaa"
10 | },
11 | {
12 | "source": "^/v2",
13 | "target": "/v2",
14 | "destination": "token-destination",
15 | "authenticationType": "xsuaa"
16 | },
17 | {
18 | "source": "^/v3",
19 | "target": "/v3",
20 | "destination": "token-destination",
21 | "authenticationType": "xsuaa"
22 | }
23 | ]
24 | }
25 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/TokenInfoExtractor.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.token.authentication;
7 |
8 | import com.nimbusds.jwt.JWT;
9 |
10 | /**
11 | * Responsible to extract information out of the token and provide it to the JwtDecoder.
12 | */
/**
 * Responsible to extract information out of the token and provide it to the JwtDecoder.
 * <p>
 * NOTE(review): all three values originate from the (not yet verified) token
 * itself, so implementations and consumers must treat them as untrusted input
 * until the token signature has been checked.
 */
public interface TokenInfoExtractor {

    /**
     * @param jwt
     *            the token to inspect
     * @return the JWKS URL ({@code jku}) announced by the token
     */
    String getJku(JWT jwt);

    /**
     * @param jwt
     *            the token to inspect
     * @return the key id ({@code kid}) announced by the token
     */
    String getKid(JWT jwt);

    /**
     * @param jwt
     *            the token to inspect
     * @return the UAA domain the token belongs to
     */
    String getUaaDomain(JWT jwt);
}
21 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/resources/cc.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "8e7b3b00-7751-4b46-9b1a-5a46a2a1d5b8",
3 | "sub": "1002191",
4 | "scope": [
5 | "java-hello-world.Display",
6 | "openid",
7 | "java-hello-world.Delete",
8 | "java-hello-world.Create"
9 | ],
10 | "client_id": "sb-java-hello-world",
11 | "cid": "sb-java-hello-world",
12 | "azp": "sb-java-hello-world",
13 | "grant_type": "client_credentials",
14 | "iat": 1442912244,
15 | "exp": $exp,
16 | "iss": "http://localhost:8080/uaa/oauth/token",
17 | "zid": "$zid",
18 | "aud": [
19 | ],
20 | "ext_attr": {
21 | "serviceinstanceid": "abcd1234",
22 | "zdn": "$zdn"
23 | }
24 | }
--------------------------------------------------------------------------------
/java-security/images/iasApplication.puml:
--------------------------------------------------------------------------------
1 | @startuml
2 | -> Application: setup()
3 | Application --> Environments: getCurrent().getIasConfiguration()
4 |
5 | Environments -> Application: OAuth2ServiceConfiguration
6 |
7 | Application -> JwtValidatorBuilder: getInstance(OAuth2ServiceConfiguration).build()
8 | JwtValidatorBuilder --> Application: CombinedValidator
9 |
10 | -> Application: anyProtectedFunction()
11 |
12 |
13 | Application -> SapIdToken: new("abyJhbGci1iJSUzI1NiJ9.eyJhdW...")
14 | SapIdToken --> Application: Token
15 |
16 | Application -> CombinedValidator: validate(Token)
17 | CombinedValidator --> Application: ValidationResult
18 | @enduml
19 |
20 |
21 |
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/x509/InvalidCertificateException.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.x509;
7 |
8 | /**
9 | * Runtime exception during certificate parsing and validation.
10 | */
11 | public class InvalidCertificateException extends RuntimeException {
12 | public InvalidCertificateException(String message, Exception e) {
13 | super(message, e);
14 | }
15 |
16 | public InvalidCertificateException(String message) {
17 | super(message);
18 | }
19 | }
20 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/client/HttpClientException.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.client;
7 |
8 | /**
9 | * Thrown to signal issues during a http client initialization.
10 | */
/**
 * Thrown to signal issues during a http client initialization.
 */
public class HttpClientException extends RuntimeException {

    /**
     * Creates a new http client exception.
     *
     * @param message
     *            description of the initialization problem
     */
    public HttpClientException(String message) {
        super(message);
    }
}
22 |
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/token/ProviderNotFoundException.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | /**
9 | * A dedicated runtime exception for missing implementations in {@link java.util.ServiceLoader} context
10 | */
/**
 * A dedicated runtime exception for missing implementations in {@link java.util.ServiceLoader} context
 */
public class ProviderNotFoundException extends RuntimeException {

    /**
     * @param message
     *            description of which provider could not be found
     */
    public ProviderNotFoundException(String message) {
        super(message);
    }

    /** Creates the exception without a message. */
    public ProviderNotFoundException() {
        super();
    }
}
21 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Compiled class file
2 | *.class
3 |
4 | # Log file
5 | *.log
6 |
7 | # BlueJ files
8 | *.ctxt
9 |
10 | # Mobile Tools for Java (J2ME)
11 | .mtj.tmp/
12 |
13 | # Package Files #
14 | *.jar
15 | *.war
16 | *.ear
17 | *.zip
18 | *.tar.gz
19 | *.rar
20 |
21 | # OS generated files
22 | .DS_Store
23 |
24 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml
25 | hs_err_pid*
26 |
27 | target
28 | .project
29 | .settings
30 | .classpath
31 | *.iml
32 | bin
33 |
34 | ### IntelliJ IDEA ###
35 | .idea
36 | *.iws
37 | *.ipr
38 | /venv/
39 | vim.exe.stackdump
40 |
41 | __pycache__/
42 | /.metadata/
43 |
44 | ### Misc ###
45 | samples/vars.yml
46 |
--------------------------------------------------------------------------------
/java-api/src/test/java/com/sap/cloud/security/servlet/HybridTokenFactory.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.servlet;
7 |
8 | import com.sap.cloud.security.token.AccessToken;
9 | import com.sap.cloud.security.token.Token;
10 | import com.sap.cloud.security.token.TokenFactory;
11 | import org.mockito.Mockito;
12 |
/**
 * Test-only {@link TokenFactory} that hands out a Mockito mock of
 * {@link AccessToken}.
 * <p>
 * The encoded token is ignored entirely; nothing is parsed or validated.
 */
public class HybridTokenFactory implements TokenFactory {

    /**
     * @param jwtToken
     *            ignored
     * @return a fresh {@link AccessToken} mock
     */
    @Override
    public Token create(String jwtToken) {
        AccessToken mocked = Mockito.mock(AccessToken.class);
        return mocked;
    }
}
20 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/iasTokenInvalidCnfRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsibXlDbGllbnRJZCJdLCJ1c2VyX3V1aWQiOiJ0aGUtdXNlci1pZCIsImF6cCI6IlQwMDAzMTAiLCJpc3MiOiJodHRwczovL2FwcGxpY2F0aW9uLm15YXV0aC5jb20iLCJ6b25lX3V1aWQiOiJ0aGUtem9uZS1pZCIsImNuZiI6eyJ4NXQjUzI1NiI6ImludmFsaWQifSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJUMDAwMzEwIn0.Z2BwS6CpC9EAuh25xDB62RgeVfHpu0BzYnNMy7j-dq_deWrBVTr0ZEYDObM-E_c7J1gtSVQ4paJHS0OTcZkv3iigpxjjjUqUp1rhCZc76KXKgVG7JKZH8AtmeK-mTP5ssaEre-oLhatkWILieMrCcAkpcxF1W4wPsnOdljFwme7PzMkXDNTkD2lHuNt1IT1hi12GEGV6cv8M8tcf-A8JG0CtVbjA15qzCXOhIS-KpYBl41x_Onk6OtHnCPLkNzTjZn9lk_59Tc1NNzPp3_EgwCNvlAmWu3o9k_bHteoWuy8Mjr78L8a5JxaJeyZ6E9zbpEDldwHMmeNg0zEe4Zj91Q
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/token/TokenFactory.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | /**
9 | * Represents a {@link com.sap.cloud.security.token.Token} creation interface.
10 | */
/**
 * Represents a {@link com.sap.cloud.security.token.Token} creation interface.
 * <p>
 * NOTE(review): this contract says nothing about validation; callers must not
 * treat a created {@link Token} as verified unless the concrete implementation
 * documents that it validates the JWT.
 */
public interface TokenFactory {

    /**
     * Returns a token interface for the given JWT token
     *
     * @param jwtToken
     *            the encoded JWT token, e.g. from the Authorization Header
     * @return the new token instance
     */
    Token create(String jwtToken);
}
23 |
--------------------------------------------------------------------------------
/java-security-test/src/test/resources/vcapServices/vcapSimple.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientid": "clientId",
7 | "identityzone": "uaa",
8 | "identityzoneid": "uaa",
9 | "sburl": "http://localhost/uaa",
10 | "tenantmode": "dedicated",
11 | "verificationkey": "-----BEGIN PUBLIC KEY-----fake, only for test-----END PUBLIC KEY-----",
12 | "uaadomain": "auth.com",
13 | "url": "https://paastenant.auth.com",
14 | "xsappname": "java-hello-world"
15 | },
16 | "name": "example-xsuaa",
17 | "plan": "broker",
18 | "volume_mounts": []
19 | }
20 | ]
21 | }
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/src/test/java/sample/spring/xsuaa/junitjupiter/ApplicationTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa.junitjupiter;
7 |
8 | import org.junit.jupiter.api.Test;
9 | import org.springframework.boot.test.context.SpringBootTest;
10 | import sample.spring.xsuaa.Application;
11 |
/**
 * Smoke test: the sample's Spring context must start without errors.
 * <p>
 * The Sonar rule S2699 (test without assertion) is suppressed on purpose — a
 * clean context start is the assertion.
 */
@SpringBootTest(classes = Application.class)
@java.lang.SuppressWarnings("squid:S2699")
class ApplicationTest {

    /** Passes as long as context bootstrapping throws nothing. */
    @Test
    void whenSpringContextIsBootstrapped_thenNoExceptions() {
    }
}
20 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/test/resources/accessTokenRSA256WithVerificationKey.txt:
--------------------------------------------------------------------------------
1 | eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjY0MzEyL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWtpZCIsImFsZyI6IlJTMjU2In0.eyJPcmlnaW4iOiJ4c3VhYSIsImF1ZCI6WyJzYi1jbGllbnRJZCF0MDgxNSJdLCJncmFudF90eXBlIjoidXNlcl90b2tlbiIsInNjb3BlIjpbInhzYXBwIXQwODE1LkRpc3BsYXkiLCJ4c2FwcCF0MDgxNS5VcGRhdGUiXSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJzYi1jbGllbnRJZCF0MDgxNSJ9.Q3JsYsRLDprzcIb7mrmPFhK_UmodQfIuSVXQx5cK3XMCVXOQyhdglXjsn-M0BMM5CE31D_7kxbkZXEB507gIibGM7SCgcpuQ0rh0L7ZSuZMwDWcmvPZXvzs_reaq4c9_qn5hg0d9Wd17wmdIvkiiKojKtvfxQyx4sAiX-XRWrrYsK69QS9Yp2-cU7UDncvOZ-IYa8HCfUOo20XJ4ZfE4KzNnffeKMRfo9_J_jnD_j2MGURminAlbtKIzdqLzOXXjIzRz81pb5V0QRiIlPcBNN_Cgk6pcJwUyPPNH5ULHdHBepJbiDoL9-PaJ5nyA4DwTDi1QScWLhd5p7M6HDB-lKg
--------------------------------------------------------------------------------
/java-security-test/src/main/resources/oidcConfigurationTemplate.json:
--------------------------------------------------------------------------------
1 | {
2 | "issuer": "$issuer",
3 | "authorization_endpoint": "$issuer/oauth2/authorize",
4 | "token_endpoint": "$issuer/oauth2/token",
5 | "jwks_uri": "$issuer/token_keys",
6 | "response_types_supported": [
7 | "code",
8 | "id_token"
9 | ],
10 | "grant_types_supported": [
11 | "password",
12 | "authorization_code",
13 | "refresh_token"
14 | ],
15 | "subject_types_supported": [
16 | "public"
17 | ],
18 | "id_token_signing_alg_values_supported": [
19 | "RS256"
20 | ],
21 | "scopes_supported": [
22 | "openid"
23 | ],
24 | "token_endpoint_auth_methods_supported": [
25 | "client_secret_basic"
26 | ]
27 | }
--------------------------------------------------------------------------------
/java-security/src/test/resources/iasTokenWithCnfRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsibXlDbGllbnRJZCJdLCJ1c2VyX3V1aWQiOiJ0aGUtdXNlci1pZCIsImF6cCI6IlQwMDAzMTAiLCJpc3MiOiJodHRwczovL2FwcGxpY2F0aW9uLm15YXV0aC5jb20iLCJ6b25lX3V1aWQiOiJ0aGUtem9uZS1pZCIsImNuZiI6eyJ4NXQjUzI1NiI6ImZVLVhvUWxoTVRwUXN6OUFyWGw2ekhJcE1HdVJPNEV4TEtkTFJUYzVWak0ifSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJUMDAwMzEwIn0.dlALBMbhbKQg0JylLNQOdFYXYbohRPahsjJZeS7I-grIq8sIyWb2U1h9PyC6-XQa3c_d6ttvSAZluRTgCAjbjWbZbdlbojoo_Q-drr32xS8fCMRUxfBmtQ8We5FjX4U593VH0XIe6Am_64Met1g0Vq0tr5RGh0ucgqy-wQi2MCl1RVa0OEJzpPT_5tEmQgUAG3I7i-BjquMKuimBoq-srrmRgkmJlTFLn_SoOu1F54Wz6yrwdIJEz8UVmnAfjAFsvPSkwXohF9QSiAvfgtd6fYax429bdb607xCGicQFdeiIQ_FFjhF2PaTK0ZgrrmfVstcGxIvhVLQ0kVlOophEWw
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/client/TestHttpClientFactory.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.client;
7 |
8 | import com.sap.cloud.security.config.ClientIdentity;
9 | import org.apache.http.impl.client.CloseableHttpClient;
10 | import org.mockito.Mockito;
11 |
/**
 * Test double for {@link HttpClientFactory}: hands out a Mockito mock instead of a real Apache client, so the
 * token client under test never performs actual HTTP calls. The supplied client identity is ignored.
 */
public class TestHttpClientFactory implements HttpClientFactory {

	/**
	 * @param clientIdentity ignored; present only to satisfy the factory contract
	 * @return a fresh {@link CloseableHttpClient} mock with default (no-op) Mockito behaviour
	 */
	@Override
	public CloseableHttpClient createClient(ClientIdentity clientIdentity) throws HttpClientException {
		CloseableHttpClient mockClient = Mockito.mock(CloseableHttpClient.class);
		return mockClient;
	}
}
19 |
--------------------------------------------------------------------------------
/java-api/src/test/java/com/sap/cloud/security/config/ServiceTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.config;
7 |
8 | import org.junit.Test;
9 |
10 | import static org.assertj.core.api.Assertions.assertThat;
11 |
/**
 * Checks the Cloud Foundry service name reported by each {@link Service} constant
 * (presumably the label of the corresponding VCAP_SERVICES binding).
 */
public class ServiceTest {

	@Test
	public void getCFNameOfIas_shouldReturnCorrectName() {
		assertCfName(Service.IAS, "identity");
	}

	@Test
	public void getCFNameOfXsuaa_shouldReturnCorrectName() {
		assertCfName(Service.XSUAA, "xsuaa");
	}

	/** Asserts that {@code service.getCFName()} equals {@code expectedName}. */
	private static void assertCfName(Service service, String expectedName) {
		String actualName = service.getCFName();
		assertThat(actualName).isEqualTo(expectedName);
	}

}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/ValidationListener.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation;
7 |
8 | /**
9 | * Implement this interface to register a custom validation listener with the {@link CombiningValidator}. Registered
10 | * listeners are called whenever a token is validated.
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation;
7 |
8 | /**
9 | * Generic validator interface over type {@link T}.
10 | *
11 | * @param
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import org.junit.Test;
9 | import org.junit.runner.RunWith;
10 | import org.springframework.boot.test.context.SpringBootTest;
11 | import org.springframework.test.context.junit4.SpringRunner;
12 |
// Context smoke test for the spring-security-xsuaa sample (JUnit 4 variant).
@RunWith(SpringRunner.class)
@SpringBootTest(classes = Application.class)
// Sonar S2699 ("tests should include assertions") is suppressed on purpose: a failing context bootstrap
// fails the test, so no explicit assertion is needed.
@java.lang.SuppressWarnings("squid:S2699")
public class ApplicationTest {

	/** Passes when the application context of {@link Application} starts without throwing. */
	@Test
	public void whenSpringContextIsBootstrapped_thenNoExceptions() {
	}
}
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/TestConstants.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security;
7 |
8 | import java.time.Duration;
9 | import java.time.Instant;
10 | import java.time.LocalDate;
11 | import java.time.temporal.TemporalAmount;
12 |
13 | import static java.time.ZoneOffset.UTC;
14 |
15 | public class TestConstants {
16 | public static final Instant NOW = LocalDate.of(2019, 3, 3).atStartOfDay().toInstant(UTC);
17 | public static final TemporalAmount ONE_MINUTE = Duration.ofMinutes(1);
18 | public static final TemporalAmount ONE_SECOND = Duration.ofSeconds(1);
19 | }
20 |
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/SecurityTestTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test;
7 |
8 | import com.sap.cloud.security.config.Service;
9 | import org.junit.Test;
10 |
11 | import static org.assertj.core.api.Assertions.assertThat;
12 |
/** Lifecycle check for {@link SecurityTest}: the embedded WireMock server must be stopped by {@code tearDown()}. */
public class SecurityTestTest {

	private final SecurityTest securityTest = new SecurityTest(Service.XSUAA);

	/**
	 * Runs a full setup/tearDown cycle and verifies the WireMock server is no longer running afterwards,
	 * i.e. tearDown releases the port it was bound to (presumably bound in setup()).
	 */
	@Test
	public void wireMockServerIsNotRunningAfterTearDown() throws Exception {
		securityTest.setup();
		securityTest.tearDown();
		boolean stillRunning = securityTest.wireMockServer.isRunning();
		assertThat(stillRunning).isFalse();
	}

}
--------------------------------------------------------------------------------
/samples/localEnvironmentSetup.sh:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
# Simulates the Cloud Foundry environment for a local run. Contains only exports, so it is meant to be
# sourced ("source samples/localEnvironmentSetup.sh") rather than executed in a subshell.
export VCAP_APPLICATION='{}' # required when cloud profile is active
# Minimal xsuaa binding: uaadomain "localhost" plus the PUBLIC key (no secret material) used to verify the
# signature of locally issued test tokens. NOTE(review): presumably any token signed with the matching private
# key is then accepted by the application - use this file for local development only, never in a deployed
# environment, and keep the corresponding private key out of production.
export VCAP_SERVICES='{ "xsuaa": [ { "credentials": { "uaadomain": "localhost", "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5dYHyD/nn/Pl+/W8jNGWHDaNItXqPuEk/hiozcPF+9l3qEgpRZrMx5ya7UjGdvihidGFQ9+efgaaqCLbk+bBsbU5L4WoJK+/t1mgWCiKI0koaAGDsztZsd3Anz4LEi2+NVNdupRq0ScHzweEKzqaa/LgtBi5WwyA5DaD33gbytG9hdFJvggzIN9+DSverHSAtqGUHhwHSU4/mL36xSReyqiKDiVyhf/y6V6eiE0USubTEGaWVUANIteiC+8Ags5UF22QoqMo3ttKnEyFTHpGCXSn+AEO0WMLK1pPavAjPaOyf4cVX8b/PzHsfBPDMK/kNKNEaU5lAXo8dLUbRYquQIDAQAB-----END PUBLIC KEY-----" } } ] }'
5 |
--------------------------------------------------------------------------------
/spring-security/src/main/java/com/sap/cloud/security/spring/config/XsuaaServiceConfiguration.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.spring.config;
7 |
8 | import com.sap.cloud.security.config.Service;
9 | import org.springframework.boot.context.properties.ConfigurationProperties;
10 |
/**
 * Binds the {@code sap.security.services.xsuaa} property tree (the XSUAA service binding as exposed to Spring)
 * to an {@link OAuth2ServiceConfigurationProperties} instance typed for {@link Service#XSUAA}.
 */
@ConfigurationProperties("sap.security.services.xsuaa")
public class XsuaaServiceConfiguration extends OAuth2ServiceConfigurationProperties {

	/**
	 * Creates a new instance to map the configuration of a dedicated XSUAA service instance
	 * (not the identity service - that is {@code IdentityServiceConfiguration}).
	 */
	public XsuaaServiceConfiguration() {
		super(Service.XSUAA);
	}
}
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt LANDSCAPE_APPS_DOMAIN in ../vars.yml
6 | # If the route is occupied, you might need to change ID in ../vars.yml
7 | applications:
8 | - name: spring-security-basic-auth
9 | instances: 1
10 | memory: 896M
11 | routes:
12 | - route: spring-security-basic-auth-((ID)).((LANDSCAPE_APPS_DOMAIN))
13 | path: target/spring-security-basic-auth.jar
14 | services:
15 | - xsuaa-basic
16 | buildpacks:
17 | - java_buildpack
18 | env:
19 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}'
20 |
21 |
22 | ...
23 |
--------------------------------------------------------------------------------
/spring-security/src/main/java/com/sap/cloud/security/spring/config/IdentityServiceConfiguration.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.spring.config;
7 |
8 | import com.sap.cloud.security.config.Service;
9 | import org.springframework.boot.context.properties.ConfigurationProperties;
10 |
/**
 * Binds the {@code sap.security.services.identity} property tree (the SAP Identity service binding as exposed
 * to Spring) to an {@link OAuth2ServiceConfigurationProperties} instance typed for {@link Service#IAS}.
 */
@ConfigurationProperties("sap.security.services.identity")
public class IdentityServiceConfiguration extends OAuth2ServiceConfigurationProperties {

	/**
	 * Creates a new instance to map the configuration of a dedicated identity (IAS) service instance.
	 */
	public IdentityServiceConfiguration() {
		super(Service.IAS);
	}
}
21 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/iasOidcTokenRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJQMTc2OTQ1IiwiYXBwX3RpZCI6InRoZS1hcHAtdGlkIiwiaXNzIjoiaHR0cHM6Ly9hcHBsaWNhdGlvbi5teWF1dGguY29tIiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJhdWQiOlsiVDAwMDMxMCIsIlQwMDAzMzMiXSwic2NpbV9pZCI6InNjaW0tMTIzNDU2Nzg5MCIsInVzZXJfdXVpZCI6IjEyMzQ1Njc4OTAiLCJhenAiOiJUMDAwMzEwIiwiem9uZV91dWlkIjoidGhlLXpvbmUtaWQiLCJleHAiOjY5NzQwMzE2MDAsImZhbWlseV9uYW1lIjoiZG9lIiwiZW1haWwiOiJqb2huLmRvZUBlbWFpbC5vcmciLCJjaWQiOiJUMDAwMzEwIn0.NkM70DLlYg1kDS37QXtlj5sQbyjk-UGSh6pmeGDDAj8-En4eNxRsG3wF_b7zv-ZseRINLURKp5mSW1O_xqI91w77Z9wwT45g_7WynH7kfXhKiAU0Te0RpZ6Iy19JbZXkfmMfbSjGNNRz5VIiVlTQOMS0bsNNLtGzz5QvhC6MkpwS8afDMjw-RX4zK-KO2CHsU7r7wjsLLpOmIfzgtao_HJJUhQCBkqwPNgmEJeHKTzJeDHxeAk-_Zbz5Won7nkajNZ4W6kn7eb3E-Vry9z7HDpV2_OKZpOP5lAWHVW1b7abPQ92npPqEdKaIhZT105-oGiwp20dX5Up7enAT_um38A
--------------------------------------------------------------------------------
/java-security/src/test/resources/xsuaaJwtBearerTokenRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJqa3UiOiJodHRwOi8vYXV0aC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0wIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOlsiY2xpZW50SWQiXSwiZXh0X2F0dHIiOnsiemRuIjoidGhlU3ViZG9tYWluIiwiZW5oYW5jZXIiOiJYU1VBQSJ9LCJ6aWQiOiJ0aGUtem9uZS1pZCIsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpqd3QtYmVhcmVyIiwiYXpwIjoiY2xpZW50SWQiLCJ1c2VyX25hbWUiOiJ0ZXN0VXNlciIsIm9yaWdpbiI6InVzZXJJZHAiLCJpc3MiOiJodHRwOi8vYXV0aC5jb20iLCJleHAiOjY5NzQwMzE2MDAsImNpZCI6ImNsaWVudElkIn0.jD6fsDWbTvTX7Biy7BjIV_Wu3UGe09fYeVevQ3qV1Rd6jkjps2a1gSzzPxNgf3MkkV7Ow54UnC0k2kQclT6MgsDHtakGmjCGxd4BMnqSe8tO38UY1MytRpRbP6Vy1C5StbdgyoIO1YIMMV-IYfYbQZBzB6VowY7n5v7UJ5-qQiGfarpJDfOz9LlggYmHiFWaTHn0HCQrpUQvikwRuDjcDm2YXNvO_sFTeMJGDmGJgDY7ICGdCuN3yGnRybZMLOiEgSyciSgex59hfwH4r7mJpGyB3L_-FwpX-7u1NF8qEjKsmR9dtFmrxvoth1Otpv_NYoL2mGd4Ea5FO9b-DWzAMA
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/main/resources/application.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Setting Log Levels
5 | logging.level:
6 | com.sap: DEBUG # set SAP-class loggers to DEBUG.
7 | org.springframework: ERROR # set to DEBUG to see all beans loaded and auto-config conditions met.
8 | org.springframework.security: DEBUG # for local troubleshooting only; set to ERROR (or INFO) for production, as security debug output may include request and token details.
9 | org.springframework.web: DEBUG # for local troubleshooting only; set to ERROR for production setups.
10 |
11 | # Server Port (from environment or 8080 if not set).
12 | server:
13 | port: ${PORT:8080}
14 |
15 | # Enable to make Spring Boot log debug information.
16 | # debug: true
17 |
18 |
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/src/main/resources/application.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Setting Log Levels
5 | logging.level:
6 | com.sap.cloud.security: DEBUG # set SAP-class loggers to DEBUG.
7 | org.springframework: ERROR # set to DEBUG to see all beans loaded and auto-config conditions met.
8 | org.springframework.security: DEBUG # for local troubleshooting only; set to ERROR (or INFO) for production, as security debug output may include request and token details.
9 | org.springframework.web: DEBUG # for local troubleshooting only; set to ERROR for production setups.
10 |
11 | # Server Port (from environment or 8080 if not set).
12 | server:
13 | port: ${PORT:8080}
14 |
15 | # Enable to make Spring Boot log debug information.
16 | # debug: true
--------------------------------------------------------------------------------
/REUSE.toml:
--------------------------------------------------------------------------------
1 | version = 1
2 | SPDX-PackageName = "Cloud Security Client Java"
3 | SPDX-PackageSupplier = "SAP SE
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.webflux.hybrid;
7 |
8 | import com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration;
9 | import org.junit.Test;
10 | import org.junit.runner.RunWith;
11 | import org.springframework.boot.test.context.SpringBootTest;
12 | import org.springframework.test.context.junit4.SpringRunner;
13 |
@RunWith(SpringRunner.class)
// Only the library's auto-configuration is bootstrapped here, not the sample's Application class, so this
// test covers that HybridIdentityServicesAutoConfiguration can be loaded - the controller is not exercised.
@SpringBootTest(classes = { HybridIdentityServicesAutoConfiguration.class })
public class ApplicationTest {

	/** Passes when the context starts without throwing; there is nothing further to assert. */
	@Test
	public void contextLoads() {
	}

}
--------------------------------------------------------------------------------
/samples/java-security-usage/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt the destination in ../vars.yml
6 | # If the routes are occupied, you might need to change the host
7 | applications:
8 | - name: java-security-usage
9 | instances: 1
10 | memory: 896M
11 | routes:
12 | - route: java-security-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))
13 | host:
14 | path: target/java-security-usage.war
15 | buildpacks:
16 | - https://github.com/cloudfoundry/java-buildpack.git
17 | env:
18 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }'
19 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }'
20 | services:
21 | - xsuaa-java-security
22 | ...
23 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/ApplicationTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.security;
7 |
8 | import org.junit.jupiter.api.Test;
9 | import org.junit.jupiter.api.extension.ExtendWith;
10 | import org.springframework.boot.test.context.SpringBootTest;
11 | import org.springframework.test.context.junit.jupiter.SpringExtension;
12 |
// Context smoke test for the spring-security-hybrid-usage sample.
@ExtendWith(SpringExtension.class) // NOTE(review): already meta-present on @SpringBootTest in Spring Boot 2.1+; harmless
@SpringBootTest(classes = Application.class)
// Sonar S2699 ("tests should include assertions") is suppressed on purpose: a failing context bootstrap
// fails the test, so no explicit assertion is needed.
@java.lang.SuppressWarnings("squid:S2699")
// test properties are provided with /resources/application.yml
class ApplicationTest {

	/** Passes when the application context of {@link Application} starts with the test properties. */
	@Test
	void whenSpringContextIsBootstrapped_thenNoExceptions() {
	}
}
--------------------------------------------------------------------------------
/samples/java-security-usage/src/main/java/com/sap/cloud/security/samples/HealthServlet.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.samples;
7 |
8 | import jakarta.servlet.annotation.WebServlet;
9 | import jakarta.servlet.http.HttpServlet;
10 | import jakarta.servlet.http.HttpServletRequest;
11 | import jakarta.servlet.http.HttpServletResponse;
12 |
13 | import java.io.IOException;
14 |
/**
 * Liveness endpoint of the java-security-usage sample. Answers every GET with the plain body {@code OK} and
 * reveals nothing about the application state.
 * NOTE(review): the servlet itself performs no authentication; whether it is reachable without a token depends
 * on the security filter mapping, which is not visible in this file.
 */
@WebServlet(HealthServlet.ENDPOINT)
public class HealthServlet extends HttpServlet {

	/** URL pattern this servlet is mapped to. */
	static final String ENDPOINT = "/health";

	/**
	 * Writes {@code OK}. Neither status code nor Content-Type is set explicitly, so container defaults apply.
	 *
	 * @param req  the request; not inspected
	 * @param resp the response the body is written to
	 * @throws IOException if the response writer cannot be obtained or written
	 */
	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
		java.io.PrintWriter out = resp.getWriter();
		out.write("OK");
	}

}
26 |
--------------------------------------------------------------------------------
/samples/java-security-usage-ias/src/main/java/com/sap/cloud/security/samples/ias/HealthServlet.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.samples.ias;
7 |
8 | import jakarta.servlet.annotation.WebServlet;
9 | import jakarta.servlet.http.HttpServlet;
10 | import jakarta.servlet.http.HttpServletRequest;
11 | import jakarta.servlet.http.HttpServletResponse;
12 |
13 | import java.io.IOException;
14 |
/**
 * Liveness endpoint of the java-security-usage-ias sample. Answers every GET with the plain body {@code OK} and
 * reveals nothing about the application state.
 * NOTE(review): the servlet itself performs no authentication; whether it is reachable without a token depends
 * on the security filter mapping, which is not visible in this file.
 */
@WebServlet(HealthServlet.ENDPOINT)
public class HealthServlet extends HttpServlet {

	/** URL pattern this servlet is mapped to. */
	static final String ENDPOINT = "/health";

	/**
	 * Writes {@code OK}. Neither status code nor Content-Type is set explicitly, so container defaults apply.
	 *
	 * @param req  the request; not inspected
	 * @param resp the response the body is written to
	 * @throws IOException if the response writer cannot be obtained or written
	 */
	@Override
	protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
		java.io.PrintWriter out = resp.getWriter();
		out.write("OK");
	}
}
25 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/test/resources/vcap_multipleBindings.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "credentials": {
5 | "clientid": "client-id-api",
6 | "clientsecret": "client-secret-api"
7 | },
8 | "instance_name": "xsuaa-api",
9 | "label": "xsuaa",
10 | "name": "xsuaa-api",
11 | "plan": "apiaccess",
12 | "tags": [
13 | "xsuaa"
14 | ]
15 | },
16 | {
17 | "credentials": {
18 | "clientid": "client-id",
19 | "clientsecret": "client-secret",
20 | "apiurl": "https://api.mydomain.com",
21 | "tenantid": "tenant-id",
22 | "subaccountid": "subaccount-id"
23 | },
24 | "instance_name": "xsuaa-main",
25 | "label": "xsuaa",
26 | "name": "xsuaa-main",
27 | "plan": "application",
28 | "tags": [
29 | "xsuaa"
30 | ]
31 | }
32 | ]
33 | }
34 |
--------------------------------------------------------------------------------
/samples/sap-java-buildpack-api-usage/xs-security.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "sap-java-buildpack-api-usage",
3 | "description": "SAP BTP Java Security Client Library Buildpack sample application",
4 | "tenant-mode": "dedicated",
5 | "scopes": [
6 | {
7 | "name": "$XSAPPNAME.Read",
8 | "description": "Scope for sap-java-buildpack-api-usage sample application"
9 | }
10 | ],
11 | "role-templates": [
12 | {
13 | "name": "Viewer",
14 | "description": "Role for sap-java-buildpack-api-usage sample application",
15 | "scope-references": [
16 | "$XSAPPNAME.Read"
17 | ]
18 | }
19 | ],
20 | "role-collections": [
21 | {
22 | "name": "Sample Viewer (sap-java-buildpack-api-usage)",
23 | "description": "Role collection for sap-java-buildpack-api-usage sample application",
24 | "role-template-references": [
25 | "$XSAPPNAME.Viewer"
26 | ]
27 | }
28 | ]
29 | }
30 |
--------------------------------------------------------------------------------
/samples/java-security-usage/xs-security.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "java-security-usage",
3 | "description": "SAP BTP Java Security Client Library with XSUAA sample application",
4 | "tenant-mode": "dedicated",
5 | "scopes": [
6 | {
7 | "name": "$XSAPPNAME.Read",
8 | "description": "Scope for java-security-usage sample application"
9 | }
10 | ],
11 | "role-templates": [
12 | {
13 | "name": "Viewer",
14 | "description": "Role for java-security-usage sample application",
15 | "scope-references": [
16 | "$XSAPPNAME.Read"
17 | ]
18 | }
19 | ],
20 | "role-collections": [
21 | {
22 | "name": "Sample Viewer (java-security-usage)",
23 | "description": "Role collection for java-security-usage sample application",
24 | "role-template-references": [
25 | "$XSAPPNAME.Viewer"
26 | ]
27 | }
28 | ]
29 | }
30 |
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/token/validation/LocalhostIssuerValidator.java:
--------------------------------------------------------------------------------
1 | package com.sap.cloud.security.token.validation;
2 |
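/**
 * LocalhostIssuerValidator brings backward-compatibility for test credentials in consumer applications written before
 * 2.17.0 that are used to validate java-security-test tokens. This is necessary for successful validation of localhost
 * issuers that include a port when 'localhost' is defined as trusted domain without port in the service credentials.
 * <p>
 * Only issuers whose host is exactly {@code localhost} are accepted: {@code http} or {@code https}, an optional
 * {@code :port} and an optional {@code /path}. A bare prefix check would also have accepted hosts such as
 * {@code localhost.example.com}, which is not what the exception is meant to cover.
 * <p>
 * This class MUST NOT be loaded outside test scope and MUST be the ONLY implementation of {@link TestIssuerValidator}.
 */
public class LocalhostIssuerValidator implements TestIssuerValidator {

	/** http(s)://localhost, optionally followed by ":port" (1-5 digits) and/or a "/..." path. */
	private static final java.util.regex.Pattern LOCALHOST_ISSUER = java.util.regex.Pattern
			.compile("^https?://localhost(:[0-9]{1,5})?(/.*)?$");

	/**
	 * @param issuer the issuer URL taken from the token header/claims; may be {@code null}
	 * @return {@code true} only if {@code issuer} is a localhost URL as described above; {@code false} for
	 *         {@code null} and for any other host, including hosts that merely start with "localhost"
	 */
	@Override
	public boolean isValidIssuer(String issuer) {
		return issuer != null && LOCALHOST_ISSUER.matcher(issuer).matches();
	}
}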
16 |
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/extension/IasExtensionTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test.extension;
7 |
8 | import com.sap.cloud.security.test.api.SecurityTestContext;
9 | import org.junit.jupiter.api.Test;
10 | import org.junit.jupiter.api.extension.ExtendWith;
11 |
12 | import static org.assertj.core.api.Assertions.assertThat;
13 | import static org.junit.jupiter.api.Assertions.assertNotNull;
14 |
/** Verifies that {@link IasExtension} supplies a usable {@link SecurityTestContext} to test methods. */
@ExtendWith(IasExtension.class)
public class IasExtensionTest {

	/**
	 * The extension must resolve the {@link SecurityTestContext} parameter, and the WireMock server it exposes
	 * must already be running while the test body executes.
	 */
	@Test
	void resolveSecurityTestConfigurationParameter(SecurityTestContext context) {
		assertThat(context).isNotNull();
		boolean mockServerRunning = context.getWireMockServer().isRunning();
		assertThat(mockServerRunning).isTrue();
	}
}
24 |
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/extension/XsuaaExtensionTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test.extension;
7 |
8 | import com.sap.cloud.security.test.api.SecurityTestContext;
9 | import org.junit.jupiter.api.Test;
10 | import org.junit.jupiter.api.extension.ExtendWith;
11 |
12 | import static org.assertj.core.api.Assertions.assertThat;
13 | import static org.junit.jupiter.api.Assertions.assertNotNull;
14 |
/** Verifies that {@link XsuaaExtension} supplies a usable {@link SecurityTestContext} to test methods. */
@ExtendWith(XsuaaExtension.class)
public class XsuaaExtensionTest {

	/**
	 * The extension must resolve the {@link SecurityTestContext} parameter, and the WireMock server it exposes
	 * must already be running while the test body executes.
	 */
	@Test
	void resolveSecurityTestConfigurationParameter(SecurityTestContext context) {
		assertThat(context).isNotNull();
		boolean mockServerRunning = context.getWireMockServer().isRunning();
		assertThat(mockServerRunning).isTrue();
	}
}
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/token/TokenHeader.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
/**
 * Names of the JOSE header parameters this library reads, as defined in RFC 7515 section 4.1.
 * NOTE(review): header values come from the not-yet-verified token; in particular {@code jku} and {@code kid}
 * must be checked against a trusted key source before being dereferenced.
 */
public final class TokenHeader {

	/** "alg" - Algorithm Header Parameter (RFC 7515 section 4.1.1). */
	public static final String ALGORITHM = "alg";
	/** "jku" - JWK Set URL Header Parameter (RFC 7515 section 4.1.2). */
	public static final String JWKS_URL = "jku";
	/** "kid" - Key ID Header Parameter (RFC 7515 section 4.1.4). */
	public static final String KEY_ID = "kid";
	/** "typ" - Type Header Parameter (RFC 7515 section 4.1.9). */
	public static final String TYPE = "typ";

	/** Constant holder; never instantiated. */
	private TokenHeader() {
		throw new IllegalStateException("Utility class");
	}
}
--------------------------------------------------------------------------------
/java-api/src/test/java/com/sap/cloud/security/token/TokenTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | import org.junit.Test;
9 |
10 | import static org.junit.Assert.assertFalse;
11 | import static org.junit.Assert.assertNotNull;
12 |
/** Checks that {@link Token#create(String)} honours a custom token factory registered for the test classpath. */
public class TokenTest {

	/** Base64url-encoded JOSE header {"alg":"HS256","typ":"JWT"} - a header segment only, not a complete JWT. */
	private static final String HS256_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";

	@Test
	public void create() {
		Token first = Token.create(HS256_HEADER);
		assertNotNull(first);

		Token second = Token.create(HS256_HEADER);
		assertNotNull(second);

		// A custom Token factory on the classpath must take priority over the default
		// com.sap.cloud.security.servlet.HybridTokenFactory (presumably producing *AccessToken types).
		String implementationName = second.getClass().getName();
		assertFalse(implementationName.contains("AccessToken"));
	}

}
29 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt LANDSCAPE_APPS_DOMAIN in ../vars.yml
6 | # If the route is occupied, you might need to change ID in ../vars.yml
7 | applications:
8 | - name: spring-security-hybrid-usage
9 | instances: 1
10 | memory: 896M
11 | routes:
12 | - route: spring-security-hybrid-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))
13 | path: target/spring-security-hybrid-usage.jar
14 | buildpacks:
15 | - java_buildpack
16 | env:
17 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}'
18 | services:
19 | - name: xsuaa-authn
20 | # - name: xsuaa-broker
21 | - name: ias-authn
22 | parameters: { "credential-type": "X509_GENERATED" }
23 |
24 |
--------------------------------------------------------------------------------
/samples/java-tokenclient-usage/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt the destination
6 | # If the routes are occupied, you might need to change the host in java-tokenclient-usage and the url in the destination
7 | applications:
8 | - name: java-tokenclient-usage
9 | instances: 1
10 | memory: 896M
11 | routes:
12 | - route: java-tokenclient-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))
13 | host:
14 | path: target/java-tokenclient-usage.war
15 | buildpacks:
16 | - https://github.com/cloudfoundry/java-buildpack.git
17 | env:
18 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }'
19 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }'
20 | services:
21 | - xsuaa-token-client
22 | ...
23 |
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/xsa-simple/token.json:
--------------------------------------------------------------------------------
1 | {
2 | "header": {
3 | "alg": "RS256",
4 | "typ": "JWT"
5 | },
6 | "payload": {
7 | "aud": [
8 | "sb-java-hello-world!i1",
9 | "openid"
10 | ],
11 | "auth_time": 1579526840,
12 | "azp": "sb-java-hello-world!i1",
13 | "client_id": "sb-java-hello-world!i1",
14 | "email": "XSA_ADMIN@XS1",
15 | "exp": 1579570287,
16 | "ext_attr": {
17 | "enhancer": "XSUAA"
18 | },
19 | "grant_type": "authorization_code",
20 | "iat": 1579527087,
21 | "iss": "http://xsa-a272d86a-0f74-448c-93d1-6b78903d1543/UAA/oauth/token",
22 | "jti": "52a3356fddc44a359583b0f84bbb49ed",
23 | "origin": "uaa",
24 | "rev_sig": "eea1cc5e",
25 | "scope": [
26 | "openid"
27 | ],
28 | "sub": "160497",
29 | "user_id": "160497",
30 | "user_name": "XSA_ADMIN",
31 | "xs.user.attributes": {},
32 | "zid": "uaa"
33 | }
34 | }
--------------------------------------------------------------------------------
/spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SapSecurityProperties.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | * SPDX-License-Identifier: Apache-2.0
4 | */
5 | package com.sap.cloud.security.spring.autoconfig;
6 |
/**
 * Spring property keys consulted by the security auto-configuration. Constant holder; not instantiable.
 */
public class SapSecurityProperties {

	/** Key {@code sap.spring.security.hybrid.auto} - switch for the hybrid (xsuaa + identity) auto-configuration. */
	static final String SAP_SPRING_SECURITY_HYBRID = "sap.spring.security.hybrid.auto";
	/** Key {@code sap.spring.security.identity.prooftoken} - identity proof-token related switch. */
	static final String SAP_SPRING_SECURITY_IDENTITY_PROOFTOKEN = "sap.spring.security.identity.prooftoken";
	/** Key {@code sap.security.services.identity.domains} - domains of the identity service binding. */
	static final String SAP_SECURITY_SERVICES_IDENTITY_DOMAINS = "sap.security.services.identity.domains";
	/** Key {@code sap.security.services.xsuaa.uaadomain} - uaadomain of a single xsuaa binding. */
	static final String SAP_SECURITY_SERVICES_XSUAA_UAADOMAIN = "sap.security.services.xsuaa.uaadomain";
	/** Key {@code sap.security.services.xsuaa[0].uaadomain} - same value in the indexed (list) binding form. */
	static final String SAP_SECURITY_SERVICES_XSUAA_0_UAADOMAIN = "sap.security.services.xsuaa[0].uaadomain";

	private SapSecurityProperties() {
		// constants only
	}
}
17 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/junitjupiter/ApplicationTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.security.junitjupiter;
7 |
8 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
9 | import org.junit.jupiter.api.Test;
10 | import org.springframework.beans.factory.annotation.Autowired;
11 | import org.springframework.boot.test.context.SpringBootTest;
12 |
13 | import static org.junit.jupiter.api.Assertions.assertNotNull;
14 |
@SpringBootTest
@java.lang.SuppressWarnings("squid:S2699")
class ApplicationTest {

    /** Injected from the booted context; a missing bean already fails context startup. */
    @Autowired
    XsuaaTokenFlows tokenflows;

    /**
     * Smoke test: the application context boots and the auto-configured {@link XsuaaTokenFlows} hands out a
     * client-credentials flow without throwing.
     */
    @Test
    void whenSpringContextIsBootstrapped_thenNoExceptions() {
        Object flow = tokenflows.clientCredentialsTokenFlow();
        assertNotNull(flow);
    }
}
26 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/test/resources/mockServer/otherdomain_token_keys.json:
--------------------------------------------------------------------------------
1 | {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"legacy-token-key-otherdomain","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2G5MUF7szUMJfiaghYeb\nwB+BgaG4wkbIDZ5fJU8Zm0/WnaupCCKX0fguLC21FtHATC6SOpOuVClXe9GY9AVJ\nq3nyqAsiUil66jH9Y+kmeLeRVoBp8KXMQ15+W69GNU7/sYv+0k5PLUaxJPmcwb+W\nCq9hw76zRXeEijnZ41YlVC9jcnZ7IjHjp2BASoznImmGJDW6F30FRbP/MLtfv5fM\npj17OziVNE+eacuIygSH0IZZ+wvV7AcJAZlEwkCFqzzbVx2cLvRIpacHz2ci4seI\nIxdPRj8O7i4y29hdSsHqTRFLtQiwCgIr7YItA5voVY/bS+CYy8a1MSckdXvFa5jY\newIDAQAB\n-----END PUBLIC KEY-----","n":"ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs"}]}
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/xs-security.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "spring-security-basic-auth",
3 | "description": "SAP BTP Spring Security Client Library with Basic Auth sample application",
4 | "tenant-mode": "dedicated",
5 | "oauth2-configuration": {
6 | "credential-types": ["x509"]
7 | },
8 | "scopes": [
9 | {
10 | "name": "$XSAPPNAME.Read",
11 | "description": "Scope for spring-security-basic-auth sample application"
12 | }
13 | ],
14 | "role-templates": [
15 | {
16 | "name": "Viewer",
17 | "description": "Role for spring-security-basic-auth sample application",
18 | "scope-references": [
19 | "$XSAPPNAME.Read"
20 | ]
21 | }
22 | ],
23 | "role-collections": [
24 | {
25 | "name": "Sample Viewer (spring-security-basic-auth)",
26 | "description": "Role collection for spring-security-basic-auth sample application",
27 | "role-template-references": [
28 | "$XSAPPNAME.Viewer"
29 | ]
30 | }
31 | ]
32 | }
33 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/Assertions.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa;
7 |
8 | import java.util.List;
9 |
/**
 * Argument-check helpers; every check fails with an {@link IllegalArgumentException} carrying the supplied message.
 */
public class Assertions {

    private Assertions() {
        // static helpers only
    }

    /**
     * @param object
     *            value to check
     * @param message
     *            exception message used when {@code object} is null
     * @throws IllegalArgumentException
     *             if {@code object} is null
     */
    public static void assertNotNull(Object object, String message) {
        if (object != null) {
            return;
        }
        throw new IllegalArgumentException(message);
    }

    /**
     * @param string
     *            value to check
     * @param message
     *            exception message used when {@code string} is null or only whitespace
     * @throws IllegalArgumentException
     *             if {@code string} is null or blank after {@code trim()}
     */
    public static void assertHasText(String string, String message) {
        boolean blank = string == null || string.trim().isEmpty();
        if (blank) {
            throw new IllegalArgumentException(message);
        }
    }

    /**
     * @param list
     *            value to check
     * @param message
     *            exception message used when {@code list} is null or empty
     * @throws IllegalArgumentException
     *             if {@code list} is null or has no elements
     */
    public static void assertNotEmpty(List<?> list, String message) {
        boolean empty = list == null || list.isEmpty();
        if (empty) {
            throw new IllegalArgumentException(message);
        }
    }
}
33 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/test/resources/jwks.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "e": "AQAB",
6 | "use": "sig",
7 | "kid": "default-kid",
8 | "alg": "RS256",
9 | "value": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB",
10 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE="
11 | }
12 | ]
13 | }
--------------------------------------------------------------------------------
/java-security/images/xsuaaApplication.puml:
--------------------------------------------------------------------------------
1 | @startuml
2 | -> TokenAuthenticator: setup()
3 | TokenAuthenticator --> Environments: getCurrent().getXsuaaConfiguration()
4 | TokenAuthenticator --> Environments: getCurrent().getIasConfiguration()
5 |
6 | Environments -> TokenAuthenticator: OAuth2ServiceConfiguration
7 |
8 | TokenAuthenticator --> HttpClientFactory: create(OAuth2ServiceConfiguration.getClientIdentity())
9 | HttpClientFactory -> TokenAuthenticator: CloseableHttpClient
10 |
11 | TokenAuthenticator --> JwtValidatorBuilder: getInstance(OAuth2ServiceConfiguration).withHttpClient(CloseableHttpClient).build()
12 | JwtValidatorBuilder -> TokenAuthenticator: CombiningValidator
13 |
14 | -> TokenAuthenticator: anyProtectedServlet()
15 |
16 |
17 | TokenAuthenticator --> Token: create("eyJhdW...")
18 | Token -> TokenAuthenticator: Token
19 |
20 | TokenAuthenticator --> CombiningValidator: validate(Token)
21 | CombiningValidator -> TokenAuthenticator: ValidationResult
22 | @enduml
23 |
24 |
25 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/test/java/testservice/api/MockXsuaaServerConfiguration.java:
--------------------------------------------------------------------------------
1 | package testservice.api;
2 |
3 | import okhttp3.mockwebserver.MockWebServer;
4 | import org.junit.jupiter.api.BeforeAll;
5 | import org.springframework.test.context.TestPropertySource;
6 |
7 | import java.io.IOException;
8 |
@TestPropertySource(properties = { "xsuaa.xsappname=java-hello-world", "xsuaa.clientid=sb-java-hello-world",
        "xsuaa.url=http://localhost:33195", "xsuaa.uaadomain=http://localhost:33195" })
public class MockXsuaaServerConfiguration {
    /** Fixed port; must match the {@code xsuaa.url} / {@code xsuaa.uaadomain} properties declared above. */
    private static final int DEFAULT_PORT = 33195;

    /** Shared across test classes in the JVM; started once and never stopped here. */
    private static MockWebServer server;

    @BeforeAll
    static void beforeAll() throws IOException {
        initServer();
    }

    /**
     * Starts the mock XSUAA server on {@link #DEFAULT_PORT} unless a previous test class already did.
     * The field is assigned before {@code start}, so a failed start is not retried by later classes.
     */
    private static void initServer() throws IOException {
        if (server != null) {
            return;
        }
        server = new MockWebServer();
        server.setDispatcher(new XsuaaRequestDispatcher());
        server.start(DEFAULT_PORT);
    }

}
29 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/util/HttpClientUtil.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.util;
7 |
8 | import java.io.IOException;
9 | import java.io.InputStream;
10 | import java.util.Properties;
11 |
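public class HttpClientUtil {

    /** Reported when the build-time properties resource is missing or unreadable. */
    private static final String FALLBACK_USER_AGENT = "token-client/0.0.0";

    private HttpClientUtil() {
        // use static fields and methods
    }

    /**
     * Builds the User-Agent value {@code <artifactId>/<version>} from the {@code /token-client.properties}
     * classpath resource.
     *
     * @return {@code artifactId/version} as read from the resource, or {@code "token-client/0.0.0"} when the
     *         resource is absent or cannot be parsed. Never throws. If the resource exists but lacks a key the
     *         corresponding part reads {@code null}, as before.
     */
    public static String getUserAgent() {
        // try-with-resources closes the stream on every path; previously it was never closed.
        try (InputStream stream = HttpClientUtil.class.getResourceAsStream("/token-client.properties")) {
            if (stream == null) {
                // resource not on the classpath (e.g. running from sources) - formerly surfaced as an NPE
                return FALLBACK_USER_AGENT;
            }
            Properties props = new Properties();
            props.load(stream);
            return props.getProperty("artifactId") + "/" + props.getProperty("version");
        } catch (IOException | IllegalArgumentException e) {
            // IllegalArgumentException: malformed unicode escape inside the properties file
            return FALLBACK_USER_AGENT;
        }
    }

}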
30 |
--------------------------------------------------------------------------------
/spring-security/src/main/java/com/sap/cloud/security/spring/config/XsuaaServiceConfigurations.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.spring.config;
7 |
8 | import org.springframework.boot.context.properties.ConfigurationProperties;
9 | import org.springframework.boot.context.properties.NestedConfigurationProperty;
10 |
11 | import java.util.ArrayList;
12 | import java.util.List;
13 |
14 | @ConfigurationProperties("sap.security.services")
15 | public class XsuaaServiceConfigurations {
16 | @NestedConfigurationProperty
17 | private List
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.client;
7 |
8 | import java.net.URI;
9 |
/**
 * The three endpoints of an OAuth 2.0 / OpenID Connect provider that this library needs; typically populated from
 * the provider's discovery document (see {@code OidcConfigurationService}).
 */
public interface OAuth2ServiceEndpointsProvider {

    /**
     * Returns the token endpoint URI, where tokens are requested.
     *
     * @return token endpoint, e.g. {@code https://oauth.server.com/oauth/token}
     */
    URI getTokenEndpoint();

    /**
     * Returns the authorization endpoint URI, where the end user is sent in browser-based flows.
     *
     * @return authorize endpoint, e.g. {@code https://oauth.server.com/oauth/authorize}
     */
    URI getAuthorizeEndpoint();

    /**
     * Returns the JSON Web Key Set (JWKS) URI, the {@code jwks_uri} value announced in
     * {@code /.well-known/openid-configuration}. This is the source of the public keys used to verify token
     * signatures, so implementations should only return it from a trusted provider document.
     *
     * @return jwks_uri , e.g. {@code https://oauth.server.com/token_keys}
     */
    URI getJwksUri();
}
33 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/client/OidcConfigurationService.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.client;
7 |
8 | import javax.annotation.Nonnull;
9 | import java.net.URI;
10 |
@SuppressWarnings("squid:S1214")
public interface OidcConfigurationService {
    /**
     * Standard OpenID Connect discovery path. Presumably appended to the provider base URL by callers to form the
     * discovery endpoint - confirm against the implementations.
     */
    String DISCOVERY_ENDPOINT_DEFAULT = "/.well-known/openid-configuration"; // NOSONAR

    /**
     * Requests an OpenID Provider Configuration Document from the OAuth server and exposes the endpoints it announces.
     *
     * @param discoveryEndpointUri
     *            the discovery endpoint URI, typically base URL + {@link #DISCOVERY_ENDPOINT_DEFAULT}.
     * @return an object with the access endpoints (token, authorize, jwks) read from the document.
     * @throws OAuth2ServiceException
     *             in case of an error during the http request.
     */
    OAuth2ServiceEndpointsProvider retrieveEndpoints(@Nonnull URI discoveryEndpointUri) throws OAuth2ServiceException;

}
27 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/xs-security.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "spring-security-hybrid-usage",
3 | "description": "SAP BTP Spring Security Client Library Hybrid sample application",
4 | "tenant-mode": "dedicated",
5 | "oauth2-configuration": {
6 | "credential-types": ["x509"]
7 | },
8 | "scopes": [
9 | {
10 | "name": "$XSAPPNAME.Read",
11 | "description": "Scope for spring-security-hybrid-usage sample application"
12 | }
13 | ],
14 | "role-templates": [
15 | {
16 | "name": "Viewer",
17 | "description": "Role for spring-security-hybrid-usage sample application",
18 | "scope-references": [
19 | "$XSAPPNAME.Read"
20 | ]
21 | }
22 | ],
23 | "role-collections": [
24 | {
25 | "name": "Sample Viewer (spring-security-hybrid-usage)",
26 | "description": "Role collection for spring-security-hybrid-usage sample application",
27 | "role-template-references": [
28 | "$XSAPPNAME.Viewer"
29 | ]
30 | }
31 | ]
32 | }
33 |
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/java/com/sap/cloud/security/xsuaa/mock/JWTUtil.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.mock;
7 |
8 | import com.sap.cloud.security.xsuaa.test.JwtGenerator;
9 |
10 | import java.io.IOException;
11 |
/**
 * Test helper that produces tokens from a template file via {@link JwtGenerator}, for the fixed client id
 * {@code sb-java-hello-world}.
 */
public class JWTUtil {

    private JWTUtil() {
        // hide public one
    }

    /**
     * Creates a token from {@code pathToTemplate} for {@code subdomain}, using the header key id
     * {@code "legacy-token-key-" + subdomain}.
     *
     * @throws IOException
     *             if the template cannot be read
     */
    public static String createJWT(String pathToTemplate, String subdomain) throws IOException {
        String keyId = "legacy-token-key-" + subdomain;
        return createJWT(pathToTemplate, subdomain, keyId);
    }

    /**
     * Creates a token from {@code pathToTemplate} for {@code subdomain} with an explicit header key id.
     *
     * @throws IOException
     *             if the template cannot be read
     */
    public static String createJWT(String pathToTemplate, String subdomain, String keyId) throws IOException {
        JwtGenerator generator = new JwtGenerator("sb-java-hello-world", subdomain).setJwtHeaderKeyId(keyId);
        String tokenValue = generator.createFromTemplate(pathToTemplate).getTokenValue();
        return tokenValue;
    }

}
29 |
--------------------------------------------------------------------------------
/samples/java-security-usage-ias/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt the destination in ../vars.yml
6 | # If the routes are occupied, you might need to change the host
7 | applications:
8 | - name: java-security-usage-ias
9 | instances: 1
10 | memory: 896M
11 | routes:
12 | - route: java-security-usage-ias-((ID)).((LANDSCAPE_APPS_DOMAIN))
13 | - route: java-security-usage-ias-((ID)).cert.((LANDSCAPE_APPS_DOMAIN))
14 | host:
15 | path: target/java-security-usage-ias.war
16 | buildpacks:
17 | - https://github.com/cloudfoundry/java-buildpack.git
18 | env:
19 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }'
20 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }'
21 | services:
22 | - name: ias-java-security
23 | parameters: { "credential-type": "X509_GENERATED" }
24 | ...
25 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/xs-security-broker.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "spring-security-hybrid-usage",
3 | "description": "SAP BTP Spring Security Client Library Hybrid sample application",
4 | "tenant-mode": "dedicated",
5 | "oauth2-configuration": {
6 | "credential-types": ["x509"]
7 | },
8 | "scopes": [
9 | {
10 | "name": "$XSAPPNAME.Read",
11 | "description": "Scope for spring-security-hybrid-usage sample application"
12 | }
13 | ],
14 | "role-templates": [
15 | {
16 | "name": "Viewer",
17 | "description": "Role for spring-security-hybrid-usage sample application",
18 | "scope-references": [
19 | "$XSAPPNAME.Read"
20 | ]
21 | }
22 | ],
23 | "role-collections": [
24 | {
25 | "name": "Sample Viewer via broker (spring-security-hybrid-usage)",
26 | "description": "Role collection for spring-security-hybrid-usage broker access",
27 | "role-template-references": [
28 | "$XSAPPNAME.Viewer"
29 | ]
30 | }
31 | ]
32 | }
33 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/iasJsonWebTokenKeys.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "kid": "default-kid-ias",
6 | "e": "AQAB",
7 | "use": "sig",
8 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE="
9 | },
10 | {
11 | "kty": "RSA",
12 | "kid": "default-kid",
13 | "e": "AQAB",
14 | "use": "sig",
15 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE="
16 | }
17 | ]
18 | }
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/client/HttpClientFactoryTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.client;
7 |
8 | import com.sap.cloud.security.config.ClientCredentials;
9 | import org.apache.http.impl.client.CloseableHttpClient;
10 | import org.junit.Test;
11 |
12 | import static org.junit.Assert.*;
13 |
public class HttpClientFactoryTest {

    /**
     * {@code HttpClientFactory.create} must return the client produced by the test-scoped factory (a Mockito mock)
     * rather than by the library default {@code com.sap.cloud.security.client.DefaultHttpClientFactory}.
     */
    @Test
    public void create() {
        ClientCredentials credentials = new ClientCredentials("clientId", "secret");
        CloseableHttpClient cut = HttpClientFactory.create(credentials);
        assertNotNull(cut);

        // Assert that custom HttpClientFactory factory has a priority over default
        // com.sap.cloud.security.client.DefaultHttpClientFactory
        String implementationName = cut.getClass().getName();
        assertFalse(implementationName.contains("InternalHttpClient"));
        assertTrue(implementationName.contains("CloseableHttpClient$MockitoMock"));
    }

}
--------------------------------------------------------------------------------
/samples/spring-webflux-security-hybrid-usage/xs-security.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "spring-webflux-security-hybrid-usage",
3 | "description": "SAP BTP Spring Security Client Library Webflux sample application",
4 | "tenant-mode": "dedicated",
5 | "oauth2-configuration": {
6 | "credential-types": ["x509"]
7 | },
8 | "scopes": [
9 | {
10 | "name": "$XSAPPNAME.Read",
11 | "description": "Scope for spring-webflux-security-hybrid-usage sample application"
12 | }
13 | ],
14 | "role-templates": [
15 | {
16 | "name": "Viewer",
17 | "description": "Role for spring-webflux-security-hybrid-usage sample application",
18 | "scope-references": [
19 | "$XSAPPNAME.Read"
20 | ]
21 | }
22 | ],
23 | "role-collections": [
24 | {
25 | "name": "Sample Viewer (spring-webflux-security-hybrid-usage)",
26 | "description": "Role collection for spring-webflux-security-hybrid-usage sample application",
27 | "role-template-references": [
28 | "$XSAPPNAME.Viewer"
29 | ]
30 | }
31 | ]
32 | }
33 |
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/test/SecurityFilter.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test;
7 |
8 | import jakarta.servlet.*;
9 | import jakarta.servlet.http.HttpServletRequest;
10 | import jakarta.servlet.http.HttpServletResponse;
11 |
12 | import java.io.IOException;
13 |
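/**
 * Test-support filter: stops the chain once an HTTP response already carries an error status (>= 400), so the
 * protected target is not invoked after an earlier component rejected the request. Non-HTTP exchanges pass through.
 */
class SecurityFilter implements Filter {

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    /**
     * @param request
     *            incoming request; only HTTP requests are inspected
     * @param response
     *            response whose status decides whether the chain continues
     * @param chain
     *            continued unless an HTTP error status is already set
     */
    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Check the response's own type rather than casting it because the request is HTTP; the unconditional
        // cast could raise ClassCastException for a non-HttpServletResponse paired with an HttpServletRequest.
        boolean httpExchange = request instanceof HttpServletRequest && response instanceof HttpServletResponse;
        if (httpExchange && ((HttpServletResponse) response).getStatus() >= 400) {
            // error status already set upstream (presumably by a preceding filter): do not continue the chain
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}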
36 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/xsuaaCCAccessTokenRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vYXV0aGVudGljYXRpb24uc3RhZ2luZ2F3cy5oYW5hdmxhYi5vbmRlbWFuZC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0xIiwidHlwIjoiSldUIn0.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.OLDZiMerzH4gNELQEHCPUy7aD681L-twKYyfRSuNQAvlEeQeMaQm7_ZX3WrQ7HF04PASSocBkebG4PmFcbzX5uRSxoxUPbPB1JFsdbb_MU5o0P-xbYStY_lL0UVcZsSy2QrZwcNgtdTbHXpme2xn3jjW6KdwfO6Zd19fcPpPdstlmp34uUFBGfSkXek5sRDCw3ZklEStYIQG9dYsxEq-AmtEqsgPjVdFWv6_bfe8HqOoNfx1QC31DNNQQiAZBFFuZ3iX7IQWRHMdVjWw5GF7tvxM8al-wt8flaZ6gBvHTGzwGKBlDZYtKMDO57L5SyFCgwedoRdzE2NHIHvvp3CKEw
--------------------------------------------------------------------------------
/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/AuthoritiesExtractor.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.extractor;
7 |
8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken;
9 | import org.springframework.security.core.GrantedAuthority;
10 |
11 | import java.util.Collection;
12 |
13 | /**
14 | * Extracts the authorities from the Jwt token. Implementations can use this to map or manipulate scopes, e.g. by
15 | * changing their prefix.
16 | */
17 | public interface AuthoritiesExtractor {
18 | /**
19 | * Returns the granted authorities based on the information in the Jwt. A standard implementation will base the
20 | * granted authorities on the scopes.
21 | *
22 | * @param jwt
23 | * the Jwt to extract the authorities from.
24 | * @return the collection of granted authorities.
25 | */
26 | Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test;
7 |
8 | import org.junit.Test;
9 |
10 | import java.io.IOException;
11 | import java.security.NoSuchAlgorithmException;
12 | import java.security.spec.InvalidKeySpecException;
13 |
14 | import static org.assertj.core.api.Assertions.assertThat;
15 |
public class RSAKeysTest {

    /** A freshly generated pair must expose both halves. */
    @Test
    public void generate() {
        RSAKeys generated = RSAKeys.generate();
        assertBothKeysPresent(generated);
    }

    /** A pair loaded from the classpath key files must expose both halves. */
    @Test
    public void fromKeyFiles() throws IOException, InvalidKeySpecException,
            NoSuchAlgorithmException {
        RSAKeys loaded = RSAKeys.fromKeyFiles("/publicKey.txt", "/privateKey.txt");
        assertBothKeysPresent(loaded);
    }

    private static void assertBothKeysPresent(RSAKeys keys) {
        assertThat(keys.getPrivate()).isNotNull();
        assertThat(keys.getPublic()).isNotNull();
    }
}
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/token/MockTokenBuilder.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | import org.mockito.Mockito;
9 |
10 | import java.time.Instant;
11 | import java.util.GregorianCalendar;
12 |
13 | import static org.mockito.Mockito.when;
14 |
/**
 * Builds a Mockito-mocked {@link AbstractToken} with stubbed expiration / not-before instants for validator tests.
 */
public class MockTokenBuilder {
    /** Far-future instant (31 Dec 2190, default time zone) used as a "never expires" marker. */
    public static final Instant NO_EXPIRE_DATE = new GregorianCalendar(2190, 11, 31).getTime().toInstant();

    private final AbstractToken token = Mockito.mock(AbstractToken.class);

    /** Stubs {@code getExpiration()} to return {@code expirationDate}. */
    public MockTokenBuilder withExpiration(Instant expirationDate) {
        Mockito.doReturn(expirationDate).when(token).getExpiration();
        return this;
    }

    /** Stubs {@code getNotBefore()} to return {@code notBeforeDate}. */
    public MockTokenBuilder withNotBefore(Instant notBeforeDate) {
        Mockito.doReturn(notBeforeDate).when(token).getNotBefore();
        return this;
    }

    /** @return the mock; the same instance on every call */
    public AbstractToken build() {
        return token;
    }
}
34 |
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/src/main/java/sample/spring/xsuaa/DataService.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import org.slf4j.Logger;
9 | import org.slf4j.LoggerFactory;
10 | import org.springframework.security.access.prepost.PreAuthorize;
11 | import org.springframework.stereotype.Service;
12 |
/**
 * Minimal data-layer bean showing Spring method security: access is decided per method with {@link PreAuthorize}
 * rather than at the web layer.
 */
@Service
public class DataService {
    private final Logger logger = LoggerFactory.getLogger(this.getClass());

    /**
     * Returns the sensitive payload. Only a caller holding the {@code Admin} authority gets past the
     * {@link PreAuthorize} check; everyone else is rejected before the body runs.
     *
     * @return the sensitive data
     */
    @PreAuthorize("hasAuthority('Admin')")
    String readSensitiveData() {
        final String payload = "You got the sensitive data";
        logger.info("Reading sensitive data.");
        return payload;
    }
}
30 |
--------------------------------------------------------------------------------
/samples/spring-webflux-security-hybrid-usage/src/test/resources/mockServer/jwks.json:
--------------------------------------------------------------------------------
1 | {
2 | "keys": [
3 | {
4 | "kty": "RSA",
5 | "e": "AQAB",
6 | "use": "sig",
7 | "kid": "legacy-token-key",
8 | "alg": "RS256",
9 | "value": "-----BEGIN PUBLIC KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2G5MUF7szUMJfiaghYeb\\nwB+BgaG4wkbIDZ5fJU8Zm0/WnaupCCKX0fguLC21FtHATC6SOpOuVClXe9GY9AVJ\\nq3nyqAsiUil66jH9Y+kmeLeRVoBp8KXMQ15+W69GNU7/sYv+0k5PLUaxJPmcwb+W\\nCq9hw76zRXeEijnZ41YlVC9jcnZ7IjHjp2BASoznImmGJDW6F30FRbP/MLtfv5fM\\npj17OziVNE+eacuIygSH0IZZ+wvV7AcJAZlEwkCFqzzbVx2cLvRIpacHz2ci4seI\\nIxdPRj8O7i4y29hdSsHqTRFLtQiwCgIr7YItA5voVY/bS+CYy8a1MSckdXvFa5jY\\newIDAQAB\\n-----END PUBLIC KEY-----",
10 | "n": "ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs"
11 | }
12 | ]
13 | }
--------------------------------------------------------------------------------
/java-api/src/test/java/com/sap/cloud/security/config/CredentialTypeTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.config;
7 |
8 | import org.junit.Assert;
9 | import org.junit.Test;
10 |
public class CredentialTypeTest {

    /**
     * (input string, expected constant) pairs, in the original assertion order. The two spellings of
     * {@code X509_ATTESTED} check that parsing accepts lower case for that value.
     */
    private static final Object[][] CASES = {
            { "x509", CredentialType.X509 },
            { "X509_GENERATED", CredentialType.X509_GENERATED },
            { "X509_PROVIDED", CredentialType.X509_PROVIDED },
            { "X509_ATTESTED", CredentialType.X509_ATTESTED },
            { "x509_attested", CredentialType.X509_ATTESTED },
            { "instance-secret", CredentialType.INSTANCE_SECRET },
            { "binding-secret", CredentialType.BINDING_SECRET },
    };

    @Test
    public void from() {
        for (Object[] pair : CASES) {
            Assert.assertEquals(pair[1], CredentialType.from((String) pair[0]));
        }
    }
}
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/xsuaa/tokenflows/TestConstants.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.tokenflows;
7 |
8 | import com.sap.cloud.security.config.ClientCredentials;
9 |
10 | import java.net.URI;
11 |
12 | //@formatter:off
interface TestConstants {
    /** Base URL of the placeholder XSUAA tenant ("subdomain") the token-flow tests talk to. */
    URI XSUAA_BASE_URI = URI.create("https://subdomain.authentication.eu10.hana.ondemand.com/");
    /** Token endpoint below {@link #XSUAA_BASE_URI}. */
    URI TOKEN_ENDPOINT_URI = URI.create("https://subdomain.authentication.eu10.hana.ondemand.com/oauth/token");
    /** Client id / secret handed to the flows under test - fixture values for this test package. */
    ClientCredentials CLIENT_CREDENTIALS = new ClientCredentials("sb-spring-netflix-demo!t12291",
            "2Tc2Xz7DNy4KiACwvunulmxF32w=");
    /** End-user credentials; presumably consumed by the password-flow tests - verify against the callers. */
    String USERNAME = "Bob";
    String PASSWORD = "qwerty";
    /** Sample token values returned from the mocked token service in these tests. */
    String ACCESS_TOKEN = "8fea5fdea005417d8c7104a5a4165da2";
    String REFRESH_TOKEN = "c9336d3de6b7450b8b14cc61362d595d";
    String JWT_BEARER_TOKEN = "cabb9a945e43f5d9d7eb5aa7c";
    /** NOTE(review): the name suggests the OAuth {@code expires_in} value; confirm the unit against the consuming tests. */
    long EXPIRED_IN = 4223;
}
25 | //@formatter:on
--------------------------------------------------------------------------------
/spring-security/src/test/resources/xsuaaBindingsTwoApplicationsNoBroker.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "credentials": {
5 | "clientid": "client-id2",
6 | "clientsecret": "client-secret2",
7 | "url": "http://domain.xsuaadomain",
8 | "uaadomain": "xsuaadomain",
9 | "xsappname": "xsappname2"
10 | },
11 | "name": "xsuaaInstance0",
12 | "plan": "application"
13 | },
14 | {
15 | "credentials": {
16 | "clientid": "client-id",
17 | "clientsecret": "client-secret",
18 | "url": "http://domain.xsuaadomain",
19 | "uaadomain": "xsuaadomain",
20 | "xsappname": "xsappname"
21 | },
22 | "name": "xsuaaInstance1",
23 | "plan": "application"
24 | }
25 | ],
26 | "identity": [
27 | {
28 | "credentials": {
29 | "clientid": "client-id-ias",
30 | "clientsecret": "client-secret-ias",
31 | "url": "http://domain.iasdomain",
32 | "domains": ["iasdomain", "iasdomain.com"]
33 | },
34 | "name": "identityInstance0",
35 | "plan": "broker"
36 | }
37 | ]
38 | }
39 |
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/vcap_services-multiple.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientid": "sb-clientId!t0815",
7 | "clientsecret": "secret",
8 | "identityzone": "uaa",
9 | "identityzoneid": "uaa",
10 | "tenantmode": "dedicated",
11 | "uaadomain": "localhost",
12 | "url": "http://localhost",
13 | "xsappname": "clientId!t0815"
14 | },
15 | "instance_name": "my-xsuaa",
16 | "label": "xsuaa",
17 | "name": "example-xsuaa",
18 | "plan": "application",
19 | "tags": [
20 | "xsuaa"
21 | ],
22 | "volume_mounts": []
23 | }
24 | ],
25 | "identity": [
26 | {
27 | "binding_name": null,
28 | "credentials": {
29 | "clientsecret": "secret",
30 | "clientid": "T000310",
31 | "url": "http://localhost",
32 | "domains": ["localhost"]
33 | },
34 | "instance_name": "myservice",
35 | "label": "identity",
36 | "name": "myservice",
37 | "plan": "application",
38 | "provider": null,
39 | "syslog_drain_url": null,
40 | "tags": [],
41 | "volume_mounts": []
42 | }
43 | ]
44 | }
--------------------------------------------------------------------------------
/env/src/test/resources/vcapXsuaaXsaSingleBinding.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "name": "java-uaa",
5 | "label": "xsuaa",
6 | "tags": [
7 | "xsuaa"
8 | ],
9 | "plan": "space",
10 | "credentials": {
11 | "tenantmode": "dedicated",
12 | "clientid": "sb-java-hello-world!i1",
13 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOzNGEDK6jNrJcl3L2wstY8SnX9KNo4ic/JtrEQX4U/+749b9y6JlSGOXSKBFJ6alNGHVyPK66SfSgeWHwPjVekdnHYM7bQTyYX1NoSOxqUgvsktIpxeYJLC+J5qJTtnFcjFTRUovKwtCYxlTP4b63b7dWixwc+iSnkuvl4IkZjVTcstK73eTlmVtJDC5DIisPyYOK06qxTPrLC8KlgFA6a0FdPJF9G8s/ElxPHFu7mw6UKn2LTmDlDbADQZLMXGKBw/zg3l5scjxkOCVGTkGvv1ooccqCfYgZAsmsPbQdoZxznSdQTPfaWULnYLo8i5hFXiS1q8agvXHjWpUmWcMwIDAQAB-----END PUBLIC KEY-----",
14 | "xsappname": "java-hello-world!i1",
15 | "identityzone": "uaa",
16 | "identityzoneid": "uaa",
17 | "clientsecret": "fxnWLHqLh6KC0Wp/bbv8Gwbu50OEbpSvVYTiI/kZILsR/dYH8YL2V5tP1buzke9QmqK9AruntTAI\nKu4enzCTNw==",
18 | "url": "https://xsa-test.c.eu-de-2.cloud.sap:30132/uaa-security"
19 | }
20 | }
21 | ]
22 | }
--------------------------------------------------------------------------------
/spring-security/src/test/java/com/sap/cloud/security/spring/config/ConfigurationAssertions.java:
--------------------------------------------------------------------------------
1 | package com.sap.cloud.security.spring.config;
2 |
3 | import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
4 | import com.sap.cloud.security.config.ServiceConstants;
5 |
6 | import static org.junit.jupiter.api.Assertions.assertEquals;
7 |
public class ConfigurationAssertions {

	/**
	 * Asserts that a Spring {@link XsuaaServiceConfiguration} exposes the same client id, client secret, uaa domain,
	 * app id, name and plan as the given {@link OAuth2ServiceConfiguration}.
	 *
	 * @param xsuaaConfig the Spring-side configuration under test
	 * @param oauthConfig the configuration holding the expected values
	 * @throws AssertionError (via JUnit) on the first property that differs
	 */
	static void assertXsuaaConfigsAreEqual(XsuaaServiceConfiguration xsuaaConfig,
			OAuth2ServiceConfiguration oauthConfig) {
		String uaaDomainKey = ServiceConstants.XSUAA.UAA_DOMAIN;
		String appIdKey = ServiceConstants.XSUAA.APP_ID;

		// Fixed comparison order, so the first reported mismatch is deterministic.
		assertEquals(oauthConfig.getClientId(), xsuaaConfig.getClientId());
		assertEquals(oauthConfig.getClientSecret(), xsuaaConfig.getClientSecret());
		assertEquals(oauthConfig.getProperty(uaaDomainKey), xsuaaConfig.getProperty(uaaDomainKey));
		assertEquals(oauthConfig.getProperty(appIdKey), xsuaaConfig.getProperty(appIdKey));
		assertEquals(oauthConfig.getProperty(ServiceConstants.NAME), xsuaaConfig.getName());
		assertEquals(oauthConfig.getProperty(ServiceConstants.SERVICE_PLAN), xsuaaConfig.getPlan());
	}
}
21 |
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/config/CredentialType.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.config;
7 |
8 | import javax.annotation.Nullable;
9 |
10 | /**
11 | * Constants denoting the credential types of identity OAuth2 configuration
12 | */
public enum CredentialType {
	X509("x509"), INSTANCE_SECRET("instance-secret"), BINDING_SECRET("binding-secret"),
	X509_GENERATED("X509_GENERATED"), X509_PROVIDED("X509_PROVIDED"), X509_ATTESTED("X509_ATTESTED");

	/** Textual form of the credential type as it appears in service credentials / claims. */
	private final String typeName;

	CredentialType(String typeName) {
		this.typeName = typeName;
	}

	/**
	 * @return the textual form of this credential type (e.g. {@code "x509"}), not the enum constant's name
	 */
	@Override
	public String toString() {
		return typeName;
	}

	/**
	 * Resolves a credential type from its textual form, ignoring case; the first constant in declaration order
	 * whose type name matches wins.
	 *
	 * @param claimValue the value to resolve, e.g. {@code "binding-secret"}; may be null
	 * @return the matching {@link CredentialType}, or null if {@code claimValue} is null or matches no constant
	 */
	@Nullable
	public static CredentialType from(String claimValue) {
		CredentialType[] candidates = values();
		int index = 0;
		while (index < candidates.length) {
			CredentialType candidate = candidates[index++];
			if (candidate.typeName.equalsIgnoreCase(claimValue)) {
				return candidate;
			}
		}
		return null;
	}

}
39 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/xsuaaXsaAccessTokenRSA256_signedWithVerificationKey.txt:
--------------------------------------------------------------------------------
1 | eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0.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.EY4Xh2ExTa07C6dkyjm5fwCxAsrV1rv1DfwVfaM0i5BjybVyfVa5F3PnNnSKCwmIMzpVWJ0vQgKJi_3GYTTRfC4UtxRNPIsFLovgyIQ9VbWLJGr0PCcv7-dt0ZXxRQ3mcQQ3NFl2PNVfFz2kk_5hMZZhOIxH00fyc_-BWE1yYndWPHSCJhynbje_RudG7x9McJMNAkcNY9O1wK3pOAnAFUNjM_CEV2Su6AZ6SLSq29o8OR5brI83RXGFPaxudNyTH1pyG4T-JrD8HJAf0KGxRdqDyteGo-bxnorZ57idxE6dBiKr8lBMCv6hJ2Lb0tOEVE66YSBz2BCNrfMZ02ct7Q
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/DataService.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.security;
7 |
8 | import com.sap.cloud.security.spring.config.XsuaaServiceConfiguration;
9 | import com.sap.cloud.security.spring.token.SpringSecurityContext;
10 | import org.springframework.beans.factory.annotation.Autowired;
11 | import org.springframework.stereotype.Service;
12 |
13 | /**
14 | * Simple DataLayer interface that shows how Spring global message security can be used to control access to data
15 | * objects on a method level.
16 | */
@Service
public class DataService {
	@Autowired
	XsuaaServiceConfiguration xsuaaConfig;

	/**
	 * Reads sensitive data from the data layer. The caller needs the {@code Admin} scope for this to succeed; the
	 * scope check itself is not in this class (presumably applied by method-level security configured elsewhere).
	 *
	 * @return a message naming the app tenant id of the token in the current Spring security context
	 */
	String readSensitiveData() {
		return "You got the sensitive data for tenant '" + SpringSecurityContext.getToken().getAppTid() + "'.";
	}
}
30 |
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/uaa/vcap_services.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientid": "dashboard_client-Id",
7 | "clientsecret": "",
8 | "identityzone": "uaa",
9 | "identityzoneid": "uaa",
10 | "tenantmode": "dedicated",
11 | "uaadomain": "auth.com",
12 | "url": "http://auth.com",
13 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----",
14 | "xsappname": "dashboard_client"
15 | },
16 | "instance_name": "user-provided",
17 | "label": "xsuaa",
18 | "name": "example-xsuaa",
19 | "plan": "broker",
20 | "provider": null,
21 | "syslog_drain_url": null,
22 | "tags": [
23 | "xsuaa"
24 | ],
25 | "volume_mounts": []
26 | }
27 | ]
28 | }
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/token/validation/XsuaaLocalhostJkuFactory.java:
--------------------------------------------------------------------------------
1 | package com.sap.cloud.security.token.validation;
2 |
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenHeader;

import java.net.URI;
import java.net.URISyntaxException;
5 |
6 | /**
7 | * XsuaaLocalhostJkuFactory brings backward-compatibility for test credentials in consumer applications written before
8 | * 2.17.0 that are used to validate java-security-test tokens. This is necessary for successful JKU construction when
9 | * 'localhost' is defined as uaadomain in the service credentials. This class MUST NOT be loaded outside test scope and
10 | * MUST be the ONLY implementation of {@link XsuaaJkuFactory}.
11 | */
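public class XsuaaLocalhostJkuFactory implements XsuaaJkuFactory {

	/**
	 * Returns the {@code jku} header of the given token if, and only if, it points to localhost.
	 *
	 * @param jwt the encoded token whose {@code jku} header is inspected
	 * @return the token's {@code jku} value, unchanged, when its host is {@code localhost} or {@code 127.0.0.1}
	 * @throws IllegalArgumentException if the token carries no {@code jku} header, the header is not a parseable
	 *                                  URI, or its host is not localhost
	 */
	@Override
	public String create(String jwt) {
		Token token = Token.create(jwt);
		Object jkuHeader = token.getHeaders().get(TokenHeader.JWKS_URL);
		if (jkuHeader == null) {
			// Previously a missing header surfaced as a NullPointerException; reject it explicitly instead.
			throw new IllegalArgumentException("JKU is not trusted because the token has no jku header.");
		}
		String tokenJku = jkuHeader.toString();

		// Compare the URI's host rather than searching for the substring "localhost": a substring match would also
		// accept hosts such as "localhost.example.com" or a "localhost" that only appears in the path or query.
		String host;
		try {
			host = new URI(tokenJku).getHost();
		} catch (URISyntaxException e) {
			throw new IllegalArgumentException("JKU is not trusted because it is not a valid URI.", e);
		}

		if (host != null && (host.equalsIgnoreCase("localhost") || host.equals("127.0.0.1"))) {
			return tokenJku;
		}

		throw new IllegalArgumentException("JKU is not trusted because it does not target localhost.");
	}
}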
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/resources/claims_template.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "37587e8c45b84a85820744c1459910b5",
3 | "ext_attr": {
4 | "enhancer": "XSUAA",
5 | "serviceinstanceid": "brokerCloneServiceInstanceId",
6 | "acl": ["app1!t23"]
7 | },
8 | "xs.system.attributes": {
9 | "xs.saml.groups": [
10 | "g1"
11 | ],
12 | "xs.rolecollections": []
13 | },
14 | "given_name": "TestUser",
15 | "xs.user.attributes": {"usrAttr": ["test"]},
16 | "family_name": "unknown.org",
17 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
18 | "scope": [
19 | "openid", "testScope", "testApp.localScope"
20 | ],
21 | "client_id": "$clientid",
22 | "cid": "sb-clone1!b5|LR-master!b5",
23 | "azp": "sb-clone1!b5|LR-master!b5",
24 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
25 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
26 | "origin": "useridp",
27 | "user_name": "TestUser",
28 | "email": "TestUser@uaa.org",
29 | "rev_sig": "b850756a",
30 | "iat": 1532416849,
31 | "exp": $exp,
32 | "iss": "http://paas.localhost:8080/uaa/oauth/token",
33 | "zid": "$zid",
34 | "aud": [],
35 | "az_attr": {"external_id":"abcd1234"}
36 | }
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/test/resources/application.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | sap:
5 | security:
6 | services:
7 | xsuaa[0]:
8 | xsappname: xsapp!t0815
9 | uaadomain: localhost
10 | clientid: sb-clientId!t0815
11 | clientsecret: pwd
12 | url: http://localhost
13 | plan: application
14 | xsuaa[1]:
15 | xsappname: xsapp!b04711
16 | clientid: sb-clientId!b04711
17 | plan: broker
18 |
19 | identity:
20 | clientid: sb-clientId!t0815
21 | domains: localhost
22 |
23 | # Single xsuaa service configuration (commented out)
24 | # xsuaa:
25 | # xsappname: xsapp!t0815
26 | # uaadomain: localhost
27 | # clientid: sb-clientId!t0815
28 | # clientsecret: pwd
29 | # url: http://localhost
30 | #
31 | # identity:
32 | # clientid: sb-clientId!t0815
33 | # domains: localhost
34 |
35 | logging.level:
36 | com.sap: DEBUG # set SAP-class loggers to DEBUG.
37 | org.springframework: DEBUG
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/resources/password.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "8e7b3b00-7751-4b46-9b1a-5a46a2a1d5b8",
3 | "xs.user.attributes": {
4 | "cost-center": [
5 | "0815",
6 | "4711"
7 | ],
8 | "country": [
9 | "Germany"
10 | ]
11 | },
12 | "xs.system.attributes": {
13 | "xs.saml.groups": [
14 | "g1"
15 | ],
16 | "xs.rolecollections": ["rc1"]
17 | },
18 | "sub": "1002191",
19 | "scope": [
20 | "java-hello-world.Display",
21 | "openid",
22 | "java-hello-world.Delete",
23 | "java-hello-world.Create"
24 | ],
25 | "client_id": "sb-java-hello-world",
26 | "cid": "sb-java-hello-world",
27 | "azp": "sb-java-hello-world",
28 | "grant_type": "password",
29 | "user_id": "1002191",
30 | "user_name": "Mustermann",
31 | "origin": "useridp",
32 | "email": "max@example.com",
33 | "iat": 1442912244,
34 | "exp": $exp,
35 | "iss": "http://localhost:8080/uaa/oauth/token",
36 | "zid": "11-22-33-$zdn",
37 | "aud": [
38 | ],
39 | "az_attr": {
40 | "external_group": "domain\\group1",
41 | "external_id": "abcd1234"
42 | },
43 | "ext_attr": {
44 | "serviceinstanceid": "abcd1234",
45 | "zdn": "$zdn"
46 | }
47 | }
--------------------------------------------------------------------------------
/spring-xsuaa/src/test/resources/claims_templateMultiTenancy.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "37587e8c45b84a85820744c1459910b5",
3 | "ext_attr": {
4 | "enhancer": "XSUAA",
5 | "serviceinstanceid": "brokerCloneServiceInstanceId",
6 | "zdn": "paas",
7 | "acl": ["app1!t23"]
8 | },
9 | "xs.system.attributes": {
10 | "xs.saml.groups": [
11 | "g1"
12 | ],
13 | "xs.rolecollections": []
14 | },
15 | "given_name": "TestUser",
16 | "xs.user.attributes": {"usrAttr": ["test"]},
17 | "family_name": "unknown.org",
18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
19 | "scope": [
20 | "openid", "testScope", "testApp.localScope"
21 | ],
22 | "client_id": "$clientid",
23 | "cid": "sb-clone1!b5|LR-master!b5",
24 | "azp": "sb-clone1!b5|LR-master!b5",
25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
27 | "origin": "useridp",
28 | "user_name": "TestUser",
29 | "email": "TestUser@uaa.org",
30 | "rev_sig": "b850756a",
31 | "iat": 1532416849,
32 | "exp": $exp,
33 | "iss": "http://paas.localhost:8080/uaa/oauth/token",
34 | "zid": "paas",
35 | "aud": [],
36 | "az_attr": {"external_id":"abcd1234"}
37 | }
--------------------------------------------------------------------------------
/spring-xsuaa-it/src/main/resources/claims_templateMultiTenancy.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "37587e8c45b84a85820744c1459910b5",
3 | "ext_attr": {
4 | "enhancer": "XSUAA",
5 | "serviceinstanceid": "brokerCloneServiceInstanceId",
6 | "zdn": "paas",
7 | "acl": ["app1!t23"]
8 | },
9 | "xs.system.attributes": {
10 | "xs.saml.groups": [
11 | "g1"
12 | ],
13 | "xs.rolecollections": []
14 | },
15 | "given_name": "TestUser",
16 | "xs.user.attributes": {"usrAttr": ["test"]},
17 | "family_name": "unknown.org",
18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
19 | "scope": [
20 | "openid", "testScope", "testApp.localScope"
21 | ],
22 | "client_id": "$clientid",
23 | "cid": "sb-clone1!b5|LR-master!b5",
24 | "azp": "sb-clone1!b5|LR-master!b5",
25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
27 | "origin": "useridp",
28 | "user_name": "TestUser",
29 | "email": "TestUser@uaa.org",
30 | "rev_sig": "b850756a",
31 | "iat": 1532416849,
32 | "exp": $exp,
33 | "iss": "http://paas.localhost:8080/uaa/oauth/token",
34 | "zid": "paas",
35 | "aud": [],
36 | "az_attr": {"external_id":"abcd1234"}
37 | }
--------------------------------------------------------------------------------
/java-api/src/main/java/com/sap/cloud/security/servlet/TokenAuthenticator.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.servlet;
7 |
8 | import jakarta.servlet.ServletRequest;
9 | import jakarta.servlet.ServletResponse;
10 |
11 | /**
12 | * TokenAuthenticator is used to authenticate a user sending servlet requests to a service via token. It produces a
13 | * {@link TokenAuthenticationResult}. The result contains the necessary information to perform container specific
14 | * authentication.
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation;
7 |
8 | import javax.annotation.Nullable;
9 |
10 | /**
11 | * Captures the result of a validation. Normally created by validators that implement the {@link Validator} interface.
12 | */
public interface ValidationResult {

	/**
	 * Tells whether the validation passed.
	 *
	 * @return true if {@link #getErrorDescription()} is null, i.e. no validation error was recorded
	 */
	default boolean isValid() {
		String error = getErrorDescription();
		return error == null;
	}

	/**
	 * Tells whether the validation failed; always the negation of {@link #isValid()}.
	 *
	 * @return true if a validation error was recorded
	 */
	default boolean isErroneous() {
		return !isValid();
	}

	/**
	 * The description of the validation error that was found.
	 *
	 * @return the error description, or null if the validation passed
	 */
	@Nullable
	String getErrorDescription();
}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JsonWebKeyConstants.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation.validators;
7 |
class JsonWebKeyConstants {

	// JWK Set member holding the array of keys (RFC 7517, section 5.1)
	static final String KEYS_PARAMETER_NAME = "keys";

	// Common JWK parameters (RFC 7517, section 4)
	static final String KEY_TYPE_PARAMETER_NAME = "kty";
	static final String ALG_PARAMETER_NAME = "alg";
	static final String KID_PARAMETER_NAME = "kid";

	// RSA public key parameters (RFC 7518, section 6.3.1)
	static final String RSA_KEY_MODULUS_PARAMETER_NAME = "n";
	static final String RSA_KEY_PUBLIC_EXPONENT_PARAMETER_NAME = "e";

	// "jku" is a JWS header parameter (RFC 7515, section 4.1.2), not a JWK member
	static final String JKU_PARAMETER_NAME = "jku";

	// Not an RFC 7517 member. NOTE(review): presumably the PEM-encoded key field returned by the token keys
	// endpoint — confirm against the consumer of this constant.
	static final String VALUE_PARAMETER_NAME = "value";

	// Key id value denoting the legacy token key
	static final String KEY_ID_VALUE_LEGACY = "legacy-token-key";

	// PEM delimiters of a public key block
	static final String BEGIN_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
	static final String END_PUBLIC_KEY = "-----END PUBLIC KEY-----";

	private JsonWebKeyConstants() {
		// constants holder, never instantiated
	}
}
30 |
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/xs-security-deprecated.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsappname": "spring-xsuaa-usage",
3 | "tenant-mode": "dedicated",
4 | "scopes": [
5 | {
6 | "name": "$XSAPPNAME.Read",
7 | "description": "Read Permissions."
8 | },
9 | {
10 | "name": "$XSAPPNAME.Admin",
11 | "description": "Admin permissions."
12 | }
13 | ],
14 | "role-templates": [
15 | {
16 | "name": "Viewer",
17 | "description": "View Data",
18 | "scope-references": [
19 | "$XSAPPNAME.Read",
20 | "uaa.user"
21 | ]
22 | },
23 | {
24 | "name": "Administrator",
25 | "description": "View Sensitive Data",
26 | "scope-references": [
27 | "$XSAPPNAME.Read",
28 | "$XSAPPNAME.Admin"
29 | ]
30 | }
31 | ],
32 | "role-collections": [
33 | {
34 | "name": "Viewer",
35 | "description": "Viewer (read)",
36 | "role-template-references": [
37 | "$XSAPPNAME.Viewer"
38 | ]
39 | },
40 | {
41 | "name": "Administrator",
42 | "description": "Administrator (read all)",
43 | "role-template-references": [
44 | "$XSAPPNAME.Administrator"
45 | ]
46 | }
47 | ]
48 | }
49 |
--------------------------------------------------------------------------------
/.github/workflows/codeql.yml:
--------------------------------------------------------------------------------
1 | name: "CodeQL"
2 |
3 | on:
4 | push:
5 | branches: [ "main", "fosstars-report", "rel-2.0.1" ]
6 | pull_request:
7 | branches: [ "main" ]
8 | schedule:
9 | - cron: "10 8 * * 3"  # weekly scan (Wednesdays 08:10 UTC) in addition to the push/PR-triggered runs
10 |
11 | jobs:
12 | analyze:
13 | name: Analyze
14 | runs-on: ubuntu-latest
15 | permissions:  # least-privilege job token: read-only, plus the security-events write CodeQL needs to upload results
16 | actions: read
17 | contents: read
18 | security-events: write
19 |
20 | strategy:
21 | fail-fast: false
22 | matrix:
23 | language: [ java ]
24 |
25 | steps:
26 | - name: Set Java Version 17
27 | uses: actions/setup-java@v1  # NOTE(review): v1 is an old major of this action while checkout is on v3; consider a current release and pinning all actions to a commit SHA
28 | with:
29 | java-version: 17
30 |
31 | - name: Checkout
32 | uses: actions/checkout@v3
33 |
34 | - name: Initialize CodeQL
35 | uses: github/codeql-action/init@v2
36 | with:
37 | languages: ${{ matrix.language }}
38 | queries: +security-and-quality  # "+" adds the security-and-quality suite on top of the default queries
39 |
40 | - name: Autobuild
41 | uses: github/codeql-action/autobuild@v2
42 | if: ${{ matrix.language == 'java' }}
43 |
44 | - name: Perform CodeQL Analysis
45 | uses: github/codeql-action/analyze@v2
46 | with:
47 | category: "/language:${{ matrix.language }}"
48 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/http/HttpHeader.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.http;
7 |
8 | import java.util.Objects;
9 |
public class HttpHeader {

	private final String name;
	private final String value;

	/**
	 * Creates an immutable name/value pair. Neither argument is validated, so both may be null.
	 *
	 * @param name  the header name
	 * @param value the header value
	 */
	public HttpHeader(String name, String value) {
		this.name = name;
		this.value = value;
	}

	public String getValue() {
		return value;
	}

	public String getName() {
		return name;
	}

	/**
	 * Two headers are equal when they are of exactly the same class and agree on name and value (null-safe).
	 */
	@Override
	public boolean equals(Object o) {
		if (o == this) {
			return true;
		}
		if (!(o != null && o.getClass() == getClass())) {
			return false;
		}
		HttpHeader other = (HttpHeader) o;
		boolean sameName = Objects.equals(getName(), other.getName());
		return sameName && Objects.equals(getValue(), other.getValue());
	}

	@Override
	public int hashCode() {
		return Objects.hash(getName(), getValue());
	}

	/**
	 * Renders the header as {@code "name: value"}, quotes included. The full value is part of the output, so avoid
	 * logging headers that carry credentials (e.g. {@code Authorization}).
	 */
	@Override
	public String toString() {
		StringBuilder rendered = new StringBuilder();
		rendered.append('"').append(name).append(": ").append(value).append('"');
		return rendered.toString();
	}
}
49 |
--------------------------------------------------------------------------------
/spring-xsuaa-test/src/main/java/com/sap/cloud/security/xsuaa/test/jwt/DecodedJwt.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.test.jwt;
7 |
8 | /**
9 | * A Jwt token consists of three parts, separated by ".": header.payload.signature
10 | *
11 | * Use {@code Base64JwtDecoder.getInstance().decode(token)} to get a {@link DecodedJwt} instance.
12 | */
13 |
public interface DecodedJwt {

	/**
	 * The token exactly as it was handed in, i.e. {@code header.payload.signature} still base64 encoded. Treat it
	 * as a credential: never write it to a log or send it over HTTP.
	 *
	 * @return the encoded jwt
	 */
	String getEncodedToken();

	/**
	 * @return the header part, base64 decoded into a UTF-8 string
	 */
	String getHeader();

	/**
	 * @return the payload (claims) part, base64 decoded into a UTF-8 string
	 */
	String getPayload();

	/**
	 * @return the signature part as it appears in the token, i.e. still encoded
	 */
	String getSignature();

}
48 |
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/config/TokenBrokerConfiguration.java:
--------------------------------------------------------------------------------
1 | package sample.spring.xsuaa.config;
2 |
3 | import com.github.benmanes.caffeine.cache.Caffeine;
4 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
5 | import org.springframework.beans.factory.annotation.Qualifier;
6 | import org.springframework.cache.Cache;
7 | import org.springframework.cache.caffeine.CaffeineCache;
8 | import org.springframework.context.annotation.Bean;
9 | import org.springframework.context.annotation.Configuration;
10 | import sample.spring.xsuaa.TokenBrokerResolver;
11 |
12 | import java.util.concurrent.TimeUnit;
13 |
@Configuration
public class TokenBrokerConfiguration {

	/**
	 * Cache backing the {@link TokenBrokerResolver}: entries expire 15 minutes after they were written and at most
	 * 100 entries are kept; null values are not cached. NOTE(review): the entries are presumably tokens obtained
	 * through the token flows, so the expiry should stay at or below the token lifetime — confirm.
	 *
	 * @return the named Spring cache wrapping the Caffeine instance
	 */
	@Bean
	public Cache tokenBrokerCache() {
		Caffeine<Object, Object> builder = Caffeine.newBuilder()
				.expireAfterWrite(15, TimeUnit.MINUTES)
				.maximumSize(100);
		return new CaffeineCache("TokenBrokerResolverCache", builder.build(), false);
	}

	/**
	 * Wires a {@link TokenBrokerResolver} with the application's default {@link XsuaaTokenFlows} and the dedicated
	 * cache above, selected by qualifier so that no other {@link Cache} bean gets injected by accident.
	 */
	@Bean
	public TokenBrokerResolver tokenBrokerResolver(XsuaaTokenFlows tokenFlows,
			@Qualifier("tokenBrokerCache") Cache cache) {
		return new TokenBrokerResolver(tokenFlows, cache);
	}
}
30 |
--------------------------------------------------------------------------------
/env/src/test/resources/vcapXsuaaServiceSingleBinding.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "name": "example-xsuaa",
5 | "label": "xsuaa",
6 | "binding_name": null,
7 | "instance_name": "my-xsuaa",
8 | "plan": "application",
9 | "provider": null,
10 | "syslog_drain_url": null,
11 | "tags": [
12 | "xsuaa"
13 | ],
14 | "volume_mounts": [],
15 | "credentials": {
16 | "clientid": "clientId",
17 | "clientsecret": "secret",
18 | "identityzone": "uaa",
19 | "identityzoneid": "uaa",
20 | "sburl": "http://localhost/uaa",
21 | "tenantmode": "dedicated",
22 | "uaadomain": "auth.com",
23 | "url": "https://paastenant.auth.com",
24 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----",
25 | "xsappname": "java-hello-world"
26 | }
27 | }
28 | ]
29 | }
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/config/TokenBrokerTestConfiguration.java:
--------------------------------------------------------------------------------
1 | package sample.spring.xsuaa.config;
2 |
3 | import com.sap.cloud.security.config.ClientIdentity;
4 | import com.sap.cloud.security.spring.config.XsuaaServiceConfiguration;
5 | import com.sap.cloud.security.xsuaa.client.OAuth2ServiceEndpointsProvider;
6 | import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
7 | import com.sap.cloud.security.xsuaa.client.XsuaaOAuth2TokenService;
8 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;
9 | import org.springframework.context.annotation.Bean;
10 | import sample.spring.xsuaa.TokenBrokerResolver;
11 |
public class TokenBrokerTestConfiguration {

	/**
	 * Builds the {@link XsuaaTokenFlows} that {@link TokenBrokerResolver} uses in tests, on top of the stubbed
	 * {@link XsuaaOAuth2TokenService} prepared in {@link sample.spring.xsuaa.SecurityConfigurationTest}.
	 *
	 * @param xsuaaConfig  supplies the XSUAA endpoints and the client identity
	 * @param tokenService the (stubbed) service that performs the token requests
	 * @return token flows wired against the stub instead of a real XSUAA
	 */
	@Bean
	public XsuaaTokenFlows tokenFlows(XsuaaServiceConfiguration xsuaaConfig, XsuaaOAuth2TokenService tokenService) {
		OAuth2ServiceEndpointsProvider endpoints = new XsuaaDefaultEndpoints(xsuaaConfig);
		return new XsuaaTokenFlows(tokenService, endpoints, xsuaaConfig.getClientIdentity());
	}
}
25 |
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/token/validation/TokenTestValidator.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation;
7 |
8 | import com.sap.cloud.security.token.Token;
9 |
10 | public final class TokenTestValidator implements Validator
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.jwt;
7 |
8 | import java.io.Serializable;
9 |
10 | /**
11 | * A Jwt token consists of three parts, separated by ".": header.payload.signature
12 | *
13 | * Use {@code Base64JwtDecoder.getInstance().decode(token)} to get a {@link DecodedJwt} instance.
14 | */
15 |
16 | public interface DecodedJwt extends Serializable {
17 |
18 | /**
19 | * Get the base64 decoded header of the jwt as UTF-8 String.
20 | *
21 | * @return the decoded header.
22 | */
23 | String getHeader();
24 |
25 | /**
26 | * Get the base64 decoded payload of the jwt as UTF-8 String.
27 | *
28 | * @return the decoded payload.
29 | */
30 | String getPayload();
31 |
32 | /**
33 | * Get the encoded signature of the jwt.
34 | *
35 | * @return the decoded signature.
36 | */
37 | String getSignature();
38 |
39 | /**
40 | * Get the original encoded access token.
41 | *
42 | *
43 | * Never expose this token via log or via HTTP.
44 | *
45 | * @return jwt token
46 | */
47 | String getEncodedToken();
48 |
49 | }
50 |
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/util/HttpClientTestFactory.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.util;
7 |
8 | import org.apache.http.HttpStatus;
9 | import org.apache.http.HttpVersion;
10 | import org.apache.http.client.methods.CloseableHttpResponse;
11 | import org.apache.http.entity.ContentType;
12 | import org.apache.http.entity.StringEntity;
13 | import org.apache.http.message.BasicStatusLine;
14 | import org.mockito.Mockito;
15 |
16 | import static org.mockito.Mockito.when;
17 |
public class HttpClientTestFactory {

	/**
	 * Mocked response with status {@code 200 OK} and the given JSON body.
	 *
	 * @param responseAsJson the body to return from {@code getEntity()}
	 * @return a Mockito mock of {@link CloseableHttpResponse}
	 */
	public static CloseableHttpResponse createHttpResponse(String responseAsJson) {
		return createHttpResponse(responseAsJson, HttpStatus.SC_OK);
	}

	/**
	 * Mocked {@link CloseableHttpResponse} whose status line carries {@code statusCode} (HTTP/1.1, no reason
	 * phrase) and whose entity is {@code responseAsJson} with content type {@code application/json}. Only
	 * {@code getStatusLine()} and {@code getEntity()} are stubbed; other calls return Mockito defaults.
	 *
	 * @param responseAsJson the body to return from {@code getEntity()}
	 * @param statusCode     the HTTP status code to report
	 * @return the configured mock
	 */
	public static CloseableHttpResponse createHttpResponse(String responseAsJson, int statusCode) {
		BasicStatusLine statusLine = new BasicStatusLine(HttpVersion.HTTP_1_1, statusCode, null);
		StringEntity body = new StringEntity(responseAsJson, ContentType.APPLICATION_JSON);

		CloseableHttpResponse mockedResponse = Mockito.mock(CloseableHttpResponse.class);
		when(mockedResponse.getStatusLine()).thenReturn(statusLine);
		when(mockedResponse.getEntity()).thenReturn(body);
		return mockedResponse;
	}
}
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JsonWebKeyTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation.validators;
7 |
8 | import org.junit.Before;
9 | import org.junit.Test;
10 |
11 | import static org.hamcrest.CoreMatchers.equalTo;
12 | import static org.hamcrest.CoreMatchers.not;
13 | import static org.hamcrest.MatcherAssert.assertThat;
14 |
public class JsonWebKeyTest {
    private JsonWebKey cut;

    @Before
    public void setup() {
        cut = JsonWebKeyTestFactory.create();
    }

    /** A key is equal to itself. */
    @Test
    public void equalsByInstance() {
        boolean sameInstance = cut.equals(cut);
        assertThat(sameInstance, equalTo(true));
    }

    /** Two keys built from the same factory input are equal and share a hash code. */
    @Test
    public void equalsByFields() {
        JsonWebKey sameFields = JsonWebKeyTestFactory.create();
        assertThat(cut.equals(sameFields), equalTo(true));
        assertThat(cut.hashCode(), equalTo(sameFields.hashCode()));
    }

    /** A key with different fields is neither equal nor does it share the hash code. */
    @Test
    public void notEqualsByFields() {
        JsonWebKey otherFields = JsonWebKeyTestFactory.createDefault();
        assertThat(cut.equals(otherFields), equalTo(false));
        assertThat(cut.hashCode(), not(equalTo(otherFields.hashCode())));
    }

}
41 |
--------------------------------------------------------------------------------
/samples/spring-webflux-security-hybrid-usage/src/main/java/sample/spring/webflux/hybrid/TestController.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.webflux.hybrid;
7 |
8 | import com.sap.cloud.security.spring.token.ReactiveSecurityContext;
9 | import com.sap.cloud.security.xsuaa.jwt.Base64JwtDecoder;
10 | import org.springframework.http.HttpStatus;
11 | import org.springframework.http.MediaType;
12 | import org.springframework.http.ResponseEntity;
13 | import org.springframework.web.bind.annotation.GetMapping;
14 | import org.springframework.web.bind.annotation.RestController;
15 | import reactor.core.publisher.Mono;
16 |
17 | @RestController
18 | public class TestController {
19 |
20 | @GetMapping("/v1/sayHello")
21 | public Mono
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.x509;
7 |
8 | import java.util.Map;
9 |
10 | /**
11 | * Represents mTLS certificate.
12 | */
13 | public interface Certificate {
14 |
/**
 * Gets the certificate 'x5t' thumbprint, which is the base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
 * encoding of the X.509 certificate. This is the value the JOSE "x5t" header parameter carries (RFC 7515,
 * section 4.1.7); SHA-1 serves here as a certificate identifier, as that specification prescribes.
 *
 * @return the thumbprint
 * @throws InvalidCertificateException
 *             if an error occurs while encoding the X.509 certificate or when the required cryptographic algorithm
 *             is not supported
 */
String getThumbprint() throws InvalidCertificateException;
25 |
/**
 * Gets the certificate subject DN.
 *
 * @return the subject DN string without blanks (the exact whitespace normalization is defined by the implementation)
 */
String getSubjectDN();
32 |
33 | /**
34 | * Gets certificate subject DN map.
35 | *
36 | * @return the subject DN map with entries such as ["CN"]["common name"], or ["OU"]["1234-5678"]
37 | */
38 | Map
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.tokenflows;
7 |
8 | import com.sap.cloud.security.config.CacheConfiguration;
9 |
10 | import javax.annotation.Nonnull;
11 | import javax.annotation.Nullable;
12 |
/**
 * Interface for components that manage a cache configured with {@link CacheConfiguration}.
 */
public interface Cacheable {

    /**
     * Provides the cache configuration of the component. Must not be null.
     *
     * @return the cache configuration
     */
    @Nonnull
    CacheConfiguration getCacheConfiguration();

    /**
     * Clears the cache of the component, so subsequent lookups start from an empty cache.
     */
    void clearCache();

    /**
     * Returns an implementation-specific statistics object if the underlying cache supports it and cache statistics
     * have been enabled in the {@link CacheConfiguration}.
     *
     * Use with care: the type of the statistics object might change in later versions.
     *
     * @return the cache statistics object; may be null when unsupported or not enabled
     */
    @Nullable
    Object getCacheStatistics();
}
42 |
--------------------------------------------------------------------------------
/token-client/src/test/resources/oidcConfiguration.json:
--------------------------------------------------------------------------------
1 | {
2 | "issuer" : "http://localhost:8080/uaa/oauth/token",
3 | "authorization_endpoint" : "http://localhost/oauth/authorize",
4 | "token_endpoint" : "http://localhost/oauth/token",
5 | "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ],
6 | "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ],
7 | "userinfo_endpoint" : "http://localhost/userinfo",
8 | "jwks_uri" : "http://localhost/token_keys",
9 | "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ],
10 | "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ],
11 | "subject_types_supported" : [ "public" ],
12 | "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ],
13 | "id_token_encryption_alg_values_supported" : [ "none" ],
14 | "claim_types_supported" : [ "normal" ],
15 | "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ],
16 | "claims_parameter_supported" : false,
17 | "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/",
18 | "ui_locales_supported" : [ "en-US" ]
19 | }
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/test/api/ServiceMockConfiguration.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.test.api;
7 |
/**
 * Configuration hooks of the identity service mock server (WireMock) used by the test rule. Both setters return the
 * configuration itself so calls can be chained, and both must be called before the test execution starts.
 */
public interface ServiceMockConfiguration {

    /**
     * Overwrites the port on which the identity service mock server (WireMock) runs. It needs to be configured before
     * the test execution has started. If the port is not specified or is set to 0, a free random port is chosen.
     *
     * @param port
     *            the port on which the WireMock service is started; 0 selects a free random port
     * @return the rule itself
     */
    ServiceMockConfiguration setPort(int port);

    /**
     * Overwrites the private/public key pair to be used. The private key is used to sign the jwt token. The public key
     * is provided by the jwks endpoint (on behalf of WireMock). Checked exceptions are caught and rethrown as runtime
     * exceptions for test convenience.
     *
     * @param publicKeyPath
     *            resource path to the public key file
     * @param privateKeyPath
     *            resource path to the private key file
     * @return the rule itself
     */
    ServiceMockConfiguration setKeys(String publicKeyPath, String privateKeyPath);
}
33 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/util/MockBearerTokenRequestPostProcessor.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.security.util;
7 |
8 | import org.springframework.http.HttpHeaders;
9 | import org.springframework.mock.web.MockHttpServletRequest;
10 | import org.springframework.test.web.servlet.request.RequestPostProcessor;
11 |
// https://docs.spring.io/autorepo/docs/spring-security/4.0.0.RELEASE/reference/html/test-mockmvc.html#test-mockmvc-smmrpp
public final class MockBearerTokenRequestPostProcessor {

    private MockBearerTokenRequestPostProcessor() {
        // static factory only
    }

    /**
     * Creates a post processor that adds {@code Authorization: Bearer <token>} to a MockMvc request.
     *
     * @param token
     *            the raw token; it is placed after the "Bearer " prefix unchanged
     * @return the post processor to hand to MockMvc
     */
    public static RequestPostProcessor bearerToken(String token) {
        BearerTokenRequestPostProcessor processor = new BearerTokenRequestPostProcessor(token);
        return processor;
    }

    static class BearerTokenRequestPostProcessor implements RequestPostProcessor {
        private static final String SCHEME_PREFIX = "Bearer ";
        private final String token;

        public BearerTokenRequestPostProcessor(String token) {
            this.token = token;
        }

        /** Adds the Authorization header and returns the same request instance. */
        @Override
        public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) {
            String headerValue = SCHEME_PREFIX + token;
            request.addHeader(HttpHeaders.AUTHORIZATION, headerValue);
            return request;
        }
    }
}
36 |
--------------------------------------------------------------------------------
/samples/spring-security-xsuaa-usage/manifest.yml:
--------------------------------------------------------------------------------
1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
2 | # SPDX-License-Identifier: Apache-2.0
3 | ---
4 | # Configuration:
5 | # configured for EU10. For other landscapes, please adapt LANDSCAPE_APPS_DOMAIN in ../vars.yml
6 | # If the route is occupied, you might need to change ID in ../vars.yml
7 | applications:
8 | # The sample application.
9 | - name: spring-security-xsuaa-usage
10 | instances: 1
11 | memory: 896M
12 | routes:
13 | - route: spring-security-xsuaa-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))
14 | path: target/spring-security-xsuaa-usage.jar
15 | services:
16 | - xsuaa-authentication
17 | buildpacks:
18 | - java_buildpack
19 | env:
20 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}'
21 |
22 | # Application Router as web server
23 | - name: approuter-spring-security-xsuaa-usage
24 | path: approuter
25 | buildpacks:
26 | - nodejs_buildpack
27 | memory: 128M
28 | routes:
29 | - route: spring-security-xsuaa-usage-web-((ID)).((LANDSCAPE_APPS_DOMAIN))
30 | services:
31 | - xsuaa-authentication
32 | env:
33 | destinations: >
34 | [
35 | {"name":"token-destination",
36 | "url":"https://spring-security-xsuaa-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))",
37 | "forwardAuthToken": true}
38 | ]
39 | ...
40 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/OAuth2Principal.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.token;
7 |
8 | import org.springframework.security.core.GrantedAuthority;
9 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal;
10 |
11 | import java.util.Collection;
12 | import java.util.Map;
13 |
14 | class OAuth2Principal extends XsuaaToken implements OAuth2AuthenticatedPrincipal {
15 |
16 | private final Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.samples;
7 |
8 | import com.sap.cloud.security.token.SecurityContext;
9 | import jakarta.servlet.annotation.WebServlet;
10 | import jakarta.servlet.http.HttpServlet;
11 | import jakarta.servlet.http.HttpServletRequest;
12 | import jakarta.servlet.http.HttpServletResponse;
13 |
14 | import java.io.IOException;
15 |
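@WebServlet(HelloJavaServletScopeProtected.ENDPOINT)
public class HelloJavaServletScopeProtected extends HttpServlet {

    static final String ENDPOINT = "/hello-java-security-authz";

    /** Local scope name the caller's access token must contain (checked via hasLocalScope). */
    static final String REQUIRED_SCOPE = "Read";

    /**
     * Answers with a short text when the caller's access token carries the local scope "Read"; otherwise delegates
     * to {@link XsuaaSecurityFilter#sendUnauthorizedResponse} and returns without writing a body.
     *
     * Status and content type are set before the body is written, so they cannot be lost once the response has been
     * committed.
     *
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (!SecurityContext.getAccessToken().hasLocalScope(REQUIRED_SCOPE)) {
            XsuaaSecurityFilter.sendUnauthorizedResponse(response, REQUIRED_SCOPE);
            return;
        }
        response.setStatus(HttpServletResponse.SC_OK);
        response.setContentType("text/plain");
        response.getWriter().write("Read-protected method called!");
    }

}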
36 |
--------------------------------------------------------------------------------
/samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/Application.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.security;
7 |
8 | import com.sap.hcp.cf.logging.servlet.filter.RequestLoggingFilter;
9 | import jakarta.servlet.DispatcherType;
10 | import org.springframework.boot.SpringApplication;
11 | import org.springframework.boot.autoconfigure.SpringBootApplication;
12 | import org.springframework.boot.web.servlet.FilterRegistrationBean;
13 | import org.springframework.context.annotation.Bean;
14 | import org.springframework.core.Ordered;
15 |
16 | @SpringBootApplication
17 | public class Application {
18 |
/**
 * Boots the Spring application; further setup is contributed by the {@code @Bean} methods of this class.
 *
 * @param args
 *            command line arguments passed through to {@link SpringApplication#run}
 */
public static void main(String[] args) {
    SpringApplication.run(Application.class, args);
}
22 |
23 | @Bean
24 | public FilterRegistrationBean
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.config;
7 |
8 | import java.time.Duration;
9 |
/**
 * Interface used for the configuration of caches. Both boolean switches default to {@code false}, so an
 * implementation only needs to supply duration and size to get an enabled cache that records no statistics.
 */
public interface CacheConfiguration {

    /**
     * Returns the duration of the expire-after-write property of the cache. Cached elements are automatically
     * invalidated after this fixed duration has elapsed.
     *
     * @return duration of expire after write.
     */
    Duration getCacheDuration();

    /**
     * Returns the number of elements the cache can hold.
     *
     * @return the size of the cache.
     */
    int getCacheSize();

    /**
     * Caching is disabled when this returns {@code true}. Defaults to {@code false}, i.e. caching enabled.
     *
     * @return {@code true} if cache is disabled
     */
    default boolean isCacheDisabled() {
        return false;
    }

    /**
     * Returns {@code true} if cache statistics recording has been enabled. If it is enabled, cache statistics might be
     * obtained from the {@code Cacheable}. Defaults to {@code false}.
     *
     * @return {@code true} if cache statistics is enabled
     */
    default boolean isCacheStatisticsEnabled() {
        return false;
    }
}
49 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/TokenFlowException.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.tokenflows;
7 |
8 | import java.io.IOException;
9 | import java.io.Serial;
10 |
11 | /**
12 | * Exception thrown to signal issues during a token flow execution.
13 | */
14 | public class TokenFlowException extends IOException {
15 | @Serial
16 | private static final long serialVersionUID = 1452898292676860358L;
17 |
18 | /**
19 | * Creates a new exception instances.
20 | */
21 | public TokenFlowException() {
22 | super();
23 | }
24 |
25 | /**
26 | * Creates a new exception instances.
27 | *
28 | * @param message
29 | * - the error message.
30 | * @param cause
31 | * - the error cause.
32 | */
33 | public TokenFlowException(String message, Throwable cause) {
34 | super(message, cause);
35 | }
36 |
37 | /**
38 | * Creates a new exception instances.
39 | *
40 | * @param message
41 | * - the error message.
42 | */
43 | public TokenFlowException(String message) {
44 | super(message);
45 | }
46 |
47 | /**
48 | * Creates a new exception instances.
49 | *
50 | * @param cause
51 | * - the error cause.
52 | */
53 | public TokenFlowException(Throwable cause) {
54 | super(cause);
55 | }
56 | }
57 |
--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/XsuaaTokenFlowsUtils.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | * SPDX-License-Identifier: Apache-2.0
4 | */
5 | package com.sap.cloud.security.xsuaa.tokenflows;
6 |
7 | import org.json.JSONObject;
8 |
9 | import java.util.HashMap;
10 | import java.util.Map;
11 |
12 | /**
13 | * A utilities class providing static functions required to build the XSUAA token flow REST requests.
14 | */
15 | class XsuaaTokenFlowsUtils {
16 |
17 | static final String CLAIM_ADDITIONAL_AZ_ATTR = "az_attr";
18 |
19 | /**
20 | * Builds the additional authorities claim 'az_attr' for the JWT.
21 | *
22 | * @param additionalAuthorities
23 | * to be added to az_attr claim.
24 | * @return the additional authorities az_attr claim as a String or null if additional authorities were null
25 | */
26 | static String buildAdditionalAuthoritiesJson(Map
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.extractor;
7 |
8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken;
9 | import org.junit.Before;
10 | import org.junit.Test;
11 | import org.mockito.Mockito;
12 | import org.springframework.security.core.authority.SimpleGrantedAuthority;
13 |
14 | import java.util.Collection;
15 | import java.util.HashSet;
16 |
17 | import static org.assertj.core.api.Assertions.assertThat;
18 |
19 | public class LocalAuthoritiesExtractorTest {
20 | LocalAuthoritiesExtractor cut;
21 | XsuaaToken token;
22 | Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.servlet;
7 |
8 | import org.slf4j.Logger;
9 | import org.slf4j.LoggerFactory;
10 | import org.slf4j.MDC;
11 |
12 | import java.util.UUID;
13 |
/**
 * The Mapped Diagnostic Context helper class.
 */
public final class MDCHelper {

    public static final String CORRELATION_ID = "correlation_id";
    public static final String CORRELATION_HEADER = "X-CorrelationID";
    private static final Logger LOGGER = LoggerFactory.getLogger(MDCHelper.class);

    private MDCHelper() {
        // utility class
    }

    /**
     * Returns the correlation id stored under {@link #CORRELATION_ID} in the MDC, generating a random UUID when the
     * entry is absent or empty. The generated id is only returned, it is not written back into the MDC.
     *
     * @return the existing or freshly generated correlation id
     */
    public static String getOrCreateCorrelationId() {
        String fromMdc = MDC.get(CORRELATION_ID);
        boolean present = fromMdc != null && !fromMdc.isEmpty();
        if (present) {
            LOGGER.debug("Correlation id (key={}) from MDC: {}", CORRELATION_ID, fromMdc);
            return fromMdc;
        }
        String generated = UUID.randomUUID().toString();
        LOGGER.info("Correlation id (key={}) was not found in the MDC, generating a new one: {}", CORRELATION_ID,
                generated);
        return generated;
    }
}
43 |
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/xsuaa/tokenflows/TokenFlowExceptionTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.tokenflows;
7 |
8 | import org.junit.Test;
9 |
10 | import static org.junit.Assert.assertNotNull;
11 | import static org.junit.Assert.assertNull;
12 |
public class TokenFlowExceptionTest {

    static final String MESSAGE = "Message";
    static final Exception CAUSE = new Exception();

    /** Each constructor populates exactly the message and cause it was handed. */
    @Test
    public void constructors() {
        TokenFlowException noArgs = new TokenFlowException();
        assertNull("Exception should not have any message.", noArgs.getMessage());
        assertNull("Exception should not have any cause.", noArgs.getCause());

        TokenFlowException messageOnly = new TokenFlowException(MESSAGE);
        assertNotNull("Exception should have a message.", messageOnly.getMessage());
        assertNull("Exception should not have any cause.", messageOnly.getCause());

        // Throwable derives the message from the cause, so it is non-null here as well
        TokenFlowException causeOnly = new TokenFlowException(CAUSE);
        assertNotNull("Exception should not have a default message.", causeOnly.getMessage());
        assertNotNull("Exception should have a cause.", causeOnly.getCause());

        TokenFlowException messageAndCause = new TokenFlowException(MESSAGE, CAUSE);
        assertNotNull("Exception should have a message.", messageAndCause.getMessage());
        assertNotNull("Exception should have a cause.", messageAndCause.getCause());
    }

}
39 |
--------------------------------------------------------------------------------
/samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/TestController.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package sample.spring.xsuaa;
7 |
8 | import com.sap.cloud.security.token.Token;
9 | import org.springframework.security.core.annotation.AuthenticationPrincipal;
10 | import org.springframework.web.bind.annotation.GetMapping;
11 | import org.springframework.web.bind.annotation.RestController;
12 |
13 | @RestController
14 | public class TestController {
15 |
16 | /**
17 | * Returns the access token to the caller that was fetched by {@link TokenBrokerResolver} using the Basic auth
18 | * information from the request header with a {@link com.sap.cloud.security.token.GrantType#PASSWORD} grant type
19 | * flow.
20 | *
21 | * @param token
22 | * validated and processed access token
23 | * @return the access token
24 | */
25 | @GetMapping("/fetchToken")
26 | public Token returnToken(@AuthenticationPrincipal Token token) {
27 | /* access to token claims is available via token object, e.g.
28 | String userName = token.getPrincipal().getName();
29 | String zoneId = token.getZoneId()
30 | List
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.extractor;
7 |
8 | import com.sap.cloud.security.xsuaa.token.TokenClaims;
9 | import com.sap.cloud.security.xsuaa.token.XsuaaToken;
10 | import org.springframework.security.core.GrantedAuthority;
11 | import org.springframework.security.core.authority.SimpleGrantedAuthority;
12 | import org.springframework.security.oauth2.jwt.Jwt;
13 | import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
14 |
15 | import java.util.Collection;
16 | import java.util.Collections;
17 | import java.util.List;
18 | import java.util.stream.Collectors;
19 |
20 | public class DefaultAuthoritiesExtractor extends JwtAuthenticationConverter implements AuthoritiesExtractor {
21 |
22 | public Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token;
7 |
8 | import javax.annotation.Nullable;
9 |
/**
 * Constants denoting the grant type of a Jwt access token, i.e. the literal value carried by the token's grant type
 * claim; see {@link #from(String)} and {@link #toString()} for the mapping in both directions.
 */
public enum GrantType {
    // @formatter:off
    CLIENT_CREDENTIALS("client_credentials"),
    REFRESH_TOKEN("refresh_token"),
    PASSWORD("password"),
    JWT_BEARER("urn:ietf:params:oauth:grant-type:jwt-bearer"),
    SAML2_BEARER("urn:ietf:params:oauth:grant-type:saml2-bearer"),
    /**
     * @deprecated in favor of {@link #JWT_BEARER}.
     */
    @Deprecated
    USER_TOKEN("user_token"),
    /**
     * @deprecated SAP proprietary grant type.
     */
    @Deprecated
    CLIENT_X509("client_x509"),
    AUTHORIZATION_CODE("authorization_code");
    // @formatter:on

    /** Literal grant type string as it appears in the token claim. */
    private final String claimName;

    GrantType(String claimName) {
        this.claimName = claimName;
    }

    /**
     * @return the literal grant type string (e.g. {@code "client_credentials"}), not the enum constant name
     */
    @Override
    public String toString() {
        return claimName;
    }

    /**
     * Resolves the constant whose literal equals the given claim value (case-sensitive, exact match).
     *
     * @param claimName
     *            the grant type string from the token; may be null
     * @return the matching constant, or null when nothing matches (including a null argument)
     */
    @Nullable
    public static GrantType from(String claimName) {
        GrantType match = null;
        for (GrantType candidate : values()) {
            boolean hit = candidate.claimName.equals(claimName);
            if (hit && match == null) {
                match = candidate;
            }
        }
        return match;
    }

}
55 |
--------------------------------------------------------------------------------
/spring-security/src/test/resources/fourXsuaaBindingsAndOneIasBinding.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "credentials": {
5 | "clientid": "client-id-broker",
6 | "clientsecret": "client-secret-broker"
7 | },
8 | "name": "xsuaaInstance0",
9 | "plan": "broker"
10 | },
11 | {
12 | "credentials": {
13 | "clientid": "client-id-broker2",
14 | "clientsecret": "client-secret-broker2"
15 | },
16 | "name": "xsuaaInstance1",
17 | "plan": "broker"
18 | },
19 | {
20 | "credentials": {
21 | "clientid": "client-id2",
22 | "clientsecret": "client-secret2",
23 | "url": "http://domain.xsuaadomain",
24 | "uaadomain": "xsuaadomain",
25 | "xsappname": "xsappname2"
26 | },
27 | "name": "xsuaaInstance2",
28 | "plan": "application"
29 | },
30 | {
31 | "credentials": {
32 | "clientid": "client-id",
33 | "clientsecret": "client-secret",
34 | "url": "http://domain.xsuaadomain",
35 | "uaadomain": "xsuaadomain",
36 | "xsappname": "xsappname"
37 | },
38 | "name": "xsuaaInstance3",
39 | "plan": "application"
40 | }
41 | ],
42 | "identity": [
43 | {
44 | "credentials": {
45 | "clientid": "client-id-ias",
46 | "clientsecret": "client-secret-ias",
47 | "url": "http://domain.iasdomain",
48 | "domains": ["iasdomain", "iasdomain.com"]
49 | },
50 | "name": "identityInstance0",
51 | "plan": "broker"
52 | }
53 | ]
54 | }
55 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/AuthenticationToken.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.token;
7 |
8 | import org.springframework.security.core.GrantedAuthority;
9 | import org.springframework.security.oauth2.jwt.Jwt;
10 | import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
11 |
12 | import java.io.Serial;
13 | import java.util.Collection;
14 |
15 | /**
16 | * Internal class used to expose the {@link Token} implementation as the standard Principal for Spring Security Jwt
17 | * handling.
18 | *
19 | * @see TokenAuthenticationConverter
20 | * @see XsuaaToken
21 | */
22 | public class AuthenticationToken extends JwtAuthenticationToken {
23 |
24 | @Serial
25 | private static final long serialVersionUID = -3779129534612771294L;
26 |
27 | private final Token token;
28 |
29 | public AuthenticationToken(Jwt jwt, Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.config;
7 |
8 | import org.slf4j.Logger;
9 | import org.slf4j.LoggerFactory;
10 |
11 | import javax.annotation.Nullable;
12 |
/**
 * Represents a supported identity service. The Cloud Foundry marketplace name of each constant is what
 * {@link #from(String)} matches on, ignoring case.
 */
public enum Service {

    XSUAA("xsuaa"), IAS(getIasServiceName());

    private final String cloudFoundryName;

    Service(String cloudFoundryName) {
        this.cloudFoundryName = cloudFoundryName;
    }

    /**
     * Resolves the marketplace name of the IAS service. The name is fixed to "identity"; the legacy
     * IAS_SERVICE_NAME environment variable is not honoured any more and only triggers a warning when still set.
     */
    private static String getIasServiceName() {
        Logger logger = LoggerFactory.getLogger(Service.class);
        boolean legacyVariablePresent = System.getenv("IAS_SERVICE_NAME") != null;
        if (legacyVariablePresent) {
            logger.warn(
                    "As of version 2.8.0 IAS_SERVICE_NAME system environment variable is no longer needed. Service 'identity' is available with plan 'application'.");
        }
        return "identity";
    }

    /**
     * Returns the name of the identity service as it appears on the Cloud Foundry marketplace.
     *
     * @return name of the identity service in the context of the Cloud Foundry environment.
     */
    public String getCFName() {
        return cloudFoundryName;
    }

    /**
     * Looks up the service by its Cloud Foundry marketplace name, ignoring case.
     *
     * @param cloudFoundryName
     *            the marketplace name; may be null
     * @return the matching service, or null when none matches (including a null argument)
     */
    @Nullable
    public static Service from(String cloudFoundryName) {
        Service match = null;
        for (Service candidate : values()) {
            if (match == null && candidate.cloudFoundryName.equalsIgnoreCase(cloudFoundryName)) {
                match = candidate;
            }
        }
        return match;
    }
}
54 |
--------------------------------------------------------------------------------
/spring-security/src/test/java/com/sap/cloud/security/spring/config/XsuaaServiceConfigurationTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.spring.config;
7 |
8 | import org.junit.jupiter.api.Test;
9 | import org.springframework.boot.context.properties.EnableConfigurationProperties;
10 | import org.springframework.boot.test.context.runner.ApplicationContextRunner;
11 |
12 | import static org.junit.jupiter.api.Assertions.assertEquals;
13 |
class XsuaaServiceConfigurationTest {

    private final ApplicationContextRunner runner = new ApplicationContextRunner();

    /** Minimal user configuration that only switches on binding of {@link XsuaaServiceConfiguration}. */
    @EnableConfigurationProperties(XsuaaServiceConfiguration.class)
    static class EnablePropertiesConfiguration {
    }

    /**
     * Binds the sap.security.services.xsuaa.* properties and checks that url, name and plan end up on the bean.
     */
    @Test
    void configuresXsuaaServiceConfiguration() {
        String[] xsuaaProperties = {
                "sap.security.services.xsuaa.url:http://localhost",
                "sap.security.services.xsuaa.uaadomain:localhost",
                "sap.security.services.xsuaa.clientid:cid",
                "sap.security.services.xsuaa.name:xsuaaInstance0",
                "sap.security.services.xsuaa.plan:broker" };
        ApplicationContextRunner configured = runner
                .withUserConfiguration(EnablePropertiesConfiguration.class)
                .withPropertyValues(xsuaaProperties);
        configured.run(context -> assertBoundProperties(context.getBean(XsuaaServiceConfiguration.class)));
    }

    /** Asserts the three bound values the test cares about. */
    private static void assertBoundProperties(XsuaaServiceConfiguration config) {
        assertEquals("http://localhost", config.getUrl().toString());
        assertEquals("xsuaaInstance0", config.getName());
        assertEquals("broker", config.getPlan());
    }
}
39 |
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JsonWebKeySet.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation.validators;
7 |
8 | import javax.annotation.Nonnull;
9 | import javax.annotation.Nullable;
10 | import java.util.HashSet;
11 | import java.util.Set;
12 | import java.util.stream.Collectors;
13 | import java.util.stream.Stream;
14 |
15 | class JsonWebKeySet {
16 |
17 | private final Set
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.samples.ias;
7 |
8 | import com.sap.cloud.security.token.SecurityContext;
9 | import com.sap.cloud.security.token.Token;
10 | import com.sap.cloud.security.token.TokenClaims;
11 | import jakarta.servlet.annotation.WebServlet;
12 | import jakarta.servlet.http.HttpServlet;
13 | import jakarta.servlet.http.HttpServletRequest;
14 | import jakarta.servlet.http.HttpServletResponse;
15 | import org.slf4j.Logger;
16 | import org.slf4j.LoggerFactory;
17 |
18 | import java.io.IOException;
19 | import java.io.Serial;
20 |
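@WebServlet(HelloJavaServlet.ENDPOINT)
public class HelloJavaServlet extends HttpServlet {

    static final String ENDPOINT = "/hello-java-security-ias";
    private static final Logger logger = LoggerFactory.getLogger(HelloJavaServlet.class);

    /**
     * Greets the authenticated caller with the e-mail claim of the token found in {@link SecurityContext}. The token
     * is expected to have been validated and stored by the security filter in front of this servlet (not visible
     * here); when none is present the request is answered with 401 instead of failing with a NullPointerException.
     * The body is plain text, so the claim value is not interpreted as markup by the client.
     *
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        Token token = SecurityContext.getToken();
        if (token == null) {
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        response.setContentType("text/plain");
        try {
            response.getWriter().write("You ('"
                    + token.getClaimAsString(TokenClaims.EMAIL) + "') "
                    + "are authenticated and can access the application.");
        } catch (final IOException e) {
            // this is the success response being written, so the log message must not call it an error response
            logger.error("Failed to write response: " + e.getMessage() + ".", e);
        }
    }

}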
44 |
--------------------------------------------------------------------------------
/java-security/src/test/java/com/sap/cloud/security/core/AssertionsTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.core;
7 |
8 | import org.junit.Test;
9 |
10 | import static com.sap.cloud.security.xsuaa.Assertions.assertHasText;
11 | import static com.sap.cloud.security.xsuaa.Assertions.assertNotNull;
12 | import static org.assertj.core.api.Assertions.assertThatThrownBy;
13 |
/**
 * Unit tests for the argument-checking helpers in {@code com.sap.cloud.security.xsuaa.Assertions}: a failed
 * check must raise {@link IllegalArgumentException} carrying exactly the supplied message, a passing check must
 * be silent.
 */
public class AssertionsTest {

	@Test
	public void assertNotNull_throwsIllegalArgumentExceptionContainingMessage() {
		final String expected = "A message";
		assertThatThrownBy(() -> assertNotNull(null, expected))
				.isInstanceOf(IllegalArgumentException.class)
				.hasMessage(expected);
	}

	@Test
	public void assertNotNull_doesNotThrow() {
		final Object anyObject = new Object();
		assertNotNull(anyObject, "Should not be thrown");
	}

	@Test
	public void assertNotEmpty_throwsIllegalArgumentExceptionContainingMessage() {
		final String expected = "A message";
		// null, empty and whitespace-only must all be rejected with the same message
		for (final String blank : new String[] { null, "", " " }) {
			assertThatThrownBy(() -> assertHasText(blank, expected))
					.isInstanceOf(IllegalArgumentException.class)
					.hasMessage(expected);
		}
	}

	@Test
	public void assertNotEmpty_doesNotThrow() {
		assertHasText(" s ", "Should not be thrown");
	}
}
50 |
--------------------------------------------------------------------------------
/spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/LocalAuthoritiesExtractor.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.xsuaa.extractor;
7 |
8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken;
9 | import org.springframework.security.core.GrantedAuthority;
10 | import org.springframework.security.core.authority.SimpleGrantedAuthority;
11 |
12 | import java.util.Collection;
13 | import java.util.Collections;
14 | import java.util.HashSet;
15 | import java.util.Set;
16 | import java.util.stream.Collectors;
17 | import java.util.stream.Stream;
18 |
19 | public class LocalAuthoritiesExtractor implements AuthoritiesExtractor {
20 |
21 | protected final String appId;
22 |
/**
 * Creates an extractor bound to the given application id.
 *
 * @param appId
 *            the application id kept in {@link #appId}; it is stored as-is and not validated here.
 */
public LocalAuthoritiesExtractor(String appId) {
	this.appId = appId;
}
26 |
27 | @Override
28 | public Collection
4 | * SPDX-License-Identifier: Apache-2.0
5 | */
6 | package com.sap.cloud.security.token.validation.validators;
7 |
8 | import javax.annotation.Nullable;
9 | import java.security.NoSuchAlgorithmException;
10 | import java.security.PublicKey;
11 | import java.security.spec.InvalidKeySpecException;
12 |
/**
 * A single JSON Web Key as seen by the validators in this package: the algorithm it belongs to, its optional
 * key id and the {@link PublicKey} it represents.
 * <p>
 * See also the JSON Web Key (JWK) specification: tools.ietf.org/html/rfc7517
 */
interface JsonWebKey {
	// Fallback key id; when implementations apply it (e.g. for keys without a "kid") is not visible here —
	// confirm against JsonWebKeySet.
	@java.lang.SuppressWarnings("squid:S1214")
	String DEFAULT_KEY_ID = "default-kid";

	/**
	 * Returns the key algorithm a JWT is/can be signed with, e.g. {@link JwtSignatureAlgorithm#RS256}.
	 *
	 * @return the key algorithm.
	 */
	JwtSignatureAlgorithm getKeyAlgorithm();

	/**
	 * Returns the key id ("kid"). This is used, for instance, to choose among a set of keys within a JWK Set
	 * during key rollover.
	 *
	 * @return unique key identifier, or {@code null} if the key carries none.
	 */
	@Nullable
	String getId();

	/**
	 * Returns the public key representation.
	 *
	 * @return the public key, or {@code null} if none is available.
	 * @throws InvalidKeySpecException
	 *             in case a PublicKey can not be created for this JSON web key.
	 * @throws NoSuchAlgorithmException
	 *             in case the algorithm specified as part of the JSON web key is not supported.
	 */
	@Nullable
	PublicKey getPublicKey() throws NoSuchAlgorithmException, InvalidKeySpecException;

}
50 |
--------------------------------------------------------------------------------
11 | *
12 | * This may be relevant for writing audit logs.
13 | */
public interface ValidationListener {

	/**
	 * Invoked when a validation has failed.
	 *
	 * @param result
	 *            the failed {@link ValidationResult}; presumably carries the reason, which an implementation
	 *            (e.g. an audit logger) can record — confirm against ValidationResult.
	 */
	void onValidationError(ValidationResult result);

	/**
	 * Invoked when a validation has succeeded. No result is passed.
	 */
	void onValidationSuccess();

}
21 |
--------------------------------------------------------------------------------
/java-security/src/test/resources/uaaAccessTokenRSA256.txt:
--------------------------------------------------------------------------------
1 | eyJqa3UiOiJodHRwOi8vYXV0aC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0wIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOlsiZGFzaGJvYXJkX2NsaWVudC1JZCJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6InRlc3RVc2VySWQiLCJhenAiOiJkYXNoYm9hcmRfY2xpZW50LUlkIiwidXNlcl9uYW1lIjoidGVzdFVzZXIiLCJvcmlnaW4iOiJzYXAuaWRzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MjcwMCIsImV4cCI6Njk3NDAzMTYwMH0.dA9gjVpX3G099gtRwIQDvppLyIaO5WsxAfmq71CTNKJv2J6LXgQOyhOk0NKgmQHxCvL-UEqnAImRXK1EF9ewgI_MD6Bn0N9mSGV0HmroM3es9go8t4f5DWNPllgTTgaiO34dIGEuFXkhn3uFVy34ErRhjAxuhknGg571jW2hg0jncDwMuC1mK_h7gvH-bb1ENmxG7NXSNZAQiJ0IlIZxixGmo1cJZP9V1oNugnE4mLJmB0I_7fRm9iYm0kBfLbOV_NgJ32AQ7I44SDoRlO1k5HvxKOPWwn2ZlSEoFiPnfsO9N4wrK1TZ-5kH8y6NpSI6R4hnJbmomZruEXnQ0MitpQ
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/Validator.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
6 |
13 |
14 |
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/RSAKeysTest.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *
15 | *
16 | * See {@code JettyTokenAuthenticator} in the java-security-test library on how this is used with jetty to perform
17 | * authentication.
18 | */
public interface TokenAuthenticator {

	/**
	 * Performs the authentication for the given request.
	 *
	 * @param request
	 *            servlet request.
	 * @param response
	 *            servlet response.
	 * @return a {@link TokenAuthenticationResult} describing the outcome; whether it also exposes the validated
	 *         token or the failure reason is not visible here — confirm against TokenAuthenticationResult.
	 */
	TokenAuthenticationResult validateRequest(ServletRequest request, ServletResponse response);
}
32 |
--------------------------------------------------------------------------------
/spring-xsuaa-test/src/test/resources/claims_template.txt:
--------------------------------------------------------------------------------
1 | {
2 | "jti": "37587e8c45b84a85820744c1459910b5",
3 | "ext_attr": {
4 | "enhancer": "XSUAA",
5 | "serviceinstanceid": "brokerCloneServiceInstanceId",
6 | "zdn": "$zdn",
7 | "acl": ["app1!t23"]
8 | },
9 | "xs.system.attributes": {
10 | "xs.saml.groups": [
11 | "g1"
12 | ],
13 | "xs.rolecollections": []
14 | },
15 | "given_name": "$username",
16 | "xs.user.attributes": {"usrAttr": ["value_1", "value_2"]},
17 | "family_name": "unknown.org",
18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
19 | "scope": [
20 | "openid", "testScope", "testApp.localScope"
21 | ],
22 | "client_id": "$clientid",
23 | "cid": "sb-clone1!b5|LR-master!b5",
24 | "azp": "sb-clone1!b5|LR-master!b5",
25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9",
27 | "origin": "useridp",
28 | "user_name": "$username",
29 | "email": "$username@uaa.org",
30 | "rev_sig": "b850756a",
31 | "iat": 1532416849,
32 | "exp": $exp,
33 | "iss": "http://paas.localhost:8080/uaa/oauth/token",
34 | "zid": "$zid",
35 | "aud": [],
36 | "az_attr": {"external_id":"abcd1234"}
37 | }
--------------------------------------------------------------------------------
/java-security-it/src/test/resources/xsuaa/vcap_services-single.json:
--------------------------------------------------------------------------------
1 | {
2 | "xsuaa": [
3 | {
4 | "binding_name": null,
5 | "credentials": {
6 | "clientid": "clientId",
7 | "clientsecret": "",
8 | "identityzone": "uaa",
9 | "identityzoneid": "uaa",
10 | "sburl": "http://localhost/uaa",
11 | "tenantmode": "dedicated",
12 | "uaadomain": "auth.com",
13 | "url": "https://paastenant.auth.com",
14 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----",
15 | "xsappname": "java-hello-world"
16 | },
17 | "instance_name": "my-xsuaa",
18 | "label": "xsuaa",
19 | "name": "example-xsuaa",
20 | "plan": "broker",
21 | "provider": null,
22 | "syslog_drain_url": null,
23 | "tags": [
24 | "xsuaa"
25 | ],
26 | "volume_mounts": []
27 | }
28 | ]
29 | }
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/ValidationResult.java:
--------------------------------------------------------------------------------
1 | /**
2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
3 | *