
HCP - Getting Current User in Java Services

Jeetendra
Explorer
0 Kudos

We are using the java services exposed as rest to consume in our Fiori application. Application architecture looks like below -

- Maven Project

| - Maven Module for Java Services

| - Maven Module for web project exposing as rest

We want the current user in the Java services. Is it possible to get it using an API? I understand that the service should receive the login credentials in some form (not sure), and using the credentials one should be able to get the current user. For this the services need to be authenticated. My question is -

  1. How do I enable authentication in the services? These services are faceless, i.e. they are exposed from the rest module, which is a separate module. Please note that I don't have any web.xml in the services module; the services module is used as a dependency in the web module.
  2. If the authentication needs to be passed from the web module, how do I enable authentication in the web module? I don't have servlets in the web module, so there is no request or response object here. I do have a web.xml here.

Any help or pointer would be greatly appreciated.

Best Regards

Jeet

gregorw
Active Contributor
0 Kudos

Are you using SAP Cloud Platform Neo or Cloud Foundry?

Accepted Solutions (1)

Ivan-Mirisola
Product and Topic Expert

Hi Jeet,

I see that you posted this question on Java EE 6 Web Profile, so I am assuming you are developing on top of a compatible runtime provided by the Neo SDK.

The first thing that needs to be clarified is that SCP works with the configured IdP settings of your account. In a trial landscape it uses accounts.sap.com (SAP ID Service). This IdP will perform the authentication for your application. So, if you specify the following in the web.xml of your web module:

    <login-config>
        <auth-method>FORM</auth-method>
    </login-config>

When you request the web application entry point and there isn't any SAML Token available it will display the IdP's authentication screen. Therefore, at this point your SCP account is delegating authentication to your configured IdP.

Once you are authenticated through the IdP, your request is then redirected to your application entry point, where you can retrieve the user details from the SAML assertion token generated by the IdP. Attribute availability will depend on how the Identity Provider (SAML token issuer) is set up. But, basically, you could get the Principal object from the request this way:

    request.getUserPrincipal()

And then the user details this way:

    import java.security.Principal;

    // Neo SDK user management API (imports as used in the SDK's own sample;
    // check them against your SDK version)
    import com.sap.security.um.service.UserManagementAccessor;
    import com.sap.security.um.user.PersistenceException;
    import com.sap.security.um.user.UnsupportedUserAttributeException;
    import com.sap.security.um.user.User;
    import com.sap.security.um.user.UserProvider;

    /**
     * Get name and e-mail user attributes and return them as a condensed string.
     */
    private String getUserAttributes(Principal principal) throws PersistenceException,
            UnsupportedUserAttributeException {
        // Get user from user storage based on principal name
        UserProvider userProvider = UserManagementAccessor.getUserProvider();
        User user = userProvider.getUser(principal.getName());

        // Extract and return user name and e-mail address if present
        String firstName = user.getAttribute("firstname");
        String lastName = user.getAttribute("lastname");
        String eMail = user.getAttribute("email");
        return (firstName != null && lastName != null ? firstName + " " + lastName + " [" + principal.getName() + "]"
                : principal.getName()) + (eMail != null ? " (" + eMail + ")" : "");
    }

There is a sample on how to set up a main project with different modules in the samples directory. However, I am not aware of any means to avoid setting the security in the web.xml. The Neo runtime inspects what's defined in the web.xml in order to provide your application with the correct authentication features provided by the Java EE container. This is true even for a Spring Boot application.

With that in mind, your application (even when we are dealing with a main project and several modules) is a single deployable WAR file. Thus, the main entry point of your application should be protected and allow for an authentication request to an IdP system. Once the user authenticates against the IdP, your application will have the token throughout any of the protected resources. Thus, you could then retrieve the authenticated user via the code above. Even while dealing with Spring Security, your @RestController will have access to the HttpServletRequest object to retrieve the principal.

On your services module you could just check whether the user is authenticated or not and deny any request based on that. If the user is authenticated, then you could check whether the user belongs to a role for authorization verification. Roles can be assigned automatically based on user attributes provided by the IdP. You assign your application roles directly to a group in SCP's cockpit. Then in the IdP configuration you assign users to groups based on their attributes.

Best regards,
Ivan
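As an added example (not code from the thread or from SAP's samples) of the flow Ivan describes, the block below shows a JAX-RS resource in the web module that takes the container-authenticated Principal from the injected HttpServletRequest, checks a container role, and only then hands the Principal to a faceless service class of the kind that would live in the services module. It assumes the web.xml also carries a `<security-constraint>` whose `<url-pattern>` covers the REST path and whose `<auth-constraint>` names the role, plus a matching `<security-role>`; the package, path, class names and the role name `ServiceUser` are placeholders. The point for the services module is that it receives the Principal the container verified, never a user name taken from a header, parameter or request body that the caller could set itself.

```java
package com.example.web; // hypothetical package name

import java.security.Principal;

import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Context;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;

/**
 * Web-module resource: no servlet of your own is needed, the JAX-RS runtime
 * injects the current HttpServletRequest, and the Java EE container has
 * already run the FORM/SAML login configured in web.xml before this is called.
 */
@Path("/whoami") // hypothetical path
public class WhoAmIResource {

    @Context
    private HttpServletRequest request;

    @GET
    @Produces(MediaType.TEXT_PLAIN)
    public Response whoAmI() {
        // Authentication: set by the container from the SAML assertion.
        Principal principal = request.getUserPrincipal();
        if (principal == null) {
            // Only reachable if this path is not covered by a <security-constraint>;
            // refuse rather than fall back to an anonymous identity.
            return Response.status(Response.Status.UNAUTHORIZED).build();
        }

        // Authorization: container role, mapped to a group in the SCP cockpit
        // and from there to IdP user attributes. "ServiceUser" is a placeholder.
        if (!request.isUserInRole("ServiceUser")) {
            return Response.status(Response.Status.FORBIDDEN).build();
        }

        // Hand the verified identity to the faceless service layer.
        String greeting = new GreetingService().greetingFor(principal);
        return Response.ok(greeting).build();
    }
}

/**
 * Services-module class (hypothetical): it never sees a servlet request or
 * web.xml, it only receives the Principal the web module already verified.
 */
class GreetingService {

    String greetingFor(Principal principal) {
        if (principal == null) {
            // Defensive check so the service cannot be called anonymously
            // by some other entry point in the WAR.
            throw new IllegalStateException("service called without an authenticated principal");
        }
        return "Hello, " + principal.getName();
    }
}
```

With this split, the services module's only contract is "give me a Principal" (or the user name obtained from it), which keeps the module free of servlet dependencies while still guaranteeing that the identity it acts on was established by the container rather than supplied by the client.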

rileyrainey
Product and Topic Expert

Jeet,

You can find a fairly complete code example of the Neo mechanisms Ivan's talking about here: https://github.com/SAP/cloud-olingo-identity-ochat

Riley

Answers (1)

Jeetendra
Explorer
0 Kudos

ivan.mirisola: Thank you very much for the detailed answer and support. I was able to achieve the desired result with the provided help.

riley.rainey: Indeed a great help; the provided code sample helped a lot. Thank you very much.

Best Regards

Jeet