Anthony MULLER

Secure your application on SAP Cloud Platform

This blog is about how to secure a Java RESTful application deployed to SCP/CF (SAP Cloud Platform, Cloud Foundry environment). This is not so easy to implement because CF basically lacks a component to manage business users.

In this walkthrough, we will see how to secure the “Hello World” application deployed in the previous blog because, currently, it can be accessed by anybody.

The first step aims to build a “shield” we will put later in front of our “Hello World” application.

This shield is made of two parts: a service instance of “xsuaa” and an application called “approuter”.

Most of the operations explained in this blog are performed through the Cloud Foundry CLI. You can download it from here.

 

Create a service instance of “xsuaa”.

“xsuaa” is an extended user account and authentication service. You can print out all available services by typing this CF CLI command:

>cf marketplace

Getting services from marketplace in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com...
 OK

service           plans                              description
application-logs  lite                               Stream logs of bound applications to central application logging stack
autoscaler        lite                               Automatically increase or decrease the number of application instances based on a policy you define.
connectivity      lite                               Establishes a secure and reliable connectivity between cloud applications and on-premise systems.
destination       lite                               [BETA] Provides a secure and reliable access to destination configurations
feature-flags     lite                               Feature Flags service for controlling feature rollout
hanatrial         hdi-shared                         SAP HANA trial database
jobscheduler      lite                               [Beta] Allows you to define and manage your jobs that run on one-time or recurring schedules
mongodb           v3.0-dev                           Store JSON-like documents in a document-oriented database.
portal-services   site-host, site-content, site-app  Easily create SAP Fiori launchpad business sites for employees, customers and partners.
postgresql        v9.4-dev, v9.6-dev                 PostgreSQL object-relational database system
rabbitmq          v3.6-dev                           RabbitMQ messaging
redis             v3.0-dev                           Redis in-memory data structure store
xsuaa             application                        Manage application authorizations and trust to identity providers

 

So, you can simply create a new instance of the xsuaa service like this (don’t forget to replace pXXXXXXXXXX with your own p-number):

>cf create-service xsuaa application scphelloworld-uaa -c "{\"xsappname\":\"scphelloworld-pXXXXXXXXXX\"}"

Note that we provide some configuration using the “-c” command switch. The service supports more complex configuration, for instance to handle functional scopes.

 

Verify the service instance is OK:

>cf services
 Getting services in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com...
 OK

name               service  plan         bound apps           last operation
scphelloworld-uaa  xsuaa    application  scphelloworldrouter  create succeeded

Deploy a copy of “approuter” application

This configurable application will act as the bouncer for your “Hello World”. It decides whether or not to authorize incoming HTTP calls, following rules you specify in a configuration file.

You can clone this Git repository locally:

https://github.com/AnthonyMullerPlayground/scphelloworldrouter

 

To deploy it, you first need to adapt the “manifest.yml” file to set your host name (as usual, it needs to be globally unique in SCP/CF, as we already saw previously). A convenient way is to append your p-number (SCP identifier) to the host names. To do that, just replace “pXXXXXXXXXX” with your own p-number.

At this point, we are ready to deploy. Go to the “scphelloworldrouter” folder and execute the “cf push” command.

Check the application is running:

>cf apps
 Getting apps in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com...
 OK

name                 requested state  instances  memory  disk  urls
scphelloworld        started          1/1        512M    1G    scphelloworld-p1942961245.cfapps.eu10.hana.ondemand.com
scphelloworldrouter  started          1/1        128M    1G    scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com

 

The next step is a bit tricky… The goal is to add a new CF route in order to make the application “multitenant-compliant”. To do that, we simply prepend the account identifier to the host name in the URL.

>cf map-route scphelloworldrouter cfapps.eu10.hana.ondemand.com -n p1942961245trial-scphelloworldrouter-p1942961245
 Creating route p1942961245trial-scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com for org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com...
 OK
 Adding route p1942961245trial-scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com to app scphelloworldrouter in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com...
 OK

 

 

Test the security

Try to access this URL, using Chrome for instance:

https://pXXXXXXXXXXtrial-scphelloworldrouter-pXXXXXXXXXX.cfapps.eu10.hana.ondemand.com/hello

If everything is properly configured, you should see the following screen:

 

 

Enter your credentials, and you will get the “Hello World!” response like before. Great, your application is secured!

 

Hmmm wait… Not really secured in fact… If you enter the URL used in the previous blog, you can still access the application directly, without authentication.

Yes, we need to modify the “scphelloworld” application to finish implementing the security, but this is explained in the next part.
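A way to check the gap described above from the command line, as an added example that is not part of the original post or of the approuter project. It assumes that a protected route answers an unauthenticated request with 401/403 or with a redirect to a login page on another host; the function names are made up for this example, and the URLs are whatever you pass in.

```shell
#!/bin/sh
# Added example, not from the original post. URLs are supplied by the caller.

# host_of URL -> host part without scheme, path or port
host_of() {
    h=${1#*://}
    h=${h%%/*}
    echo "${h%%:*}"
}

# classify STATUS LOCATION REQUEST_URL
#   protected : 401/403, or a 3xx redirect to another host (assumed login page)
#   exposed   : 2xx, content was served without credentials
#   unknown   : anything else (same-host redirect, 404, 5xx, no answer)
classify() {
    case "$1" in
        401|403) echo protected ;;
        30[12378])
            if [ -n "$2" ] && [ "$(host_of "$2")" != "$(host_of "$3")" ]; then
                echo protected
            else
                echo unknown
            fi ;;
        2??) echo exposed ;;
        *) echo unknown ;;
    esac
}

# probe URL: one request with no cookie or Authorization header, redirects
# not followed; prints the verdict for that URL.
probe() {
    out=$(curl -s -o /dev/null --max-time 10 \
        -w '%{http_code} %{redirect_url}' "$1") || out="000 "
    classify "${out%% *}" "${out#* }" "$1"
}

# check_routes URL...: returns 0 only if every URL is protected
check_routes() {
    rc=0
    for url in "$@"; do
        verdict=$(probe "$url")
        echo "$verdict  $url"
        [ "$verdict" = protected ] || rc=1
    done
    return "$rc"
}
```

Call `check_routes` with the approuter route and the direct “scphelloworld” URL from the previous blog. At this stage of the walkthrough the direct URL is expected to be reported as exposed, so the function returns non-zero until the next part is done.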
