├── .git-blame-ignore-revs ├── .github ├── ISSUE_TEMPLATE │ └── support.md ├── dependabot.yml └── workflows │ ├── codeql.yml │ ├── fosstars-project-report.yml │ └── maven-build.yml ├── .gitignore ├── CHANGELOG.md ├── CONTRIBUTING.md ├── CONTRIBUTING_USING_GENAI.md ├── LICENSE ├── LICENSES └── Apache-2.0.txt ├── README.md ├── REUSE.toml ├── bom └── pom.xml ├── docs ├── HowToFetchToken.md ├── IAS_XSUAA_token_fetch.postman_collection.json ├── Troubleshooting_JsonClasspathIssues.md ├── cloud-security-integration-java-spring.png ├── images.rd ├── images │ └── HttpClient.drawio.svg ├── java-security.svg ├── oauth.png ├── postman-mtls.png ├── postman-variables.png └── spring-xsuaa.svg ├── env ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── config │ │ ├── Environments.java │ │ ├── OAuth2ServiceConfigurationBuilder.java │ │ ├── ServiceBindingEnvironment.java │ │ └── ServiceBindingMapper.java │ │ └── json │ │ └── DefaultJsonObject.java │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── config │ │ ├── EnvironmentsTest.java │ │ ├── OAuth2ServiceConfigurationBuilderTest.java │ │ ├── ServiceBindingEnvironmentTest.java │ │ └── ServiceBindingMapperDomainsTest.java │ │ └── json │ │ └── DefaultJsonObjectTest.java │ └── resources │ ├── simplelogger.properties │ ├── vcapIasServiceDomainsMissing.json │ ├── vcapIasServiceSingleBinding.json │ ├── vcapUnknownServicePlan.json │ ├── vcapXsuaaServiceMultipleApplicationPlanBindings.json │ ├── vcapXsuaaServiceMultipleBindings.json │ ├── vcapXsuaaServiceSingleBinding.json │ └── vcapXsuaaXsaSingleBinding.json ├── etc ├── JavaLibFormatting.xml └── suppression.xml ├── java-api ├── README.md ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── annotation │ │ └── Beta.java │ │ ├── config │ │ ├── CacheConfiguration.java │ │ ├── ClientCertificate.java │ │ ├── ClientCredentials.java │ │ ├── ClientIdentity.java │ │ 
├── CredentialType.java │ │ ├── Environment.java │ │ ├── OAuth2ServiceConfiguration.java │ │ ├── Service.java │ │ └── ServiceConstants.java │ │ ├── json │ │ ├── JsonObject.java │ │ └── JsonParsingException.java │ │ ├── servlet │ │ ├── MDCHelper.java │ │ ├── TokenAuthenticationResult.java │ │ └── TokenAuthenticator.java │ │ ├── token │ │ ├── AccessToken.java │ │ ├── GrantType.java │ │ ├── InvalidTokenException.java │ │ ├── ProviderNotFoundException.java │ │ ├── SecurityContext.java │ │ ├── Token.java │ │ ├── TokenClaims.java │ │ ├── TokenFactory.java │ │ ├── TokenHeader.java │ │ └── validation │ │ │ ├── TestIssuerValidator.java │ │ │ └── XsuaaJkuFactory.java │ │ └── x509 │ │ ├── Certificate.java │ │ ├── InvalidCertificateException.java │ │ ├── X509Constants.java │ │ └── X509Parser.java │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── config │ │ ├── ClientCredentialsTest.java │ │ ├── ClientIdentityTest.java │ │ ├── CredentialTypeTest.java │ │ └── ServiceTest.java │ │ ├── servlet │ │ └── HybridTokenFactory.java │ │ ├── token │ │ ├── TokenTest.java │ │ └── test │ │ │ └── CustomTokenFactory.java │ │ └── x509 │ │ └── X509ParserTest.java │ └── resources │ ├── META-INF │ └── services │ │ └── com.sap.cloud.security.token.TokenFactory │ ├── cf-forwarded-client-cert-base64.txt │ └── k8s-forwarded-client-cert-pem.txt ├── java-security-it ├── pom.xml └── src │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── test │ │ ├── integration │ │ ├── IasIntegrationTest.java │ │ ├── XsuaaIntegrationTest.java │ │ ├── XsuaaMultipleBindingsIntegrationTest.java │ │ └── ssrf │ │ │ ├── JavaSSRFAttackTest.java │ │ │ └── SpringSSRFAttackTest.java │ │ └── performance │ │ ├── JavaSecurityPerformanceIT.java │ │ ├── SpringSecurityPerformanceIT.java │ │ ├── SpringXsuaaPerformanceIT.java │ │ └── util │ │ └── BenchmarkUtil.java │ └── resources │ ├── certificates.txt │ ├── ias-simple │ ├── token.json │ └── vcap_services-single.json │ ├── 
privateRSAKey.txt │ ├── random_private_key.txt │ ├── simplelogger.properties │ ├── uaa │ ├── token.json │ └── vcap_services.json │ ├── vcap_services-multiple.json │ ├── xsa-simple │ ├── token.json │ └── vcap_services-single.json │ └── xsuaa │ ├── token.json │ └── vcap_services-single.json ├── java-security-test ├── README.md ├── pom.xml └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ ├── test │ │ │ ├── ApplicationServerOptions.java │ │ │ ├── JwtGenerator.java │ │ │ ├── RSAKeys.java │ │ │ ├── SecurityFilter.java │ │ │ ├── SecurityTest.java │ │ │ ├── SecurityTestRule.java │ │ │ ├── api │ │ │ │ ├── ApplicationServerConfiguration.java │ │ │ │ ├── SecurityTestContext.java │ │ │ │ └── ServiceMockConfiguration.java │ │ │ ├── extension │ │ │ │ ├── IasExtension.java │ │ │ │ ├── SecurityTestExtension.java │ │ │ │ └── XsuaaExtension.java │ │ │ └── jetty │ │ │ │ └── JettyTokenAuthenticator.java │ │ │ └── token │ │ │ └── validation │ │ │ ├── LocalhostIssuerValidator.java │ │ │ └── XsuaaLocalhostJkuFactory.java │ └── resources │ │ ├── META-INF │ │ └── services │ │ │ ├── com.sap.cloud.security.token.validation.TestIssuerValidator │ │ │ └── com.sap.cloud.security.token.validation.XsuaaJkuFactory │ │ ├── oidcConfigurationTemplate.json │ │ ├── privateKey.txt │ │ ├── publicKey.txt │ │ └── token_keys_template.json │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── test │ │ ├── JwtGeneratorTest.java │ │ ├── RSAKeysTest.java │ │ ├── SecurityTestRuleTest.java │ │ ├── SecurityTestTest.java │ │ └── extension │ │ ├── IasExtensionTest.java │ │ ├── SecurityTestExtensionTest.java │ │ └── XsuaaExtensionTest.java │ └── resources │ ├── claims.json │ ├── token.json │ ├── token_client.json │ ├── token_invalid_alg.json │ ├── token_no_header.json │ └── vcapServices │ └── vcapSimple.json ├── java-security ├── Migration_SAPJavaBuildpackProjects.md ├── Migration_SAPJavaBuildpackProjects_V2.md ├── README.md ├── images │ ├── 
TokenAuthenticator.png │ ├── iasApplication.png │ ├── iasApplication.puml │ ├── xsuaaApplication.png │ ├── xsuaaApplication.puml │ ├── xsuaaFilter.png │ └── xsuaaFilter.puml ├── pom.xml └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ ├── adapter │ │ │ └── spring │ │ │ │ └── SpringSecurityContext.java │ │ │ ├── servlet │ │ │ ├── AbstractTokenAuthenticator.java │ │ │ ├── HybridTokenFactory.java │ │ │ ├── IasTokenAuthenticator.java │ │ │ ├── TokenAuthenticatorResult.java │ │ │ └── XsuaaTokenAuthenticator.java │ │ │ ├── token │ │ │ ├── AbstractToken.java │ │ │ ├── SapIdToken.java │ │ │ ├── ScopeConverter.java │ │ │ ├── XsuaaScopeConverter.java │ │ │ ├── XsuaaToken.java │ │ │ └── validation │ │ │ │ ├── CombiningValidator.java │ │ │ │ ├── ValidationListener.java │ │ │ │ ├── ValidationResult.java │ │ │ │ ├── ValidationResults.java │ │ │ │ ├── Validator.java │ │ │ │ └── validators │ │ │ │ ├── JsonWebKey.java │ │ │ │ ├── JsonWebKeyConstants.java │ │ │ │ ├── JsonWebKeyImpl.java │ │ │ │ ├── JsonWebKeySet.java │ │ │ │ ├── JsonWebKeySetFactory.java │ │ │ │ ├── JwtAudienceValidator.java │ │ │ │ ├── JwtIssuerValidator.java │ │ │ │ ├── JwtSignatureAlgorithm.java │ │ │ │ ├── JwtSignatureValidator.java │ │ │ │ ├── JwtTimestampValidator.java │ │ │ │ ├── JwtValidatorBuilder.java │ │ │ │ ├── JwtX5tValidator.java │ │ │ │ ├── OAuth2TokenKeyServiceWithCache.java │ │ │ │ ├── OidcConfigurationServiceWithCache.java │ │ │ │ ├── SapIdJwtSignatureValidator.java │ │ │ │ ├── TokenKeyCacheConfiguration.java │ │ │ │ └── XsuaaJwtSignatureValidator.java │ │ │ └── x509 │ │ │ └── X509Certificate.java │ └── resources │ │ └── META-INF │ │ └── services │ │ └── com.sap.cloud.security.token.TokenFactory │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── TestConstants.java │ │ ├── adapter │ │ └── spring │ │ │ └── SpringSecurityContextTest.java │ │ ├── core │ │ └── AssertionsTest.java │ │ ├── servlet │ │ ├── 
HybridTokenFactoryTest.java │ │ ├── IasTokenAuthenticatorTest.java │ │ ├── IasTokenAuthenticatorX509Test.java │ │ └── XsuaaTokenAuthenticatorTest.java │ │ ├── token │ │ ├── AbstractTokenTest.java │ │ ├── MockTokenBuilder.java │ │ ├── SapIdTokenTest.java │ │ ├── SecurityContextTest.java │ │ ├── XsuaaScopeConverterTest.java │ │ ├── XsuaaTokenTest.java │ │ └── validation │ │ │ ├── CombiningValidatorTest.java │ │ │ ├── TokenTestValidator.java │ │ │ ├── ValidationResultsTest.java │ │ │ └── validators │ │ │ ├── IdTokenSignatureValidatorTest.java │ │ │ ├── JsonWebKeySetFactoryTest.java │ │ │ ├── JsonWebKeySetTest.java │ │ │ ├── JsonWebKeyTest.java │ │ │ ├── JsonWebKeyTestFactory.java │ │ │ ├── JwtAudienceValidatorTest.java │ │ │ ├── JwtIssuerValidatorTest.java │ │ │ ├── JwtTimestampValidatorTest.java │ │ │ ├── JwtValidatorBuilderTest.java │ │ │ ├── JwtX5tValidatorTest.java │ │ │ ├── OAuth2TokenKeyServiceWithCacheTest.java │ │ │ ├── OidcConfigurationServiceWithCacheTest.java │ │ │ ├── SapIdJwtSignatureValidatorTest.java │ │ │ ├── XsaJwtSignatureValidatorTest.java │ │ │ └── XsuaaJwtSignatureValidatorTest.java │ │ ├── util │ │ └── HttpClientTestFactory.java │ │ └── x509 │ │ ├── X509CertificateTest.java │ │ └── XfccCertificateTest.java │ └── resources │ ├── cf-forwarded-client-cert-base64.txt │ ├── cf-forwarded-client-cert.txt │ ├── iasJsonWebTokenKeys.json │ ├── iasJsonWebTokenKeys_noKid.json │ ├── iasOidcTokenRSA256.txt │ ├── iasTokenInvalidCnfRSA256.txt │ ├── iasTokenWithCnfRSA256.txt │ ├── jsonWebTokenKeys.json │ ├── mockito-extensions │ └── org.mockito.plugins.MockMaker │ ├── simplelogger.properties │ ├── uaaAccessTokenRSA256.txt │ ├── xsuaaAccessTokenRSA256_signedWithVerificationKey.txt │ ├── xsuaaCCAccessTokenRSA256.txt │ ├── xsuaaJwtBearerTokenRSA256.txt │ └── xsuaaXsaAccessTokenRSA256_signedWithVerificationKey.txt ├── pom.xml ├── samples ├── .gitignore ├── README.md ├── deploy_and_test.py ├── images │ ├── SAP_CP_Cockpit_AssignRoleCollectionToUser.png │ └── 
postman-ssl.png ├── java-security-usage-ias │ ├── Dockerfile │ ├── README.md │ ├── k8s │ │ └── deployment.yml │ ├── manifest.yml │ ├── pom.xml │ └── src │ │ ├── main │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── samples │ │ │ └── ias │ │ │ ├── HealthServlet.java │ │ │ ├── HelloJavaServlet.java │ │ │ └── IasSecurityFilter.java │ │ └── test │ │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── samples │ │ └── ias │ │ └── HelloJavaServletIntegrationTest.java ├── java-security-usage │ ├── Dockerfile │ ├── README.md │ ├── k8s │ │ └── deployment.yml │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── com │ │ │ │ │ └── sap │ │ │ │ │ └── cloud │ │ │ │ │ └── security │ │ │ │ │ └── samples │ │ │ │ │ ├── HealthServlet.java │ │ │ │ │ ├── HelloJavaServlet.java │ │ │ │ │ ├── HelloJavaServletScopeProtected.java │ │ │ │ │ └── XsuaaSecurityFilter.java │ │ │ └── resources │ │ │ │ └── simplelogger.properties │ │ └── test │ │ │ └── java │ │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── samples │ │ │ └── HelloJavaServletIntegrationTest.java │ └── xs-security.json ├── java-tokenclient-usage │ ├── Dockerfile │ ├── README.md │ ├── k8s │ │ └── deployment.yml │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ └── main │ │ │ ├── java │ │ │ └── com │ │ │ │ └── sap │ │ │ │ └── cloud │ │ │ │ └── security │ │ │ │ └── xssec │ │ │ │ └── samples │ │ │ │ └── tokenflow │ │ │ │ └── usage │ │ │ │ └── HelloTokenClientServlet.java │ │ │ └── resources │ │ │ └── simplelogger.properties │ └── xs-security.json ├── k8s-deploy-and-test.sh ├── localEnvironmentSetup.sh ├── sap-java-buildpack-api-usage │ ├── README.md │ ├── approuter │ │ ├── package.json │ │ ├── sap-developer-license.txt │ │ └── xs-app.json │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ └── main │ │ │ ├── java │ │ │ └── sample │ │ │ │ └── sapbuildpack │ │ │ │ └── xsuaa │ │ │ │ └── HelloTokenServlet.java │ │ │ └── webapp │ │ │ └── 
WEB-INF │ │ │ └── web.xml │ └── xs-security.json ├── spring-security-basic-auth │ ├── README.md │ ├── k8s │ │ └── deployment.yml │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── sample │ │ │ │ │ └── spring │ │ │ │ │ └── xsuaa │ │ │ │ │ ├── Application.java │ │ │ │ │ ├── TestController.java │ │ │ │ │ ├── TokenBrokerResolver.java │ │ │ │ │ └── config │ │ │ │ │ ├── SecurityConfiguration.java │ │ │ │ │ └── TokenBrokerConfiguration.java │ │ │ └── resources │ │ │ │ └── application.yml │ │ └── test │ │ │ ├── java │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── xsuaa │ │ │ │ ├── ApplicationTest.java │ │ │ │ ├── SecurityConfigurationTest.java │ │ │ │ └── config │ │ │ │ ├── TokenBrokerTestConfiguration.java │ │ │ │ └── XsuaaExtensionFixedPort.java │ │ │ └── resources │ │ │ └── application.yml │ └── xs-security.json ├── spring-security-hybrid-usage │ ├── Dockerfile │ ├── README.md │ ├── k8s │ │ └── deployment.yml │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── sample │ │ │ │ │ └── spring │ │ │ │ │ └── security │ │ │ │ │ ├── Application.java │ │ │ │ │ ├── DataService.java │ │ │ │ │ ├── SecurityConfiguration.java │ │ │ │ │ ├── TestController.java │ │ │ │ │ └── XsuaaAuthzConverter.java │ │ │ └── resources │ │ │ │ └── application.yml │ │ └── test │ │ │ ├── java │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── security │ │ │ │ ├── ApplicationTest.java │ │ │ │ ├── TestControllerTest.java │ │ │ │ ├── junitjupiter │ │ │ │ ├── ApplicationTest.java │ │ │ │ ├── TestControllerIasTest.java │ │ │ │ └── TestControllerXsuaaTest.java │ │ │ │ └── util │ │ │ │ └── MockBearerTokenRequestPostProcessor.java │ │ │ └── resources │ │ │ ├── application.yml │ │ │ ├── broker-token.json │ │ │ └── iasClaims.json │ ├── xs-security-broker.json │ └── xs-security.json ├── spring-security-xsuaa-usage │ ├── README.md │ ├── approuter │ │ ├── package.json │ │ ├── resources │ │ │ └── index.html │ │ ├── sap-developer-license.txt │ │ └── xs-app.json 
│ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── sample │ │ │ │ │ └── spring │ │ │ │ │ └── xsuaa │ │ │ │ │ ├── Application.java │ │ │ │ │ ├── DataService.java │ │ │ │ │ ├── SecurityConfiguration.java │ │ │ │ │ └── TestController.java │ │ │ └── resources │ │ │ │ └── application.yml │ │ └── test │ │ │ └── java │ │ │ └── sample │ │ │ └── spring │ │ │ └── xsuaa │ │ │ ├── ApplicationTest.java │ │ │ ├── TestControllerTest.java │ │ │ └── junitjupiter │ │ │ ├── ApplicationTest.java │ │ │ └── TestControllerTest.java │ ├── xs-security-deprecated.json │ └── xs-security.json ├── spring-webflux-security-hybrid-usage │ ├── README.md │ ├── approuter │ │ ├── package.json │ │ ├── resources │ │ │ └── index.html │ │ ├── sap-developer-license.txt │ │ └── xs-app.json │ ├── ias-security.json │ ├── manifest.yml │ ├── pom.xml │ ├── src │ │ ├── main │ │ │ ├── java │ │ │ │ └── sample │ │ │ │ │ └── spring │ │ │ │ │ └── webflux │ │ │ │ │ └── hybrid │ │ │ │ │ ├── Application.java │ │ │ │ │ ├── SecurityConfiguration.java │ │ │ │ │ └── TestController.java │ │ │ └── resources │ │ │ │ └── application.yml │ │ └── test │ │ │ ├── java │ │ │ └── sample │ │ │ │ └── spring │ │ │ │ └── webflux │ │ │ │ └── hybrid │ │ │ │ ├── ApplicationTest.java │ │ │ │ ├── TestControllerTestIas.java │ │ │ │ └── TestControllerTestXsuaa.java │ │ │ └── resources │ │ │ ├── application.yml │ │ │ ├── iasClaims.json │ │ │ └── mockServer │ │ │ └── jwks.json │ └── xs-security.json └── vars.yml ├── spring-security-compatibility ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── comp │ │ └── XsuaaTokenComp.java │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── comp │ │ └── XsuaaTokenCompTest.java │ └── resources │ ├── saml.json │ └── token_cc.txt ├── spring-security-starter ├── pom.xml └── src │ └── main │ └── resources │ └── META-INF │ ├── spring.factories │ └── spring │ └── 
org.springframework.boot.autoconfigure.AutoConfiguration.imports ├── spring-security ├── Migration_SpringXsuaaProjects.md ├── README.md ├── images │ └── TokenInterfaces.drawio.svg ├── pom.xml └── src │ ├── main │ └── java │ │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── spring │ │ ├── autoconfig │ │ ├── Conditions.java │ │ ├── HybridAuthorizationAutoConfiguration.java │ │ ├── HybridIdentityServicesAutoConfiguration.java │ │ ├── HybridIdentityServicesProofTokenAutoConfiguration.java │ │ ├── SapSecurityProperties.java │ │ ├── SecurityContextEnvironmentPostProcessor.java │ │ └── XsuaaTokenFlowAutoConfiguration.java │ │ ├── config │ │ ├── IdentityServiceConfiguration.java │ │ ├── IdentityServicesPropertySourceFactory.java │ │ ├── OAuth2ServiceConfigurationProperties.java │ │ ├── SpringTokenClientConfiguration.java │ │ ├── XsuaaServiceConfiguration.java │ │ └── XsuaaServiceConfigurations.java │ │ └── token │ │ ├── ReactiveSecurityContext.java │ │ ├── SpringSecurityContext.java │ │ └── authentication │ │ ├── AuthenticationToken.java │ │ ├── HybridJwtDecoder.java │ │ ├── IasJwtDecoder.java │ │ ├── JavaSecurityContextHolderStrategy.java │ │ ├── JwtDecoderBuilder.java │ │ ├── ReactiveHybridJwtDecoder.java │ │ └── XsuaaTokenAuthorizationConverter.java │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── spring │ │ ├── autoconfig │ │ ├── HybridAuthorizationAutoConfigurationTest.java │ │ ├── HybridIdentityServicesAutoConfigurationTest.java │ │ ├── SecurityContextEnvironmentPostProcessorTest.java │ │ └── XsuaaTokenFlowAutoConfigurationTest.java │ │ ├── config │ │ ├── ConfigurationAssertions.java │ │ ├── IdentityServiceConfigurationTest.java │ │ ├── IdentityServicesPropertySourceFactoryBrokerNoHoleTest.java │ │ ├── IdentityServicesPropertySourceFactoryFourXsuaaOneIasTest.java │ │ ├── IdentityServicesPropertySourceFactoryTest.java │ │ ├── OAuth2ServiceConfigurationPropertiesTest.java │ │ ├── SpringTokenClientConfigurationTest.java │ │ 
├── XsuaaServiceConfigurationLoadingIntegrationTest.java │ │ ├── XsuaaServiceConfigurationTest.java │ │ ├── XsuaaServiceConfigurationsLoadingIntegrationTest.java │ │ └── XsuaaServiceConfigurationsTest.java │ │ └── token │ │ ├── ReactiveSecurityContextTest.java │ │ ├── SpringSecurityContextTest.java │ │ └── authentication │ │ ├── AuthenticationTokenTest.java │ │ ├── HybridJwtDecoderTest.java │ │ ├── IasJwtDecoderTest.java │ │ ├── JwtDecoderBuilderTest.java │ │ ├── ReactiveHybridJwtDecoderTest.java │ │ └── XsuaaTokenAuthorizationConverterTest.java │ └── resources │ ├── certificate.txt │ ├── fourXsuaaBindingsAndOneIasBinding.json │ ├── key.txt │ ├── saml.json │ ├── singleXsuaaAndIasBinding.json │ ├── token_cc.txt │ └── xsuaaBindingsTwoApplicationsNoBroker.json ├── spring-xsuaa-it ├── pom.xml └── src │ ├── main │ ├── java │ │ ├── com │ │ │ └── sap │ │ │ │ └── cloud │ │ │ │ └── security │ │ │ │ └── xsuaa │ │ │ │ └── mock │ │ │ │ └── JWTUtil.java │ │ └── testservice │ │ │ └── api │ │ │ ├── XsuaaITApplication.java │ │ │ ├── nohttp │ │ │ ├── MyEventHandler.java │ │ │ └── SecurityConfiguration.java │ │ │ └── v1 │ │ │ ├── SecurityConfiguration.java │ │ │ └── TestController.java │ └── resources │ │ ├── application.yml │ │ ├── cc.txt │ │ ├── claims_template.txt │ │ ├── claims_templateMultiTenancy.txt │ │ ├── expired.txt │ │ ├── insufficient_scoped.txt │ │ ├── password.txt │ │ └── saml.txt │ └── test │ ├── java │ └── testservice │ │ └── api │ │ ├── MockXsuaaServerConfiguration.java │ │ ├── XsuaaRequestDispatcher.java │ │ ├── nohttp │ │ ├── InitializeSpringSecurityContextTest.java │ │ └── XsuaaJwtDecoderTest.java │ │ └── v1 │ │ └── XsuaaTokenValidationTest.java │ └── resources │ └── mockServer │ ├── otherdomain_token_keys.json │ ├── publicKey.txt │ └── testdomain_token_keys.json ├── spring-xsuaa-starter ├── pom.xml └── src │ └── main │ └── resources │ └── META-INF │ └── spring │ └── org.springframework.boot.autoconfigure.AutoConfiguration.imports ├── spring-xsuaa-test ├── 
README.md ├── pom.xml └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── xsuaa │ │ │ └── test │ │ │ ├── JwtGenerator.java │ │ │ └── jwt │ │ │ ├── Base64JwtDecoder.java │ │ │ └── DecodedJwt.java │ └── resources │ │ ├── spring-xsuaa-privateKey.txt │ │ └── spring-xsuaa-publicKey.txt │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ └── test │ │ ├── JwtGeneratorTest.java │ │ └── TestConstants.java │ └── resources │ ├── claims_template.txt │ └── token_cc.txt ├── spring-xsuaa ├── Migration_JavaContainerSecurityProjects.md ├── README.md ├── pom.xml └── src │ ├── main │ ├── java │ │ └── com │ │ │ └── sap │ │ │ └── cloud │ │ │ └── security │ │ │ └── xsuaa │ │ │ ├── XsuaaCredentials.java │ │ │ ├── XsuaaServiceConfiguration.java │ │ │ ├── XsuaaServiceConfigurationCustom.java │ │ │ ├── XsuaaServiceConfigurationDefault.java │ │ │ ├── XsuaaServicePropertySourceFactory.java │ │ │ ├── autoconfiguration │ │ │ ├── XsuaaAutoConfiguration.java │ │ │ ├── XsuaaResourceServerJwkAutoConfiguration.java │ │ │ └── XsuaaTokenFlowAutoConfiguration.java │ │ │ ├── extractor │ │ │ ├── AuthoritiesExtractor.java │ │ │ ├── DefaultAuthoritiesExtractor.java │ │ │ ├── IasToken.java │ │ │ ├── LocalAuthoritiesExtractor.java │ │ │ └── TokenUtil.java │ │ │ └── token │ │ │ ├── AuthenticationToken.java │ │ │ ├── OAuth2Principal.java │ │ │ ├── ReactiveSecurityContext.java │ │ │ ├── ReactiveTokenAuthenticationConverter.java │ │ │ ├── SpringSecurityContext.java │ │ │ ├── Token.java │ │ │ ├── TokenAuthenticationConverter.java │ │ │ ├── TokenClaims.java │ │ │ ├── XsuaaToken.java │ │ │ └── authentication │ │ │ ├── PostValidationAction.java │ │ │ ├── ReactiveXsuaaJwtDecoder.java │ │ │ ├── TokenInfoExtractor.java │ │ │ ├── XsuaaAudienceValidator.java │ │ │ ├── XsuaaJwtDecoder.java │ │ │ ├── XsuaaJwtDecoderBuilder.java │ │ │ └── httpclient │ │ │ ├── DefaultSpringHttpClientFactory.java │ │ │ └── SpringHttpClientFactory.java │ 
└── resources │ │ └── META-INF │ │ └── services │ │ └── com.sap.cloud.security.xsuaa.token.authentication.httpclient.SpringHttpClientFactory │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ └── xsuaa │ │ ├── CustomPropertySourceFactoryTest.java │ │ ├── DummyXsuaaServiceConfiguration.java │ │ ├── XsuaaServiceConfigurationCustomTest.java │ │ ├── XsuaaServiceConfigurationDefaultTest.java │ │ ├── XsuaaServiceConfigurationFromEnvTest.java │ │ ├── XsuaaServicePropertySourceFactoryMultipleBindingsTest.java │ │ ├── XsuaaServicePropertySourceFactoryTest.java │ │ ├── autoconfiguration │ │ ├── XsuaaAutoConfigurationTest.java │ │ ├── XsuaaResourceServerJwkAutoConfigurationTest.java │ │ └── XsuaaTokenFlowAutoConfigurationTest.java │ │ ├── extractor │ │ ├── IasTokenTest.java │ │ ├── LocalAuthoritiesExtractorTest.java │ │ └── TokenUtilTest.java │ │ └── token │ │ ├── ReactiveSecurityContextTest.java │ │ ├── SpringSecurityContextTest.java │ │ ├── TokenAuthenticationConverterTest.java │ │ ├── XsuaaLocalhostJkuFactory.java │ │ ├── XsuaaTokenTest.java │ │ └── authentication │ │ ├── XsuaaAudienceValidatorForCloneTokenTest.java │ │ ├── XsuaaAudienceValidatorTest.java │ │ └── XsuaaJwtDecoderTest.java │ └── resources │ ├── META-INF │ └── services │ │ └── com.sap.cloud.security.token.validation.XsuaaJkuFactory │ ├── XsuaaJwtDecoderTest.properties │ ├── accessTokenRSA256WithVerificationKey.txt │ ├── audience_1.txt │ ├── audience_2.txt │ ├── audience_3.txt │ ├── audience_4.txt │ ├── certificate.txt │ ├── claims_template.txt │ ├── claims_templateMultiTenancy.txt │ ├── correctEndUserToken.txt │ ├── correctEndUserTokenUaaUser.txt │ ├── jwks.json │ ├── key.txt │ ├── saml.txt │ ├── token_cc.txt │ ├── token_cc_noattr.txt │ ├── token_user.txt │ ├── token_user_noattr.txt │ ├── token_xsuaa.txt │ ├── vcap.json │ └── vcap_multipleBindings.json ├── token-client ├── Migration_XSUserInfoRequestToken.md ├── README.md ├── pom.xml └── src │ ├── main │ ├── java │ │ └── com │ │ │ 
└── sap │ │ │ └── cloud │ │ │ └── security │ │ │ ├── client │ │ │ ├── DefaultHttpClientFactory.java │ │ │ ├── DefaultTokenClientConfiguration.java │ │ │ ├── HttpClientException.java │ │ │ └── HttpClientFactory.java │ │ │ ├── mtls │ │ │ ├── MinimalDERParser.java │ │ │ └── SSLContextFactory.java │ │ │ └── xsuaa │ │ │ ├── Assertions.java │ │ │ ├── client │ │ │ ├── AbstractOAuth2TokenService.java │ │ │ ├── DefaultOAuth2TokenKeyService.java │ │ │ ├── DefaultOAuth2TokenService.java │ │ │ ├── DefaultOidcConfigurationService.java │ │ │ ├── OAuth2ServiceEndpointsProvider.java │ │ │ ├── OAuth2ServiceException.java │ │ │ ├── OAuth2TokenKeyService.java │ │ │ ├── OAuth2TokenResponse.java │ │ │ ├── OAuth2TokenService.java │ │ │ ├── OAuth2TokenServiceConstants.java │ │ │ ├── OidcConfigurationService.java │ │ │ ├── RequestParameterBuilder.java │ │ │ ├── SpringOAuth2TokenKeyService.java │ │ │ ├── SpringOidcConfigurationService.java │ │ │ ├── XsuaaDefaultEndpoints.java │ │ │ └── XsuaaOAuth2TokenService.java │ │ │ ├── http │ │ │ ├── HttpHeader.java │ │ │ ├── HttpHeaders.java │ │ │ ├── HttpHeadersFactory.java │ │ │ └── MediaType.java │ │ │ ├── jwt │ │ │ ├── Base64JwtDecoder.java │ │ │ └── DecodedJwt.java │ │ │ ├── tokenflows │ │ │ ├── Cacheable.java │ │ │ ├── ClientCredentialsTokenFlow.java │ │ │ ├── JwtBearerTokenFlow.java │ │ │ ├── PasswordTokenFlow.java │ │ │ ├── RefreshTokenFlow.java │ │ │ ├── TokenCacheConfiguration.java │ │ │ ├── TokenFlowException.java │ │ │ ├── XsuaaTokenFlows.java │ │ │ └── XsuaaTokenFlowsUtils.java │ │ │ └── util │ │ │ ├── HttpClientUtil.java │ │ │ └── UriUtil.java │ └── resources │ │ ├── META-INF │ │ └── services │ │ │ └── com.sap.cloud.security.client.HttpClientFactory │ │ └── token-client.properties │ └── test │ ├── java │ └── com │ │ └── sap │ │ └── cloud │ │ └── security │ │ ├── client │ │ ├── DefaultHttpClientFactoryTest.java │ │ ├── DefaultTokenClientConfigurationTest.java │ │ ├── HttpClientFactoryTest.java │ │ └── TestHttpClientFactory.java │ │ ├── 
mtls │ │ └── SSLContextFactoryTest.java │ │ └── xsuaa │ │ ├── AssertionsTest.java │ │ ├── client │ │ ├── AbstractOAuth2TokenServiceTest.java │ │ ├── DefaultOAuth2TokenKeyServiceTest.java │ │ ├── DefaultOAuth2TokenServiceTest.java │ │ ├── DefaultOidcConfigurationServiceTest.java │ │ ├── OAuth2ServiceExceptionTest.java │ │ ├── OAuth2TokenResponseTest.java │ │ ├── SpringOAuth2TokenKeyServiceTest.java │ │ ├── SpringOidcConfigurationServiceTest.java │ │ ├── TokenServiceHttpEntityMatcher.java │ │ ├── XsuaaDefaultEndpointsTest.java │ │ ├── XsuaaOAuth2TokenServiceClientCredentialsTest.java │ │ ├── XsuaaOAuth2TokenServiceJwtBearerTokenTest.java │ │ ├── XsuaaOAuth2TokenServicePasswordTest.java │ │ ├── XsuaaOAuth2TokenServiceRefreshTokenTest.java │ │ └── XsuaaOAuth2TokenServiceTest.java │ │ ├── http │ │ ├── HttpHeadersFactoryTest.java │ │ └── HttpHeadersTest.java │ │ ├── jwt │ │ └── Base64JwtDecoderTest.java │ │ ├── tokenflows │ │ ├── ClientCredentialsTokenFlowTest.java │ │ ├── JwtBearerTokenFlowTest.java │ │ ├── PasswordTokenFlowTest.java │ │ ├── RefreshTokenFlowTest.java │ │ ├── TestConstants.java │ │ ├── TokenFlowExceptionTest.java │ │ └── XsuaaTokenFlowsTest.java │ │ └── util │ │ ├── HttpClientTestFactory.java │ │ └── UriUtilTest.java │ └── resources │ ├── META-INF │ └── services │ │ └── com.sap.cloud.security.client.HttpClientFactory │ ├── cert-ztis.pem │ ├── certificates.txt │ ├── iasJsonWebTokenKeys.json │ ├── jsonWebTokenKeys.json │ ├── key-ztis.pem │ ├── mockito-extensions │ └── org.mockito.plugins.MockMaker │ ├── oidcConfiguration.json │ ├── privateRSAKey.txt │ └── privateRSAKeyCorrupt.txt └── troubleshooting ├── README.md └── logcollector ├── README.md ├── cf-logcollector.ps1 └── cf-logcollector.sh /.git-blame-ignore-revs: -------------------------------------------------------------------------------- 1 | # Run this command to always ignore formatting commits in `git blame` 2 | # git config blame.ignoreRevsFile .git-blame-ignore-revs 3 | 4 | 5 | # formatting 6 | 
a0c280842680242b40220087833031052aefa319 7 | c93dfaebaa65f3dd5b2913f102ec8eda1d62ccb7 8 | 7b4bd5a145d5bf0ef5331ab69bbd84253f7dd1ba 9 | -------------------------------------------------------------------------------- /.github/ISSUE_TEMPLATE/support.md: -------------------------------------------------------------------------------- 1 | --- 2 | name: How to get Support 3 | about: Learn how to get support via SAP official channels 4 | title: "--- DO NOT CREATE THIS ISSUE ---" 5 | labels: invalid 6 | assignees: '' 7 | 8 | --- 9 | 10 | **Support is no longer provided via the Issues feature in this Github repository.** 11 | 12 | Please use SAP official support channels to get support under component BC-CP-CF-SEC-LIB or Security Client Libraries. 13 | 14 | Before opening support tickets, please check the Troubleshooting and Common Pitfalls sections first in addition to the READMEs of the modules that you are using from this repository. 15 | 16 | Make sure to include the following mandatory information to get a response: 17 | 18 | - List of module(s) of this library used by your application (java-security, spring-security, spring-xsuaa etc...) and version of this library installed in your application.\ 19 | *Alternative*: maven dependency tree 20 | - Auth service set-up of your application (XSUAA, IAS, XSUAA+IAS, IAS+AMS, etc.) 21 | - For exceptions: Stack trace that includes the executed code locations of this library that lead to the exception 22 | - For unexpected 401 / 403 response codes: relevant log output of this library with active DEBUG flag (see module READMEs for a guide how to enable it) 23 | - Steps you have tried to fix the problem 24 | - Reason why you believe a bug in this library is causing your problem 25 | 26 | Unfortunately, we can **NOT** offer consulting via support channels. 
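--------------------------------------------------------------------------------
/.github/dependabot.yml:
--------------------------------------------------------------------------------
version: 2
updates:
  - package-ecosystem: maven
    directory: "/"
    schedule:
      interval: daily
      time: "06:00"
      timezone: Etc/UTC
    reviewers:
      - "kuntzed"
      - "NiklasHerrmann21"
    open-pull-requests-limit: 10
  # Supply-chain hygiene for the CI itself: without this ecosystem the action tags referenced
  # in .github/workflows are never bumped by Dependabot, which is how the workflows ended up on
  # unmaintained action majors. Pin the `uses:` lines to full commit SHAs (a mutable tag can be
  # moved by whoever controls the upstream repository) and let this entry refresh the pins.
  - package-ecosystem: github-actions
    directory: "/"
    schedule:
      interval: daily
      time: "06:00"
      timezone: Etc/UTC
    reviewers:
      - "kuntzed"
      - "NiklasHerrmann21"
    open-pull-requests-limit: 10
--------------------------------------------------------------------------------
/.github/workflows/codeql.yml:
--------------------------------------------------------------------------------
name: "CodeQL"

on:
  push:
    branches: [ "main", "fosstars-report", "rel-2.0.1" ]
  pull_request:
    branches: [ "main" ]
  schedule:
    - cron: "10 8 * * 3"

jobs:
  analyze:
    name: Analyze
    runs-on: ubuntu-latest
    # Least-privilege GITHUB_TOKEN for this job: only security-events needs write
    # (SARIF upload); everything else is read-only.
    permissions:
      actions: read
      contents: read
      security-events: write

    strategy:
      fail-fast: false
      matrix:
        language: [ java ]

    steps:
      - name: Set Java Version 17
        # NOTE(review): setup-java@v1 is an unmaintained major on the retired Node 12
        # runtime. v2+ requires an explicit `distribution:` input (vendor choice), so the
        # bump is left to the maintainers; prefer a full commit SHA over a mutable tag.
        uses: actions/setup-java@v1
        with:
          java-version: 17

      - name: Checkout
        # v4 is a drop-in replacement for v3 (runtime bump only, same inputs).
        uses: actions/checkout@v4

      - name: Initialize CodeQL
        # codeql-action v2 is deprecated; v3 keeps the same inputs.
        uses: github/codeql-action/init@v3
        with:
          languages: ${{ matrix.language }}
          queries: +security-and-quality

      - name: Autobuild
        uses: github/codeql-action/autobuild@v3
        if: ${{ matrix.language == 'java' }}

      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@v3
        with:
          category: "/language:${{ matrix.language }}"
--------------------------------------------------------------------------------
/.github/workflows/fosstars-project-report.yml:
--------------------------------------------------------------------------------
name: "Fosstars (Security)"
on:
  workflow_dispatch:
  schedule:
    - cron: "0 0 * * *"

jobs: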
create_fosstars_report: 9 | runs-on: ubuntu-latest 10 | name: "Security rating" 11 | steps: 12 | - uses: actions/checkout@v2.3.4 13 | - uses: SAP/fosstars-rating-core-action@v1.10.0 14 | with: 15 | report-branch: fosstars-report 16 | token: "${{ secrets.GITHUB_TOKEN }}" 17 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Compiled class file 2 | *.class 3 | 4 | # Log file 5 | *.log 6 | 7 | # BlueJ files 8 | *.ctxt 9 | 10 | # Mobile Tools for Java (J2ME) 11 | .mtj.tmp/ 12 | 13 | # Package Files # 14 | *.jar 15 | *.war 16 | *.ear 17 | *.zip 18 | *.tar.gz 19 | *.rar 20 | 21 | # OS generated files 22 | .DS_Store 23 | 24 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 25 | hs_err_pid* 26 | 27 | target 28 | .project 29 | .settings 30 | .classpath 31 | *.iml 32 | bin 33 | 34 | ### IntelliJ IDEA ### 35 | .idea 36 | *.iws 37 | *.ipr 38 | /venv/ 39 | vim.exe.stackdump 40 | 41 | __pycache__/ 42 | /.metadata/ 43 | 44 | ### Misc ### 45 | samples/vars.yml 46 | -------------------------------------------------------------------------------- /REUSE.toml: -------------------------------------------------------------------------------- 1 | version = 1 2 | SPDX-PackageName = "Cloud Security Client Java" 3 | SPDX-PackageSupplier = "SAP SE " 4 | SPDX-PackageDownloadLocation = "https://github.com/SAP/cloud-security-services-integration-library" 5 | 6 | [[annotations]] 7 | path = ["README.md", "CHANGELOG.md", "CONTRIBUTING.md", "CONTRIBUTING_USING_GENAI.md", "**/**.md", "docs/**", ".gitignore", ".git-blame-ignore-revs", "**/.gitignore", "**/src/**", "**/**.png", "**/**.puml", "**/**.svg", "samples/**/index.html", "samples/**/sap-developer-license.txt", "samples/**/**.json", "samples/**/Dockerfile", "samples/**/deployment.yml", "etc/**", ".github/**"] 8 | precedence = "aggregate" 9 | SPDX-FileCopyrightText = 
"2020-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors" 10 | SPDX-License-Identifier = "Apache-2.0" 11 | -------------------------------------------------------------------------------- /docs/cloud-security-integration-java-spring.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/docs/cloud-security-integration-java-spring.png -------------------------------------------------------------------------------- /docs/images.rd: -------------------------------------------------------------------------------- 1 | 2 | -------------------------------------------------------------------------------- /docs/oauth.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/docs/oauth.png -------------------------------------------------------------------------------- /docs/postman-mtls.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/docs/postman-mtls.png -------------------------------------------------------------------------------- /docs/postman-variables.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/docs/postman-variables.png -------------------------------------------------------------------------------- /env/src/test/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | 
org.slf4j.simpleLogger.log.com.sap.cloud.environment.servicebinding: DEBUG -------------------------------------------------------------------------------- /env/src/test/resources/vcapIasServiceDomainsMissing.json: -------------------------------------------------------------------------------- 1 | { 2 | "identity": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientsecret": "clientsecret", 7 | "clientid": "clientid", 8 | "url": "https://myauth.com" 9 | }, 10 | "instance_name": "myservice", 11 | "label": "identity", 12 | "name": "myservice", 13 | "plan": "application", 14 | "provider": null, 15 | "syslog_drain_url": null, 16 | "tags": [], 17 | "volume_mounts": [] 18 | } 19 | ] 20 | } -------------------------------------------------------------------------------- /env/src/test/resources/vcapIasServiceSingleBinding.json: -------------------------------------------------------------------------------- 1 | { 2 | "identity": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientsecret": "pCghfbrLudwzXM2fPq7YSIhujAmpHj_I0DeMKHKRAqs=", 7 | "clientid": "T000310", 8 | "url": "https://myauth.com", 9 | "domains": ["myauth.com", "my.auth.com"] 10 | }, 11 | "instance_name": "myservice", 12 | "label": "identity", 13 | "name": "myservice", 14 | "plan": "application", 15 | "provider": null, 16 | "syslog_drain_url": null, 17 | "tags": [], 18 | "volume_mounts": [] 19 | } 20 | ] 21 | } -------------------------------------------------------------------------------- /env/src/test/resources/vcapUnknownServicePlan.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "apiurl": "https://api.uaadomain.org", 7 | "certificate": "", 8 | "key": "", 9 | "clientid": "sb-xsuaa-unknown!b8066", 10 | "clientsecret": "sppEXArNzp3tccATO99CZsRKESY=", 11 | "identityzone": "id-test-zone", 12 | "identityzoneid": "a179bf0f-5a57-2276-a3f0-94c6d79bd05b", 13 | "sburl": 
"https://internal-xsuaa.uaadomain.org", 14 | "tenantid": "a179bf0f-5a57-2276-a3f0-94c6d79bd05b", 15 | "tenantmode": "dedicated", 16 | "trustedclientidsuffix": "|xsuaa-unknown!b8066", 17 | "uaadomain": "uaadomain.org", 18 | "url": "https://id-test-zone.uaadomain.org", 19 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAABBBQ8AMIIBCgKCAQEAx/jN5v1mp/TVn9nTQoYVIUfCsUDHa3Upr5tDZC7mzlTrN2PnwruzyS7w1Jd+StqwW4/vn87ua2YlZzU8Ob0jR4lbOPCKaHIi0kyNtJXQvQ7LZPG8epQLbx0IIP/WLVVVtB8bL5OWuHma3pUnibbmATtbOh5LksQ2zLMngEjUF52JQyzTpjoQkahp0BNe/drlAqO253keiY63FL6belKjJGmSqdnotSXxB2ym+HQ0ShaNvTFLEvi2+ObkyjGWgFpQaoCcGq0KX0y0mPzOvdFsNT+rBFdkHiK+Jl638Sbim1z9fItFbH9hiVwY37R9rLtH1YKi3PuATMjf/DJ7mUluDQIDAQAB-----END PUBLIC KEY-----", 20 | "xsappname": "xsuaa-unknown!b8066" 21 | }, 22 | "instance_name": "xsuaa-broker", 23 | "label": "xsuaa", 24 | "name": "xsuaa-unknown", 25 | "plan": "unknown", 26 | "provider": null, 27 | "syslog_drain_url": null, 28 | "tags": [ 29 | "xsuaa" 30 | ], 31 | "volume_mounts": [] 32 | } 33 | ] 34 | } -------------------------------------------------------------------------------- /env/src/test/resources/vcapXsuaaServiceSingleBinding.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "name": "example-xsuaa", 5 | "label": "xsuaa", 6 | "binding_name": null, 7 | "instance_name": "my-xsuaa", 8 | "plan": "application", 9 | "provider": null, 10 | "syslog_drain_url": null, 11 | "tags": [ 12 | "xsuaa" 13 | ], 14 | "volume_mounts": [], 15 | "credentials": { 16 | "clientid": "clientId", 17 | "clientsecret": "secret", 18 | "identityzone": "uaa", 19 | "identityzoneid": "uaa", 20 | "sburl": "http://localhost/uaa", 21 | "tenantmode": "dedicated", 22 | "uaadomain": "auth.com", 23 | "url": "https://paastenant.auth.com", 24 | "verificationkey": "-----BEGIN PUBLIC 
KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----", 25 | "xsappname": "java-hello-world" 26 | } 27 | } 28 | ] 29 | } -------------------------------------------------------------------------------- /env/src/test/resources/vcapXsuaaXsaSingleBinding.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "name": "java-uaa", 5 | "label": "xsuaa", 6 | "tags": [ 7 | "xsuaa" 8 | ], 9 | "plan": "space", 10 | "credentials": { 11 | "tenantmode": "dedicated", 12 | "clientid": "sb-java-hello-world!i1", 13 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwOzNGEDK6jNrJcl3L2wstY8SnX9KNo4ic/JtrEQX4U/+749b9y6JlSGOXSKBFJ6alNGHVyPK66SfSgeWHwPjVekdnHYM7bQTyYX1NoSOxqUgvsktIpxeYJLC+J5qJTtnFcjFTRUovKwtCYxlTP4b63b7dWixwc+iSnkuvl4IkZjVTcstK73eTlmVtJDC5DIisPyYOK06qxTPrLC8KlgFA6a0FdPJF9G8s/ElxPHFu7mw6UKn2LTmDlDbADQZLMXGKBw/zg3l5scjxkOCVGTkGvv1ooccqCfYgZAsmsPbQdoZxznSdQTPfaWULnYLo8i5hFXiS1q8agvXHjWpUmWcMwIDAQAB-----END PUBLIC KEY-----", 14 | "xsappname": "java-hello-world!i1", 15 | "identityzone": "uaa", 16 | "identityzoneid": "uaa", 17 | "clientsecret": "fxnWLHqLh6KC0Wp/bbv8Gwbu50OEbpSvVYTiI/kZILsR/dYH8YL2V5tP1buzke9QmqK9AruntTAI\nKu4enzCTNw==", 18 | "url": "https://xsa-test.c.eu-de-2.cloud.sap:30132/uaa-security" 19 | } 20 | } 21 | ] 22 | } -------------------------------------------------------------------------------- /java-api/README.md: -------------------------------------------------------------------------------- 1 | ## Configuration 2 | 3 | ### Maven Dependencies 4 | ```xml 5 | 6 | com.sap.cloud.security 7 | 
java-api 8 | 3.6.0 9 | 10 | ``` 11 | -------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/annotation/Beta.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

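* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.annotation;

import java.lang.annotation.Documented;

/**
 * Signifies that a public API (public class, method or field) is subject to incompatible changes, or even removal, in a
 * future release.
 * <p>
 * The annotation is {@link Documented} so that the instability marker shows up in the generated Javadoc of the
 * annotated element, where API consumers look for it. No {@code @Target} is declared on purpose: the marker stays
 * applicable to any declaration, exactly as before.
 */
@Documented
public @interface Beta {
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/config/CacheConfiguration.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *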

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.config;

import java.time.Duration;

/**
 * Interface used for the configuration of caches.
 * <p>
 * An implementation describes how long an entry lives ({@link #getCacheDuration()}), how many entries are kept
 * ({@link #getCacheSize()}), and whether caching or statistics recording is switched off or on. Both {@code default}
 * methods return {@code false}, i.e. caching is enabled and statistics are disabled unless an implementation overrides
 * them.
 */
public interface CacheConfiguration {

    /**
     * Returns the duration of the expire after write property of the cache. Cached elements are automatically
     * invalidated after this fixed duration has elapsed.
     *
     * @return duration of expire after write.
     */
    Duration getCacheDuration();

    /**
     * Returns the number of elements the cache can hold.
     *
     * @return the size of the cache.
     */
    int getCacheSize();

    /**
     * Caching is disabled when this returns {@code true}. The default is {@code false}, i.e. caching enabled.
     *
     * @return {@code true} if cache is disabled
     */
    default boolean isCacheDisabled() {
        return false;
    }

    /**
     * Returns {@code true} if cache statistics recording has been enabled. If it is enabled, cache statistics might be
     * obtained from the {@code Cacheable}. The default is {@code false}.
     *
     * @return {@code true} if cache statistics is enabled
     */
    default boolean isCacheStatisticsEnabled() {
        return false;
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/config/CredentialType.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.config;

import javax.annotation.Nullable;

/**
 * Constants denoting the credential types of identity OAuth2 configuration.
 * <p>
 * Each constant carries the textual form of the credential type; {@link #from(String)} maps such a text back to the
 * constant, ignoring case.
 */
public enum CredentialType {
    X509("x509"),
    INSTANCE_SECRET("instance-secret"),
    BINDING_SECRET("binding-secret"),
    X509_GENERATED("X509_GENERATED"),
    X509_PROVIDED("X509_PROVIDED"),
    X509_ATTESTED("X509_ATTESTED");

    /** Textual form of the credential type as used in the OAuth2 configuration. */
    private final String value;

    CredentialType(String value) {
        this.value = value;
    }

    /**
     * @return the textual form of this credential type, e.g. {@code "x509"}
     */
    @Override
    public String toString() {
        return value;
    }

    /**
     * Resolves the constant whose textual form equals {@code claimValue}, ignoring case.
     *
     * @param claimValue
     *            textual credential type; may be {@code null}
     * @return the matching constant, or {@code null} if nothing matches (also for {@code null} input)
     */
    @Nullable
    public static CredentialType from(String claimValue) {
        CredentialType match = null;
        for (CredentialType candidate : values()) {
            if (candidate.value.equalsIgnoreCase(claimValue)) {
                match = candidate;
                break;
            }
        }
        return match;
    }

}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/config/Service.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.config;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import javax.annotation.Nullable;

/**
 * Represents a supported identity service.
 * <p>
 * Each constant carries the marketplace name of the service; {@link #from(String)} maps such a name back to the
 * constant, ignoring case.
 */
public enum Service {

    XSUAA("xsuaa"),
    IAS(getIasServiceName());

    /** Name of the service as listed on the Cloud Foundry marketplace. */
    private final String cloudFoundryName;

    Service(String cloudFoundryName) {
        this.cloudFoundryName = cloudFoundryName;
    }

    /**
     * Yields the fixed IAS service name {@code "identity"}. If the obsolete {@code IAS_SERVICE_NAME} environment
     * variable is still set, a warning is logged, but the variable's value is not used. The logger is a local
     * variable because this runs while the enum constants are being initialized, before any static field of
     * {@code Service} has been assigned.
     */
    private static String getIasServiceName() {
        Logger log = LoggerFactory.getLogger(Service.class);
        String obsoleteOverride = System.getenv("IAS_SERVICE_NAME");
        if (obsoleteOverride != null) {
            log.warn(
                    "As of version 2.8.0 IAS_SERVICE_NAME system environment variable is no longer needed. Service 'identity' is available with plan 'application'.");
        }
        return "identity";
    }

    /**
     * Returns the name of the identity service as it appears on Cloud Foundry marketplace.
     *
     * @return name of the identity service in context of Cloud Foundry environment.
     */
    public String getCFName() {
        return cloudFoundryName;
    }

    /**
     * Resolves the service constant from its marketplace name, ignoring case.
     *
     * @param cloudFoundryName
     *            marketplace name; may be {@code null}
     * @return the matching constant, or {@code null} if nothing matches
     */
    @Nullable
    public static Service from(String cloudFoundryName) {
        Service resolved = null;
        for (Service candidate : values()) {
            if (candidate.cloudFoundryName.equalsIgnoreCase(cloudFoundryName)) {
                resolved = candidate;
                break;
            }
        }
        return resolved;
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/json/JsonParsingException.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.json;

/**
 * An extraordinary runtime exception during json parsing.
 * <p>
 * Unchecked on purpose: callers that parse JSON received at runtime (e.g. service bindings or token payloads) are not
 * forced to declare it, so it propagates to the nearest handler.
 */
public class JsonParsingException extends RuntimeException {

    /**
     * @param message
     *            description of the parsing problem
     */
    public JsonParsingException(String message) {
        super(message);
    }

    /**
     * @param message
     *            description of the parsing problem
     * @param cause
     *            the underlying parser exception, kept for diagnostics
     */
    public JsonParsingException(String message, Throwable cause) {
        super(message, cause);
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/servlet/MDCHelper.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.servlet;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.MDC;

import java.util.UUID;

/**
 * The Mapped Diagnostic Context helper class.
 * <p>
 * Holds the MDC key and HTTP header name used for request correlation and resolves a correlation id for the current
 * thread.
 */
public final class MDCHelper {

    /** MDC key under which the correlation id is looked up. */
    public static final String CORRELATION_ID = "correlation_id";
    /**
     * HTTP header carrying the correlation id. NOTE(review): this class does not read the header itself; wherever a
     * caller copies the header into the MDC, the value is client-supplied and should be length-limited and sanitized
     * before it reaches the logs.
     */
    public static final String CORRELATION_HEADER = "X-CorrelationID";
    private static final Logger LOGGER = LoggerFactory.getLogger(MDCHelper.class);

    private MDCHelper() {
    }

    /**
     * Gets correlation_id from MDC, if it is missing, new correlation_id will be created.
     * <p>
     * A freshly generated id is only returned; this method does not write it back into the MDC.
     *
     * @return the string of correlation_id
     */
    public static String getOrCreateCorrelationId() {
        String fromMdc = MDC.get(CORRELATION_ID);
        if (fromMdc != null && !fromMdc.isEmpty()) {
            LOGGER.debug("Correlation id (key={}) from MDC: {}", CORRELATION_ID, fromMdc);
            return fromMdc;
        }
        // Nothing usable in the MDC: mint a random id for this request.
        String generated = UUID.randomUUID().toString();
        LOGGER.info("Correlation id (key={}) was not found in the MDC, generating a new one: {}", CORRELATION_ID,
                generated);
        return generated;
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/servlet/TokenAuthenticator.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.servlet;

import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;

/**
 * TokenAuthenticator is used to authenticate a user sending servlet requests to a service via token. It produces a
 * {@link TokenAuthenticationResult}. The result contains the necessary information to perform container specific
 * authentication.
 * <p>
 * See {@code JettyTokenAuthenticator} in the java-security-test library on how this is used with jetty to perform
 * authentication.
 */
public interface TokenAuthenticator {

    /**
     * Performs the authentication for the given request.
     * <p>
     * NOTE(review): the request carries the untrusted token; implementations are expected to report the outcome via
     * the returned result rather than by throwing, but that contract is not spelled out on this interface.
     *
     * @param request
     *            servlet request.
     * @param response
     *            servlet response.
     * @return a {@link TokenAuthenticationResult}.
     */
    TokenAuthenticationResult validateRequest(ServletRequest request, ServletResponse response);
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/GrantType.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

import javax.annotation.Nullable;

/**
 * Constants denoting the grant type of a Jwt access token, as carried e.g. in the {@code grant_type} claim. The core
 * grant types are those of RFC 6749 (client credentials, refresh token, password, authorization code); the bearer
 * assertion grants are defined by RFC 7523 (JWT) and RFC 7522 (SAML 2.0).
 * <p>
 * Note that {@link #from(String)} compares the textual value exactly (case-sensitive), unlike the lookups in
 * {@code CredentialType} and {@code Service}.
 */
public enum GrantType {
    // @formatter:off
    CLIENT_CREDENTIALS("client_credentials"),
    REFRESH_TOKEN("refresh_token"),
    PASSWORD("password"),
    JWT_BEARER("urn:ietf:params:oauth:grant-type:jwt-bearer"),
    SAML2_BEARER("urn:ietf:params:oauth:grant-type:saml2-bearer"),
    /**
     * @deprecated in favor of {@link #JWT_BEARER}.
     */
    @Deprecated
    USER_TOKEN("user_token"),
    /**
     * @deprecated SAP proprietary grant type.
     */
    @Deprecated
    CLIENT_X509("client_x509"),
    AUTHORIZATION_CODE("authorization_code");
    // @formatter:on

    /** Exact textual value of the grant type. */
    private final String claimValue;

    GrantType(String claimValue) {
        this.claimValue = claimValue;
    }

    /**
     * @return the grant type's textual value, e.g. {@code "client_credentials"}
     */
    @Override
    public String toString() {
        return claimValue;
    }

    /**
     * Resolves a grant type from its textual value using an exact, case-sensitive comparison.
     *
     * @param claimName
     *            the textual grant type; may be {@code null}
     * @return the matching constant, or {@code null} if nothing matches
     */
    @Nullable
    public static GrantType from(String claimName) {
        for (GrantType candidate : values()) {
            if (claimName != null && claimName.equals(candidate.claimValue)) {
                return candidate;
            }
        }
        return null;
    }

}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/InvalidTokenException.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

/**
 * Runtime exception during token validation.
 * <p>
 * Unchecked, so a rejected token can surface from deep inside a validation chain without every layer declaring it.
 */
public class InvalidTokenException extends RuntimeException {
    /**
     * @param message
     *            reason the token was rejected; keep it free of the raw token value so it can be logged safely
     */
    public InvalidTokenException(String message) {
        super(message);
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/ProviderNotFoundException.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

/**
 * A dedicated runtime exception for missing implementations in {@link java.util.ServiceLoader} context, i.e. when no
 * provider for a required service interface (such as {@code TokenFactory}) is registered on the classpath.
 */
public class ProviderNotFoundException extends RuntimeException {

    /** Creates the exception without a detail message. */
    public ProviderNotFoundException() {
        super();
    }

    /**
     * @param message
     *            which provider could not be found
     */
    public ProviderNotFoundException(String message) {
        super(message);
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/TokenFactory.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

/**
 * Represents a {@link com.sap.cloud.security.token.Token} creation interface.
 * <p>
 * Implementations are registered as {@link java.util.ServiceLoader} providers (see the
 * {@code META-INF/services/com.sap.cloud.security.token.TokenFactory} file in the test resources for an example).
 */
public interface TokenFactory {

    /**
     * Returns a token interface for the given JWT token
     * <p>
     * NOTE(review): nothing on this interface implies that the token has been validated; callers should treat the
     * returned instance as unverified until a validator has accepted it.
     *
     * @param jwtToken
     *            the encoded JWT token, e.g. from the Authorization Header
     * @return the new token instance
     */
    Token create(String jwtToken);

}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/TokenHeader.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

/**
 * Constants denoting Jwt header parameters. See
 * <a href="https://tools.ietf.org/html/rfc7515#section-4">RFC 7515, section 4</a>.
 */
public final class TokenHeader {
    private TokenHeader() {
        throw new IllegalStateException("Utility class");
    }

    public static final String ALGORITHM = "alg"; // Algorithm Header Parameter
    // JWK Set URL Header Parameter. NOTE(review): the value comes from the unverified token, so key material must
    // only be fetched from it after the URL has been checked against the configured trusted domain.
    public static final String JWKS_URL = "jku";
    public static final String KEY_ID = "kid"; // Key ID Header Parameter
    public static final String TYPE = "typ"; // Type Header Parameter
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/validation/TestIssuerValidator.java: --------------------------------------------------------------------------------
package com.sap.cloud.security.token.validation;

/**
 * This interface is for INTERNAL usage only to add backward-compatibility for test credentials with trusted domain
 * 'localhost' to the issuer validation.
 * <p>
 * NOTE(review): an implementation that accepts 'localhost' relaxes issuer validation and must stay confined to test
 * setups; it must not be picked up by a production issuer validator.
 */
public interface TestIssuerValidator {
    /**
     * @param issuer
     *            the issuer value taken from the token
     * @return {@code true} if the issuer is acceptable under the test-compatibility rules
     */
    boolean isValidIssuer(String issuer);
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/token/validation/XsuaaJkuFactory.java: --------------------------------------------------------------------------------
package com.sap.cloud.security.token.validation;

/**
 * This interface is for INTERNAL usage only to add backward-compatibility for test credentials with uaadomain
 * 'localhost' during JKU construction.
 * <p>
 * NOTE(review): same caveat as for {@code TestIssuerValidator} — a JKU built for 'localhost' is a test-only
 * relaxation of where signing keys are fetched from.
 */
public interface XsuaaJkuFactory {
    /**
     * @param token
     *            the encoded token for which the JWK Set URL is built
     * @return the JKU to fetch the signing keys from
     */
    String create(String token);
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/x509/Certificate.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.x509;

import java.util.Map;

/**
 * Represents mTLS certificate, i.e. the client certificate presented on a mutually authenticated TLS connection.
 */
public interface Certificate {

    /**
     * Gets certificate 'x5t' thumbprint which is a base64url-encoded SHA-1 thumbprint (a.k.a. digest) of the DER
     * encoding of an X.509 certificate.
     * <p>
     * NOTE(review): SHA-1 is what the x5t definition prescribes; the thumbprint serves to match a presented
     * certificate against an expected value, not to replace validation of the certificate itself.
     *
     * @return the thumbprint
     * @throws InvalidCertificateException
     *             if error occurs while encoding X509 certificate or when a particular cryptographic algorithm is not supported
     * @see <a href="https://tools.ietf.org/html/rfc7515#section-4.1.7">x5t</a>
     */
    String getThumbprint() throws InvalidCertificateException;

    /**
     * Gets certificate subject DN.
     *
     * @return the subject DN string without blanks
     */
    String getSubjectDN();

    /**
     * Gets certificate subject DN map.
     * <p>
     * NOTE(review): declared as a raw {@code Map} here; the intended type parameters are not visible on this page
     * (presumably String keys and String values, judging by the examples below).
     *
     * @return the subject DN map with entries such as ["CN"]["common name"], or ["OU"]["1234-5678"]
     */
    Map getSubjectDNMap();

}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/x509/InvalidCertificateException.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.x509;

/**
 * Runtime exception during certificate parsing and validation.
 */
public class InvalidCertificateException extends RuntimeException {
    /**
     * @param message
     *            description of the certificate problem
     * @param e
     *            the underlying parsing or cryptographic exception, kept as the cause
     */
    public InvalidCertificateException(String message, Exception e) {
        super(message, e);
    }

    /**
     * @param message
     *            description of the certificate problem
     */
    public InvalidCertificateException(String message) {
        super(message);
    }
}
-------------------------------------------------------------------------------- /java-api/src/main/java/com/sap/cloud/security/x509/X509Constants.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.x509;

/**
 * Constants for the HTTP header through which a forwarded client certificate reaches the application (presumably
 * populated by the platform proxy that terminates mTLS).
 * <p>
 * NOTE(review): a forwarded-certificate header is only trustworthy when it is set by a trusted proxy and cannot be
 * supplied by the client directly; code reading this header should only do so behind such a proxy.
 */
public final class X509Constants {

    private X509Constants() {
    }

    /** Name of the header carrying the forwarded client certificate. */
    public static final String FWD_CLIENT_CERT_HEADER = "x-forwarded-client-cert";
    /** Key used alongside the forwarded certificate; its exact semantics are not visible on this page. */
    public static final String FWD_CLIENT_CERT_SUB = "cert-sub";
}
-------------------------------------------------------------------------------- /java-api/src/test/java/com/sap/cloud/security/config/CredentialTypeTest.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

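* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.config;

import org.junit.Assert;
import org.junit.Test;

/**
 * Unit tests for {@link CredentialType#from(String)}: every constant resolves from its textual value, the comparison
 * ignores case, and values that do not map to a constant (including {@code null}) yield {@code null}.
 */
public class CredentialTypeTest {

    @Test
    public void from() {
        Assert.assertEquals(CredentialType.X509, CredentialType.from("x509"));
        Assert.assertEquals(CredentialType.X509_GENERATED, CredentialType.from("X509_GENERATED"));
        Assert.assertEquals(CredentialType.X509_PROVIDED, CredentialType.from("X509_PROVIDED"));
        Assert.assertEquals(CredentialType.X509_ATTESTED, CredentialType.from("X509_ATTESTED"));
        Assert.assertEquals(CredentialType.X509_ATTESTED, CredentialType.from("x509_attested"));
        Assert.assertEquals(CredentialType.INSTANCE_SECRET, CredentialType.from("instance-secret"));
        Assert.assertEquals(CredentialType.BINDING_SECRET, CredentialType.from("binding-secret"));
    }

    /** Unknown, empty or missing values must map to {@code null} rather than to any constant. */
    @Test
    public void from_unknownOrNullValue_returnsNull() {
        Assert.assertNull(CredentialType.from("unknown"));
        Assert.assertNull(CredentialType.from(""));
        Assert.assertNull(CredentialType.from(null));
    }
}
-------------------------------------------------------------------------------- /java-api/src/test/java/com/sap/cloud/security/config/ServiceTest.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *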

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.config;

import org.junit.Test;

import static org.assertj.core.api.Assertions.assertThat;

/**
 * Unit tests for {@link Service#getCFName()}: both constants report their Cloud Foundry marketplace names.
 */
public class ServiceTest {

    @Test
    public void getCFNameOfIas_shouldReturnCorrectName() {
        assertThat(Service.IAS.getCFName()).isEqualTo("identity");
    }

    @Test
    public void getCFNameOfXsuaa_shouldReturnCorrectName() {
        assertThat(Service.XSUAA.getCFName()).isEqualTo("xsuaa");
    }

}
-------------------------------------------------------------------------------- /java-api/src/test/java/com/sap/cloud/security/servlet/HybridTokenFactory.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.servlet;

import com.sap.cloud.security.token.AccessToken;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenFactory;
import org.mockito.Mockito;

/**
 * Test-only {@link TokenFactory} that ignores the encoded token and returns a Mockito mock of {@link AccessToken}. It
 * is registered as the first provider in the test resources' {@code META-INF/services} file for {@code TokenFactory}.
 */
public class HybridTokenFactory implements TokenFactory {

    @Override
    public Token create(String jwtToken) {
        // The argument is deliberately not parsed; the mock's class name is what the tests inspect.
        return Mockito.mock(AccessToken.class);
    }
}
-------------------------------------------------------------------------------- /java-api/src/test/java/com/sap/cloud/security/token/TokenTest.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

import org.junit.Test;

import static org.junit.Assert.assertFalse;
import static org.junit.Assert.assertNotNull;

/**
 * Checks {@code Token.create} against the two {@code TokenFactory} providers registered in the test resources. The
 * input is only the base64url-encoded JWT header {@code {"alg":"HS256","typ":"JWT"}}, which is sufficient because
 * neither test factory parses it.
 */
public class TokenTest {

    @Test
    public void create() {
        Token cut = Token.create("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9");
        assertNotNull(cut);

        // Second call with the same input: creation must be repeatable.
        cut = Token.create("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9");
        assertNotNull(cut);

        // Assert that custom Token factory has a priority over default
        // com.sap.cloud.security.servlet.HybridTokenFactory (which would have produced an AccessToken mock)
        assertFalse(cut.getClass().getName().contains("AccessToken"));
    }

}
-------------------------------------------------------------------------------- /java-api/src/test/java/com/sap/cloud/security/token/test/CustomTokenFactory.java: --------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

* SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.test;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenFactory;
import org.mockito.Mockito;

/**
 * Test-only {@link TokenFactory} that ignores the encoded token and returns a Mockito mock of {@link Token}. It is
 * the second provider listed in the test resources' {@code META-INF/services} file; {@code TokenTest} expects this
 * factory, not {@code HybridTokenFactory}, to win.
 */
public class CustomTokenFactory implements TokenFactory {
    @Override
    public Token create(String jwtToken) {
        // The argument is deliberately not parsed.
        return Mockito.mock(Token.class);
    }
}
-------------------------------------------------------------------------------- /java-api/src/test/resources/META-INF/services/com.sap.cloud.security.token.TokenFactory: --------------------------------------------------------------------------------
com.sap.cloud.security.servlet.HybridTokenFactory
com.sap.cloud.security.token.test.CustomTokenFactory
-------------------------------------------------------------------------------- /java-security-it/src/test/resources/ias-simple/token.json: --------------------------------------------------------------------------------
{
  "header": {
    "alg": "RS256",
    "kid": "default-kid"
  },
  "payload": {
    "aud": [
      "T000310",
      "T000333"
    ],
    "azp": "T000310",
    "email": "john.doe@email.org",
    "exp": 6974031600,
    "given_name": "john",
    "iss": "https://gets.overwritten.com",
    "sub": "P176945",
    "user_uuid": "1234567890",
    "zone_uuid": "0987654321"
  }
}
-------------------------------------------------------------------------------- /java-security-it/src/test/resources/ias-simple/vcap_services-single.json: --------------------------------------------------------------------------------
{
  "identity": [
    {
      "binding_name": null,
      "credentials": {
        "clientsecret": "",
        "clientid": "T000310",
        "domains": ["domain.gets.overwritten.bylocalhost.com"]
      },
      "instance_name": "myservice",
      "label": "identity",
      "name": "myservice",
      "plan": "application",
      "provider": null,
      "syslog_drain_url": null,
16 | "tags": [], 17 | "volume_mounts": [] 18 | } 19 | ] 20 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/privateRSAKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF 3 | At0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr 4 | QA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS 5 | kQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce 6 | 7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J 7 | BO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN 8 | A24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw== 9 | -----END RSA PRIVATE KEY----- -------------------------------------------------------------------------------- /java-security-it/src/test/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security.test: DEBUG 3 | org.slf4j.simpleLogger.log.com.sap.cloud.security.token.validation.validators.JwtAudienceValidator: WARN 4 | org.slf4j.simpleLogger.log.com.sap.cloud.security.token.validation.ValidationResults: ERROR 5 | org.slf4j.simpleLogger.log.com.sap.cloud.security.xsuaa.token.authentication.XsuaaJwtDecoder: ERROR -------------------------------------------------------------------------------- /java-security-it/src/test/resources/uaa/token.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "RS256", 4 | "jku": "http://auth.com/token_keys", 5 | "kid": "key-id-0" 6 | }, 7 | "payload": { 8 | "aud": [ 9 | "dashboard_client-Id" 10 | ], 11 | "azp": "dashboard_client-Id", 12 | "exp": "6974031600", 13 | "grant_type": "authorization_code", 14 | "iss": "http://auth.com/oauth/token", 
15 | "origin": "sap.ids", 16 | "user_name": "testUser", 17 | "user_id": "testUserId", 18 | "zid": "uaa" 19 | } 20 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/uaa/vcap_services.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientid": "dashboard_client-Id", 7 | "clientsecret": "", 8 | "identityzone": "uaa", 9 | "identityzoneid": "uaa", 10 | "tenantmode": "dedicated", 11 | "uaadomain": "auth.com", 12 | "url": "http://auth.com", 13 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----", 14 | "xsappname": "dashboard_client" 15 | }, 16 | "instance_name": "user-provided", 17 | "label": "xsuaa", 18 | "name": "example-xsuaa", 19 | "plan": "broker", 20 | "provider": null, 21 | "syslog_drain_url": null, 22 | "tags": [ 23 | "xsuaa" 24 | ], 25 | "volume_mounts": [] 26 | } 27 | ] 28 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/vcap_services-multiple.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientid": "sb-clientId!t0815", 7 | "clientsecret": "secret", 8 | "identityzone": "uaa", 9 | "identityzoneid": "uaa", 10 | "tenantmode": "dedicated", 11 | "uaadomain": "localhost", 12 | "url": "http://localhost", 13 | "xsappname": "clientId!t0815" 14 | }, 15 | "instance_name": "my-xsuaa", 16 | 
"label": "xsuaa", 17 | "name": "example-xsuaa", 18 | "plan": "application", 19 | "tags": [ 20 | "xsuaa" 21 | ], 22 | "volume_mounts": [] 23 | } 24 | ], 25 | "identity": [ 26 | { 27 | "binding_name": null, 28 | "credentials": { 29 | "clientsecret": "secret", 30 | "clientid": "T000310", 31 | "url": "http://localhost", 32 | "domains": ["localhost"] 33 | }, 34 | "instance_name": "myservice", 35 | "label": "identity", 36 | "name": "myservice", 37 | "plan": "application", 38 | "provider": null, 39 | "syslog_drain_url": null, 40 | "tags": [], 41 | "volume_mounts": [] 42 | } 43 | ] 44 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/xsa-simple/token.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "RS256", 4 | "typ": "JWT" 5 | }, 6 | "payload": { 7 | "aud": [ 8 | "sb-java-hello-world!i1", 9 | "openid" 10 | ], 11 | "auth_time": 1579526840, 12 | "azp": "sb-java-hello-world!i1", 13 | "client_id": "sb-java-hello-world!i1", 14 | "email": "XSA_ADMIN@XS1", 15 | "exp": 1579570287, 16 | "ext_attr": { 17 | "enhancer": "XSUAA" 18 | }, 19 | "grant_type": "authorization_code", 20 | "iat": 1579527087, 21 | "iss": "http://xsa-a272d86a-0f74-448c-93d1-6b78903d1543/UAA/oauth/token", 22 | "jti": "52a3356fddc44a359583b0f84bbb49ed", 23 | "origin": "uaa", 24 | "rev_sig": "eea1cc5e", 25 | "scope": [ 26 | "openid" 27 | ], 28 | "sub": "160497", 29 | "user_id": "160497", 30 | "user_name": "XSA_ADMIN", 31 | "xs.user.attributes": {}, 32 | "zid": "uaa" 33 | } 34 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/xsa-simple/vcap_services-single.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa" : [ { 3 | "name" : "java-uaa", 4 | "label" : "xsuaa", 5 | "tags" : [ "xsuaa" ], 6 | "plan" : "space", 7 | "credentials" : { 8 | "tenantmode" : 
"dedicated", 9 | "clientid" : "sb-java-hello-world!i1", 10 | "xsappname" : "java-hello-world!i1", 11 | "identityzone" : "uaa", 12 | "identityzoneid" : "uaa", 13 | "clientsecret" : "", 14 | "url" : "https://xsa-test.c.eu-de-2.cloud.sap:30132/uaa-security" 15 | } 16 | } ] 17 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/xsuaa/token.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "RS256", 4 | "jku": "http://auth.com/token_keys", 5 | "kid": "key-id-0" 6 | }, 7 | "payload": { 8 | "aud": [ 9 | "clientId" 10 | ], 11 | "azp": "clientId", 12 | "exp": "6974031600", 13 | "ext_attr": { 14 | "enhancer": "XSUAA", 15 | "zdn": "theSubdomain" 16 | }, 17 | "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", 18 | "iss": "http://auth.com", 19 | "origin": "userIdp", 20 | "user_name": "testUser" 21 | } 22 | } -------------------------------------------------------------------------------- /java-security-it/src/test/resources/xsuaa/vcap_services-single.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientid": "clientId", 7 | "clientsecret": "", 8 | "identityzone": "uaa", 9 | "identityzoneid": "uaa", 10 | "sburl": "http://localhost/uaa", 11 | "tenantmode": "dedicated", 12 | "uaadomain": "auth.com", 13 | "url": "https://paastenant.auth.com", 14 | "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY-----", 15 | 
"xsappname": "java-hello-world" 16 | }, 17 | "instance_name": "my-xsuaa", 18 | "label": "xsuaa", 19 | "name": "example-xsuaa", 20 | "plan": "broker", 21 | "provider": null, 22 | "syslog_drain_url": null, 23 | "tags": [ 24 | "xsuaa" 25 | ], 26 | "volume_mounts": [] 27 | } 28 | ] 29 | } -------------------------------------------------------------------------------- /java-security-test/src/main/java/com/sap/cloud/security/test/SecurityFilter.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test;

import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

/**
 * Servlet filter of the test module. For HTTP requests the chain is only continued while the response status is still
 * below 400, i.e. a response that was already marked as an error earlier in the chain is not passed on (fail closed).
 * Non-HTTP requests are always passed on unchanged.
 */
class SecurityFilter implements Filter {

	@Override
	public void init(FilterConfig filterConfig) {
		// Nothing to initialise.
	}

	/**
	 * Continues the chain unless the request is an HTTP request whose response status is already 400 or higher.
	 * Only the request is checked with instanceof; the response is cast unconditionally, so an HttpServletRequest paired
	 * with a non-HTTP response would fail with a ClassCastException.
	 *
	 * @param request  the incoming request.
	 * @param response the response whose status is read for HTTP requests.
	 * @param chain    the remaining filter chain.
	 */
	@Override
	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
			throws IOException, ServletException {
		if (request instanceof HttpServletRequest) {
			// Fail closed: an error status set earlier in the chain ends processing here.
			if (((HttpServletResponse) response).getStatus() < 400) {
				chain.doFilter(request, response);
			}
		} else {
			chain.doFilter(request, response);
		}
	}

	@Override
	public void destroy() {
		// Nothing to release.
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/test/api/ServiceMockConfiguration.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test.api;

/**
 * Configuration of the identity service mock (WireMock) used by the security test rule: the port it listens on and
 * the key pair used to sign test tokens. Both setters return the configuration itself so calls can be chained.
 */
public interface ServiceMockConfiguration {

	/**
	 * Overwrites the port on which the identity service mock server runs (WireMock). It needs to be configured before
	 * the test execution has started. If the port is not specified or is set to 0, a free random port is chosen.
	 *
	 * @param port
	 *            the port on which the wire mock service is started.
	 * @return the rule itself.
	 */
	ServiceMockConfiguration setPort(int port);

	/**
	 * Overwrites the private/public key pair to be used. The private key is used to sign the jwt token. The public key
	 * is provided by jwks endpoint (on behalf of WireMock). Checked exceptions are caught and rethrown as runtime
	 * exceptions for test convenience.
	 *
	 * @param publicKeyPath
	 *            resource path to public key file.
	 * @param privateKeyPath
	 *            resource path to private key file.
	 * @return the rule itself.
	 */
	ServiceMockConfiguration setKeys(String publicKeyPath, String privateKeyPath);
}
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/test/extension/IasExtension.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test.extension;

import com.sap.cloud.security.config.Service;

/**
 * {@link SecurityTestExtension} preconfigured for {@link Service#IAS}; the only thing it adds is the service choice.
 */
public class IasExtension extends SecurityTestExtension {

	public IasExtension() {
		super(Service.IAS);
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/test/extension/XsuaaExtension.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test.extension;

import com.sap.cloud.security.config.Service;

/**
 * {@link SecurityTestExtension} preconfigured for {@link Service#XSUAA}; the only thing it adds is the service choice.
 */
public class XsuaaExtension extends SecurityTestExtension {

	public XsuaaExtension() {
		super(Service.XSUAA);
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/token/validation/LocalhostIssuerValidator.java:
--------------------------------------------------------------------------------
package com.sap.cloud.security.token.validation;

/**
 * LocalhostIssuerValidator brings backward-compatibility for test credentials in consumer applications written before
 * 2.17.0 that are used to validate java-security-test tokens. This is necessary for successful validation of localhost
 * issuers that include a port when 'localhost' is defined as trusted domain without port in the service credentials.
 * This class MUST NOT be loaded outside test scope and MUST be the ONLY implementation of {@link TestIssuerValidator}.
 */
public class LocalhostIssuerValidator implements TestIssuerValidator {

	/**
	 * Accepts every issuer string that starts with http://localhost or https://localhost, which covers the
	 * localhost-with-port issuers of java-security-test tokens.
	 * NOTE(review): this is a plain prefix match, not a host comparison - an issuer whose host name merely begins with
	 * "localhost" (localhost.[some-other-domain]) passes as well. Tolerable only because the class Javadoc restricts
	 * this validator to test scope; do not reuse it in production validation.
	 *
	 * @param issuer the issuer value taken from the token.
	 * @return true if the issuer starts with one of the two localhost prefixes.
	 */
	@Override
	public boolean isValidIssuer(String issuer) {
		return issuer.startsWith("http://localhost") || issuer.startsWith("https://localhost");
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/main/java/com/sap/cloud/security/token/validation/XsuaaLocalhostJkuFactory.java:
--------------------------------------------------------------------------------
package com.sap.cloud.security.token.validation;

import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenHeader;

/**
 * XsuaaLocalhostJkuFactory brings backward-compatibility for test credentials in consumer applications written before
 * 2.17.0 that are used to validate java-security-test tokens. This is necessary for successful JKU construction when
 * 'localhost' is defined as uaadomain in the service credentials. This class MUST NOT be loaded outside test scope and
 * MUST be the ONLY implementation of {@link XsuaaJkuFactory}.
 */
public class XsuaaLocalhostJkuFactory implements XsuaaJkuFactory {

	/**
	 * Returns the token's own jku header as the JWKS URL, provided it refers to localhost; otherwise the token is
	 * rejected.
	 *
	 * @param jwt the encoded token whose jku header is inspected.
	 * @return the jku header value, unchanged.
	 * @throws IllegalArgumentException if the jku contains neither "localhost" nor "127.0.0.1".
	 */
	@Override
	public String create(String jwt) {
		Token token = Token.create(jwt);
		String tokenJku = (String) token.getHeaders().get(TokenHeader.JWKS_URL);

		// NOTE(review): these are substring checks, not a host comparison, so a jku that carries "localhost" anywhere
		// (path, query, or as part of a longer host name) is accepted too. If the header is absent and get() returns
		// null, the call below fails with a NullPointerException rather than the IllegalArgumentException further down.
		// Both are tolerable only because this class is restricted to test scope.
		if (tokenJku.contains("localhost") || tokenJku.contains("127.0.0.1")) {
			return tokenJku;
		}

		throw new IllegalArgumentException("JKU is not trusted because it does not target localhost.");
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/main/resources/META-INF/services/com.sap.cloud.security.token.validation.TestIssuerValidator:
--------------------------------------------------------------------------------
com.sap.cloud.security.token.validation.LocalhostIssuerValidator
--------------------------------------------------------------------------------
/java-security-test/src/main/resources/META-INF/services/com.sap.cloud.security.token.validation.XsuaaJkuFactory:
--------------------------------------------------------------------------------
com.sap.cloud.security.token.validation.XsuaaLocalhostJkuFactory
--------------------------------------------------------------------------------
/java-security-test/src/main/resources/oidcConfigurationTemplate.json:
--------------------------------------------------------------------------------
{
  "issuer": "$issuer",
  "authorization_endpoint": "$issuer/oauth2/authorize",
  "token_endpoint": "$issuer/oauth2/token",
  "jwks_uri": "$issuer/token_keys",
  "response_types_supported": [
    "code",
    "id_token"
  ],
  "grant_types_supported": [
    "password",
    "authorization_code",
    "refresh_token"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "scopes_supported": [
    "openid"
  ],
  "token_endpoint_auth_methods_supported": [
"client_secret_basic" 26 | ] 27 | } -------------------------------------------------------------------------------- /java-security-test/src/main/resources/publicKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/ 3 | 2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTN 4 | VTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9Y 5 | oU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GP 6 | n38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0 7 | frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4 8 | oQIDAQAB 9 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /java-security-test/src/test/java/com/sap/cloud/security/test/RSAKeysTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test;

import org.junit.Test;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;

import static org.assertj.core.api.Assertions.assertThat;

/**
 * Checks that RSAKeys yields a non-null private and public key, both when a pair is generated and when it is read
 * from the resource paths /publicKey.txt and /privateKey.txt.
 */
public class RSAKeysTest {

	@Test
	public void generate() {
		RSAKeys keys = RSAKeys.generate();

		assertThat(keys.getPrivate()).isNotNull();
		assertThat(keys.getPublic()).isNotNull();
	}

	@Test
	public void fromKeyFiles() throws IOException, InvalidKeySpecException,
			NoSuchAlgorithmException {
		// Only presence is asserted; the test does not check that the two files form a matching pair.
		RSAKeys keys = RSAKeys.fromKeyFiles("/publicKey.txt", "/privateKey.txt");

		assertThat(keys.getPrivate()).isNotNull();
		assertThat(keys.getPublic()).isNotNull();
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/SecurityTestTest.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test;

import com.sap.cloud.security.config.Service;
import org.junit.Test;

import static org.assertj.core.api.Assertions.assertThat;

/**
 * Verifies that {@code tearDown()} stops the WireMock server that {@code setup()} started, so no mock identity
 * service keeps listening after a test.
 */
public class SecurityTestTest {

	private SecurityTest cut = new SecurityTest(Service.XSUAA);

	@Test
	public void wireMockServerIsNotRunningAfterTearDown() throws Exception {
		cut.setup();
		cut.tearDown();
		assertThat(cut.wireMockServer.isRunning()).isFalse();
	}

}
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/extension/IasExtensionTest.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test.extension;

import com.sap.cloud.security.test.api.SecurityTestContext;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;

import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertNotNull;

/**
 * Verifies that {@link IasExtension} resolves a {@link SecurityTestContext} test-method parameter and that the
 * context's WireMock server is running while the test executes.
 */
@ExtendWith(IasExtension.class)
public class IasExtensionTest {

	@Test
	void resolveSecurityTestConfigurationParameter(SecurityTestContext context) {
		assertNotNull(context);
		assertThat(context.getWireMockServer().isRunning()).isTrue();
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/test/java/com/sap/cloud/security/test/extension/XsuaaExtensionTest.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.test.extension;

import com.sap.cloud.security.test.api.SecurityTestContext;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;

import static org.assertj.core.api.Assertions.assertThat;
import static org.junit.jupiter.api.Assertions.assertNotNull;

/**
 * Verifies that {@link XsuaaExtension} resolves a {@link SecurityTestContext} test-method parameter and that the
 * context's WireMock server is running while the test executes.
 */
@ExtendWith(XsuaaExtension.class)
public class XsuaaExtensionTest {

	@Test
	void resolveSecurityTestConfigurationParameter(SecurityTestContext context) {
		assertNotNull(context);
		assertThat(context.getWireMockServer().isRunning()).isTrue();
	}
}
--------------------------------------------------------------------------------
/java-security-test/src/test/resources/claims.json:
--------------------------------------------------------------------------------
{
  "ext_attr": {
    "enhancer": "XSUAA",
    "serviceinstanceid": "brokerCloneServiceInstanceId",
    "zdn": "uaa",
    "acl": ["app1!t23"]
  },
  "scope": [
    "openid", "testScope", "testApp.localScope"
  ],
  "empty_list" : [],
  "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
  "email": "test@uaa.org",
  "exp": 1542416800,
  "az_attr": {"external_id":"abcd1234"},
  "xs.system.attributes": {"subaccountid": "test-subaccount"}
}
--------------------------------------------------------------------------------
/java-security-test/src/test/resources/token.json:
--------------------------------------------------------------------------------
{
  "header": {
    "alg": "RS256",
    "kid": "kid-custom"
  },
  "payload": {
    "cid": "cidTestingClientId",
    "azp": "testingClientId",
    "zid": "zone-id",
    "exp": 1598314740,
    "scope": [
      "openid",
      "app1.scope"
    ],
    "aud": [
      "app1.scope"
    ]
  }
}
--------------------------------------------------------------------------------
/java-security-test/src/test/resources/token_client.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | }, 4 | "payload": { 5 | "clientId" : "testClientId", 6 | "grant_type": "client_credentials" 7 | } 8 | } -------------------------------------------------------------------------------- /java-security-test/src/test/resources/token_invalid_alg.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "INVALID" 4 | } 5 | } -------------------------------------------------------------------------------- /java-security-test/src/test/resources/token_no_header.json: -------------------------------------------------------------------------------- 1 | { 2 | "payload": { 3 | "zid": "zone-id" 4 | } 5 | } -------------------------------------------------------------------------------- /java-security-test/src/test/resources/vcapServices/vcapSimple.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "binding_name": null, 5 | "credentials": { 6 | "clientid": "clientId", 7 | "identityzone": "uaa", 8 | "identityzoneid": "uaa", 9 | "sburl": "http://localhost/uaa", 10 | "tenantmode": "dedicated", 11 | "verificationkey": "-----BEGIN PUBLIC KEY-----fake, only for test-----END PUBLIC KEY-----", 12 | "uaadomain": "auth.com", 13 | "url": "https://paastenant.auth.com", 14 | "xsappname": "java-hello-world" 15 | }, 16 | "name": "example-xsuaa", 17 | "plan": "broker", 18 | "volume_mounts": [] 19 | } 20 | ] 21 | } -------------------------------------------------------------------------------- /java-security/images/TokenAuthenticator.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/java-security/images/TokenAuthenticator.png 
-------------------------------------------------------------------------------- /java-security/images/iasApplication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/java-security/images/iasApplication.png -------------------------------------------------------------------------------- /java-security/images/iasApplication.puml: -------------------------------------------------------------------------------- 1 | @startuml 2 | -> Application: setup() 3 | Application --> Environments: getCurrent().getIasConfiguration() 4 | 5 | Environments -> Application: OAuth2ServiceConfiguration 6 | 7 | Application -> JwtValidatorBuilder: getInstance(OAuth2ServiceConfiguration).build() 8 | JwtValidatorBuilder --> Application: CombinedValidator 9 | 10 | -> Application: anyProtectedFunction() 11 | 12 | 13 | Application -> SapIdToken: new("abyJhbGci1iJSUzI1NiJ9.eyJhdW...") 14 | SapIdToken --> Application: Token 15 | 16 | Application -> CombinedValidator: validate(Token) 17 | CombinedValidator --> Application: ValidationResult 18 | @enduml 19 | 20 | 21 | -------------------------------------------------------------------------------- /java-security/images/xsuaaApplication.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/java-security/images/xsuaaApplication.png -------------------------------------------------------------------------------- /java-security/images/xsuaaApplication.puml: -------------------------------------------------------------------------------- 1 | @startuml 2 | -> TokenAuthenticator: setup() 3 | TokenAuthenticator --> Environments: getCurrent().getXsuaaConfiguration() 4 | TokenAuthenticator --> Environments: getCurrent().getIasConfiguration() 5 | 6 | 
Environments -> TokenAuthenticator: OAuth2ServiceConfiguration 7 | 8 | TokenAuthenticator --> HttpClientFactory: create(OAuth2ServiceConfiguration.getClientIdentity()) 9 | HttpClientFactory -> TokenAuthenticator: CloseableHttpClient 10 | 11 | TokenAuthenticator --> JwtValidatorBuilder: getInstance(OAuth2ServiceConfiguration).withHttpClient(CloseableHttpClient).build() 12 | JwtValidatorBuilder -> TokenAuthenticator: CombiningValidator 13 | 14 | -> TokenAuthenticator: anyProtectedServlet() 15 | 16 | 17 | TokenAuthenticator --> Token: create("eyJhdW...") 18 | Token -> TokenAuthenticator: Token 19 | 20 | TokenAuthenticator --> CombiningValidator: validate(Token) 21 | CombiningValidator -> TokenAuthenticator: ValidationResult 22 | @enduml 23 | 24 | 25 | -------------------------------------------------------------------------------- /java-security/images/xsuaaFilter.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/java-security/images/xsuaaFilter.png -------------------------------------------------------------------------------- /java-security/images/xsuaaFilter.puml: -------------------------------------------------------------------------------- 1 | @startuml 2 | -> SecurityFilter: new() 3 | SecurityFilter --> XsuaaTokenAuthenticator: new() 4 | XsuaaTokenAuthenticator -> SecurityFilter: XsuaaTokenAuthenticator 5 | 6 | -> SecurityFilter: doFilter() 7 | SecurityFilter --> XsuaaTokenAuthenticator: validateRequest() 8 | XsuaaTokenAuthenticator -> SecurityFilter: TokenAuthenticationResult 9 | 10 | XsuaaTokenAuthenticator -> SecurityContext: if XsuaaTokenAuthenticator.isAuthenticated() setToken(Token) 11 | 12 | WebServlet --> SecurityContext: getToken() 13 | SecurityContext -> WebServlet: Token 14 | @enduml 15 | 16 | 17 | -------------------------------------------------------------------------------- 
/java-security/src/main/java/com/sap/cloud/security/token/ScopeConverter.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

import java.io.Serializable;
import java.util.Collection;
import java.util.Set;

/**
 * Converts a collection of scopes into a set of scopes. Implementations are Serializable, so a converter can travel
 * with whatever object holds it.
 * NOTE(review): presumably the input is the scope list read from a token and the output the application-level scope
 * names - confirm against the implementations before relying on that.
 */
public interface ScopeConverter extends Serializable {
	Set convert(Collection scopes);
}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/ValidationListener.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation;

/**
 * Implement this interface to register a custom validation listener to the {@link CombiningValidator}. Those classes
 * will be called whenever a token is being validated.
 *
 * This might be relevant for writing Audit logs.
 */
public interface ValidationListener {

	/**
	 * Invoked when a validation ended with an error.
	 *
	 * @param result the erroneous {@link ValidationResult}; its error description can be used for logging.
	 */
	void onValidationError(ValidationResult result);

	/**
	 * Invoked when a validation succeeded. No result or token is passed along.
	 */
	void onValidationSuccess();

}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/ValidationResult.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation;

import javax.annotation.Nullable;

/**
 * Captures the result of a validation. Normally created by validators that implement the {@link Validator} interface.
 * Validity is defined solely by the absence of an error description: {@link #isValid()} and {@link #isErroneous()}
 * are derived from {@link #getErrorDescription()}.
 */
public interface ValidationResult {

	/**
	 * Returns true if there is no validation error, false otherwise.
	 *
	 * @return true if there is no validation error.
	 */
	default boolean isValid() {
		return getErrorDescription() == null;
	}

	/**
	 * Returns true if there is a validation error, false otherwise.
	 *
	 * @return true if there is a validation error.
	 */
	default boolean isErroneous() {
		return !isValid();
	}

	/**
	 * The validation error that has been found.
	 *
	 * @return the error description or null in case the validation was valid.
	 */
	@Nullable
	String getErrorDescription();
}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/Validator.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation;

/**
 * Generic validator interface over type {@link T}. A validator never throws for an invalid input; it reports the
 * outcome through the returned {@link ValidationResult}.
 *
 * @param
 *            the type of the object to be validated.
 */
public interface Validator {

	/**
	 * Validates the given object.
	 *
	 * @param t
	 *            the object of type {@link T} to be validated.
	 * @return the validation result as {@link ValidationResult}.
	 */
	ValidationResult validate(T t);
}
--------------------------------------------------------------------------------
/java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JsonWebKey.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation.validators;

import javax.annotation.Nullable;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.spec.InvalidKeySpecException;

/**
 * A single public key taken from a JWK Set, identified by its signature algorithm and key id.
 * <p>
 * See also JSON Web Key (JWK) specification: <a href="https://tools.ietf.org/html/rfc7517">tools.ietf.org/html/rfc7517</a>
 */
interface JsonWebKey {
    // Key id used by JsonWebKeySet lookups when the caller supplies no "kid".
    @java.lang.SuppressWarnings("squid:S1214")
    String DEFAULT_KEY_ID = "default-kid";

    /**
     * Returns the key algorithm a JWT is/can be signed with, e.g. {@link JwtSignatureAlgorithm#RS256}.
     *
     * @return the key algorithm.
     */
    JwtSignatureAlgorithm getKeyAlgorithm();

    /**
     * Returns the key id. This is used, for instance, to choose among a set of keys within a JWK Set during key
     * rollover.
     *
     * @return unique key identifier, or null if the key carries none.
     */
    @Nullable
    String getId();

    /**
     * Returns the public key representation.
     *
     * @return the public key, or null if none can be derived for this key.
     * @throws InvalidKeySpecException
     *             in case a PublicKey can not be created for this JSON web key.
     * @throws NoSuchAlgorithmException
     *             in case the algorithm specified as part of the JSON web key is not supported.
     */
    @Nullable
    PublicKey getPublicKey() throws NoSuchAlgorithmException, InvalidKeySpecException;

}
-------------------------------------------------------------------------------- /java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JsonWebKeyConstants.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation.validators;

/**
 * String constants used when reading JSON Web Keys and PEM-encoded public keys.
 */
class JsonWebKeyConstants {

    // Member names, mostly as defined in https://tools.ietf.org/html/rfc7517 ("jku" and "value" are not JWK members)
    static final String KEYS_PARAMETER_NAME = "keys";
    static final String KEY_TYPE_PARAMETER_NAME = "kty";
    static final String ALG_PARAMETER_NAME = "alg";
    static final String VALUE_PARAMETER_NAME = "value";
    static final String JKU_PARAMETER_NAME = "jku";
    static final String KID_PARAMETER_NAME = "kid";

    // RSA public key members (RFC 7518, section 6.3.1): modulus and public exponent
    static final String RSA_KEY_MODULUS_PARAMETER_NAME = "n";
    static final String RSA_KEY_PUBLIC_EXPONENT_PARAMETER_NAME = "e";

    // Legacy Token Key ID
    static final String KEY_ID_VALUE_LEGACY = "legacy-token-key";

    // PEM delimiters of a public key block
    static final String BEGIN_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----";
    static final String END_PUBLIC_KEY = "-----END PUBLIC KEY-----";

    // Constants holder; not meant to be instantiated.
    private JsonWebKeyConstants() {
    }
}
-------------------------------------------------------------------------------- /java-security/src/main/java/com/sap/cloud/security/token/validation/validators/JsonWebKeySet.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation.validators;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.util.HashSet;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

/**
 * In-memory collection of {@link JsonWebKey}s, e.g. the parsed content of a JWK Set document. Keys are looked up by
 * signature algorithm and key id; a lookup without key id falls back to {@link JsonWebKey#DEFAULT_KEY_ID}.
 */
class JsonWebKeySet {

    private final Set<JsonWebKey> jsonWebKeys = new HashSet<>();

    /**
     * Looks up a key by signature algorithm and key id ("kid").
     *
     * @param keyAlgorithm
     *            the algorithm the key must belong to; compared with {@code equals}.
     * @param keyId
     *            the key id; when null, {@link JsonWebKey#DEFAULT_KEY_ID} is used instead.
     * @return a matching key, or null if none matches. The set is unordered, so with several matches any one may be
     *         returned.
     */
    @Nullable
    public JsonWebKey getKeyByAlgorithmAndId(JwtSignatureAlgorithm keyAlgorithm, String keyId) {
        Stream<JsonWebKey> candidates = getTokenStreamWithTypeAndKeyId(keyAlgorithm, keyId);
        return candidates.findFirst().orElse(null);
    }

    /**
     * @return the underlying, mutable set of keys (not a copy).
     */
    public Set<JsonWebKey> getAll() {
        return jsonWebKeys;
    }

    /**
     * Adds a key.
     *
     * @param jsonWebKey
     *            the key to add.
     * @return true if the set did not already contain an equal key.
     */
    public boolean put(@Nonnull JsonWebKey jsonWebKey) {
        return jsonWebKeys.add(jsonWebKey);
    }

    /**
     * Merges all keys of another set into this one.
     *
     * @param jsonWebKeySet
     *            the set whose keys are added.
     */
    public void putAll(JsonWebKeySet jsonWebKeySet) {
        Set<JsonWebKey> others = jsonWebKeySet.getAll();
        jsonWebKeys.addAll(others);
    }

    private Stream<JsonWebKey> getTokenStreamWithTypeAndKeyId(JwtSignatureAlgorithm algorithm, String keyId) {
        final String kid;
        if (keyId == null) {
            kid = JsonWebKey.DEFAULT_KEY_ID;
        } else {
            kid = keyId;
        }
        return jsonWebKeys.stream()
                .filter(jwk -> algorithm.equals(jwk.getKeyAlgorithm()) && kid.equals(jwk.getId()));
    }

    @Override
    public String toString() {
        Stream<String> rendered = jsonWebKeys.stream().map(String::valueOf);
        return rendered.collect(Collectors.joining("|"));
    }
}
-------------------------------------------------------------------------------- /java-security/src/main/resources/META-INF/services/com.sap.cloud.security.token.TokenFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.servlet.HybridTokenFactory -------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/TestConstants.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security;

import java.time.Duration;
import java.time.Instant;
import java.time.LocalDate;
import java.time.temporal.TemporalAmount;

import static java.time.ZoneOffset.UTC;

/**
 * Fixed points in time shared by the java-security tests so that time-based checks are deterministic.
 */
public class TestConstants {
    // 2019-03-03T00:00:00Z (UTC start of day); presumably used as the tests' notion of "now"
    public static final Instant NOW = LocalDate.of(2019, 3, 3).atStartOfDay().toInstant(UTC);
    public static final TemporalAmount ONE_MINUTE = Duration.ofMinutes(1);
    public static final TemporalAmount ONE_SECOND = Duration.ofSeconds(1);
}
-------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/core/AssertionsTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.core;

import org.junit.Test;

import static com.sap.cloud.security.xsuaa.Assertions.assertHasText;
import static com.sap.cloud.security.xsuaa.Assertions.assertNotNull;
import static org.assertj.core.api.Assertions.assertThatThrownBy;

/**
 * Tests for the argument-checking helpers in {@code Assertions}: each helper throws an
 * {@link IllegalArgumentException} carrying the supplied message when its precondition is violated.
 */
public class AssertionsTest {

    @Test
    public void assertNotNull_throwsIllegalArgumentExceptionContainingMessage() {
        String expected = "A message";
        assertThatThrownBy(() -> assertNotNull(null, expected))
                .isInstanceOf(IllegalArgumentException.class)
                .hasMessage(expected);
    }

    @Test
    public void assertNotNull_doesNotThrow() {
        Object anyValue = new Object();
        assertNotNull(anyValue, "Should not be thrown");
    }

    @Test
    public void assertNotEmpty_throwsIllegalArgumentExceptionContainingMessage() {
        String expected = "A message";
        // null, empty and whitespace-only are all rejected
        for (String blank : new String[] { null, "", " " }) {
            assertThatThrownBy(() -> assertHasText(blank, expected))
                    .isInstanceOf(IllegalArgumentException.class)
                    .hasMessage(expected);
        }
    }

    @Test
    public void assertNotEmpty_doesNotThrow() {
        // surrounding whitespace is fine as long as some text is present
        assertHasText(" s ", "Should not be thrown");
    }
}
-------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/token/MockTokenBuilder.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token;

import org.mockito.Mockito;

import java.time.Instant;
import java.util.GregorianCalendar;

import static org.mockito.Mockito.when;

/**
 * Builds a Mockito mock of {@link AbstractToken} whose expiration and not-before instants are fixed by the test.
 */
public class MockTokenBuilder {
    // GregorianCalendar months are zero-based, so this is 31 December 2190 in the JVM's default time zone.
    public static final Instant NO_EXPIRE_DATE = new GregorianCalendar(2190, 11, 31).getTime().toInstant();

    private final AbstractToken token = Mockito.mock(AbstractToken.class);

    /**
     * @param expirationDate
     *            value returned by {@code getExpiration()} of the built token.
     * @return this builder.
     */
    public MockTokenBuilder withExpiration(Instant expirationDate) {
        Mockito.when(token.getExpiration()).thenReturn(expirationDate);
        return this;
    }

    /**
     * @param notBeforeDate
     *            value returned by {@code getNotBefore()} of the built token.
     * @return this builder.
     */
    public MockTokenBuilder withNotBefore(Instant notBeforeDate) {
        Mockito.when(token.getNotBefore()).thenReturn(notBeforeDate);
        return this;
    }

    /**
     * @return the configured mock; the same instance on every call.
     */
    public AbstractToken build() {
        return token;
    }
}
-------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/token/validation/TokenTestValidator.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation;

import com.sap.cloud.security.token.Token;

/**
 * Test double for {@link Validator}: returns a result fixed at construction time and ignores the token it is given.
 */
public final class TokenTestValidator implements Validator<Token> {

    public static final String DEFAULT_ERROR_DESCRIPTION = "test error description";

    private final ValidationResult validationResult;

    private TokenTestValidator(ValidationResult validationResult) {
        this.validationResult = validationResult;
    }

    /**
     * @return a validator that always reports success.
     */
    public static TokenTestValidator createValid() {
        ValidationResult valid = ValidationResults.createValid();
        return new TokenTestValidator(valid);
    }

    /**
     * @return a validator that always fails with {@link #DEFAULT_ERROR_DESCRIPTION}.
     */
    public static TokenTestValidator createInvalid() {
        return createInvalid(DEFAULT_ERROR_DESCRIPTION);
    }

    /**
     * @param errorDescription
     *            the error text of the reported failure.
     * @return a validator that always fails with the given description.
     */
    public static TokenTestValidator createInvalid(String errorDescription) {
        ValidationResult invalid = ValidationResults.createInvalid(errorDescription);
        return new TokenTestValidator(invalid);
    }

    @Override
    public ValidationResult validate(Token token) {
        // The token is intentionally not inspected; the outcome is predetermined.
        return validationResult;
    }

}
-------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/token/validation/validators/JsonWebKeyTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.token.validation.validators;

import org.junit.Before;
import org.junit.Test;

import static org.hamcrest.CoreMatchers.equalTo;
import static org.hamcrest.CoreMatchers.not;
import static org.hamcrest.MatcherAssert.assertThat;

/**
 * Checks the equals/hashCode contract of the {@link JsonWebKey} implementation produced by
 * {@code JsonWebKeyTestFactory}.
 */
public class JsonWebKeyTest {
    private JsonWebKey cut;

    @Before
    public void setup() {
        cut = JsonWebKeyTestFactory.create();
    }

    @Test
    public void equalsByInstance() {
        boolean reflexive = cut.equals(cut);
        assertThat(reflexive, equalTo(true));
    }

    @Test
    public void equalsByFields() {
        // a second, independently created key with the same fields must be equal and hash alike
        JsonWebKey sameFields = JsonWebKeyTestFactory.create();
        assertThat(cut.equals(sameFields), equalTo(true));
        assertThat(cut.hashCode(), equalTo(JsonWebKeyTestFactory.create().hashCode()));
    }

    @Test
    public void notEqualsByFields() {
        JsonWebKey otherFields = JsonWebKeyTestFactory.createDefault();
        assertThat(cut.equals(otherFields), equalTo(false));
        assertThat(cut.hashCode(), not(equalTo(JsonWebKeyTestFactory.createDefault().hashCode())));
    }

}
-------------------------------------------------------------------------------- /java-security/src/test/java/com/sap/cloud/security/util/HttpClientTestFactory.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.util;

import org.apache.http.HttpStatus;
import org.apache.http.HttpVersion;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.message.BasicStatusLine;
import org.mockito.Mockito;

import static org.mockito.Mockito.when;

/**
 * Creates mocked {@link CloseableHttpResponse}s with a JSON body and a status line, for tests that stub HTTP calls.
 */
public class HttpClientTestFactory {

    /**
     * @param responseAsJson
     *            the body, served with content type {@code application/json}.
     * @param statusCode
     *            the HTTP status code of the status line (reason phrase is left null).
     * @return a mock whose {@code getStatusLine()} and {@code getEntity()} are stubbed accordingly.
     */
    public static CloseableHttpResponse createHttpResponse(String responseAsJson, int statusCode) {
        BasicStatusLine statusLine = new BasicStatusLine(HttpVersion.HTTP_1_1, statusCode, null);
        StringEntity body = new StringEntity(responseAsJson, ContentType.APPLICATION_JSON);
        CloseableHttpResponse response = Mockito.mock(CloseableHttpResponse.class);
        when(response.getStatusLine()).thenReturn(statusLine);
        when(response.getEntity()).thenReturn(body);
        return response;
    }

    /**
     * @param responseAsJson
     *            the body, served with content type {@code application/json}.
     * @return a mocked 200 OK response.
     */
    public static CloseableHttpResponse createHttpResponse(String responseAsJson) {
        return createHttpResponse(responseAsJson, HttpStatus.SC_OK);
    }
}
-------------------------------------------------------------------------------- /java-security/src/test/resources/iasJsonWebTokenKeys.json: -------------------------------------------------------------------------------- 1 | { 2 | "keys": [ 3 | { 4 | "kty": "RSA", 5 | "kid": "default-kid-ias", 6 | "e": "AQAB", 7 | "use": "sig", 8 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE=" 9 | }, 10 | { 11 | "kty": "RSA", 12 | "kid": "default-kid", 13 | "e": "AQAB", 14 | "use": "sig", 15 | "n": 
"AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE=" 16 | } 17 | ] 18 | } -------------------------------------------------------------------------------- /java-security/src/test/resources/iasJsonWebTokenKeys_noKid.json: -------------------------------------------------------------------------------- 1 | { 2 | "keys": [ 3 | { 4 | "kty": "RSA", 5 | "e": "AQAB", 6 | "use": "sig", 7 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE=" 8 | } 9 | ] 10 | } -------------------------------------------------------------------------------- /java-security/src/test/resources/iasOidcTokenRSA256.txt: -------------------------------------------------------------------------------- 1 | 
eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJQMTc2OTQ1IiwiYXBwX3RpZCI6InRoZS1hcHAtdGlkIiwiaXNzIjoiaHR0cHM6Ly9hcHBsaWNhdGlvbi5teWF1dGguY29tIiwiZ2l2ZW5fbmFtZSI6ImpvaG4iLCJhdWQiOlsiVDAwMDMxMCIsIlQwMDAzMzMiXSwic2NpbV9pZCI6InNjaW0tMTIzNDU2Nzg5MCIsInVzZXJfdXVpZCI6IjEyMzQ1Njc4OTAiLCJhenAiOiJUMDAwMzEwIiwiem9uZV91dWlkIjoidGhlLXpvbmUtaWQiLCJleHAiOjY5NzQwMzE2MDAsImZhbWlseV9uYW1lIjoiZG9lIiwiZW1haWwiOiJqb2huLmRvZUBlbWFpbC5vcmciLCJjaWQiOiJUMDAwMzEwIn0.NkM70DLlYg1kDS37QXtlj5sQbyjk-UGSh6pmeGDDAj8-En4eNxRsG3wF_b7zv-ZseRINLURKp5mSW1O_xqI91w77Z9wwT45g_7WynH7kfXhKiAU0Te0RpZ6Iy19JbZXkfmMfbSjGNNRz5VIiVlTQOMS0bsNNLtGzz5QvhC6MkpwS8afDMjw-RX4zK-KO2CHsU7r7wjsLLpOmIfzgtao_HJJUhQCBkqwPNgmEJeHKTzJeDHxeAk-_Zbz5Won7nkajNZ4W6kn7eb3E-Vry9z7HDpV2_OKZpOP5lAWHVW1b7abPQ92npPqEdKaIhZT105-oGiwp20dX5Up7enAT_um38A -------------------------------------------------------------------------------- /java-security/src/test/resources/iasTokenInvalidCnfRSA256.txt: -------------------------------------------------------------------------------- 1 | eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsibXlDbGllbnRJZCJdLCJ1c2VyX3V1aWQiOiJ0aGUtdXNlci1pZCIsImF6cCI6IlQwMDAzMTAiLCJpc3MiOiJodHRwczovL2FwcGxpY2F0aW9uLm15YXV0aC5jb20iLCJ6b25lX3V1aWQiOiJ0aGUtem9uZS1pZCIsImNuZiI6eyJ4NXQjUzI1NiI6ImludmFsaWQifSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJUMDAwMzEwIn0.Z2BwS6CpC9EAuh25xDB62RgeVfHpu0BzYnNMy7j-dq_deWrBVTr0ZEYDObM-E_c7J1gtSVQ4paJHS0OTcZkv3iigpxjjjUqUp1rhCZc76KXKgVG7JKZH8AtmeK-mTP5ssaEre-oLhatkWILieMrCcAkpcxF1W4wPsnOdljFwme7PzMkXDNTkD2lHuNt1IT1hi12GEGV6cv8M8tcf-A8JG0CtVbjA15qzCXOhIS-KpYBl41x_Onk6OtHnCPLkNzTjZn9lk_59Tc1NNzPp3_EgwCNvlAmWu3o9k_bHteoWuy8Mjr78L8a5JxaJeyZ6E9zbpEDldwHMmeNg0zEe4Zj91Q -------------------------------------------------------------------------------- /java-security/src/test/resources/iasTokenWithCnfRSA256.txt: -------------------------------------------------------------------------------- 1 | 
eyJraWQiOiJkZWZhdWx0LWtpZC1pYXMiLCJhbGciOiJSUzI1NiJ9.eyJhdWQiOlsibXlDbGllbnRJZCJdLCJ1c2VyX3V1aWQiOiJ0aGUtdXNlci1pZCIsImF6cCI6IlQwMDAzMTAiLCJpc3MiOiJodHRwczovL2FwcGxpY2F0aW9uLm15YXV0aC5jb20iLCJ6b25lX3V1aWQiOiJ0aGUtem9uZS1pZCIsImNuZiI6eyJ4NXQjUzI1NiI6ImZVLVhvUWxoTVRwUXN6OUFyWGw2ekhJcE1HdVJPNEV4TEtkTFJUYzVWak0ifSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJUMDAwMzEwIn0.dlALBMbhbKQg0JylLNQOdFYXYbohRPahsjJZeS7I-grIq8sIyWb2U1h9PyC6-XQa3c_d6ttvSAZluRTgCAjbjWbZbdlbojoo_Q-drr32xS8fCMRUxfBmtQ8We5FjX4U593VH0XIe6Am_64Met1g0Vq0tr5RGh0ucgqy-wQi2MCl1RVa0OEJzpPT_5tEmQgUAG3I7i-BjquMKuimBoq-srrmRgkmJlTFLn_SoOu1F54Wz6yrwdIJEz8UVmnAfjAFsvPSkwXohF9QSiAvfgtd6fYax429bdb607xCGicQFdeiIQ_FFjhF2PaTK0ZgrrmfVstcGxIvhVLQ0kVlOophEWw -------------------------------------------------------------------------------- /java-security/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker: -------------------------------------------------------------------------------- 1 | mock-maker-inline -------------------------------------------------------------------------------- /java-security/src/test/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security.token.validation.validators: DEBUG -------------------------------------------------------------------------------- /java-security/src/test/resources/uaaAccessTokenRSA256.txt: -------------------------------------------------------------------------------- 1 | 
eyJqa3UiOiJodHRwOi8vYXV0aC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0wIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOlsiZGFzaGJvYXJkX2NsaWVudC1JZCJdLCJ6aWQiOiJ1YWEiLCJncmFudF90eXBlIjoiYXV0aG9yaXphdGlvbl9jb2RlIiwidXNlcl9pZCI6InRlc3RVc2VySWQiLCJhenAiOiJkYXNoYm9hcmRfY2xpZW50LUlkIiwidXNlcl9uYW1lIjoidGVzdFVzZXIiLCJvcmlnaW4iOiJzYXAuaWRzIiwiaXNzIjoiaHR0cDovL2xvY2FsaG9zdDo2MjcwMCIsImV4cCI6Njk3NDAzMTYwMH0.dA9gjVpX3G099gtRwIQDvppLyIaO5WsxAfmq71CTNKJv2J6LXgQOyhOk0NKgmQHxCvL-UEqnAImRXK1EF9ewgI_MD6Bn0N9mSGV0HmroM3es9go8t4f5DWNPllgTTgaiO34dIGEuFXkhn3uFVy34ErRhjAxuhknGg571jW2hg0jncDwMuC1mK_h7gvH-bb1ENmxG7NXSNZAQiJ0IlIZxixGmo1cJZP9V1oNugnE4mLJmB0I_7fRm9iYm0kBfLbOV_NgJ32AQ7I44SDoRlO1k5HvxKOPWwn2ZlSEoFiPnfsO9N4wrK1TZ-5kH8y6NpSI6R4hnJbmomZruEXnQ0MitpQ -------------------------------------------------------------------------------- /java-security/src/test/resources/xsuaaAccessTokenRSA256_signedWithVerificationKey.txt: -------------------------------------------------------------------------------- 1 | eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjY1MTQ4L3Rva2VuX2tleXMiLCJhbGciOiJSUzI1NiJ9.eyJncmFudF90eXBlIjoidXNlcl90b2tlbiIsInNjb3BlIjpbImJ1bGxldGluYm9hcmQtQzUyOTU0MDAuRGlzcGxheSIsImJ1bGxldGluYm9hcmQtQzUyOTU0MDAuVXBkYXRlIl0sImNpZCI6InNiLWNsaWVudElkIXQwODE1In0=.CetA62rQSNRj93S9mqaHrKJyzONKeEKcEJ9O5wObRD_RHrRNHAIOtXUgm2Qy6IrrhvPNY8CdNVmosrXOOebJZLwGdNNREqSz0Xu1tl3_Z3fzekq4dTV0yccTCfAYHVvUNbCdkXBYr2UTYULSMMXHXI5yuEtQaaQTxWN7k67Tgajq4BXUOT-asp3X-zhmMpmoTqAj8ARNrtaXUOzEt9inPgkMMhMJM3HT47p6SHe3XL8v0yBEIAsAQlxPPCjak9BSpCUUA-c6ZOEOIZBb346zZhCsV5SN1xC5cMZiFjHP6P0LIzQBEVlPpOy0NfIWdyH-o8FUUcI3nEzFx0qxc_TvuQ== -------------------------------------------------------------------------------- /java-security/src/test/resources/xsuaaCCAccessTokenRSA256.txt: -------------------------------------------------------------------------------- 1 | 
eyJhbGciOiJSUzI1NiIsImprdSI6Imh0dHBzOi8vYXV0aGVudGljYXRpb24uc3RhZ2luZ2F3cy5oYW5hdmxhYi5vbmRlbWFuZC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0xIiwidHlwIjoiSldUIn0.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.OLDZiMerzH4gNELQEHCPUy7aD681L-twKYyfRSuNQAvlEeQeMaQm7_ZX3WrQ7HF04PASSocBkebG4PmFcbzX5uRSxoxUPbPB1JFsdbb_MU5o0P-xbYStY_lL0UVcZsSy2QrZwcNgtdTbHXpme2xn3jjW6KdwfO6Zd19fcPpPdstlmp34uUFBGfSkXek5sRDCw3ZklEStYIQG9dYsxEq-AmtEqsgPjVdFWv6_bfe8HqOoNfx1QC31DNNQQiAZBFFuZ3iX7IQWRHMdVjWw5GF7tvxM8al-wt8flaZ6gBvHTGzwGKBlDZYtKMDO57L5SyFCgwedoRdzE2NHIHvvp3CKEw -------------------------------------------------------------------------------- /java-security/src/test/resources/xsuaaJwtBearerTokenRSA256.txt: -------------------------------------------------------------------------------- 1 | eyJqa3UiOiJodHRwOi8vYXV0aC5jb20vdG9rZW5fa2V5cyIsImtpZCI6ImtleS1pZC0wIiwiYWxnIjoiUlMyNTYifQ.eyJhdWQiOlsiY2xpZW50SWQiXSwiZXh0X2F0dHIiOnsiemRuIjoidGhlU3ViZG9tYWluIiwiZW5oYW5jZXIiOiJYU1VBQSJ9LCJ6aWQiOiJ0aGUtem9uZS1pZCIsImdyYW50X3R5cGUiOiJ1cm46aWV0ZjpwYXJhbXM6b2F1dGg6Z3JhbnQtdHlwZTpqd3QtYmVhcmVyIiwiYXpwIjoiY2xpZW50SWQiLCJ1c2VyX25hbWUiOiJ0ZXN0VXNlciIsIm9yaWdpbiI6InVzZXJJZHAiLCJpc3MiOiJodHRwOi8vYXV0aC5jb20iLCJleHAiOjY5NzQwMzE2MDAsImNpZCI6ImNsaWVudElkIn0.jD6fsDWbTvTX7Biy7BjIV_Wu3UGe09fYeVevQ3qV1Rd6jkjps2a1gSzzPxNgf3MkkV7Ow54UnC0k2kQclT6MgsDHtakGmjCGxd4BMnqSe8tO38UY1MytRpRbP6Vy1C5StbdgyoIO1YIMMV-IYfYbQZBzB6VowY7n5v7UJ5-qQiGfarpJDfOz9LlggYmHiFWaTHn0HCQrpUQvikwRuDjcDm2YXNvO_sFTeMJGDmGJgDY7ICGdCuN3yGnRybZMLOiEgSyciSgex59hfwH4r7mJpGyB3L_-FwpX-7u1NF8qEjKsmR9dtFmrxvoth1Otpv_NYoL2mGd4Ea5FO9b-DWzAMA -------------------------------------------------------------------------------- /java-security/src/test/resources/xsuaaXsaAccessTokenRSA256_signedWithVerificationKey.txt: -------------------------------------------------------------------------------- 1 | 
eyJhbGciOiAiUlMyNTYiLCJ0eXAiOiAiSldUIn0.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.EY4Xh2ExTa07C6dkyjm5fwCxAsrV1rv1DfwVfaM0i5BjybVyfVa5F3PnNnSKCwmIMzpVWJ0vQgKJi_3GYTTRfC4UtxRNPIsFLovgyIQ9VbWLJGr0PCcv7-dt0ZXxRQ3mcQQ3NFl2PNVfFz2kk_5hMZZhOIxH00fyc_-BWE1yYndWPHSCJhynbje_RudG7x9McJMNAkcNY9O1wK3pOAnAFUNjM_CEV2Su6AZ6SLSq29o8OR5brI83RXGFPaxudNyTH1pyG4T-JrD8HJAf0KGxRdqDyteGo-bxnorZ57idxE6dBiKr8lBMCv6hJ2Lb0tOEVE66YSBz2BCNrfMZ02ct7Q -------------------------------------------------------------------------------- /samples/.gitignore: -------------------------------------------------------------------------------- 1 | vars.yml 2 | -------------------------------------------------------------------------------- /samples/images/SAP_CP_Cockpit_AssignRoleCollectionToUser.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/samples/images/SAP_CP_Cockpit_AssignRoleCollectionToUser.png -------------------------------------------------------------------------------- /samples/images/postman-ssl.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/SAP/cloud-security-services-integration-library/fa63ed4d7764b88e09801ef2c7b02fe863eda55f/samples/images/postman-ssl.png -------------------------------------------------------------------------------- /samples/java-security-usage-ias/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-security-usage-ias.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8080 -------------------------------------------------------------------------------- /samples/java-security-usage-ias/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE 
or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adapt the destination in ../vars.yml 6 | # If the routes are occupied, you might need to change the host 7 | applications: 8 | - name: java-security-usage-ias 9 | instances: 1 10 | memory: 896M 11 | routes: 12 | - route: java-security-usage-ias-((ID)).((LANDSCAPE_APPS_DOMAIN)) 13 | - route: java-security-usage-ias-((ID)).cert.((LANDSCAPE_APPS_DOMAIN)) 14 | host: 15 | path: target/java-security-usage-ias.war 16 | buildpacks: 17 | - https://github.com/cloudfoundry/java-buildpack.git 18 | env: 19 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }' 20 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }' 21 | services: 22 | - name: ias-java-security 23 | parameters: { "credential-type": "X509_GENERATED" } 24 | ... 25 | -------------------------------------------------------------------------------- /samples/java-security-usage-ias/src/main/java/com/sap/cloud/security/samples/ias/HealthServlet.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.samples.ias;

import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

/**
 * Minimal liveness endpoint answering {@code GET /health} with the body "OK". Whether this path is exempt from the
 * sample's security filter is configured elsewhere and not visible here.
 */
@WebServlet(HealthServlet.ENDPOINT)
public class HealthServlet extends HttpServlet {

    static final String ENDPOINT = "/health";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        final String body = "OK";
        resp.getWriter().write(body);
    }
}
-------------------------------------------------------------------------------- /samples/java-security-usage-ias/src/main/java/com/sap/cloud/security/samples/ias/HelloJavaServlet.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

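 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.samples.ias;

import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.TokenClaims;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import java.io.IOException;
import java.io.Serial;

/**
 * Sample endpoint that greets the caller by the e-mail claim of the token found in the {@link SecurityContext}.
 * Authentication of the request is presumably performed by a security filter in front of this servlet; this class only
 * reads the already-validated token.
 */
@WebServlet(HelloJavaServlet.ENDPOINT)
public class HelloJavaServlet extends HttpServlet {

    static final String ENDPOINT = "/hello-java-security-ias";
    private static final Logger logger = LoggerFactory.getLogger(HelloJavaServlet.class);

    /**
     * Writes a plain-text greeting containing the token's e-mail claim.
     * <p>
     * If {@link SecurityContext#getToken()} yields no token (e.g. the filter did not run), the request is answered
     * with 401 instead of failing with a NullPointerException.
     *
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) {
        response.setContentType("text/plain");
        Token token = SecurityContext.getToken();
        if (token == null) {
            // Defensive: no token in the context means the caller is not authenticated; do not dereference null.
            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            response.getWriter().write("You ('"
                    + token.getClaimAsString(TokenClaims.EMAIL) + "') "
                    + "are authenticated and can access the application.");
        } catch (final IOException e) {
            // This is the success response (the old message called it an "error response"); use placeholders
            // instead of string concatenation so the message is only built when the level is enabled.
            logger.error("Failed to write response: {}.", e.getMessage(), e);
        }
    }

}
-------------------------------------------------------------------------------- /samples/java-security-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-security-usage.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8080 -------------------------------------------------------------------------------- /samples/java-security-usage/manifest.yml: 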
-------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adapt the destination in ../vars.yml 6 | # If the routes are occupied, you might need to change the host 7 | applications: 8 | - name: java-security-usage 9 | instances: 1 10 | memory: 896M 11 | routes: 12 | - route: java-security-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 13 | host: 14 | path: target/java-security-usage.war 15 | buildpacks: 16 | - https://github.com/cloudfoundry/java-buildpack.git 17 | env: 18 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }' 19 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }' 20 | services: 21 | - xsuaa-java-security 22 | ... 23 | -------------------------------------------------------------------------------- /samples/java-security-usage/src/main/java/com/sap/cloud/security/samples/HealthServlet.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.samples;

import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

/**
 * Minimal liveness endpoint answering {@code GET /health} with the body "OK". Whether this path bypasses the sample's
 * security filter is configured elsewhere and not visible here.
 */
@WebServlet(HealthServlet.ENDPOINT)
public class HealthServlet extends HttpServlet {

    static final String ENDPOINT = "/health";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        java.io.Writer out = resp.getWriter();
        out.write("OK");
    }

}
-------------------------------------------------------------------------------- /samples/java-security-usage/src/main/java/com/sap/cloud/security/samples/HelloJavaServletScopeProtected.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.samples;

import com.sap.cloud.security.token.SecurityContext;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;

/**
 * Sample endpoint demonstrating scope-based authorization: the request is served only if the access token in the
 * {@link SecurityContext} carries the local scope "Read"; otherwise the XSUAA filter's unauthorized response is sent.
 */
@WebServlet(HelloJavaServletScopeProtected.ENDPOINT)
public class HelloJavaServletScopeProtected extends HttpServlet {

    static final String ENDPOINT = "/hello-java-security-authz";

    /**
     * @see HttpServlet#doGet(HttpServletRequest request, HttpServletResponse response)
     */
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response) throws IOException {
        final String requiredScope = "Read";
        boolean permitted = SecurityContext.getAccessToken().hasLocalScope(requiredScope);
        if (!permitted) {
            // Authorization failure: delegate the error response (status and body) to the filter's helper.
            XsuaaSecurityFilter.sendUnauthorizedResponse(response, requiredScope);
            return;
        }
        response.setContentType("text/plain");
        response.getWriter().write("Read-protected method called!");
        response.setStatus(HttpServletResponse.SC_OK);
    }

}
-------------------------------------------------------------------------------- /samples/java-security-usage/src/main/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security: DEBUG -------------------------------------------------------------------------------- /samples/java-security-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "java-security-usage", 3 | "description": "SAP BTP Java Security Client Library with XSUAA sample application", 4 | "tenant-mode": "dedicated", 5 | "scopes": [ 6 | { 7 | "name": "$XSAPPNAME.Read", 8 | "description": "Scope for java-security-usage 
sample application" 9 | } 10 | ], 11 | "role-templates": [ 12 | { 13 | "name": "Viewer", 14 | "description": "Role for java-security-usage sample application", 15 | "scope-references": [ 16 | "$XSAPPNAME.Read" 17 | ] 18 | } 19 | ], 20 | "role-collections": [ 21 | { 22 | "name": "Sample Viewer (java-security-usage)", 23 | "description": "Role collection for java-security-usage sample application", 24 | "role-template-references": [ 25 | "$XSAPPNAME.Viewer" 26 | ] 27 | } 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM --platform=linux/amd64 tomcat:10-jre17 2 | 3 | ADD target/java-tokenclient-usage.war /usr/local/tomcat/webapps/ 4 | 5 | EXPOSE 8080 -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adopt the destination 6 | # If the routes are occupied, you might need to change the host in java-tokenclient-usage and the url in the destination 7 | applications: 8 | - name: java-tokenclient-usage 9 | instances: 1 10 | memory: 896M 11 | routes: 12 | - route: java-tokenclient-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 13 | host: 14 | path: target/java-tokenclient-usage.war 15 | buildpacks: 16 | - https://github.com/cloudfoundry/java-buildpack.git 17 | env: 18 | JBP_CONFIG_OPEN_JDK_JRE: '{ jre: { version: 17.0.+ } }' 19 | JBP_CONFIG_TOMCAT: '{ tomcat: { version: 10.0.+ } }' 20 | services: 21 | - xsuaa-token-client 22 | ... 
23 | -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/src/main/resources/simplelogger.properties: -------------------------------------------------------------------------------- 1 | org.slf4j.simpleLogger.defaultLogLevel: WARN 2 | org.slf4j.simpleLogger.log.com.sap.cloud.security: DEBUG -------------------------------------------------------------------------------- /samples/java-tokenclient-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "java-tokenclient-usage", 3 | "oauth2-configuration": { 4 | "credential-types": ["x509"] 5 | }, 6 | "tenant-mode": "dedicated" 7 | } 8 | -------------------------------------------------------------------------------- /samples/localEnvironmentSetup.sh: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | export VCAP_APPLICATION='{}' # required when cloud profile is active 4 | export VCAP_SERVICES='{ "xsuaa": [ { "credentials": { "uaadomain": "localhost", "verificationkey": "-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5dYHyD/nn/Pl+/W8jNGWHDaNItXqPuEk/hiozcPF+9l3qEgpRZrMx5ya7UjGdvihidGFQ9+efgaaqCLbk+bBsbU5L4WoJK+/t1mgWCiKI0koaAGDsztZsd3Anz4LEi2+NVNdupRq0ScHzweEKzqaa/LgtBi5WwyA5DaD33gbytG9hdFJvggzIN9+DSverHSAtqGUHhwHSU4/mL36xSReyqiKDiVyhf/y6V6eiE0USubTEGaWVUANIteiC+8Ags5UF22QoqMo3ttKnEyFTHpGCXSn+AEO0WMLK1pPavAjPaOyf4cVX8b/PzHsfBPDMK/kNKNEaU5lAXo8dLUbRYquQIDAQAB-----END PUBLIC KEY-----" } } ] }' 5 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/approuter/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "approuter", 3 | "dependencies": { 4 | 
"@sap/approuter": "^10.4.3" 5 | }, 6 | "scripts": { 7 | "start": "node node_modules/@sap/approuter/approuter.js" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/approuter/xs-app.json: -------------------------------------------------------------------------------- 1 | { 2 | "routes": [{ 3 | "source": "^/", 4 | "target": "/hello-token", 5 | "destination": "sap-java-buildpack-api-usage-destination" 6 | }] 7 | } 8 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adopt the destination 6 | # If the routes are occupied, you might need to change the host in sap-java-buildpack-api-usage, the host in approuter- sap-java-buildpack-api-usage and the url in the destination 7 | applications: 8 | # Application sap-java-buildpack-api-usage 9 | - name: sap-java-buildpack-api-usage 10 | instances: 1 11 | memory: 896M 12 | routes: 13 | - route: sap-java-buildpack-api-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 14 | 15 | host: 16 | path: target/sap-java-buildpack-api-usage.war 17 | services: 18 | - xsuaa-buildpack 19 | buildpacks: 20 | - sap_java_buildpack_jakarta 21 | env: 22 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}' 23 | SET_LOGGING_LEVEL: '{com.sap.xs.security: DEBUG, com.sap.cloud.security: DEBUG}' 24 | ENABLE_SECURITY_JAVA_API_V2: true 25 | 26 | # Application Router as web server 27 | - name: approuter-sap-java-buildpack-api-usage 28 | path: approuter 29 | buildpacks: 30 | - nodejs_buildpack 31 | memory: 128M 32 | routes: 33 | - route: 
approuter-sap-java-buildpack-api-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 34 | services: 35 | - xsuaa-buildpack 36 | env: 37 | destinations: > 38 | [ 39 | {"name":"sap-java-buildpack-api-usage-destination", 40 | "url":"https://sap-java-buildpack-api-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))", 41 | "forwardAuthToken": true} 42 | ] 43 | ... 44 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/src/main/webapp/WEB-INF/web.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 9 | 10 | 11 | XSUAA 12 | 13 | -------------------------------------------------------------------------------- /samples/sap-java-buildpack-api-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "sap-java-buildpack-api-usage", 3 | "description": "SAP BTP Java Security Client Library Buildpack sample application", 4 | "tenant-mode": "dedicated", 5 | "scopes": [ 6 | { 7 | "name": "$XSAPPNAME.Read", 8 | "description": "Scope for sap-java-buildpack-api-usage sample application" 9 | } 10 | ], 11 | "role-templates": [ 12 | { 13 | "name": "Viewer", 14 | "description": "Role for sap-java-buildpack-api-usage sample application", 15 | "scope-references": [ 16 | "$XSAPPNAME.Read" 17 | ] 18 | } 19 | ], 20 | "role-collections": [ 21 | { 22 | "name": "Sample Viewer (sap-java-buildpack-api-usage)", 23 | "description": "Role collection for sap-java-buildpack-api-usage sample application", 24 | "role-template-references": [ 25 | "$XSAPPNAME.Viewer" 26 | ] 27 | } 28 | ] 29 | } 30 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # 
SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adopt LANDSCAPE_APPS_DOMAIN in ../vars.yml 6 | # If the route is occupied, you might need to change ID in in ../vars.yml 7 | applications: 8 | - name: spring-security-basic-auth 9 | instances: 1 10 | memory: 896M 11 | routes: 12 | - route: spring-security-basic-auth-((ID)).((LANDSCAPE_APPS_DOMAIN)) 13 | path: target/spring-security-basic-auth.jar 14 | services: 15 | - xsuaa-basic 16 | buildpacks: 17 | - java_buildpack 18 | env: 19 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}' 20 | 21 | 22 | ... 23 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/Application.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import org.springframework.boot.SpringApplication; 9 | import org.springframework.boot.autoconfigure.SpringBootApplication; 10 | 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/TestController.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import com.sap.cloud.security.token.Token; 9 | import org.springframework.security.core.annotation.AuthenticationPrincipal; 10 | import org.springframework.web.bind.annotation.GetMapping; 11 | import org.springframework.web.bind.annotation.RestController; 12 | 13 | @RestController 14 | public class TestController { 15 | 16 | /** 17 | * Returns the access token to the caller that was fetched by {@link TokenBrokerResolver} using the Basic auth 18 | * information from the request header with a {@link com.sap.cloud.security.token.GrantType#PASSWORD} grant type 19 | * flow. 20 | * 21 | * @param token 22 | * validated and processed access token 23 | * @return the access token 24 | */ 25 | @GetMapping("/fetchToken") 26 | public Token returnToken(@AuthenticationPrincipal Token token) { 27 | /* access to token claims is available via token object, e.g. 28 | String userName = token.getPrincipal().getName(); 29 | String zoneId = token.getZoneId() 30 | List scopes = token.getClaimAsStringList(TokenClaims.XSUAA.SCOPES); 31 | */ 32 | 33 | return token; 34 | } 35 | 36 | @GetMapping("/health") 37 | public String checkHealth() { 38 | return "OK"; 39 | } 40 | } 41 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/main/java/sample/spring/xsuaa/config/TokenBrokerConfiguration.java: -------------------------------------------------------------------------------- 1 | package sample.spring.xsuaa.config; 2 | 3 | import com.github.benmanes.caffeine.cache.Caffeine; 4 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows; 5 | import org.springframework.beans.factory.annotation.Qualifier; 6 | import org.springframework.cache.Cache; 7 | import org.springframework.cache.caffeine.CaffeineCache; 8 | import org.springframework.context.annotation.Bean; 9 | import org.springframework.context.annotation.Configuration; 10 | import 
sample.spring.xsuaa.TokenBrokerResolver; 11 | 12 | import java.util.concurrent.TimeUnit; 13 | 14 | @Configuration 15 | public class TokenBrokerConfiguration { 16 | 17 | @Bean 18 | public Cache tokenBrokerCache() { 19 | return new CaffeineCache("TokenBrokerResolverCache", 20 | Caffeine.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).maximumSize(100).build(), false); 21 | } 22 | 23 | /** Configures a TokenBrokerResolver with the default XsuaaTokenFlows and the specific cache configured for it. */ 24 | @Bean 25 | public TokenBrokerResolver tokenBrokerResolver(XsuaaTokenFlows tokenFlows, 26 | @Qualifier("tokenBrokerCache") Cache cache) { 27 | return new TokenBrokerResolver(tokenFlows, cache); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | server: 5 | port: 8080 6 | debug: true -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import org.junit.jupiter.api.Test; 9 | import org.springframework.boot.test.context.SpringBootTest; 10 | 11 | @SpringBootTest 12 | public class ApplicationTest { 13 | 14 | @Test 15 | public void whenSpringContextIsBootstrapped_thenNoExceptions() { 16 | } 17 | } -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/config/TokenBrokerTestConfiguration.java: -------------------------------------------------------------------------------- 1 | package sample.spring.xsuaa.config; 2 | 3 | import com.sap.cloud.security.config.ClientIdentity; 4 | import com.sap.cloud.security.spring.config.XsuaaServiceConfiguration; 5 | import com.sap.cloud.security.xsuaa.client.OAuth2ServiceEndpointsProvider; 6 | import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints; 7 | import com.sap.cloud.security.xsuaa.client.XsuaaOAuth2TokenService; 8 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows; 9 | import org.springframework.context.annotation.Bean; 10 | import sample.spring.xsuaa.TokenBrokerResolver; 11 | 12 | public class TokenBrokerTestConfiguration { 13 | 14 | /** 15 | * Makes {@link TokenBrokerResolver} use the stubbed XsuaaOAuth2TokenService prepared in 16 | * {@link sample.spring.xsuaa.SecurityConfigurationTest} for testing. 
17 | */ 18 | @Bean 19 | public XsuaaTokenFlows tokenFlows(XsuaaServiceConfiguration xsuaaConfig, XsuaaOAuth2TokenService tokenService) { 20 | OAuth2ServiceEndpointsProvider endpointsProvider = new XsuaaDefaultEndpoints(xsuaaConfig); 21 | ClientIdentity clientIdentity = xsuaaConfig.getClientIdentity(); 22 | return new XsuaaTokenFlows(tokenService, endpointsProvider, clientIdentity); 23 | } 24 | } 25 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/test/java/sample/spring/xsuaa/config/XsuaaExtensionFixedPort.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | * SPDX-License-Identifier: Apache-2.0 4 | */ 5 | package sample.spring.xsuaa.config; 6 | 7 | import com.sap.cloud.security.test.extension.XsuaaExtension; 8 | 9 | public class XsuaaExtensionFixedPort extends XsuaaExtension { 10 | 11 | public XsuaaExtensionFixedPort() { 12 | super(); 13 | this.setPort(2222); 14 | } 15 | } 16 | -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/src/test/resources/application.yml: -------------------------------------------------------------------------------- 1 | sap: 2 | security: 3 | services: 4 | xsuaa: # default configuration of the test XSUAA server from SecurityTest 5 | xsappname: xsapp!t0815 6 | uaadomain: http://localhost:2222 7 | clientid: sb-clientId!t0815 8 | url: http://localhost 9 | spring: 10 | main: 11 | allow-bean-definition-overriding: true -------------------------------------------------------------------------------- /samples/spring-security-basic-auth/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-security-basic-auth", 3 | "description": "SAP BTP Spring Security Client Library 
with Basic Auth sample application", 4 | "tenant-mode": "dedicated", 5 | "oauth2-configuration": { 6 | "credential-types": ["x509"] 7 | }, 8 | "scopes": [ 9 | { 10 | "name": "$XSAPPNAME.Read", 11 | "description": "Scope for spring-security-basic-auth sample application" 12 | } 13 | ], 14 | "role-templates": [ 15 | { 16 | "name": "Viewer", 17 | "description": "Role for spring-security-basic-auth sample application", 18 | "scope-references": [ 19 | "$XSAPPNAME.Read" 20 | ] 21 | } 22 | ], 23 | "role-collections": [ 24 | { 25 | "name": "Sample Viewer (spring-security-basic-auth)", 26 | "description": "Role collection for spring-security-basic-auth sample application", 27 | "role-template-references": [ 28 | "$XSAPPNAME.Viewer" 29 | ] 30 | } 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/Dockerfile: -------------------------------------------------------------------------------- 1 | FROM openjdk:17-jdk-slim 2 | COPY target/spring-security-hybrid-usage.jar /app.jar 3 | ENTRYPOINT ["java", "-jar", "/app.jar"] 4 | EXPOSE 8080 -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. 
For other landscapes, please adopt LANDSCAPE_APPS_DOMAIN in ../vars.yml 6 | # If the route is occupied, you might need to change ID in ../vars.yml 7 | applications: 8 | - name: spring-security-hybrid-usage 9 | instances: 1 10 | memory: 896M 11 | routes: 12 | - route: spring-security-hybrid-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 13 | path: target/spring-security-hybrid-usage.jar 14 | buildpacks: 15 | - java_buildpack 16 | env: 17 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}' 18 | services: 19 | - name: xsuaa-authn 20 | # - name: xsuaa-broker 21 | - name: ias-authn 22 | parameters: { "credential-type": "X509_GENERATED" } 23 | 24 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/Application.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.security; 7 | 8 | import com.sap.hcp.cf.logging.servlet.filter.RequestLoggingFilter; 9 | import jakarta.servlet.DispatcherType; 10 | import org.springframework.boot.SpringApplication; 11 | import org.springframework.boot.autoconfigure.SpringBootApplication; 12 | import org.springframework.boot.web.servlet.FilterRegistrationBean; 13 | import org.springframework.context.annotation.Bean; 14 | import org.springframework.core.Ordered; 15 | 16 | @SpringBootApplication 17 | public class Application { 18 | 19 | public static void main(String[] args) { 20 | SpringApplication.run(Application.class, args); 21 | } 22 | 23 | @Bean 24 | public FilterRegistrationBean loggingFilter() { 25 | FilterRegistrationBean registrationBean = new FilterRegistrationBean<>(); 26 | registrationBean.setFilter(new RequestLoggingFilter()); 27 | registrationBean.setName("request-logging"); 28 | registrationBean.addUrlPatterns("/*"); 29 | registrationBean.setDispatcherTypes(DispatcherType.REQUEST); 30 | registrationBean.setOrder(Ordered.HIGHEST_PRECEDENCE); 31 | return registrationBean; 32 | } 33 | } 34 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/main/java/sample/spring/security/DataService.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.security; 7 | 8 | import com.sap.cloud.security.spring.config.XsuaaServiceConfiguration; 9 | import com.sap.cloud.security.spring.token.SpringSecurityContext; 10 | import org.springframework.beans.factory.annotation.Autowired; 11 | import org.springframework.stereotype.Service; 12 | 13 | /** 14 | * Simple DataLayer interface that shows how Spring global message security can be used to control access to data 15 | * objects on a method level. 16 | */ 17 | @Service 18 | public class DataService { 19 | @Autowired 20 | XsuaaServiceConfiguration xsuaaConfig; 21 | 22 | /** 23 | * Reads sensitive data from the data layer. User requires scope {@code Admin} for this to succeed. 24 | */ 25 | String readSensitiveData() { 26 | String appTid = SpringSecurityContext.getToken().getAppTid(); 27 | return "You got the sensitive data for tenant '" + appTid + "'."; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Setting Log Levels 5 | logging.level: 6 | com.sap: DEBUG # set SAP-class loggers to DEBUG. 7 | org.springframework: ERROR # set to DEBUG to see all beans loaded and auto-config conditions met. 8 | org.springframework.security: DEBUG # set to ERROR for production setups. 9 | org.springframework.web: DEBUG # set to ERROR for production setups. 10 | 11 | # Server Port (from environment or 8080 if not set). 12 | server: 13 | port: ${PORT:8080} 14 | 15 | # Enable to make Spring Boot log debug information. 
16 | # debug: true 17 | 18 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.security; 7 | 8 | import org.junit.jupiter.api.Test; 9 | import org.junit.jupiter.api.extension.ExtendWith; 10 | import org.springframework.boot.test.context.SpringBootTest; 11 | import org.springframework.test.context.junit.jupiter.SpringExtension; 12 | 13 | @ExtendWith(SpringExtension.class) 14 | @SpringBootTest(classes = Application.class) 15 | @java.lang.SuppressWarnings("squid:S2699") 16 | // test properties are provided with /resources/application.yml 17 | class ApplicationTest { 18 | 19 | @Test 20 | void whenSpringContextIsBootstrapped_thenNoExceptions() { 21 | } 22 | } -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/junitjupiter/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.security.junitjupiter; 7 | 8 | import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows; 9 | import org.junit.jupiter.api.Test; 10 | import org.springframework.beans.factory.annotation.Autowired; 11 | import org.springframework.boot.test.context.SpringBootTest; 12 | 13 | import static org.junit.jupiter.api.Assertions.assertNotNull; 14 | 15 | @SpringBootTest 16 | @java.lang.SuppressWarnings("squid:S2699") 17 | class ApplicationTest { 18 | @Autowired 19 | XsuaaTokenFlows tokenflows; 20 | 21 | @Test 22 | void whenSpringContextIsBootstrapped_thenNoExceptions() { 23 | assertNotNull(tokenflows.clientCredentialsTokenFlow()); 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/java/sample/spring/security/util/MockBearerTokenRequestPostProcessor.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.security.util; 7 | 8 | import org.springframework.http.HttpHeaders; 9 | import org.springframework.mock.web.MockHttpServletRequest; 10 | import org.springframework.test.web.servlet.request.RequestPostProcessor; 11 | 12 | // https://docs.spring.io/autorepo/docs/spring-security/4.0.0.RELEASE/reference/html/test-mockmvc.html#test-mockmvc-smmrpp 13 | public final class MockBearerTokenRequestPostProcessor { 14 | 15 | private MockBearerTokenRequestPostProcessor() { 16 | } 17 | 18 | public static RequestPostProcessor bearerToken(String token) { 19 | return new BearerTokenRequestPostProcessor(token); 20 | } 21 | 22 | static class BearerTokenRequestPostProcessor implements RequestPostProcessor { 23 | private final String token; 24 | 25 | public BearerTokenRequestPostProcessor(String token) { 26 | this.token = token; 27 | } 28 | 29 | @Override 30 | public MockHttpServletRequest postProcessRequest(MockHttpServletRequest request) { 31 | request.addHeader(HttpHeaders.AUTHORIZATION, "Bearer " + this.token); 32 | return request; 33 | } 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | sap: 5 | security: 6 | services: 7 | xsuaa[0]: 8 | xsappname: xsapp!t0815 9 | uaadomain: localhost 10 | clientid: sb-clientId!t0815 11 | clientsecret: pwd 12 | url: http://localhost 13 | plan: application 14 | xsuaa[1]: 15 | xsappname: xsapp!b04711 16 | clientid: sb-clientId!b04711 17 | plan: broker 18 | 19 | identity: 20 | clientid: sb-clientId!t0815 21 | domains: localhost 22 | 23 | #Single xsuaa service configuration 24 | # xsuaa: 25 | # xsappname: 
xsapp!t0815 26 | # uaadomain: localhost 27 | # clientid: sb-clientId!t0815 28 | # clientsecret: pwd 29 | # url: http://localhost 30 | # 31 | # identity: 32 | # clientid: sb-clientId!t0815 33 | # domains: localhost 34 | 35 | logging.level: 36 | com.sap: DEBUG # set SAP-class loggers to DEBUG. 37 | org.springframework: DEBUG -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/resources/broker-token.json: -------------------------------------------------------------------------------- 1 | { 2 | "header": { 3 | "alg": "RS256", 4 | "kid": "kid-custom" 5 | }, 6 | "payload": { 7 | "ext_attr": {"enhancer": "XSUAA"}, 8 | "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", 9 | "iss": "http://localhost:56911", 10 | "cid": "sb-clientId!b04711", 11 | "client_id": "sb-clientId!b04711", 12 | "azp": "sb-clientId!b04711", 13 | "zid": "zone-id", 14 | "exp": 1598314740, 15 | "scope": [ 16 | "openid", 17 | "xsapp!b04711.Read" 18 | ], 19 | "aud": [ 20 | "sb-clientId!b04711" 21 | ] 22 | } 23 | } -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/src/test/resources/iasClaims.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": ["IASAUTHZ_Read"] 3 | } -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/xs-security-broker.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-security-hybrid-usage", 3 | "description": "SAP BTP Spring Security Client Library Hybrid sample application", 4 | "tenant-mode": "dedicated", 5 | "oauth2-configuration": { 6 | "credential-types": ["x509"] 7 | }, 8 | "scopes": [ 9 | { 10 | "name": "$XSAPPNAME.Read", 11 | "description": "Scope for spring-security-hybrid-usage sample application" 12 | } 13 | ], 14 | "role-templates": [ 15 
| { 16 | "name": "Viewer", 17 | "description": "Role for spring-security-hybrid-usage sample application", 18 | "scope-references": [ 19 | "$XSAPPNAME.Read" 20 | ] 21 | } 22 | ], 23 | "role-collections": [ 24 | { 25 | "name": "Sample Viewer via broker (spring-security-hybrid-usage)", 26 | "description": "Role collection for spring-security-hybrid-usage broker access", 27 | "role-template-references": [ 28 | "$XSAPPNAME.Viewer" 29 | ] 30 | } 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /samples/spring-security-hybrid-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-security-hybrid-usage", 3 | "description": "SAP BTP Spring Security Client Library Hybrid sample application", 4 | "tenant-mode": "dedicated", 5 | "oauth2-configuration": { 6 | "credential-types": ["x509"] 7 | }, 8 | "scopes": [ 9 | { 10 | "name": "$XSAPPNAME.Read", 11 | "description": "Scope for spring-security-hybrid-usage sample application" 12 | } 13 | ], 14 | "role-templates": [ 15 | { 16 | "name": "Viewer", 17 | "description": "Role for spring-security-hybrid-usage sample application", 18 | "scope-references": [ 19 | "$XSAPPNAME.Read" 20 | ] 21 | } 22 | ], 23 | "role-collections": [ 24 | { 25 | "name": "Sample Viewer (spring-security-hybrid-usage)", 26 | "description": "Role collection for spring-security-hybrid-usage sample application", 27 | "role-template-references": [ 28 | "$XSAPPNAME.Viewer" 29 | ] 30 | } 31 | ] 32 | } 33 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/approuter/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "approuter", 3 | "dependencies": { 4 | "@sap/approuter": "^10.4.3" 5 | }, 6 | "scripts": { 7 | "start": "node node_modules/@sap/approuter/approuter.js" 8 | } 9 | } 10 | 
-------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/approuter/resources/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | Spring Security & XSUAA 4 | 5 |

13 | 14 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/approuter/xs-app.json: -------------------------------------------------------------------------------- 1 | { 2 | "welcomeFile": "index.html", 3 | "authenticationMethod": "route", 4 | "routes": [ 5 | { 6 | "source": "^/v1", 7 | "target": "/v1", 8 | "destination": "token-destination", 9 | "authenticationType": "xsuaa" 10 | }, 11 | { 12 | "source": "^/v2", 13 | "target": "/v2", 14 | "destination": "token-destination", 15 | "authenticationType": "xsuaa" 16 | }, 17 | { 18 | "source": "^/v3", 19 | "target": "/v3", 20 | "destination": "token-destination", 21 | "authenticationType": "xsuaa" 22 | } 23 | ] 24 | } 25 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # configured for EU10. For other landscapes, please adopt LANDSCAPE_APPS_DOMAIN in ../vars.yml 6 | # If the route is occupied, you might need to change ID in ../vars.yml 7 | applications: 8 | # The sample application. 
9 | - name: spring-security-xsuaa-usage 10 | instances: 1 11 | memory: 896M 12 | routes: 13 | - route: spring-security-xsuaa-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 14 | path: target/spring-security-xsuaa-usage.jar 15 | services: 16 | - xsuaa-authentication 17 | buildpacks: 18 | - java_buildpack 19 | env: 20 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}' 21 | 22 | # Application Router as web server 23 | - name: approuter-spring-security-xsuaa-usage 24 | path: approuter 25 | buildpacks: 26 | - nodejs_buildpack 27 | memory: 128M 28 | routes: 29 | - route: spring-security-xsuaa-usage-web-((ID)).((LANDSCAPE_APPS_DOMAIN)) 30 | services: 31 | - xsuaa-authentication 32 | env: 33 | destinations: > 34 | [ 35 | {"name":"token-destination", 36 | "url":"https://spring-security-xsuaa-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))", 37 | "forwardAuthToken": true} 38 | ] 39 | ... 40 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/src/main/java/sample/spring/xsuaa/Application.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import org.springframework.boot.SpringApplication; 9 | import org.springframework.boot.autoconfigure.SpringBootApplication; 10 | 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/src/main/java/sample/spring/xsuaa/DataService.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import org.slf4j.Logger; 9 | import org.slf4j.LoggerFactory; 10 | import org.springframework.security.access.prepost.PreAuthorize; 11 | import org.springframework.stereotype.Service; 12 | 13 | /** 14 | * Simple DataLayer interface that shows how Spring global method security can be used to control access to data 15 | * objects on a method level. 16 | */ 17 | @Service 18 | public class DataService { 19 | private final Logger logger = LoggerFactory.getLogger(this.getClass()); 20 | 21 | /** 22 | * Reads sensitive data from the data layer. The user requires the scope {@code Admin} for this to succeed. 23 | */ 24 | @PreAuthorize("hasAuthority('Admin')") 25 | String readSensitiveData() { 26 | logger.info("Reading sensitive data."); 27 | return "You got the sensitive data"; 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Setting Log Levels 5 | logging.level: 6 | com.sap.cloud.security: DEBUG # set SAP-class loggers to DEBUG. 7 | org.springframework: ERROR # set to DEBUG to see all beans loaded and auto-config conditions met. 8 | org.springframework.security: DEBUG # set to ERROR for production setups. 9 | org.springframework.web: DEBUG # set to ERROR for production setups. 10 | 11 | # Server Port (from environment or 8080 if not set). 12 | server: 13 | port: ${PORT:8080} 14 | 15 | # Enable to make Spring Boot log debug information. 
16 | # debug: true -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/src/test/java/sample/spring/xsuaa/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa; 7 | 8 | import org.junit.Test; 9 | import org.junit.runner.RunWith; 10 | import org.springframework.boot.test.context.SpringBootTest; 11 | import org.springframework.test.context.junit4.SpringRunner; 12 | 13 | @RunWith(SpringRunner.class) 14 | @SpringBootTest(classes = Application.class) 15 | @java.lang.SuppressWarnings("squid:S2699") 16 | public class ApplicationTest { 17 | 18 | @Test 19 | public void whenSpringContextIsBootstrapped_thenNoExceptions() { 20 | } 21 | } -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/src/test/java/sample/spring/xsuaa/junitjupiter/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.xsuaa.junitjupiter; 7 | 8 | import org.junit.jupiter.api.Test; 9 | import org.springframework.boot.test.context.SpringBootTest; 10 | import sample.spring.xsuaa.Application; 11 | 12 | @SpringBootTest(classes = Application.class) 13 | @java.lang.SuppressWarnings("squid:S2699") 14 | class ApplicationTest { 15 | 16 | @Test 17 | void whenSpringContextIsBootstrapped_thenNoExceptions() { 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/xs-security-deprecated.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-xsuaa-usage", 3 | "tenant-mode": "dedicated", 4 | "scopes": [ 5 | { 6 | "name": "$XSAPPNAME.Read", 7 | "description": "Read Permissions." 8 | }, 9 | { 10 | "name": "$XSAPPNAME.Admin", 11 | "description": "Admin permissions." 12 | } 13 | ], 14 | "role-templates": [ 15 | { 16 | "name": "Viewer", 17 | "description": "View Data", 18 | "scope-references": [ 19 | "$XSAPPNAME.Read", 20 | "uaa.user" 21 | ] 22 | }, 23 | { 24 | "name": "Administrator", 25 | "description": "View Sensitive Data", 26 | "scope-references": [ 27 | "$XSAPPNAME.Read", 28 | "$XSAPPNAME.Admin" 29 | ] 30 | } 31 | ], 32 | "role-collections": [ 33 | { 34 | "name": "Viewer", 35 | "description": "Viewer (read)", 36 | "role-template-references": [ 37 | "$XSAPPNAME.Viewer" 38 | ] 39 | }, 40 | { 41 | "name": "Administrator", 42 | "description": "Administrator (read all)", 43 | "role-template-references": [ 44 | "$XSAPPNAME.Administrator" 45 | ] 46 | } 47 | ] 48 | } 49 | -------------------------------------------------------------------------------- /samples/spring-security-xsuaa-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-security-xsuaa-usage", 3 | "oauth2-configuration": { 4 | 
"credential-types": ["x509"] 5 | }, 6 | "tenant-mode": "dedicated", 7 | "scopes": [ 8 | { 9 | "name": "$XSAPPNAME.Read", 10 | "description": "Read Permissions." 11 | }, 12 | { 13 | "name": "$XSAPPNAME.Admin", 14 | "description": "Admin permissions." 15 | } 16 | ], 17 | "role-templates": [ 18 | { 19 | "name": "Viewer", 20 | "description": "View Data", 21 | "scope-references": [ 22 | "$XSAPPNAME.Read", 23 | "uaa.user" 24 | ] 25 | }, 26 | { 27 | "name": "Administrator", 28 | "description": "View Sensitive Data", 29 | "scope-references": [ 30 | "$XSAPPNAME.Read", 31 | "$XSAPPNAME.Admin" 32 | ] 33 | } 34 | ], 35 | "role-collections": [ 36 | { 37 | "name": "Viewer", 38 | "description": "Viewer (read)", 39 | "role-template-references": [ 40 | "$XSAPPNAME.Viewer" 41 | ] 42 | }, 43 | { 44 | "name": "Administrator", 45 | "description": "Administrator (read all)", 46 | "role-template-references": [ 47 | "$XSAPPNAME.Administrator" 48 | ] 49 | } 50 | ] 51 | } 52 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/approuter/package.json: -------------------------------------------------------------------------------- 1 | { 2 | "name": "approuter", 3 | "dependencies": { 4 | "@sap/approuter": "^10.4.3" 5 | }, 6 | "scripts": { 7 | "start": "node node_modules/@sap/approuter/approuter.js" 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/approuter/resources/index.html: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Welcome to our Index Page 6 | 7 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/approuter/xs-app.json: -------------------------------------------------------------------------------- 1 | { 2 | "welcomeFile": "index.html", 3 | "routes": [ 4 | { 5 | "source": "^/xsuaa", 6 | 
"target": "/v1", 7 | "destination": "token-destination", 8 | "authenticationType": "xsuaa" 9 | }, 10 | { 11 | "source": "^/ias", 12 | "target": "/v1", 13 | "destination": "token-destination", 14 | "authenticationType": "ias" 15 | } 16 | ] 17 | } 18 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/ias-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "oauth2-configuration": 3 | { 4 | "redirect-uris": ["https://*.cfapps.eu10.hana.ondemand.com/login/callback"] 5 | }, 6 | "xsuaa-cross-consumption": true 7 | } -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/manifest.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Configuration: 5 | # Configured for EU10. For other landscapes, please adapt LANDSCAPE_APPS_DOMAIN in ../vars.yml 6 | # If the route is already occupied, you might need to change ID in ../vars.yml 7 | applications: 8 | # The sample application. 
9 | - name: spring-webflux-security-hybrid-usage 10 | instances: 1 11 | memory: 896M 12 | routes: 13 | - route: spring-webflux-security-hybrid-usage-((ID)).((LANDSCAPE_APPS_DOMAIN)) 14 | path: target/spring-webflux-security-hybrid-usage.jar 15 | buildpacks: 16 | - sap_java_buildpack_jakarta 17 | env: 18 | JBP_CONFIG_OPEN_JDK_JRE: '{jre: { version: 17.0.+ }}' 19 | JBP_CONFIG_DEBUG: '{enabled: true}' 20 | services: 21 | - xsuaa-webflux 22 | - ias-webflux 23 | 24 | # Application Router as web server 25 | - name: approuter-spring-webflux-security-hybrid-usage 26 | path: approuter 27 | buildpacks: 28 | - nodejs_buildpack 29 | memory: 128M 30 | routes: 31 | - route: spring-webflux-security-hybrid-usage-web-((ID)).((LANDSCAPE_APPS_DOMAIN)) 32 | services: 33 | - xsuaa-webflux 34 | - ias-webflux 35 | env: 36 | destinations: > 37 | [ 38 | {"name":"token-destination", 39 | "url":"https://spring-webflux-security-hybrid-usage-((ID)).((LANDSCAPE_APPS_DOMAIN))", 40 | "forwardAuthToken": true} 41 | ] 42 | ... 43 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/main/java/sample/spring/webflux/hybrid/Application.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.webflux.hybrid; 7 | 8 | import org.springframework.boot.SpringApplication; 9 | import org.springframework.boot.autoconfigure.SpringBootApplication; 10 | 11 | @SpringBootApplication 12 | public class Application { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(Application.class, args); 16 | } 17 | 18 | } 19 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/main/java/sample/spring/webflux/hybrid/TestController.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.webflux.hybrid; 7 | 8 | import com.sap.cloud.security.spring.token.ReactiveSecurityContext; 9 | import com.sap.cloud.security.xsuaa.jwt.Base64JwtDecoder; 10 | import org.springframework.http.HttpStatus; 11 | import org.springframework.http.MediaType; 12 | import org.springframework.http.ResponseEntity; 13 | import org.springframework.web.bind.annotation.GetMapping; 14 | import org.springframework.web.bind.annotation.RestController; 15 | import reactor.core.publisher.Mono; 16 | 17 | @RestController 18 | public class TestController { 19 | 20 | @GetMapping("/v1/sayHello") 21 | public Mono> sayHello() { 22 | ResponseEntity.BodyBuilder unAuthenticated = ResponseEntity.status(HttpStatus.UNAUTHORIZED); 23 | 24 | return ReactiveSecurityContext.getToken() 25 | .doOnError(throwable -> Mono.just(unAuthenticated)) 26 | .map(token -> ResponseEntity.ok().contentType(MediaType.TEXT_PLAIN) 27 | .body(Base64JwtDecoder.getInstance().decode(token.getTokenValue()).getPayload())); 28 | } 29 | } 30 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # Setting Log Levels 5 | logging.level: 6 | com.sap: DEBUG # set SAP-class loggers to DEBUG. 7 | org.springframework: ERROR # set to DEBUG to see all beans loaded and auto-config conditions met. 8 | org.springframework.security: DEBUG # set to ERROR for production setups. 9 | org.springframework.webflux: DEBUG # set to ERROR for production setups. 
10 | sample.spring.webflux.hybrid: INFO 11 | spring: 12 | main: 13 | allow-bean-definition-overriding: true 14 | 15 | -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/test/java/sample/spring/webflux/hybrid/ApplicationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package sample.spring.webflux.hybrid; 7 | 8 | import com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration; 9 | import org.junit.Test; 10 | import org.junit.runner.RunWith; 11 | import org.springframework.boot.test.context.SpringBootTest; 12 | import org.springframework.test.context.junit4.SpringRunner; 13 | 14 | @RunWith(SpringRunner.class) 15 | @SpringBootTest(classes = { HybridIdentityServicesAutoConfiguration.class }) 16 | public class ApplicationTest { 17 | 18 | @Test 19 | public void contextLoads() { 20 | } 21 | 22 | } -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/test/resources/application.yml: -------------------------------------------------------------------------------- 1 | 2 | spring: 3 | main: 4 | allow-bean-definition-overriding: true 5 | sap: 6 | security: 7 | services: 8 | identity: 9 | clientid: sb-clientId!t0815 10 | xsuaa: 11 | clientid: sb-clientId!t0815 12 | xsappname: xsapp!t0815 -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/test/resources/iasClaims.json: -------------------------------------------------------------------------------- 1 | { 2 | "groups": ["IASAUTHZ_Read"] 3 | } -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/src/test/resources/mockServer/jwks.json: -------------------------------------------------------------------------------- 1 | { 2 | "keys": [ 3 | { 4 | "kty": "RSA", 5 | "e": "AQAB", 6 | "use": "sig", 7 | "kid": "legacy-token-key", 8 | "alg": "RS256", 9 | "value": "-----BEGIN PUBLIC 
KEY-----\\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2G5MUF7szUMJfiaghYeb\\nwB+BgaG4wkbIDZ5fJU8Zm0/WnaupCCKX0fguLC21FtHATC6SOpOuVClXe9GY9AVJ\\nq3nyqAsiUil66jH9Y+kmeLeRVoBp8KXMQ15+W69GNU7/sYv+0k5PLUaxJPmcwb+W\\nCq9hw76zRXeEijnZ41YlVC9jcnZ7IjHjp2BASoznImmGJDW6F30FRbP/MLtfv5fM\\npj17OziVNE+eacuIygSH0IZZ+wvV7AcJAZlEwkCFqzzbVx2cLvRIpacHz2ci4seI\\nIxdPRj8O7i4y29hdSsHqTRFLtQiwCgIr7YItA5voVY/bS+CYy8a1MSckdXvFa5jY\\newIDAQAB\\n-----END PUBLIC KEY-----", 10 | "n": "ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs" 11 | } 12 | ] 13 | } -------------------------------------------------------------------------------- /samples/spring-webflux-security-hybrid-usage/xs-security.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsappname": "spring-webflux-security-hybrid-usage", 3 | "description": "SAP BTP Spring Security Client Library Webflux sample application", 4 | "tenant-mode": "dedicated", 5 | "oauth2-configuration": { 6 | "credential-types": ["x509"] 7 | }, 8 | "scopes": [ 9 | { 10 | "name": "$XSAPPNAME.Read", 11 | "description": "Scope for spring-webflux-security-hybrid-usage sample application" 12 | } 13 | ], 14 | "role-templates": [ 15 | { 16 | "name": "Viewer", 17 | "description": "Role for spring-webflux-security-hybrid-usage sample application", 18 | "scope-references": [ 19 | "$XSAPPNAME.Read" 20 | ] 21 | } 22 | ], 23 | "role-collections": [ 24 | { 25 | "name": "Sample Viewer (spring-webflux-security-hybrid-usage)", 26 | "description": "Role collection for spring-webflux-security-hybrid-usage sample application", 27 | "role-template-references": [ 28 | "$XSAPPNAME.Viewer" 29 | ] 30 | } 31 | ] 32 | } 33 | 
-------------------------------------------------------------------------------- /samples/vars.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | # some data to make the urls unique 5 | # change to another value, e.g. your User ID 6 | ID: 00-00-00 7 | 8 | # Choose cfapps.eu10.hana.ondemand.com for the EU10 landscape, cfapps.us10.hana.ondemand.com for US10 9 | LANDSCAPE_APPS_DOMAIN: cfapps.eu10.hana.ondemand.com 10 | #LANDSCAPE_APPS_DOMAIN: cfapps.us10.hana.ondemand.com 11 | 12 | -------------------------------------------------------------------------------- /spring-security-starter/src/main/resources/META-INF/spring.factories: -------------------------------------------------------------------------------- 1 | org.springframework.boot.env.EnvironmentPostProcessor=\ 2 | com.sap.cloud.security.spring.autoconfig.SecurityContextEnvironmentPostProcessor 3 | -------------------------------------------------------------------------------- /spring-security-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesAutoConfiguration 2 | com.sap.cloud.security.spring.autoconfig.HybridIdentityServicesProofTokenAutoConfiguration 3 | com.sap.cloud.security.spring.autoconfig.HybridAuthorizationAutoConfiguration 4 | com.sap.cloud.security.spring.autoconfig.XsuaaTokenFlowAutoConfiguration 5 | -------------------------------------------------------------------------------- /spring-security/src/main/java/com/sap/cloud/security/spring/autoconfig/SapSecurityProperties.java: -------------------------------------------------------------------------------- 1 | /** 2 | * 
SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | * SPDX-License-Identifier: Apache-2.0 4 | */ 5 | package com.sap.cloud.security.spring.autoconfig; 6 | 7 | public class SapSecurityProperties { 8 | 9 | static final String SAP_SECURITY_SERVICES_IDENTITY_DOMAINS = "sap.security.services.identity.domains"; 10 | static final String SAP_SECURITY_SERVICES_XSUAA_UAADOMAIN = "sap.security.services.xsuaa.uaadomain"; 11 | static final String SAP_SECURITY_SERVICES_XSUAA_0_UAADOMAIN = "sap.security.services.xsuaa[0].uaadomain"; 12 | static final String SAP_SPRING_SECURITY_IDENTITY_PROOFTOKEN = "sap.spring.security.identity.prooftoken"; 13 | static final String SAP_SPRING_SECURITY_HYBRID = "sap.spring.security.hybrid.auto"; 14 | private SapSecurityProperties() { 15 | } 16 | } 17 | -------------------------------------------------------------------------------- /spring-security/src/main/java/com/sap/cloud/security/spring/config/IdentityServiceConfiguration.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.spring.config; 7 | 8 | import com.sap.cloud.security.config.Service; 9 | import org.springframework.boot.context.properties.ConfigurationProperties; 10 | 11 | @ConfigurationProperties("sap.security.services.identity") 12 | public class IdentityServiceConfiguration extends OAuth2ServiceConfigurationProperties { 13 | 14 | /** 15 | * Creates a new instance to map configuration of a dedicated identity service. 16 | */ 17 | public IdentityServiceConfiguration() { 18 | super(Service.IAS); 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /spring-security/src/main/java/com/sap/cloud/security/spring/config/XsuaaServiceConfiguration.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.spring.config; 7 | 8 | import com.sap.cloud.security.config.Service; 9 | import org.springframework.boot.context.properties.ConfigurationProperties; 10 | 11 | @ConfigurationProperties("sap.security.services.xsuaa") 12 | public class XsuaaServiceConfiguration extends OAuth2ServiceConfigurationProperties { 13 | 14 | /** 15 | * Creates a new instance to map configuration of a dedicated XSUAA service. 16 | */ 17 | public XsuaaServiceConfiguration() { 18 | super(Service.XSUAA); 19 | } 20 | } -------------------------------------------------------------------------------- /spring-security/src/main/java/com/sap/cloud/security/spring/config/XsuaaServiceConfigurations.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.spring.config; 7 | 8 | import org.springframework.boot.context.properties.ConfigurationProperties; 9 | import org.springframework.boot.context.properties.NestedConfigurationProperty; 10 | 11 | import java.util.ArrayList; 12 | import java.util.List; 13 | 14 | @ConfigurationProperties("sap.security.services") 15 | public class XsuaaServiceConfigurations { 16 | @NestedConfigurationProperty 17 | private List xsuaa = new ArrayList<>(); 18 | 19 | public List getConfigurations() { 20 | return this.xsuaa; 21 | } 22 | 23 | public void setXsuaa(List xsuaa) { 24 | this.xsuaa = xsuaa; 25 | } 26 | 27 | } 28 | -------------------------------------------------------------------------------- /spring-security/src/test/java/com/sap/cloud/security/spring/config/ConfigurationAssertions.java: -------------------------------------------------------------------------------- 1 | package com.sap.cloud.security.spring.config; 2 | 3 | import com.sap.cloud.security.config.OAuth2ServiceConfiguration; 4 | import com.sap.cloud.security.config.ServiceConstants; 5 | 6 | import static org.junit.jupiter.api.Assertions.assertEquals; 7 | 8 | public class ConfigurationAssertions { 9 | static void assertXsuaaConfigsAreEqual(XsuaaServiceConfiguration xsuaaConfig, 10 | OAuth2ServiceConfiguration oauthConfig) { 11 | assertEquals(oauthConfig.getClientId(), xsuaaConfig.getClientId()); 12 | assertEquals(oauthConfig.getClientSecret(), xsuaaConfig.getClientSecret()); 13 | assertEquals(oauthConfig.getProperty(ServiceConstants.XSUAA.UAA_DOMAIN), 14 | xsuaaConfig.getProperty(ServiceConstants.XSUAA.UAA_DOMAIN)); 15 | assertEquals(oauthConfig.getProperty(ServiceConstants.XSUAA.APP_ID), 16 | xsuaaConfig.getProperty(ServiceConstants.XSUAA.APP_ID)); 17 | assertEquals(oauthConfig.getProperty(ServiceConstants.NAME), xsuaaConfig.getName()); 18 | assertEquals(oauthConfig.getProperty(ServiceConstants.SERVICE_PLAN), xsuaaConfig.getPlan()); 19 
| } 20 | } 21 | -------------------------------------------------------------------------------- /spring-security/src/test/java/com/sap/cloud/security/spring/config/XsuaaServiceConfigurationTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.spring.config; 7 | 8 | import org.junit.jupiter.api.Test; 9 | import org.springframework.boot.context.properties.EnableConfigurationProperties; 10 | import org.springframework.boot.test.context.runner.ApplicationContextRunner; 11 | 12 | import static org.junit.jupiter.api.Assertions.assertEquals; 13 | 14 | class XsuaaServiceConfigurationTest { 15 | 16 | private final ApplicationContextRunner runner = new ApplicationContextRunner(); 17 | 18 | @EnableConfigurationProperties(XsuaaServiceConfiguration.class) 19 | static class EnablePropertiesConfiguration { 20 | } 21 | 22 | @Test 23 | void configuresXsuaaServiceConfiguration() { 24 | runner.withUserConfiguration(EnablePropertiesConfiguration.class) 25 | .withPropertyValues( 26 | "sap.security.services.xsuaa.url:http://localhost", 27 | "sap.security.services.xsuaa.uaadomain:localhost", 28 | "sap.security.services.xsuaa.clientid:cid", 29 | "sap.security.services.xsuaa.name:xsuaaInstance0", 30 | "sap.security.services.xsuaa.plan:broker") 31 | .run(context -> { 32 | XsuaaServiceConfiguration config = context.getBean(XsuaaServiceConfiguration.class); 33 | assertEquals("http://localhost", config.getUrl().toString()); 34 | assertEquals("xsuaaInstance0", config.getName()); 35 | assertEquals("broker", config.getPlan()); 36 | }); 37 | } 38 | } 39 | -------------------------------------------------------------------------------- /spring-security/src/test/resources/fourXsuaaBindingsAndOneIasBinding.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "credentials": { 5 | "clientid": "client-id-broker", 6 | "clientsecret": "client-secret-broker" 7 | }, 8 | "name": "xsuaaInstance0", 9 | "plan": "broker" 10 | }, 11 | { 12 | "credentials": { 13 | "clientid": "client-id-broker2", 14 | "clientsecret": "client-secret-broker2" 15 | }, 16 | "name": "xsuaaInstance1", 17 | "plan": "broker" 18 | 
}, 19 | { 20 | "credentials": { 21 | "clientid": "client-id2", 22 | "clientsecret": "client-secret2", 23 | "url": "http://domain.xsuaadomain", 24 | "uaadomain": "xsuaadomain", 25 | "xsappname": "xsappname2" 26 | }, 27 | "name": "xsuaaInstance2", 28 | "plan": "application" 29 | }, 30 | { 31 | "credentials": { 32 | "clientid": "client-id", 33 | "clientsecret": "client-secret", 34 | "url": "http://domain.xsuaadomain", 35 | "uaadomain": "xsuaadomain", 36 | "xsappname": "xsappname" 37 | }, 38 | "name": "xsuaaInstance3", 39 | "plan": "application" 40 | } 41 | ], 42 | "identity": [ 43 | { 44 | "credentials": { 45 | "clientid": "client-id-ias", 46 | "clientsecret": "client-secret-ias", 47 | "url": "http://domain.iasdomain", 48 | "domains": ["iasdomain", "iasdomain.com"] 49 | }, 50 | "name": "identityInstance0", 51 | "plan": "broker" 52 | } 53 | ] 54 | } 55 | -------------------------------------------------------------------------------- /spring-security/src/test/resources/singleXsuaaAndIasBinding.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "credentials": { 5 | "clientid": "client-id", 6 | "clientsecret": "client-secret", 7 | "url": "http://domain.xsuaadomain", 8 | "uaadomain": "xsuaadomain", 9 | "xsappname": "xsappname" 10 | }, 11 | "name": "xsuaaInstance0", 12 | "plan": "application" 13 | } 14 | ], 15 | "identity": [ 16 | { 17 | "credentials": { 18 | "clientid": "client-id-ias", 19 | "clientsecret": "client-secret-ias", 20 | "url": "http://domain.iasdomain", 21 | "domains": ["iasdomain"] 22 | }, 23 | "name": "identityInstance0", 24 | "plan": "broker" 25 | } 26 | ] 27 | } 28 | -------------------------------------------------------------------------------- /spring-security/src/test/resources/xsuaaBindingsTwoApplicationsNoBroker.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "credentials": { 5 | "clientid": "client-id2", 6 | 
"clientsecret": "client-secret2", 7 | "url": "http://domain.xsuaadomain", 8 | "uaadomain": "xsuaadomain", 9 | "xsappname": "xsappname2" 10 | }, 11 | "name": "xsuaaInstance0", 12 | "plan": "application" 13 | }, 14 | { 15 | "credentials": { 16 | "clientid": "client-id", 17 | "clientsecret": "client-secret", 18 | "url": "http://domain.xsuaadomain", 19 | "uaadomain": "xsuaadomain", 20 | "xsappname": "xsappname" 21 | }, 22 | "name": "xsuaaInstance1", 23 | "plan": "application" 24 | } 25 | ], 26 | "identity": [ 27 | { 28 | "credentials": { 29 | "clientid": "client-id-ias", 30 | "clientsecret": "client-secret-ias", 31 | "url": "http://domain.iasdomain", 32 | "domains": ["iasdomain", "iasdomain.com"] 33 | }, 34 | "name": "identityInstance0", 35 | "plan": "broker" 36 | } 37 | ] 38 | } 39 | -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/java/com/sap/cloud/security/xsuaa/mock/JWTUtil.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.mock; 7 | 8 | import com.sap.cloud.security.xsuaa.test.JwtGenerator; 9 | 10 | import java.io.IOException; 11 | 12 | public class JWTUtil { 13 | 14 | private JWTUtil() { 15 | // hide public one 16 | } 17 | 18 | public static String createJWT(String pathToTemplate, String subdomain) throws IOException { 19 | return JWTUtil.createJWT(pathToTemplate, subdomain, "legacy-token-key-" + subdomain); 20 | } 21 | 22 | public static String createJWT(String pathToTemplate, String subdomain, String keyId) throws IOException { 23 | JwtGenerator jwtGenerator = new JwtGenerator("sb-java-hello-world", subdomain) 24 | .setJwtHeaderKeyId(keyId); 25 | return jwtGenerator.createFromTemplate(pathToTemplate).getTokenValue(); 26 | } 27 | 28 | } 29 | -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/java/testservice/api/XsuaaITApplication.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package testservice.api; 7 | 8 | import org.springframework.boot.SpringApplication; 9 | import org.springframework.boot.autoconfigure.SpringBootApplication; 10 | 11 | @SpringBootApplication 12 | public class XsuaaITApplication { 13 | 14 | public static void main(String[] args) { 15 | SpringApplication.run(XsuaaITApplication.class, args); 16 | } 17 | } 18 | -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/java/testservice/api/nohttp/SecurityConfiguration.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package testservice.api.nohttp; 7 | 8 | import org.springframework.context.annotation.Configuration; 9 | import org.springframework.context.annotation.Profile; 10 | 11 | @Configuration 12 | @Profile({ "test.api.nohttp" }) 13 | public class SecurityConfiguration { 14 | 15 | } 16 | -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/application.yml: -------------------------------------------------------------------------------- 1 | # SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 2 | # SPDX-License-Identifier: Apache-2.0 3 | --- 4 | server: 5 | port: 9999 6 | xsuaa: 7 | xsappname: 'java-hello-world' 8 | clientid: 'sb-java-hello-world' -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/cc.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "8e7b3b00-7751-4b46-9b1a-5a46a2a1d5b8", 3 | "sub": "1002191", 4 | "scope": [ 5 | "java-hello-world.Display", 6 | "openid", 7 | "java-hello-world.Delete", 8 | "java-hello-world.Create" 9 | ], 10 | "client_id": "sb-java-hello-world", 11 | "cid": "sb-java-hello-world", 12 | "azp": "sb-java-hello-world", 13 | "grant_type": "client_credentials", 14 | "iat": 1442912244, 15 | "exp": $exp, 16 | "iss": "http://localhost:8080/uaa/oauth/token", 17 | "zid": "$zid", 18 | "aud": [ 19 | ], 20 | "ext_attr": { 21 | "serviceinstanceid": "abcd1234", 22 | "zdn": "$zdn" 23 | } 24 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/claims_template.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "37587e8c45b84a85820744c1459910b5", 3 | "ext_attr": { 4 | "enhancer": "XSUAA", 5 | "serviceinstanceid": "brokerCloneServiceInstanceId", 6 | 
"acl": ["app1!t23"] 7 | }, 8 | "xs.system.attributes": { 9 | "xs.saml.groups": [ 10 | "g1" 11 | ], 12 | "xs.rolecollections": [] 13 | }, 14 | "given_name": "TestUser", 15 | "xs.user.attributes": {"usrAttr": ["test"]}, 16 | "family_name": "unknown.org", 17 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 18 | "scope": [ 19 | "openid", "testScope", "testApp.localScope" 20 | ], 21 | "client_id": "$clientid", 22 | "cid": "sb-clone1!b5|LR-master!b5", 23 | "azp": "sb-clone1!b5|LR-master!b5", 24 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", 25 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 26 | "origin": "useridp", 27 | "user_name": "TestUser", 28 | "email": "TestUser@uaa.org", 29 | "rev_sig": "b850756a", 30 | "iat": 1532416849, 31 | "exp": $exp, 32 | "iss": "http://paas.localhost:8080/uaa/oauth/token", 33 | "zid": "$zid", 34 | "aud": [], 35 | "az_attr": {"external_id":"abcd1234"} 36 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/claims_templateMultiTenancy.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "37587e8c45b84a85820744c1459910b5", 3 | "ext_attr": { 4 | "enhancer": "XSUAA", 5 | "serviceinstanceid": "brokerCloneServiceInstanceId", 6 | "zdn": "paas", 7 | "acl": ["app1!t23"] 8 | }, 9 | "xs.system.attributes": { 10 | "xs.saml.groups": [ 11 | "g1" 12 | ], 13 | "xs.rolecollections": [] 14 | }, 15 | "given_name": "TestUser", 16 | "xs.user.attributes": {"usrAttr": ["test"]}, 17 | "family_name": "unknown.org", 18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 19 | "scope": [ 20 | "openid", "testScope", "testApp.localScope" 21 | ], 22 | "client_id": "$clientid", 23 | "cid": "sb-clone1!b5|LR-master!b5", 24 | "azp": "sb-clone1!b5|LR-master!b5", 25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", 26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 27 | "origin": "useridp", 28 | "user_name": "TestUser", 
29 | "email": "TestUser@uaa.org", 30 | "rev_sig": "b850756a", 31 | "iat": 1532416849, 32 | "exp": $exp, 33 | "iss": "http://paas.localhost:8080/uaa/oauth/token", 34 | "zid": "paas", 35 | "aud": [], 36 | "az_attr": {"external_id":"abcd1234"} 37 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/expired.txt: -------------------------------------------------------------------------------- 1 | { 2 | "client_id": "sb-java-hello-world", 3 | "cid": "sb-java-hello-world", 4 | "grant_type": "authorization_code", 5 | "iat": 1442912244, 6 | "exp": 1442912245, 7 | "iss": "http://localhost:8080/uaa/oauth/token", 8 | "zid": "$zid", 9 | "aud": [], 10 | "scope": [ 11 | "java-hello-world.Display", 12 | "openid", 13 | "java-hello-world.Delete", 14 | "java-hello-world.Create" 15 | ] 16 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/insufficient_scoped.txt: -------------------------------------------------------------------------------- 1 | { 2 | "client_id": "sb-java-hello-world", 3 | "cid": "wrongClientId", 4 | "grant_type": "authorization_code", 5 | "iat": 1442912244, 6 | "exp": $exp, 7 | "iss": "http://localhost:8080/uaa/oauth/token", 8 | "zid": "$zid", 9 | "aud": [], 10 | "scope": [ "insufficient" ] 11 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/main/resources/password.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "8e7b3b00-7751-4b46-9b1a-5a46a2a1d5b8", 3 | "xs.user.attributes": { 4 | "cost-center": [ 5 | "0815", 6 | "4711" 7 | ], 8 | "country": [ 9 | "Germany" 10 | ] 11 | }, 12 | "xs.system.attributes": { 13 | "xs.saml.groups": [ 14 | "g1" 15 | ], 16 | "xs.rolecollections": ["rc1"] 17 | }, 18 | "sub": "1002191", 19 | "scope": [ 20 | "java-hello-world.Display", 21 | "openid", 22 | "java-hello-world.Delete", 23 | 
"java-hello-world.Create" 24 | ], 25 | "client_id": "sb-java-hello-world", 26 | "cid": "sb-java-hello-world", 27 | "azp": "sb-java-hello-world", 28 | "grant_type": "password", 29 | "user_id": "1002191", 30 | "user_name": "Mustermann", 31 | "origin": "useridp", 32 | "email": "max@example.com", 33 | "iat": 1442912244, 34 | "exp": $exp, 35 | "iss": "http://localhost:8080/uaa/oauth/token", 36 | "zid": "11-22-33-$zdn", 37 | "aud": [ 38 | ], 39 | "az_attr": { 40 | "external_group": "domain\\group1", 41 | "external_id": "abcd1234" 42 | }, 43 | "ext_attr": { 44 | "serviceinstanceid": "abcd1234", 45 | "zdn": "$zdn" 46 | } 47 | } -------------------------------------------------------------------------------- /spring-xsuaa-it/src/test/java/testservice/api/MockXsuaaServerConfiguration.java: -------------------------------------------------------------------------------- 1 | package testservice.api; 2 | 3 | import okhttp3.mockwebserver.MockWebServer; 4 | import org.junit.jupiter.api.BeforeAll; 5 | import org.springframework.test.context.TestPropertySource; 6 | 7 | import java.io.IOException; 8 | 9 | @TestPropertySource(properties = { "xsuaa.xsappname=java-hello-world", "xsuaa.clientid=sb-java-hello-world", 10 | "xsuaa.url=http://localhost:33195", "xsuaa.uaadomain=http://localhost:33195" }) 11 | public class MockXsuaaServerConfiguration { 12 | private static final int DEFAULT_PORT = 33195; 13 | private static MockWebServer server; 14 | 15 | @BeforeAll 16 | static void beforeAll() throws IOException { 17 | initServer(); 18 | } 19 | 20 | private static void initServer() throws IOException { 21 | if (server == null) { 22 | server = new MockWebServer(); 23 | server.setDispatcher(new XsuaaRequestDispatcher()); 24 | server.start(DEFAULT_PORT); 25 | } 26 | } 27 | 28 | } 29 | -------------------------------------------------------------------------------- /spring-xsuaa-it/src/test/resources/mockServer/otherdomain_token_keys.json: 
-------------------------------------------------------------------------------- 1 | {"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"legacy-token-key-otherdomain","alg":"RS256","value":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2G5MUF7szUMJfiaghYeb\nwB+BgaG4wkbIDZ5fJU8Zm0/WnaupCCKX0fguLC21FtHATC6SOpOuVClXe9GY9AVJ\nq3nyqAsiUil66jH9Y+kmeLeRVoBp8KXMQ15+W69GNU7/sYv+0k5PLUaxJPmcwb+W\nCq9hw76zRXeEijnZ41YlVC9jcnZ7IjHjp2BASoznImmGJDW6F30FRbP/MLtfv5fM\npj17OziVNE+eacuIygSH0IZZ+wvV7AcJAZlEwkCFqzzbVx2cLvRIpacHz2ci4seI\nIxdPRj8O7i4y29hdSsHqTRFLtQiwCgIr7YItA5voVY/bS+CYy8a1MSckdXvFa5jY\newIDAQAB\n-----END PUBLIC KEY-----","n":"ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs"}]} -------------------------------------------------------------------------------- /spring-xsuaa-it/src/test/resources/mockServer/publicKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2G5MUF7szUMJfiaghYeb\nwB+BgaG4wkbIDZ5fJU8Zm0/WnaupCCKX0fguLC21FtHATC6SOpOuVClXe9GY9AVJ\nq3nyqAsiUil66jH9Y+kmeLeRVoBp8KXMQ15+W69GNU7/sYv+0k5PLUaxJPmcwb+W\nCq9hw76zRXeEijnZ41YlVC9jcnZ7IjHjp2BASoznImmGJDW6F30FRbP/MLtfv5fM\npj17OziVNE+eacuIygSH0IZZ+wvV7AcJAZlEwkCFqzzbVx2cLvRIpacHz2ci4seI\nIxdPRj8O7i4y29hdSsHqTRFLtQiwCgIr7YItA5voVY/bS+CYy8a1MSckdXvFa5jY\newIDAQAB\n-----END PUBLIC KEY----- -------------------------------------------------------------------------------- /spring-xsuaa-it/src/test/resources/mockServer/testdomain_token_keys.json: -------------------------------------------------------------------------------- 1 | { 2 | "keys": [ 3 | { 4 | "kty": "RSA", 5 | "e": "AQAB", 6 | "use": 
"sig", 7 | "kid": "$kid", 8 | "alg": "RS256", 9 | "value": "$public_key", 10 | "n": "ANhuTFBe7M1DCX4moIWHm8AfgYGhuMJGyA2eXyVPGZtP1p2rqQgil9H4LiwttRbRwEwukjqTrlQpV3vRmPQFSat58qgLIlIpeuox_WPpJni3kVaAafClzENefluvRjVO_7GL_tJOTy1GsST5nMG_lgqvYcO-s0V3hIo52eNWJVQvY3J2eyIx46dgQEqM5yJphiQ1uhd9BUWz_zC7X7-XzKY9ezs4lTRPnmnLiMoEh9CGWfsL1ewHCQGZRMJAhas821cdnC70SKWnB89nIuLHiCMXT0Y_Du4uMtvYXUrB6k0RS7UIsAoCK-2CLQOb6FWP20vgmMvGtTEnJHV7xWuY2Hs" 11 | } 12 | ] 13 | } -------------------------------------------------------------------------------- /spring-xsuaa-starter/src/main/resources/META-INF/spring/org.springframework.boot.autoconfigure.AutoConfiguration.imports: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.xsuaa.autoconfiguration.XsuaaAutoConfiguration 2 | com.sap.cloud.security.xsuaa.autoconfiguration.XsuaaResourceServerJwkAutoConfiguration 3 | com.sap.cloud.security.xsuaa.autoconfiguration.XsuaaTokenFlowAutoConfiguration -------------------------------------------------------------------------------- /spring-xsuaa-test/src/main/java/com/sap/cloud/security/xsuaa/test/jwt/DecodedJwt.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.test.jwt; 7 | 8 | /** 9 | * A Jwt token consists of three parts, separated by ".": header.payload.signature 10 | *

11 | * Use {@code Base64JwtDecoder.getInstance().decode(token)} to get a {@link DecodedJwt} instance. 12 | */ 13 | 14 | public interface DecodedJwt { 15 | 16 | /** 17 | * Get the base64 decoded header of the jwt as UTF-8 String. 18 | * 19 | * @return the decoded header. 20 | */ 21 | String getHeader(); 22 | 23 | /** 24 | * Get the base64 decoded payload of the jwt as UTF-8 String. 25 | * 26 | * @return the decoded payload. 27 | */ 28 | String getPayload(); 29 | 30 | /** 31 | * Get the encoded signature of the jwt. 32 | * 33 | * @return the decoded signature. 34 | */ 35 | String getSignature(); 36 | 37 | /** 38 | * Get the original encoded access token. 39 | * 40 | *

41 | * Never expose this token via log or via HTTP. 42 | * 43 | * @return jwt token 44 | */ 45 | String getEncodedToken(); 46 | 47 | } 48 | -------------------------------------------------------------------------------- /spring-xsuaa-test/src/main/resources/spring-xsuaa-publicKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN PUBLIC KEY----- 2 | MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn5dYHyD/nn/Pl+/W8jNG 3 | WHDaNItXqPuEk/hiozcPF+9l3qEgpRZrMx5ya7UjGdvihidGFQ9+efgaaqCLbk+b 4 | BsbU5L4WoJK+/t1mgWCiKI0koaAGDsztZsd3Anz4LEi2+NVNdupRq0ScHzweEKzq 5 | aa/LgtBi5WwyA5DaD33gbytG9hdFJvggzIN9+DSverHSAtqGUHhwHSU4/mL36xSR 6 | eyqiKDiVyhf/y6V6eiE0USubTEGaWVUANIteiC+8Ags5UF22QoqMo3ttKnEyFTHp 7 | GCXSn+AEO0WMLK1pPavAjPaOyf4cVX8b/PzHsfBPDMK/kNKNEaU5lAXo8dLUbRYq 8 | uQIDAQAB 9 | -----END PUBLIC KEY----- -------------------------------------------------------------------------------- /spring-xsuaa-test/src/test/java/com/sap/cloud/security/xsuaa/test/TestConstants.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.test; 7 | 8 | public interface TestConstants { 9 | String DUMMY_SCOPE = "someScope"; 10 | String ANOTHER_SCOPE = "someOtherScope"; 11 | String DUMMY_ATTRIBUTE = "dummy-attribute"; 12 | String ANOTHER_ATTRIBUTE = "another-attribute"; 13 | String ANOTHER_ATTRIBUTE_VALUE = "100"; 14 | String ANOTHER_ATTRIBUTE_VALUE_2 = "200"; 15 | } 16 | -------------------------------------------------------------------------------- /spring-xsuaa-test/src/test/resources/claims_template.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "37587e8c45b84a85820744c1459910b5", 3 | "ext_attr": { 4 | "enhancer": "XSUAA", 5 | "serviceinstanceid": "brokerCloneServiceInstanceId", 6 | "zdn": "$zdn", 7 | "acl": ["app1!t23"] 8 | }, 9 | "xs.system.attributes": { 10 | "xs.saml.groups": [ 11 | "g1" 12 | ], 13 | "xs.rolecollections": [] 14 | }, 15 | "given_name": "$username", 16 | "xs.user.attributes": {"usrAttr": ["value_1", "value_2"]}, 17 | "family_name": "unknown.org", 18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 19 | "scope": [ 20 | "openid", "testScope", "testApp.localScope" 21 | ], 22 | "client_id": "$clientid", 23 | "cid": "sb-clone1!b5|LR-master!b5", 24 | "azp": "sb-clone1!b5|LR-master!b5", 25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", 26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 27 | "origin": "useridp", 28 | "user_name": "$username", 29 | "email": "$username@uaa.org", 30 | "rev_sig": "b850756a", 31 | "iat": 1532416849, 32 | "exp": $exp, 33 | "iss": "http://paas.localhost:8080/uaa/oauth/token", 34 | "zid": "$zid", 35 | "aud": [], 36 | "az_attr": {"external_id":"abcd1234"} 37 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/AuthoritiesExtractor.java: 
-------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.extractor; 7 | 8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken; 9 | import org.springframework.security.core.GrantedAuthority; 10 | 11 | import java.util.Collection; 12 | 13 | /** 14 | * Extracts the authorities from the Jwt token. Can use this method to map / manipulate scopes, e.g. by changing their 15 | * prefix, etc. 16 | */ 17 | public interface AuthoritiesExtractor { 18 | /** 19 | * Returns the granted authorities based on the information in the Jwt. A standard implementation will base the 20 | * granted authorities on the scopes. 21 | * 22 | * @param jwt 23 | * the Jwt to extract the authorities from. 24 | * @return the collection of granted authorities. 25 | */ 26 | Collection getAuthorities(XsuaaToken jwt); 27 | } 28 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/DefaultAuthoritiesExtractor.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.extractor; 7 | 8 | import com.sap.cloud.security.xsuaa.token.TokenClaims; 9 | import com.sap.cloud.security.xsuaa.token.XsuaaToken; 10 | import org.springframework.security.core.GrantedAuthority; 11 | import org.springframework.security.core.authority.SimpleGrantedAuthority; 12 | import org.springframework.security.oauth2.jwt.Jwt; 13 | import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter; 14 | 15 | import java.util.Collection; 16 | import java.util.Collections; 17 | import java.util.List; 18 | import java.util.stream.Collectors; 19 | 20 | public class DefaultAuthoritiesExtractor extends JwtAuthenticationConverter implements AuthoritiesExtractor { 21 | 22 | public Collection getAuthorities(XsuaaToken jwt) { 23 | return extractAuthorities(jwt); 24 | } 25 | 26 | protected Collection extractAuthorities(Jwt jwt) { 27 | List scopes = jwt.getClaimAsStringList(TokenClaims.CLAIM_SCOPES); 28 | 29 | if (scopes == null) { 30 | return Collections.emptyList(); 31 | } 32 | 33 | return scopes.stream() 34 | .map(SimpleGrantedAuthority::new) 35 | .collect(Collectors.toList()); 36 | } 37 | 38 | } 39 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/extractor/LocalAuthoritiesExtractor.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.extractor; 7 | 8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken; 9 | import org.springframework.security.core.GrantedAuthority; 10 | import org.springframework.security.core.authority.SimpleGrantedAuthority; 11 | 12 | import java.util.Collection; 13 | import java.util.Collections; 14 | import java.util.HashSet; 15 | import java.util.Set; 16 | import java.util.stream.Collectors; 17 | import java.util.stream.Stream; 18 | 19 | public class LocalAuthoritiesExtractor implements AuthoritiesExtractor { 20 | 21 | protected final String appId; 22 | 23 | public LocalAuthoritiesExtractor(String appId) { 24 | this.appId = appId; 25 | } 26 | 27 | @Override 28 | public Collection getAuthorities(XsuaaToken jwt) { 29 | 30 | Set scopeAuthorities = new HashSet<>(getScopes(jwt, appId)); 31 | 32 | Stream authorities = Stream.of(scopeAuthorities).flatMap(Collection::stream); 33 | 34 | return authorities.map(SimpleGrantedAuthority::new).collect(Collectors.toList()); 35 | } 36 | 37 | protected Set getScopes(XsuaaToken jwt, String appId) { 38 | Collection scopes = jwt.getScopes(); 39 | if (scopes == null) { 40 | return Collections.emptySet(); 41 | } 42 | return scopes.stream() 43 | .filter(scope -> scope.startsWith(appId + ".")) 44 | .map(scope -> scope.substring(appId.length() + 1)) 45 | .collect(Collectors.toSet()); 46 | } 47 | 48 | } 49 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/AuthenticationToken.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.token; 7 | 8 | import org.springframework.security.core.GrantedAuthority; 9 | import org.springframework.security.oauth2.jwt.Jwt; 10 | import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken; 11 | 12 | import java.io.Serial; 13 | import java.util.Collection; 14 | 15 | /** 16 | * Internal class used to expose the {@link Token} implementation as the standard Principal for Spring Security Jwt 17 | * handling. 18 | * 19 | * @see TokenAuthenticationConverter 20 | * @see XsuaaToken 21 | */ 22 | public class AuthenticationToken extends JwtAuthenticationToken { 23 | 24 | @Serial 25 | private static final long serialVersionUID = -3779129534612771294L; 26 | 27 | private final Token token; 28 | 29 | public AuthenticationToken(Jwt jwt, Collection authorities) { 30 | super(jwt, authorities); 31 | 32 | // Here is where the actual magic happens. 33 | // The Jwt is exchanged for another implementation. 34 | XsuaaToken xsuaaToken = new XsuaaToken(getToken()); 35 | xsuaaToken.setAuthorities(this.getAuthorities()); 36 | this.token = xsuaaToken; 37 | } 38 | 39 | @Override 40 | public Object getPrincipal() { 41 | return token; 42 | } 43 | 44 | @Override 45 | public String getName() { 46 | return token.getUsername(); 47 | } 48 | } 49 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/OAuth2Principal.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.token; 7 | 8 | import org.springframework.security.core.GrantedAuthority; 9 | import org.springframework.security.oauth2.core.OAuth2AuthenticatedPrincipal; 10 | 11 | import java.util.Collection; 12 | import java.util.Map; 13 | 14 | class OAuth2Principal extends XsuaaToken implements OAuth2AuthenticatedPrincipal { 15 | 16 | private final Collection authorities; 17 | private final Map attributes; 18 | private final String name; 19 | 20 | public OAuth2Principal(AuthenticationToken authenticationToken) { 21 | super(authenticationToken.getToken()); 22 | this.authorities = authenticationToken.getAuthorities(); 23 | this.name = authenticationToken.getName(); 24 | this.attributes = authenticationToken.getTokenAttributes(); 25 | } 26 | 27 | @Override 28 | public Map getAttributes() { 29 | return this.attributes; 30 | } 31 | 32 | @Override 33 | public Collection getAuthorities() { 34 | return this.authorities; 35 | } 36 | 37 | @Override 38 | public String getName() { 39 | return this.name; 40 | } 41 | } 42 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/PostValidationAction.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.token.authentication; 7 | 8 | import org.springframework.security.oauth2.jwt.Jwt; 9 | 10 | public interface PostValidationAction { 11 | 12 | void perform(Jwt token); 13 | } 14 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/java/com/sap/cloud/security/xsuaa/token/authentication/TokenInfoExtractor.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.token.authentication; 7 | 8 | import com.nimbusds.jwt.JWT; 9 | 10 | /** 11 | * Responsible to extract information out of the token and provide it to the JwtDecoder. 12 | */ 13 | public interface TokenInfoExtractor { 14 | 15 | String getJku(JWT jwt); 16 | 17 | String getKid(JWT jwt); 18 | 19 | String getUaaDomain(JWT jwt); 20 | } 21 | -------------------------------------------------------------------------------- /spring-xsuaa/src/main/resources/META-INF/services/com.sap.cloud.security.xsuaa.token.authentication.httpclient.SpringHttpClientFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.xsuaa.token.authentication.httpclient.DefaultSpringHttpClientFactory -------------------------------------------------------------------------------- /spring-xsuaa/src/test/java/com/sap/cloud/security/xsuaa/extractor/LocalAuthoritiesExtractorTest.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

4 | * SPDX-License-Identifier: Apache-2.0 5 | */ 6 | package com.sap.cloud.security.xsuaa.extractor; 7 | 8 | import com.sap.cloud.security.xsuaa.token.XsuaaToken; 9 | import org.junit.Before; 10 | import org.junit.Test; 11 | import org.mockito.Mockito; 12 | import org.springframework.security.core.authority.SimpleGrantedAuthority; 13 | 14 | import java.util.Collection; 15 | import java.util.HashSet; 16 | 17 | import static org.assertj.core.api.Assertions.assertThat; 18 | 19 | public class LocalAuthoritiesExtractorTest { 20 | LocalAuthoritiesExtractor cut; 21 | XsuaaToken token; 22 | Collection scopes = new HashSet<>(); 23 | 24 | @Before 25 | public void setup() { 26 | cut = new LocalAuthoritiesExtractor("appId!1234"); 27 | 28 | token = Mockito.mock(XsuaaToken.class); 29 | scopes.add("appId!1234.Scope1"); 30 | scopes.add("appId!1234.Scope2"); 31 | scopes.add("appId2!888.Scope1"); 32 | scopes.add("appId2!777.Scope3"); 33 | Mockito.when(token.getScopes()).thenReturn(scopes); 34 | } 35 | 36 | @Test 37 | public void extractLocalScopes() { 38 | assertThat(cut.getAuthorities(token)).containsExactlyInAnyOrder( 39 | new SimpleGrantedAuthority("Scope1"), 40 | new SimpleGrantedAuthority("Scope2")); 41 | } 42 | 43 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/java/com/sap/cloud/security/xsuaa/token/XsuaaLocalhostJkuFactory.java: -------------------------------------------------------------------------------- 1 | package com.sap.cloud.security.xsuaa.token; 2 | 3 | import com.nimbusds.jwt.JWT; 4 | import com.nimbusds.jwt.JWTParser; 5 | import com.sap.cloud.security.token.TokenHeader; 6 | import com.sap.cloud.security.token.validation.XsuaaJkuFactory; 7 | 8 | import java.text.ParseException; 9 | 10 | public class XsuaaLocalhostJkuFactory implements XsuaaJkuFactory { 11 | 12 | @Override 13 | public String create(String token) { 14 | String tokenJku; 15 | try { 16 | JWT jwt = JWTParser.parse(token); 17 | tokenJku = 
(String) jwt.getHeader().toJSONObject().get(TokenHeader.JWKS_URL); 18 | } catch (ParseException e) { 19 | throw new RuntimeException(e); 20 | } 21 | 22 | if (tokenJku == null || tokenJku.contains("localhost") || tokenJku.contains("127.0.0.1")) { 23 | return tokenJku; 24 | } 25 | 26 | throw new IllegalArgumentException("JKU is not trusted because it does not target localhost."); 27 | } 28 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/META-INF/services/com.sap.cloud.security.token.validation.XsuaaJkuFactory: -------------------------------------------------------------------------------- 1 | com.sap.cloud.security.xsuaa.token.XsuaaLocalhostJkuFactory -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/XsuaaJwtDecoderTest.properties: -------------------------------------------------------------------------------- 1 | xsuaa.uaadomain=localhost 2 | xsuaa.clientid=sb-clientId!t0815 3 | xsuaa.verificationkey=-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB-----END PUBLIC KEY----- -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/accessTokenRSA256WithVerificationKey.txt: -------------------------------------------------------------------------------- 1 | 
eyJqa3UiOiJodHRwOi8vbG9jYWxob3N0OjY0MzEyL3Rva2VuX2tleXMiLCJraWQiOiJkZWZhdWx0LWtpZCIsImFsZyI6IlJTMjU2In0.eyJPcmlnaW4iOiJ4c3VhYSIsImF1ZCI6WyJzYi1jbGllbnRJZCF0MDgxNSJdLCJncmFudF90eXBlIjoidXNlcl90b2tlbiIsInNjb3BlIjpbInhzYXBwIXQwODE1LkRpc3BsYXkiLCJ4c2FwcCF0MDgxNS5VcGRhdGUiXSwiZXhwIjo2OTc0MDMxNjAwLCJjaWQiOiJzYi1jbGllbnRJZCF0MDgxNSJ9.Q3JsYsRLDprzcIb7mrmPFhK_UmodQfIuSVXQx5cK3XMCVXOQyhdglXjsn-M0BMM5CE31D_7kxbkZXEB507gIibGM7SCgcpuQ0rh0L7ZSuZMwDWcmvPZXvzs_reaq4c9_qn5hg0d9Wd17wmdIvkiiKojKtvfxQyx4sAiX-XRWrrYsK69QS9Yp2-cU7UDncvOZ-IYa8HCfUOo20XJ4ZfE4KzNnffeKMRfo9_J_jnD_j2MGURminAlbtKIzdqLzOXXjIzRz81pb5V0QRiIlPcBNN_Cgk6pcJwUyPPNH5ULHdHBepJbiDoL9-PaJ5nyA4DwTDi1QScWLhd5p7M6HDB-lKg -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/audience_1.txt: -------------------------------------------------------------------------------- 1 | { 2 | "cid":"sb-test1!t1", 3 | "exp":$exp, 4 | "scope":["test1!t1.read","test2!t1.write"], 5 | "user_name":"testUser", 6 | "user_id":"1234", 7 | "email":"testUser@testOrg", 8 | "zid":"demo", 9 | "grant_type":"password", 10 | "aud":["test1!t1","test2!t1","test4!t1.data"], 11 | "iat": 1532416849 12 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/audience_2.txt: -------------------------------------------------------------------------------- 1 | { 2 | "cid":"sb-test1!t1", 3 | "exp":$exp, 4 | "scope":["test1!t1.read","test2!t1.write"], 5 | "user_name":"testUser", 6 | "user_id":"1234", 7 | "email":"testUser@testOrg", 8 | "zid":"demo", 9 | "grant_type":"password", 10 | "aud":[], 11 | "iat": 1532416849 12 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/audience_3.txt: -------------------------------------------------------------------------------- 1 | { 2 | "cid":"sb-clone1!b22|test3!b1", 3 | "exp":$exp, 4 | "scope":["test1!t1.read","test2!t1.write"], 5 | 
"user_name":"testUser", 6 | "user_id":"1234", 7 | "email":"testUser@testOrg", 8 | "zid":"demo", 9 | "grant_type":"password", 10 | "aud":["clone1!b22|test3!b1"], 11 | "iat": 1532416849 12 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/audience_4.txt: -------------------------------------------------------------------------------- 1 | { 2 | "cid":"sb-clone1!b22|test3!b1", 3 | "exp":$exp, 4 | "scope":["test1!t1.read","test2!t1.write"], 5 | "user_name":"testUser", 6 | "user_id":"1234", 7 | "email":"testUser@testOrg", 8 | "zid":"demo", 9 | "grant_type":"password", 10 | "aud":[], 11 | "iat": 1532416849 12 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/claims_template.txt: -------------------------------------------------------------------------------- 1 | { 2 | "client_id":"$clientid", 3 | "exp":$exp, 4 | "scope":["java-hello-world.read"], 5 | "user_name":"testUser", 6 | "user_id":"1234", 7 | "email":"testUser@testOrg", 8 | "zid":"demo", 9 | "grant_type":"password", 10 | "origin": "useridp" 11 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/claims_templateMultiTenancy.txt: -------------------------------------------------------------------------------- 1 | { 2 | "jti": "37587e8c45b84a85820744c1459910b5", 3 | "ext_attr": { 4 | "enhancer": "XSUAA", 5 | "serviceinstanceid": "brokerCloneServiceInstanceId", 6 | "zdn": "paas", 7 | "acl": ["app1!t23"] 8 | }, 9 | "xs.system.attributes": { 10 | "xs.saml.groups": [ 11 | "g1" 12 | ], 13 | "xs.rolecollections": [] 14 | }, 15 | "given_name": "TestUser", 16 | "xs.user.attributes": {"usrAttr": ["test"]}, 17 | "family_name": "unknown.org", 18 | "sub": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 19 | "scope": [ 20 | "openid", "testScope", "testApp.localScope" 21 | ], 22 | "client_id": "$clientid", 23 | "cid": 
"sb-clone1!b5|LR-master!b5", 24 | "azp": "sb-clone1!b5|LR-master!b5", 25 | "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer", 26 | "user_id": "d21f5de9-d761-47a2-b6d4-2d83161584d9", 27 | "origin": "useridp", 28 | "user_name": "TestUser", 29 | "email": "TestUser@uaa.org", 30 | "rev_sig": "b850756a", 31 | "iat": 1532416849, 32 | "exp": $exp, 33 | "iss": "http://paas.localhost:8080/uaa/oauth/token", 34 | "zid": "paas", 35 | "aud": [], 36 | "az_attr": {"external_id":"abcd1234"} 37 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/jwks.json: -------------------------------------------------------------------------------- 1 | { 2 | "keys": [ 3 | { 4 | "kty": "RSA", 5 | "e": "AQAB", 6 | "use": "sig", 7 | "kid": "default-kid", 8 | "alg": "RS256", 9 | "value": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAm1QaZzMjtEfHdimrHP3/2Yr+1z685eiOUlwybRVG9i8wsgOUh+PUGuQL8hgulLZWXU5MbwBLTECAEMQbcRTNVTolkq4i67EP6JesHJIFADbK1Ni0KuMcPuiyOLvDKiDEMnYG1XP3X3WCNfsCVT9YoU+lWIrZr/ZsIvQri8jczr4RkynbTBsPaAOygPUlipqDrpadMO1momNCbea/o6GPn38LxEw609ItfgDGhL6f/yVid5pFzZQWb+9l6mCuJww0hnhO6gt6Rv98OWDty9G0frWAPyEfuIW9B+mR/2vGhyU9IbbWpvFXiy9RVbbsM538TCjd5JF2dJvxy24addC4oQIDAQAB", 10 | "n": "AJtUGmczI7RHx3Ypqxz9_9mK_tc-vOXojlJcMm0VRvYvMLIDlIfj1BrkC_IYLpS2Vl1OTG8AS0xAgBDEG3EUzVU6JZKuIuuxD-iXrBySBQA2ytTYtCrjHD7osji7wyogxDJ2BtVz9191gjX7AlU_WKFPpViK2a_2bCL0K4vI3M6-EZMp20wbD2gDsoD1JYqag66WnTDtZqJjQm3mv6Ohj59_C8RMOtPSLX4AxoS-n_8lYneaRc2UFm_vZepgricMNIZ4TuoLekb_fDlg7cvRtH61gD8hH7iFvQfpkf9rxoclPSG21qbxV4svUVW27DOd_Ewo3eSRdnSb8ctuGnXQuKE=" 11 | } 12 | ] 13 | } -------------------------------------------------------------------------------- /spring-xsuaa/src/test/resources/vcap_multipleBindings.json: -------------------------------------------------------------------------------- 1 | { 2 | "xsuaa": [ 3 | { 4 | "credentials": { 5 | "clientid": "client-id-api", 6 | "clientsecret": "client-secret-api" 7 | }, 8 | "instance_name": 
"xsuaa-api", 9 | "label": "xsuaa", 10 | "name": "xsuaa-api", 11 | "plan": "apiaccess", 12 | "tags": [ 13 | "xsuaa" 14 | ] 15 | }, 16 | { 17 | "credentials": { 18 | "clientid": "client-id", 19 | "clientsecret": "client-secret", 20 | "apiurl": "https://api.mydomain.com", 21 | "tenantid": "tenant-id", 22 | "subaccountid": "subaccount-id" 23 | }, 24 | "instance_name": "xsuaa-main", 25 | "label": "xsuaa", 26 | "name": "xsuaa-main", 27 | "plan": "application", 28 | "tags": [ 29 | "xsuaa" 30 | ] 31 | } 32 | ] 33 | } 34 | -------------------------------------------------------------------------------- /token-client/src/main/java/com/sap/cloud/security/client/HttpClientException.java: -------------------------------------------------------------------------------- 1 | /** 2 | * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors 3 | *

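 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.client;

/**
 * Thrown to signal issues during a http client initialization.
 * <p>
 * Unchecked (extends {@link RuntimeException}); carries only a message, no cause.
 */
public class HttpClientException extends RuntimeException {

	// RuntimeException is Serializable; declare the stream version explicitly
	// (as TokenFlowException in this module does) instead of relying on the
	// compiler-generated value, which changes whenever the class shape changes.
	private static final long serialVersionUID = 1L;

	/**
	 * Creates a new HttpClientException.
	 *
	 * @param message
	 *            description of what went wrong while initializing the http client
	 */
	public HttpClientException(String message) {
		super(message);
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/Assertions.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *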

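 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa;

import java.util.List;

/**
 * Argument precondition checks used by the token client. Every check throws an
 * {@link IllegalArgumentException} carrying the supplied message when it fails and
 * returns normally otherwise.
 */
public class Assertions {

	private Assertions() {
		// static utility, not instantiable
	}

	/**
	 * Fails when {@code object} is {@code null}.
	 *
	 * @param object
	 *            the value to check
	 * @param message
	 *            the exception message used on failure
	 * @throws IllegalArgumentException
	 *             if {@code object} is null
	 */
	public static void assertNotNull(Object object, String message) {
		if (object == null) {
			throw new IllegalArgumentException(message);
		}
	}

	/**
	 * Fails when {@code string} is {@code null} or consists only of characters removed by
	 * {@link String#trim()}.
	 *
	 * @param string
	 *            the value to check
	 * @param message
	 *            the exception message used on failure
	 * @throws IllegalArgumentException
	 *             if {@code string} is null or blank
	 */
	public static void assertHasText(String string, String message) {
		if (string == null || string.trim().isEmpty()) {
			throw new IllegalArgumentException(message);
		}
	}

	/**
	 * Fails when {@code list} is {@code null} or empty.
	 * <p>
	 * Declared as {@code List<?>} rather than the raw type: same erasure (binary compatible
	 * with existing callers) but no unchecked-conversion warnings at call sites.
	 *
	 * @param list
	 *            the value to check
	 * @param message
	 *            the exception message used on failure
	 * @throws IllegalArgumentException
	 *             if {@code list} is null or empty
	 */
	public static void assertNotEmpty(List<?> list, String message) {
		if (list == null || list.isEmpty()) {
			throw new IllegalArgumentException(message);
		}
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/client/OAuth2ServiceEndpointsProvider.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *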

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.client;

import java.net.URI;

/**
 * Supplies the OAuth2/OIDC endpoints of one authorization server, as declared in its
 * {@code /.well-known/openid-configuration} document.
 * <p>
 * NOTE(review): these URIs are presumably where the token client sends credentials and
 * fetches signing keys, so they are security-critical. Implementations should populate
 * them only from a configured, trusted issuer — never from values carried inside an
 * incoming token (e.g. a {@code jku} header) — otherwise key retrieval or credential
 * delivery could be redirected.
 */
public interface OAuth2ServiceEndpointsProvider {

	/**
	 * @return the token endpoint, e.g. {@code https://oauth.server.com/oauth/token}
	 */
	URI getTokenEndpoint();

	/**
	 * @return the authorize endpoint, e.g. {@code https://oauth.server.com/oauth/authorize}
	 */
	URI getAuthorizeEndpoint();

	/**
	 * @return the JSON Web Key Set URI ({@code jwks_uri} of the OpenID provider
	 *         configuration), e.g. {@code https://oauth.server.com/token_keys}
	 */
	URI getJwksUri();
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/client/OidcConfigurationService.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.client;

import javax.annotation.Nonnull;
import java.net.URI;

/**
 * Fetches an OpenID Provider Configuration Document (OIDC discovery) from an OAuth server
 * and exposes the endpoints it declares as an {@link OAuth2ServiceEndpointsProvider}.
 * <p>
 * NOTE(review): the endpoints the client later trusts are derived from this document, so
 * the discovery URI must belong to a configured, trusted issuer and should be reached over
 * TLS; do not build it from unauthenticated input such as claims of an unverified token.
 */
@SuppressWarnings("squid:S1214")
public interface OidcConfigurationService {
	/** Well-known relative path of the discovery document. */
	String DISCOVERY_ENDPOINT_DEFAULT = "/.well-known/openid-configuration"; // NOSONAR

	/**
	 * Requests the OpenID Provider Configuration Document from the given discovery endpoint.
	 *
	 * @param discoveryEndpointUri
	 *            the full discovery endpoint URI; must not be null
	 * @return the endpoints declared by the document
	 * @throws OAuth2ServiceException
	 *             in case of an error during the http request
	 */
	OAuth2ServiceEndpointsProvider retrieveEndpoints(@Nonnull URI discoveryEndpointUri) throws OAuth2ServiceException;

}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/http/HttpHeader.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.http;

import java.util.Objects;

/**
 * Immutable name/value pair describing one HTTP header. Two headers are equal when both
 * name and value are equal (null-safe, case-sensitive, exact class match).
 * <p>
 * NOTE(review): {@link #toString()} renders the raw value. For credential-bearing headers
 * (e.g. {@code Authorization}) that means the secret ends up wherever the string is
 * written — do not log or otherwise expose such headers through this method.
 */
public class HttpHeader {

	private final String name;
	private final String value;

	/**
	 * @param name
	 *            header name, stored as given
	 * @param value
	 *            header value, stored as given
	 */
	public HttpHeader(String name, String value) {
		this.name = name;
		this.value = value;
	}

	/** @return the header value exactly as passed to the constructor */
	public String getValue() {
		return value;
	}

	/** @return the header name exactly as passed to the constructor */
	public String getName() {
		return name;
	}

	@Override
	public boolean equals(Object o) {
		if (o == this) {
			return true;
		}
		// exact class comparison on purpose: a subclass instance never equals a plain header
		if (o == null || o.getClass() != getClass()) {
			return false;
		}
		HttpHeader other = (HttpHeader) o;
		boolean sameName = Objects.equals(getName(), other.getName());
		boolean sameValue = Objects.equals(getValue(), other.getValue());
		return sameName && sameValue;
	}

	@Override
	public int hashCode() {
		return Objects.hash(getName(), getValue());
	}

	/** @return {@code "name: value"} in double quotes, value included verbatim */
	@Override
	public String toString() {
		return "\"" + name + ": " + value + "\"";
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/http/MediaType.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.http;

/**
 * Media types the token client puts into HTTP headers.
 */
public enum MediaType {
	/** {@code application/json} */
	APPLICATION_JSON("application/json"),
	/** {@code application/x-www-form-urlencoded} */
	APPLICATION_FORM_URLENCODED("application/x-www-form-urlencoded");

	private final String value;

	MediaType(String value) {
		this.value = value;
	}

	/**
	 * @return the media type as it appears on the wire, e.g. {@code application/json}
	 */
	public String value() {
		return this.value;
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/jwt/DecodedJwt.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.jwt;

import java.io.Serializable;

/**
 * View of a JSON Web Token split into its three dot-separated parts:
 * {@code header.payload.signature}. Header and payload are exposed base64-decoded, the
 * signature stays encoded, and the original compact token remains available.
 * <p>
 * Obtain an instance via {@code Base64JwtDecoder.getInstance().decode(token)}.
 * <p>
 * NOTE(review): nothing in this interface implies that the signature has been verified or
 * that expiry/audience were checked — decoding is not validation. Do not act on header or
 * payload content of a DecodedJwt that has not also gone through token validation.
 */
public interface DecodedJwt extends Serializable {

	/**
	 * @return the base64-decoded header as a UTF-8 String
	 */
	String getHeader();

	/**
	 * @return the base64-decoded payload as a UTF-8 String
	 */
	String getPayload();

	/**
	 * @return the signature part, still in its encoded form
	 */
	String getSignature();

	/**
	 * Returns the original compact, encoded access token.
	 * <p>
	 * Never expose this token via log or via HTTP.
	 *
	 * @return the encoded jwt token
	 */
	String getEncodedToken();

}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/Cacheable.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.tokenflows;

import com.sap.cloud.security.config.CacheConfiguration;

import javax.annotation.Nonnull;
import javax.annotation.Nullable;

/**
 * Contract for components that keep a cache governed by a {@link CacheConfiguration}.
 */
public interface Cacheable {

	/**
	 * @return the cache configuration this component was set up with; never {@code null}
	 */
	@Nonnull
	CacheConfiguration getCacheConfiguration();

	/**
	 * Drops every cached entry of this component.
	 */
	void clearCache();

	/**
	 * Returns an implementation-specific statistics object, provided the underlying cache
	 * supports statistics and they were enabled in the {@link CacheConfiguration}.
	 * <p>
	 * Use with care: the concrete type is not part of the API contract and might change in
	 * later versions.
	 *
	 * @return the statistics object; may be {@code null}
	 */
	@Nullable
	Object getCacheStatistics();
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/TokenFlowException.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.tokenflows;

import java.io.IOException;
import java.io.Serial;

/**
 * Signals a failure while executing a token flow. Checked ({@link IOException}) so callers
 * must handle or declare it.
 */
public class TokenFlowException extends IOException {
	@Serial
	private static final long serialVersionUID = 1452898292676860358L;

	/**
	 * Creates an exception without message and without cause.
	 */
	public TokenFlowException() {
		super();
	}

	/**
	 * Creates an exception carrying only a message.
	 *
	 * @param message
	 *            - the error message.
	 */
	public TokenFlowException(String message) {
		super(message);
	}

	/**
	 * Creates an exception carrying only a cause; per {@link Throwable#Throwable(Throwable)}
	 * the message then defaults to {@code cause.toString()}.
	 *
	 * @param cause
	 *            - the error cause.
	 */
	public TokenFlowException(Throwable cause) {
		super(cause);
	}

	/**
	 * Creates an exception carrying both a message and a cause.
	 *
	 * @param message
	 *            - the error message.
	 * @param cause
	 *            - the error cause.
	 */
	public TokenFlowException(String message, Throwable cause) {
		super(message, cause);
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/tokenflows/XsuaaTokenFlowsUtils.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.tokenflows;

import org.json.JSONObject;

import java.util.HashMap;
import java.util.Map;

/**
 * A utilities class providing static functions required to build the XSUAA token flow REST requests.
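 */
class XsuaaTokenFlowsUtils {

	/** Name of the JWT claim that carries additional authorization attributes. */
	static final String CLAIM_ADDITIONAL_AZ_ATTR = "az_attr";

	/**
	 * Serializes additional authorities into the JSON form of the {@code az_attr} claim,
	 * i.e. {@code {"az_attr":{...}}}.
	 * <p>
	 * The attribute values are caller-supplied and end up in the token request; they are
	 * encoded through {@link JSONObject}, which is presumably responsible for escaping them.
	 *
	 * @param additionalAuthorities
	 *            attributes to place under the az_attr claim; may be {@code null}.
	 *            Typed {@code Map<?, ?>} instead of the raw type (same erasure, so binary
	 *            compatible with existing callers).
	 * @return the JSON string, or {@code null} if {@code additionalAuthorities} is null
	 */
	static String buildAdditionalAuthoritiesJson(Map<?, ?> additionalAuthorities) {
		if (additionalAuthorities == null) {
			return null;
		}
		// nest the attributes under the claim name so the result reads {"az_attr": {...}}
		Map<String, Object> claim = new HashMap<>();
		claim.put(CLAIM_ADDITIONAL_AZ_ATTR, additionalAuthorities);
		return new JSONObject(claim).toString();
	}
}

--------------------------------------------------------------------------------
/token-client/src/main/java/com/sap/cloud/security/xsuaa/util/HttpClientUtil.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *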

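 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.util;

import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;

/**
 * Static helpers for the http client layer.
 */
public class HttpClientUtil {

	private HttpClientUtil() {
		// use static fields and methods
	}

	/**
	 * Builds the {@code User-Agent} value {@code <artifactId>/<version>} from the classpath
	 * resource {@code /token-client.properties} (presumably filtered by Maven at build time).
	 * <p>
	 * Falls back to {@code token-client/0.0.0} when the resource is absent, unreadable or
	 * malformed, so version reporting never breaks a request.
	 *
	 * @return the user agent string
	 */
	public static String getUserAgent() {
		// try-with-resources: the previous implementation never closed the stream, leaking a
		// handle on every call. A missing resource is now an explicit null check instead of a
		// NullPointerException caught from Properties.load(null).
		try (InputStream stream = HttpClientUtil.class.getResourceAsStream("/token-client.properties")) {
			if (stream == null) {
				return "token-client/0.0.0";
			}
			Properties props = new Properties();
			props.load(stream);
			return props.getProperty("artifactId") + "/" + props.getProperty("version");
		} catch (IOException | IllegalArgumentException e) {
			// IOException: unreadable resource; IllegalArgumentException: malformed unicode escape
			return "token-client/0.0.0";
		}
	}

}

--------------------------------------------------------------------------------
/token-client/src/main/resources/META-INF/services/com.sap.cloud.security.client.HttpClientFactory:
--------------------------------------------------------------------------------
com.sap.cloud.security.client.DefaultHttpClientFactory

--------------------------------------------------------------------------------
/token-client/src/main/resources/token-client.properties:
--------------------------------------------------------------------------------
artifactId=${project.artifactId}
version=${project.version}
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/client/HttpClientFactoryTest.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *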

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.client;

import com.sap.cloud.security.config.ClientCredentials;
import org.apache.http.impl.client.CloseableHttpClient;
import org.junit.Test;

import static org.junit.Assert.*;

/**
 * Verifies that {@link HttpClientFactory#create} prefers a service-loader registered custom
 * factory over the built-in DefaultHttpClientFactory. The test resources register
 * TestHttpClientFactory, which returns a Mockito mock, so the created client must be that mock.
 */
public class HttpClientFactoryTest {

	@Test
	public void create() {
		CloseableHttpClient client = HttpClientFactory.create(new ClientCredentials("clientId", "secret"));
		assertNotNull(client);

		// Assert that custom HttpClientFactory factory has a priority over default
		// com.sap.cloud.security.client.DefaultHttpClientFactory
		String implementation = client.getClass().getName();
		assertFalse(implementation.contains("InternalHttpClient"));
		assertTrue(implementation.contains("CloseableHttpClient$MockitoMock"));
	}

}
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/client/TestHttpClientFactory.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.client;

import com.sap.cloud.security.config.ClientIdentity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.mockito.Mockito;

/**
 * Test-only {@link HttpClientFactory}, registered through META-INF/services in the test
 * resources. It ignores the identity and hands out a Mockito mock so tests can prove that a
 * custom factory takes precedence over DefaultHttpClientFactory.
 */
public class TestHttpClientFactory implements HttpClientFactory {

	/**
	 * @param clientIdentity
	 *            ignored
	 * @return a fresh {@link CloseableHttpClient} mock
	 */
	@Override
	public CloseableHttpClient createClient(ClientIdentity clientIdentity) throws HttpClientException {
		CloseableHttpClient mockClient = Mockito.mock(CloseableHttpClient.class);
		return mockClient;
	}
}

--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/xsuaa/tokenflows/TestConstants.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.tokenflows;

import com.sap.cloud.security.config.ClientCredentials;

import java.net.URI;

//@formatter:off
/**
 * Shared fixture values for the token flow tests.
 * <p>
 * NOTE(review): treat every value here as a placeholder. Confirm none of them (in particular
 * CLIENT_CREDENTIALS) is a live credential, and never paste real secrets into this file.
 */
interface TestConstants {
	// endpoints
	URI XSUAA_BASE_URI = URI.create("https://subdomain.authentication.eu10.hana.ondemand.com/");
	URI TOKEN_ENDPOINT_URI = URI.create("https://subdomain.authentication.eu10.hana.ondemand.com/oauth/token");
	// client identity
	ClientCredentials CLIENT_CREDENTIALS = new ClientCredentials("sb-spring-netflix-demo!t12291",
			"2Tc2Xz7DNy4KiACwvunulmxF32w=");
	// user credentials
	String USERNAME = "Bob";
	String PASSWORD = "qwerty";
	// token values
	String ACCESS_TOKEN = "8fea5fdea005417d8c7104a5a4165da2";
	String REFRESH_TOKEN = "c9336d3de6b7450b8b14cc61362d595d";
	String JWT_BEARER_TOKEN = "cabb9a945e43f5d9d7eb5aa7c";
	// expiry value used by the tests
	long EXPIRED_IN = 4223;
}
//@formatter:on
--------------------------------------------------------------------------------
/token-client/src/test/java/com/sap/cloud/security/xsuaa/tokenflows/TokenFlowExceptionTest.java:
--------------------------------------------------------------------------------
/**
 * SPDX-FileCopyrightText: 2018-2023 SAP SE or an SAP affiliate company and Cloud Security Client Java contributors
 *

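 * SPDX-License-Identifier: Apache-2.0
 */
package com.sap.cloud.security.xsuaa.tokenflows;

import org.junit.Test;

import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;

/**
 * Checks that every {@link TokenFlowException} constructor wires message and cause as
 * expected.
 */
public class TokenFlowExceptionTest {

	static final String MESSAGE = "Message";
	static final Exception CAUSE = new Exception();

	@Test
	public void constructors() {

		TokenFlowException ex = new TokenFlowException();
		assertNull("Exception should not have any message.", ex.getMessage());
		assertNull("Exception should not have any cause.", ex.getCause());

		ex = new TokenFlowException(MESSAGE);
		assertNotNull("Exception should have a message.", ex.getMessage());
		assertNull("Exception should not have any cause.", ex.getCause());

		// Throwable(Throwable) derives the message from the cause (cause.toString()), so a
		// non-null message is expected; the previous failure text stated the opposite.
		ex = new TokenFlowException(CAUSE);
		assertNotNull("Exception should have the cause's default message.", ex.getMessage());
		assertNotNull("Exception should have a cause.", ex.getCause());

		ex = new TokenFlowException(MESSAGE, CAUSE);
		assertNotNull("Exception should have a message.", ex.getMessage());
		assertNotNull("Exception should have a cause.", ex.getCause());
	}

}

--------------------------------------------------------------------------------
/token-client/src/test/resources/META-INF/services/com.sap.cloud.security.client.HttpClientFactory:
--------------------------------------------------------------------------------
com.sap.cloud.security.client.DefaultHttpClientFactory
com.sap.cloud.security.client.TestHttpClientFactory
--------------------------------------------------------------------------------
/token-client/src/test/resources/iasJsonWebTokenKeys.json:
--------------------------------------------------------------------------------
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "n":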
"j9XvbTYr3uXbkrAM10zQmOXkt4Gaj-SKZHbOK1y_eIdvrZge_LeSKVIgce6ZtC5b7F3HfJ1TAPy2kCSfusQ-P17egl6ka6-kMvPhDltWnurgAgfjDPnt6NckHxadut7L_-s9kd2L84GO-PznvcHGbc8ntTjtlgLmxDq-gZgCJKJqhWM3NYifUkLbbQT-c4dK6my-JtNyuye2fd2cR_G7IQE1UrZm7zqu9DttjN5A-R1eLYmtTuTC3xSHRCLVks6OyzIjzXP1TcyxXUvbwZWD6LpTidcapztRcwckO_AJHsztAvtC2hsPbl03lKzloHqQeRSEWVzRcgtK5ViRxcH7VQ" 8 | } 9 | ] 10 | } -------------------------------------------------------------------------------- /token-client/src/test/resources/key-ztis.pem: -------------------------------------------------------------------------------- 1 | -----BEGIN PRIVATE KEY----- 2 | MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOt7smVohjk5hhbL0 3 | iXozlFrgtoBXVKtVzadX3X7ohv6hRANCAARCv3HNbB6kWJwEwfHwFEO/7VIE8GBF 4 | 59iI7p7nZWXmugUfa2Lnc32ijODsVbN7i+XkMWB+b7C3yL2LYBXz07ts 5 | -----END PRIVATE KEY----- -------------------------------------------------------------------------------- /token-client/src/test/resources/mockito-extensions/org.mockito.plugins.MockMaker: -------------------------------------------------------------------------------- 1 | mock-maker-inline -------------------------------------------------------------------------------- /token-client/src/test/resources/oidcConfiguration.json: -------------------------------------------------------------------------------- 1 | { 2 | "issuer" : "http://localhost:8080/uaa/oauth/token", 3 | "authorization_endpoint" : "http://localhost/oauth/authorize", 4 | "token_endpoint" : "http://localhost/oauth/token", 5 | "token_endpoint_auth_methods_supported" : [ "client_secret_basic", "client_secret_post" ], 6 | "token_endpoint_auth_signing_alg_values_supported" : [ "RS256", "HS256" ], 7 | "userinfo_endpoint" : "http://localhost/userinfo", 8 | "jwks_uri" : "http://localhost/token_keys", 9 | "scopes_supported" : [ "openid", "profile", "email", "phone", "roles", "user_attributes" ], 10 | "response_types_supported" : [ "code", "code id_token", "id_token", "token id_token" ], 11 | 
"subject_types_supported" : [ "public" ], 12 | "id_token_signing_alg_values_supported" : [ "RS256", "HS256" ], 13 | "id_token_encryption_alg_values_supported" : [ "none" ], 14 | "claim_types_supported" : [ "normal" ], 15 | "claims_supported" : [ "sub", "user_name", "origin", "iss", "auth_time", "amr", "acr", "client_id", "aud", "zid", "grant_type", "user_id", "azp", "scope", "exp", "iat", "jti", "rev_sig", "cid", "given_name", "family_name", "phone_number", "email" ], 16 | "claims_parameter_supported" : false, 17 | "service_documentation" : "http://docs.cloudfoundry.org/api/uaa/", 18 | "ui_locales_supported" : [ "en-US" ] 19 | } -------------------------------------------------------------------------------- /token-client/src/test/resources/privateRSAKey.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIIBOwIBAAJBAJv8ZpB5hEK7qxP9K3v43hUS5fGT4waKe7ix4Z4mu5UBv+cw7WSF 3 | At0Vaag0sAbsPzU8Hhsrj/qPABvfB8asUwcCAwEAAQJAG0r3ezH35WFG1tGGaUOr 4 | QA61cyaII53ZdgCR1IU8bx7AUevmkFtBf+aqMWusWVOWJvGu2r5VpHVAIl8nF6DS 5 | kQIhAMjEJ3zVYa2/Mo4ey+iU9J9Vd+WoyXDQD4EEtwmyG1PpAiEAxuZlvhDIbbce 6 | 7o5BvOhnCZ2N7kYb1ZC57g3F+cbJyW8CIQCbsDGHBto2qJyFxbAO7uQ8Y0UVHa0J 7 | BO/g900SAcJbcQIgRtEljIShOB8pDjrsQPxmI1BLhnjD1EhRSubwhDw5AFUCIQCN 8 | A24pDtdOHydwtSB5+zFqFLfmVZplQM/g5kb4so70Yw== 9 | -----END RSA PRIVATE KEY----- -------------------------------------------------------------------------------- /token-client/src/test/resources/privateRSAKeyCorrupt.txt: -------------------------------------------------------------------------------- 1 | -----BEGIN RSA PRIVATE KEY----- 2 | MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgOt7smVohjk5hhbL0 3 | iXozlFrgtoBXVKtVzadX3X7ohv6hRANCAARCv3HNbB6kWJwEwfHwFEO/7VIE8GBF 4 | 59iI7p7nZWXmugUfa2Lnc32ijODsVbN7i+XkMWB+b7C3yL2LYBXz07ts 5 | -----END RSA PRIVATE KEY----- -------------------------------------------------------------------------------- /troubleshooting/README.md: 
-------------------------------------------------------------------------------- 1 | # Troubleshooting Information 2 | For more information about troubleshooting the XSUAA, please visit the [SAP Help Portal](https://help.sap.com/viewer/65de2977205c403bbc107264b8eccf4b/Cloud/en-US/1b3e89e915b349c1aa3896ac8c6becd6.html) or take a look at our [Guided Answers](https://ga.support.sap.com/dtp/viewer/index.html#/tree/2212/actions/28290). 3 | --------------------------------------------------------------------------------