Version 1 (modified by 7 years ago) (diff) | ,
---|
<?xml version="1.0" encoding="UTF-8"?> <web-app xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://java.sun.com/xml/ns/javaee" xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" id="WebApp_ID" version="3.0"> <display-name>xProject</display-name> <!-- DB and resource references for required services (Tenant, Connectivity, Password Storage) --> <resource-ref> <res-ref-name>jdbc/xProjectDB</res-ref-name> <res-type>javax.sql.DataSource</res-type> </resource-ref> <resource-ref> <res-ref-name>tenantContext</res-ref-name> <res-type>com.sap.cloud.account.TenantContext</res-type> </resource-ref> <resource-ref> <res-ref-name>connectivityConfiguration</res-ref-name> <res-type>com.sap.core.connectivity.api.configuration.ConnectivityConfiguration</res-type> </resource-ref> <!-- TODO: Place cursor below this line and insert Snippet 3 --> <resource-ref> <res-ref-name>PasswordStorage</res-ref-name> <res-type>com.sap.cloud.security.password.PasswordStorage</res-type> </resource-ref> <!-- Authentication and authorization settings --> <login-config> <auth-method>FORM</auth-method> </login-config> <security-constraint> <web-resource-collection> <web-resource-name>Protected APIs</web-resource-name> <url-pattern>/api/v1/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>ProjectManager</role-name> <role-name>ProjectMember</role-name> </auth-constraint> </security-constraint> <security-role> <role-name>ProjectManager</role-name> </security-role> <security-role> <role-name>ProjectMember</role-name> </security-role> <filter> <display-name>OAuth scope definition for joining a project</display-name> <filter-name>ListProjectsScopeFilter</filter-name> <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class> <init-param> <param-name>scope</param-name> <param-value>list-projects</param-value> </init-param> <init-param> <param-name>http-method</param-name> <param-value>GET</param-value> </init-param> <init-param> <param-name>no-session</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ListProjectsScopeFilter</filter-name> <url-pattern>/api/v1/mobile/projects</url-pattern> </filter-mapping> <filter> <display-name>OAuth scope definition for joining a project</display-name> <filter-name>JoinProjectScopeFilter</filter-name> <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class> <init-param> <param-name>scope</param-name> <param-value>join-project</param-value> </init-param> <init-param> <param-name>http-method</param-name> <param-value>POST</param-value> </init-param> <init-param> <param-name>no-session</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>JoinProjectScopeFilter</filter-name> <url-pattern>/api/v1/mobile/projects</url-pattern> </filter-mapping> <filter> <display-name>OAuth scope definition for managing a project member's timesheets </display-name> <filter-name>ManageTimesheetsScopeFilter</filter-name> <filter-class>com.sap.cloud.security.oauth2.OAuthAuthorizationFilter</filter-class> <init-param> <param-name>scope</param-name> <param-value>manage-timesheets</param-value> </init-param> <init-param> <param-name>http-method</param-name> <param-value>GET POST</param-value> </init-param> <init-param> <param-name>no-session</param-name> <param-value>true</param-value> </init-param> </filter> <filter-mapping> <filter-name>ManageTimesheetsScopeFilter</filter-name> <url-pattern>/api/v1/mobile/timesheets</url-pattern> </filter-mapping> <servlet> <servlet-name>TestDataServlet</servlet-name> <servlet-class>com.sap.cloud.sample.xproject.servlet.TestDataServlet</servlet-class> </servlet> <servlet-mapping> <servlet-name>TestDataServlet</servlet-name> <url-pattern>/TestDataServlet</url-pattern> </servlet-mapping> <filter> <filter-name>CsrfFilter</filter-name> <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class> <init-param> <param-name>entryPoints</param-name> <param-value>/index.jsp</param-value> </init-param> </filter> <filter-mapping> <filter-name>CsrfFilter</filter-name> <url-pattern>/api/v1/web</url-pattern> </filter-mapping> </web-app>
package com.sap.cloud.sample.xproject.web; import java.io.IOException; import java.net.HttpURLConnection; import java.net.InetSocketAddress; import java.net.Proxy; import java.net.URL; import java.net.URLEncoder; import java.nio.charset.StandardCharsets; import java.util.ArrayList; import java.util.List; import java.util.Map; import javax.naming.Context; import javax.naming.InitialContext; import javax.naming.NamingException; import javax.sql.DataSource; import org.apache.http.HttpEntity; import org.apache.http.NameValuePair; import org.apache.http.auth.AuthenticationException; import org.apache.http.auth.UsernamePasswordCredentials; import org.apache.http.client.ClientProtocolException; import org.apache.http.client.entity.UrlEncodedFormEntity; import org.apache.http.client.methods.CloseableHttpResponse; import org.apache.http.client.methods.HttpDelete; import org.apache.http.client.methods.HttpPost; import org.apache.http.client.methods.HttpPut; import org.apache.http.entity.ContentType; import org.apache.http.entity.StringEntity; import org.apache.http.impl.auth.BasicScheme; import org.apache.http.impl.client.CloseableHttpClient; import org.apache.http.impl.client.HttpClients; import org.apache.http.message.BasicNameValuePair; import org.apache.http.util.EntityUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.core.JsonProcessingException; import com.fasterxml.jackson.databind.JsonNode; import com.fasterxml.jackson.databind.ObjectMapper; import com.sap.cloud.account.TenantContext; import com.sap.cloud.security.password.PasswordStorage; import com.sap.cloud.security.password.PasswordStorageException; import com.sap.core.connectivity.api.configuration.ConnectivityConfiguration; import com.sap.core.connectivity.api.configuration.DestinationConfiguration; public class Util { private static final Logger LOGGER = LoggerFactory.getLogger(Util.class); private static final String JNDI_KEY_DATA_SOURCE = "java:comp/env/jdbc/xProjectDB"; private static final String JNDI_KEY_CONNECTIVITY_CONFIG = "java:comp/env/connectivityConfiguration"; private static final String JNDI_KEY_PASSWORD_STORAGE = "java:comp/env/PasswordStorage"; private static final String DESTINATION_OAUTHAS_TOKEN = "oauthasTokenEndpoint"; private static final String DESTINATION_AUTHZ_MGMT = "authzMgmtService"; private static final String PROPERTY_CLIENTID = "User"; private static final String PROPERTY_SECRET = "Password"; private static final String ON_PREMISE_PROXY = "OnPremise"; // used for user to role assignments private static class Role { public String applicationName; public String name; public String providerAccount; } private static class Roles { public Roles() { this.role = new ArrayList<Util.Role>(); } @JsonProperty("roles") public List<Role> role; } public static DataSource getDataSource() { Object dataSource; try { InitialContext ctx = new InitialContext(); dataSource = ctx.lookup(JNDI_KEY_DATA_SOURCE); } catch (NamingException e) { throw new IllegalStateException("JNDI lookup failure", e); } if (dataSource instanceof DataSource) { return (DataSource) dataSource; } throw new IllegalStateException( "No data source available in JNDI context"); } public static String getAccountName() { TenantContext context = null; try { context = (TenantContext) (new InitialContext()).lookup("java:comp/env/tenantContext"); } catch (NamingException ne) { LOGGER.error("Failed to get tenant context", ne); } return context.getTenant().getAccount().getId(); } public static Proxy getProxy(String proxyType) { String proxyHost = null; int proxyPort; if (ON_PREMISE_PROXY.equals(proxyType)) { // Get proxy for on-premise destinations proxyHost = System.getenv("HC_OP_HTTP_PROXY_HOST"); proxyPort = Integer.parseInt(System.getenv("HC_OP_HTTP_PROXY_PORT")); } else { // Get proxy for internet destinations proxyHost = System.getProperty("http.proxyHost"); proxyPort = Integer.parseInt(System.getProperty("http.proxyPort")); } return new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyHost, proxyPort)); } public static int assignUserToRole(String userid, String rolename, String accessToken) { // https://api.hana.ondemand.com/authorization/v1/documentation#accounts__accountName__users_roles_put Role newRole = new Role(); newRole.applicationName = "xproject"; newRole.name = rolename; newRole.providerAccount = getAccountName(); Roles roles = new Roles(); roles.role.add(newRole); int responseCode = 0; ObjectMapper mapper = new ObjectMapper(); try { String json = mapper.writeValueAsString(roles); // look up the connectivity configuration API "connectivityConfiguration" Context ctx = new InitialContext(); ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx.lookup(JNDI_KEY_CONNECTIVITY_CONFIG); // get destination configuration for "authzapi" DestinationConfiguration destConfiguration = configuration.getConfiguration(DESTINATION_AUTHZ_MGMT); // get destination URL String url = destConfiguration.getProperty("URL").replace("accountName", Util.getAccountName()). concat("?userId=" + URLEncoder.encode(userid, StandardCharsets.UTF_8.name())); LOGGER.debug("Usign URL {}", url); // create HTTP Client and PUT request from Apache libs CloseableHttpClient httpClient = HttpClients.createDefault(); HttpPut httpPut = new HttpPut(url); // add API request body StringEntity requestEntity = new StringEntity(json, ContentType.APPLICATION_JSON); httpPut.setEntity(requestEntity); LOGGER.debug("Sending API request body: {}", requestEntity.toString()); // add the OAuth Access Token to the header httpPut.addHeader("Authorization", "Bearer " + accessToken); try { // call API LOGGER.debug("Executing request {}", httpPut.getRequestLine()); CloseableHttpResponse response = httpClient.execute(httpPut); responseCode = response.getStatusLine().getStatusCode(); HttpEntity responseBody = response.getEntity(); try { LOGGER.debug("Response code: {}", responseCode); if (responseCode == HttpURLConnection.HTTP_CREATED) { // process response from api String apiResponse = EntityUtils.toString(responseBody); LOGGER.debug("Response is: {}", apiResponse); } } finally { // complete response processing EntityUtils.consume(responseBody); response.close(); } } catch (ClientProtocolException cpe) { LOGGER.error("ClientProtocol Exception: ", cpe); } finally { httpClient.close(); } } catch (JsonProcessingException jpe) { LOGGER.error("Error assigning the role: ", jpe); } catch (IOException ioe) { LOGGER.error("IO Exception: ", ioe); } catch (NamingException ne) { LOGGER.error("JNDI lookup failure", ne); } return responseCode; } public static int unassignUserFromRole(String userid, String rolename, String accessToken) { // https://api.hana.ondemand.com/authorization/v1/documentation#accounts__accountName__users_roles_delete int responseCode = 0; try { // look up the connectivity configuration API "connectivityConfiguration" Context ctx = new InitialContext(); ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx.lookup(JNDI_KEY_CONNECTIVITY_CONFIG); // get destination configuration for "authzapi" DestinationConfiguration destConfiguration = configuration.getConfiguration(DESTINATION_AUTHZ_MGMT); // get destination URL String url = destConfiguration.getProperty("URL").replace("accountName", Util.getAccountName()). concat("?userId=" + URLEncoder.encode(userid, StandardCharsets.UTF_8.name())). concat("&roles=" + URLEncoder.encode(rolename + "@" + Util.getAccountName() + ":" + "xproject",StandardCharsets.UTF_8.name())); LOGGER.debug("Usign URL {}", url); // create HTTP Client and DELETE request from Apache libs CloseableHttpClient httpClient = HttpClients.createDefault(); HttpDelete httpDelete = new HttpDelete(url); // add the OAuth Access Token to the header httpDelete.addHeader("Authorization", "Bearer " + accessToken); try { // call API LOGGER.debug("Executing request {}", httpDelete.getRequestLine()); CloseableHttpResponse response = httpClient.execute(httpDelete); responseCode = response.getStatusLine().getStatusCode(); try { HttpEntity responseBody = response.getEntity(); LOGGER.debug("Response code: {}", responseCode); if (responseCode == HttpURLConnection.HTTP_OK) { // process response from api String apiResponse = EntityUtils.toString(responseBody); LOGGER.debug("Response is: {}", apiResponse); } // complete response processing EntityUtils.consume(responseBody); } finally { response.close(); } } catch (ClientProtocolException cpe) { LOGGER.error("ClientProtocol Exception: ", cpe); } finally { httpClient.close(); } } catch (JsonProcessingException jpe) { LOGGER.error("Error assigning the role: ", jpe); } catch (IOException ioe) { LOGGER.error("IO Exception: ", ioe); } catch (NamingException ne) { LOGGER.error("JNDI lookup failure", ne); } return responseCode; } public static String requestNewAccessTokenForPlatformAPI() { String accessToken = null; try { // look up the connectivity configuration API "connectivityConfiguration" Context ctx = new InitialContext(); ConnectivityConfiguration configuration = (ConnectivityConfiguration) ctx.lookup(JNDI_KEY_CONNECTIVITY_CONFIG); // get destination configuration for "oauthasTokenEndpoint" DestinationConfiguration destConfiguration = configuration.getConfiguration(DESTINATION_OAUTHAS_TOKEN); // get all destination properties Map<String, String> allDestinationPropeties = destConfiguration.getAllProperties(); // get clientid and secret from destination user and password properties String clientid = allDestinationPropeties.get(Util.PROPERTY_CLIENTID); String secret = allDestinationPropeties.get(Util.PROPERTY_SECRET); LOGGER.debug("Usign client id {} and secret {}", clientid ,secret); // get destination URL URL url = new URL(allDestinationPropeties.get("URL")); LOGGER.debug("Usign URL {}", url.toString()); // create HTTP Client and POST request from Apache libs CloseableHttpClient httpClient = HttpClients.createDefault(); HttpPost httpPost = new HttpPost(url.toString()); // add OAuth access token request parameters as per https://tools.ietf.org/html/rfc6749#section-4.4.1 List<NameValuePair> nvps = new ArrayList<NameValuePair>(); nvps.add(new BasicNameValuePair("grant_type", "client_credentials")); httpPost.setEntity(new UrlEncodedFormEntity(nvps)); try { // create Basic Authn header UsernamePasswordCredentials creds = new UsernamePasswordCredentials(clientid, secret); httpPost.addHeader(new BasicScheme().authenticate(creds, httpPost, null)); // send access token request to SAP CP Neo OAuth 2.0 Authorization Server LOGGER.debug("Executing request {}", httpPost.getRequestLine()); CloseableHttpResponse response = httpClient.execute(httpPost); try { HttpEntity responseBody = response.getEntity(); int responseCode = response.getStatusLine().getStatusCode(); LOGGER.debug("Response code: {}", responseCode); if (responseCode == HttpURLConnection.HTTP_OK) { // process response from api token endpoint String apiTokenResponse = EntityUtils.toString(responseBody); LOGGER.debug("Response is: {}", apiTokenResponse); // read api token response ObjectMapper mapper = new ObjectMapper(); JsonNode apiToken = mapper.readTree(apiTokenResponse); // get access token from response accessToken = apiToken.findValue("access_token").textValue(); LOGGER.debug("Access token: {}", accessToken); // store access token in SAP CP password storage using the account- and API name as alias setAccessToken(getAccountName(), accessToken.toCharArray()); } // complete response processing EntityUtils.consume(responseBody); } finally { response.close(); } } catch (ClientProtocolException cpe) { LOGGER.error("ClientProtocol Exception: ", cpe); } catch (AuthenticationException ae) { LOGGER.error("Authentication Exception: ", ae); } finally { httpClient.close(); } } catch (Exception e) { LOGGER.error("Exception: ", e); } return accessToken; } public static String getAccessTokenForPlatformAPI() { String accessToken = null; try { char[] accessTokenChar = getAccessToken(getAccountName()); if (accessTokenChar != null) { accessToken = String.valueOf(accessTokenChar); } else { // request a new access token from SAP CP Neo OAuth 2.0 Authorization Server accessToken = requestNewAccessTokenForPlatformAPI(); } } catch (PasswordStorageException pse) { LOGGER.error("Error retrieving access token from password storage: ", pse); } catch (NamingException ne) { LOGGER.error("JNDI lookup failure", ne); } return accessToken; } private static PasswordStorage getPasswordStorage() throws NamingException { InitialContext ctx = new InitialContext(); PasswordStorage passwordStorage = (PasswordStorage) ctx.lookup(JNDI_KEY_PASSWORD_STORAGE); return passwordStorage; } private static void setAccessToken(String alias, char[] accessToken) throws PasswordStorageException, NamingException { // TODO: Place cursor below this line and insert Snippet 1 PasswordStorage passwordStorage = getPasswordStorage(); passwordStorage.setPassword(alias, accessToken); LOGGER.debug("Successfully stored access token with account id {} as alias", alias); } private static char[] getAccessToken(String alias) throws PasswordStorageException, NamingException { char[] accessToken = null; // TODO: Place cursor below this line and insert Snippet 2 PasswordStorage passwordStorage = getPasswordStorage(); accessToken = passwordStorage.getPassword(alias); if (accessToken != null) { LOGGER.debug("Retrieved access token {} for account id {} as alias", String.valueOf(accessToken), alias); } return accessToken; } }
Attachments (1)
- Solution_Session DX360.zip (231.0 KB) - added by 7 years ago.
Download all attachments as: .zip