Secure your application on SAP Cloud Platform
This blog is about how to secure a java RESTful application deployed into SCP/CF (stands for SAP Cloud Platform, Cloud Foundry environment). It is not so easy to implement this because CF basically misses a component to manage Business Users.
In this walkthrough, we will see how to secure the “Hello World” application deployed in previous blog because, currently, this one can be accessed by anybody.
The first step aims to build a “shield” we will put later in front of our “Hello World” application.
This shield is made of two parts a service instance of “xsuaa” and an application which is called “approuter“.
Most of the operations explained in this blog are performed throught Cloud Foundry CLI. You can download it from here.
Create a service instance of “xsuaa”.
“xsuaa” is an extended user account and authentication service. You can print out all available services by typing this CF CLI command:
>cf marketplace Getting services from marketplace in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com... OK service plans description application-logs lite Stream logs of bound applications to central application logging stack autoscaler lite Automatically increase or decrease the number of application instances based on a policy you define. connectivity lite Establishes a secure and reliable connectivity between cloud applications and on-premise systems. destination lite [BETA] Provides a secure and reliable access to destination configurations feature-flags lite Feature Flags service for controlling feature rollout hanatrial hdi-shared SAP HANA trial database jobscheduler lite [Beta] Allows you to define and manage your jobs that run on one-time or recurring schedules mongodb v3.0-dev Store JSON-like documents in a document-oriented database. portal-services site-host, site-content, site-app Easily create SAP Fiori launchpad business sites for employees, customers and partners. postgresql v9.4-dev, v9.6-dev PostgreSQL object-relational database system rabbitmq v3.6-dev RabbitMQ messaging redis v3.0-dev Redis in-memory data structure store xsuaa application Manage application authorizations and trust to identity providers
So, you can simply create a new instance of the xsuaa service like this (don’t forget to replace pXXXXXXXXXX by your own p-number):
>cf create-service xsuaa application scphelloworld-uaa -c "{\"xsappname\":\"scphelloworld-pXXXXXXXXXX\"}"
Note that we provide some configuration using “-c” command switch. The service supports more complex configuration to handle functional scopes for instance.
Verify the service instance is OK:
>cf services Getting services in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com... OK name service plan bound apps last operation scphelloworld-uaa xsuaa application scphelloworldrouter create succeeded
Deploy a copy of “approuter” application
This configurable application will act as the bouncer for your “Hello World”. It will choose to authorize or not incoming HTTP calls following rules you will specify through a configuration file.
You can clone this Git repository locally:
https://github.com/AnthonyMullerPlayground/scphelloworldrouter
To deploy it, you need first to adapt the “manifest.yml” file to indicate of your host (as usual, it needs to be unique globally in SCP/CF as we already saw it previously. A convenient way is to append your p-number (SCP identifier) in the hostnames. To do that, just replace “pXXXXXXXXXX” by your own p-number.
At this point, we are ready to deploy. Go to the “scphelloworldrouter” folder, and execute “cf push” command.
Check the application is running:
>cf apps Getting apps in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com... OK name requested state instances memory disk urls scphelloworld started 1/1 512M 1G scphelloworld-p1942961245.cfapps.eu10.hana.ondemand.com scphelloworldrouter started 1/1 128M 1G scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com
The next step is a bit stricky… The goal is to add a new CF route in order to make the application “multitenant-compliant”. To do that, we simply append the account identifier at the beginning of the URL.
>cf map-route scphelloworldrouter cfapps.eu10.hana.ondemand.com -n p1942961245trial-scphelloworldrouter-p1942961245 Creating route p1942961245trial-scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com for org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com... OK Adding route p1942961245trial-scphelloworldrouter-p1942961245.cfapps.eu10.hana.ondemand.com to app scphelloworldrouter in org P1942961245trial_trial / space dev as sap.cp.user1@gmail.com... OK
Test the security
Try to access to this URL using Chrome for instance:
https://pXXXXXXXXXXtrial-scphelloworldrouter-pXXXXXXXXXX.cfapps.eu10.hana.ondemand.com/hello
If everything is properly configured, you should see the following screen:
Enter your credentials, and you will get the “Hello World!” response like before. Great your application is secured !
Hmmm wait… Not really secured in fact… If you entered the previous URL, you can still access it directly without authentication.
Yes, we need to modify the “scphelloworld” application to finish to implement the security, but this is explained in the next part.