
SAP BTP Security Services Integration Libraries

This repository offers a comprehensive set of libraries designed to simplify the integration of SAP Business Technology Platform (SAP BTP) security services (XSUAA and Identity Services) into Java EE and Spring Boot applications running on Cloud Foundry or Kubernetes. The libraries focus on streamlining OAuth 2.0 access token validation for tokens issued by XSUAA and Identity Services. In addition, the repository offers a token-client library to fetch tokens without a cumbersome setup of HTTP requests. Finally, it offers a testing utility that mocks Xsuaa and Identity service behaviour and makes it easy to write integration and unit tests.

Table of Contents

  1. Prerequisites
  2. Usage
  3. Installation
  4. Troubleshooting
  5. Contributing
  6. License

Prerequisites

Before you can use the SAP Cloud Security Services Integration libraries, you must fulfil the following requirements:

  1. Knowledge of Java programming and (Optional) Spring Boot framework.
  2. Access to an SAP BTP account and the XSUAA or Identity service.
  3. Familiarity with OAuth 2.0 and JWT (JSON Web Tokens).
  4. Java 17
  5. Maven 3.9.0 or later
  6. (Optional) Spring Boot 3.0.0 or later, Spring Security 6.0.0 or later if using the Spring integration

For Java 8 and 11, please use the 2.x release of this library.

Usage

Typical web applications consist of a gateway server serving HTML content to the user client and one or more servers behind the gateway providing REST APIs. The gateway server acts as an OAuth2 client, executing an OAuth2 Authorization Code Flow to retrieve an access token when a new user client session is created. Requests from the user client are correlated with a session id on the gateway server, which appends the access token to subsequent requests and forwards them to the REST APIs. The session flow looks as follows:

  1. A user accesses the web application using a browser or mobile device which begins a new server session.
  2. The web application redirects the user client to the OAuth2 server for authentication. In typical SAP Business Technology Platform scenarios, this is handled by an application router. Upon authentication, the web application receives an authorization code from the user client issued by the OAuth2 server.
  3. An access token is retrieved from the OAuth2 server in exchange for the authorization code.
  4. The web application uses the access token to access resources on an OAuth2 resource server via a REST API. The OAuth2 resource server validates the token using online or offline validation to restrict access to the API.

[Figure: OAuth 2.0 Authorization code flow]

OAuth2 resource servers (as the one in step 4) require libraries for validating access tokens.

2.1. Token Validation

Key features:

  • Automatic OAuth2 service configuration based on SAP BTP service bindings found in the environment
  • OAuth2 Token Validation based on these service configurations
  • Easy access to principal and token claims within request handlers
  • Automatic or sample integrations for common web application frameworks (e.g. Java EE / Spring Security)

2.1.1. Java EE web applications

Developers who need OAuth2 token validation and token access in their Java EE applications can utilize the java-security library. This library simplifies the process of acquiring token information such as principal and audiences from the security context and takes over token validation for tokens issued by Xsuaa or Identity services. This library is also integrated in SAP Java Buildpack.

In the table below you'll find links to detailed information.

Library: java-security
Usage examples:
  • java-security-xsuaa-usage: demonstrates java-security usage with the Xsuaa service
  • java-security-identity-usage: demonstrates java-security usage with the Identity service
  • sap-java-buildpack-api-usage: demonstrates java-security usage with SAP Java Buildpack
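The resource-server check from step 4 of the session flow, written as a servlet filter on top of java-security. This is an added example, not code from the repository or its samples; it assumes the 3.x line (Jakarta Servlet), an XSUAA service binding present in the environment, and a hypothetical application-local scope named "Read".

```java
import java.io.IOException;

import jakarta.servlet.Filter;
import jakarta.servlet.FilterChain;
import jakarta.servlet.FilterConfig;
import jakarta.servlet.ServletException;
import jakarta.servlet.ServletRequest;
import jakarta.servlet.ServletResponse;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;

/** Protects every request it is mapped to: 401 without a valid token, 403 without the scope. */
public class TokenValidationFilter implements Filter {

    private static final String REQUIRED_LOCAL_SCOPE = "Read"; // hypothetical scope name
    private CombiningValidator<Token> validator;

    @Override
    public void init(FilterConfig filterConfig) {
        // Client id, app id and the XSUAA URLs are read from the service binding found in
        // the environment (VCAP_SERVICES or mounted Kubernetes secrets), never from code.
        OAuth2ServiceConfiguration config = Environments.getCurrent().getXsuaaConfiguration();
        // The combined validator checks the signature against the service's JWKS, the
        // issuer, the audience (client id / app id) and the expiry of every token.
        validator = JwtValidatorBuilder.getInstance(config).build();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        String header = request.getHeader("Authorization");
        if (header == null || !header.startsWith("Bearer ")) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Token.create() parses the JWT and picks XsuaaToken or SapIdToken based on the issuer.
        Token token = Token.create(header.substring("Bearer ".length()));
        ValidationResult result = validator.validate(token);
        if (result.isErroneous()) {
            // Log result.getErrorDescription() server-side; do not return it to the caller.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        // Authorization: the local scope is "<xsappname>.Read"; hasLocalScope() adds the prefix.
        if (!(token instanceof XsuaaToken xsuaaToken) || !xsuaaToken.hasLocalScope(REQUIRED_LOCAL_SCOPE)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        try {
            SecurityContext.setToken(token); // thread-local; servlets read it via SecurityContext.getToken()
            chain.doFilter(req, res);
        } finally {
            SecurityContext.clear(); // threads are pooled, so never leak a token into the next request
        }
    }
}
```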

💡 Changes with SAP Java Buildpack 1.26.0 The former SAP Java Buildpack versions have used deprecated (Spring) Security libraries and had to be updated. As of version 1.26.0 SAP Java Buildpack uses the java-security library. Please consider these (migration) guides:

2.1.2. Spring Boot web applications

Developers seeking OAuth2 token validation and access to token information for their Spring Boot applications can benefit from the spring-security library. This library streamlines the process of handling token validation for tokens issued by Xsuaa or Identity services and obtaining token details, such as principal and audiences from the security context.

For backward compatibility, the spring-xsuaa library is still available; it supports only Xsuaa service integration and will be removed with the next major release.

In the table below you'll find links to detailed information.

Library: spring-security
Usage examples:
  • spring-security-hybrid-usage: demonstrates Xsuaa and Identity service token validation

Library: spring-xsuaa
Usage examples:
  • spring-security-basic-auth: demonstrates how a user can access a REST API via basic authentication (user/password)
  • spring-xsuaa-usage: demonstrates an Xsuaa-only setup

2.2. Token Flows for token retrievals

Java applications that require access tokens (JWT) from Xsuaa or Identity services can utilize the Token Flows API of the token-client library to fetch JWT tokens for their clients (applications) or users.

Typical use cases:

  • technical user / system tokens for service to service communication
  • user token exchange for principal propagation in service to service communication

In the table below you'll find links to detailed information.

Library: token-client
Usage examples:
  • java-tokenclient-usage: demonstrates usage of the token-client library in a Java EE application
  • spring-security-xsuaa-usage: demonstrates usage in a Spring Boot application
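Both use cases listed above (technical-user token and user token exchange) with the token-client Token Flows API, as an added example that is not part of the repository or its samples. It assumes an XSUAA service binding in the environment; the class name and the incoming user token are hypothetical.

```java
import org.apache.http.impl.client.CloseableHttpClient;

import com.sap.cloud.security.client.HttpClientFactory;
import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.xsuaa.client.DefaultOAuth2TokenService;
import com.sap.cloud.security.xsuaa.client.OAuth2TokenResponse;
import com.sap.cloud.security.xsuaa.client.XsuaaDefaultEndpoints;
import com.sap.cloud.security.xsuaa.tokenflows.TokenFlowException;
import com.sap.cloud.security.xsuaa.tokenflows.XsuaaTokenFlows;

/** Hypothetical helper that obtains tokens for calls to another XSUAA-protected service. */
public class BackendTokenProvider {

    private final XsuaaTokenFlows tokenFlows;

    public BackendTokenProvider() {
        OAuth2ServiceConfiguration config = Environments.getCurrent().getXsuaaConfiguration();
        // HttpClientFactory honours the binding's credential type: a client secret or an
        // X.509 client certificate (mTLS); either way the secret material stays in the binding.
        CloseableHttpClient httpClient = HttpClientFactory.create(config.getClientIdentity());
        tokenFlows = new XsuaaTokenFlows(
                new DefaultOAuth2TokenService(httpClient),   // talks to the token endpoint
                new XsuaaDefaultEndpoints(config),           // derives the endpoint URLs from the binding
                config.getClientIdentity());                 // client id plus secret or certificate
    }

    /** Technical-user token for service-to-service calls that carry no user context. */
    public String clientCredentialsToken() throws TokenFlowException {
        OAuth2TokenResponse response = tokenFlows.clientCredentialsTokenFlow().execute();
        return response.getAccessToken();
    }

    /**
     * Principal propagation: exchange the caller's user token (JWT bearer grant) for a token
     * addressed to this client, so the downstream service still sees the original user and
     * can enforce that user's scopes instead of trusting a technical user.
     */
    public String exchangeUserToken(String incomingUserToken) throws TokenFlowException {
        OAuth2TokenResponse response = tokenFlows.jwtBearerTokenFlow()
                .token(incomingUserToken)
                .execute();
        return response.getAccessToken();
    }
}
```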

2.3. Testing utilities

For testing authentication/authorization flows, the java-security-test library is at your disposal. It can be used in unit and integration tests to exercise the Xsuaa or Identity service client functionality of the application. It provides a JwtGenerator to generate custom JWT tokens that work together with a pre-configured WireMock web server that stubs outgoing calls to the Identity or Xsuaa service, e.g. to fetch the JWKS used to check the validity of the token signature. With this library you can test end-to-end all your secured endpoints or app logic that is dependent on information from the tokens.

Key features:

  • Generates and signs tokens with user provided attributes
  • Provides a pre-configured local authorization server that mocks communication with the BTP security services to validate self-generated tokens
  • For Java EE applications, sets up a local application server that is pre-configured with a security filter matching self-generated tokens. It can be configured to serve the servlets you want to test with mocked authorization

In the table below you'll find links to detailed information.

Library: java-security-test
Usage examples:
  • Integration test code snippet for Spring applications
  • Integration test code snippet for Java EE web.xml based servlets
  • Integration test code snippet for Java EE annotation based servlets
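An integration test built on java-security-test, as an added example that is not one of the repository's own snippets. It relies on the pre-configured security filter of the local application server described above, assumes the 3.x line (Jakarta Servlet, JUnit 4 rule), and the servlet, path and e-mail value are constructed for the example.

```java
import static org.junit.Assert.assertEquals;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Instant;

import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import org.junit.ClassRule;
import org.junit.Test;

import com.sap.cloud.security.config.Service;
import com.sap.cloud.security.test.SecurityTestRule;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.TokenClaims;

public class SecuredServletTest {

    /** Servlet under test (constructed for this example): echoes the e-mail claim of the validated token. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            resp.getWriter().write(SecurityContext.getToken().getClaimAsString(TokenClaims.EMAIL));
        }
    }

    // Starts a WireMock server standing in for XSUAA (it serves the JWKS of the test signing
    // key) and an embedded application server whose security filter validates incoming tokens
    // against that mock, so no SAP BTP instance is contacted during the test.
    @ClassRule
    public static SecurityTestRule rule = SecurityTestRule.getInstance(Service.XSUAA)
            .useApplicationServer()
            .addApplicationServlet(WhoAmIServlet.class, "/whoami");

    private final HttpClient http = HttpClient.newHttpClient();

    private HttpResponse<String> get(String bearer) throws Exception {
        HttpRequest.Builder b = HttpRequest.newBuilder(URI.create(rule.getApplicationServerUri() + "/whoami"));
        if (bearer != null) {
            b.header("Authorization", "Bearer " + bearer);
        }
        return http.send(b.build(), HttpResponse.BodyHandlers.ofString());
    }

    @Test
    public void acceptsTokenSignedWithTestKey() throws Exception {
        String jwt = rule.getPreconfiguredJwtGenerator()  // issuer, client id and JWKS URL match the mock
                .withClaimValue(TokenClaims.EMAIL, "tester@example.com")  // constructed claim value
                .createToken().getTokenValue();
        HttpResponse<String> response = get(jwt);
        assertEquals(200, response.statusCode());
        assertEquals("tester@example.com", response.body());
    }

    @Test
    public void rejectsExpiredToken() throws Exception {
        String jwt = rule.getPreconfiguredJwtGenerator()
                .withExpiration(Instant.now().minusSeconds(60))  // expired one minute ago
                .createToken().getTokenValue();
        assertEquals(401, get(jwt).statusCode());  // signature is fine, but the timestamp check fails
    }
}
```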

Installation

The SAP Cloud Security Services Integration is published to Maven Central (https://search.maven.org/search?q=com.sap.cloud.security) and is available as a Maven dependency. Add the following BOM to the dependency management in your pom.xml:

<dependencyManagement>
    <dependencies>
        <dependency>
            <groupId>com.sap.cloud.security</groupId>
            <artifactId>java-bom</artifactId>
            <version>3.0.1</version>
            <scope>import</scope>
            <type>pom</type>
        </dependency>
    </dependencies>
</dependencyManagement>

along with the libraries you intend to use, e.g. java-security:

<dependencies>
    <dependency>
        <groupId>com.sap.cloud.security</groupId>
        <artifactId>java-security</artifactId>
    </dependency>
</dependencies>

💡 Please refer to the Maven Dependencies section in the README.md of the library you intend to use for detailed information on which dependencies need to be added to the pom.xml.

If you intend to extend this library you can clone this repository and install this project with mvn as follows:

git clone https://github.com/SAP/cloud-security-services-integration-library
cd cloud-security-services-integration-library
mvn clean install

Troubleshooting

Please refer to each library's Troubleshooting section:

  • spring-security
  • spring-xsuaa
  • java-security
  • token-client

Contributing

We welcome contributions to this project. Please see the CONTRIBUTING.md file for more details on how to contribute.

How to get support

Open a GitHub issue.

License

Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available in the REUSE tool.
