on 2024 Jun 19 8:27 PM
Securing applications in the cloud is critical to ensure that sensitive data and operations are protected from unauthorized access. SAP Cloud Foundry offers a robust way to handle authentication and authorization using the XSUAA (Extended Services User Account and Authentication) service. By leveraging XSUAA, developers can implement security measures that integrate seamlessly with SAP Cloud Platform, providing OAuth 2.0-based security mechanisms.
In this blog post, I'll walk you through the process of applying XSUAA security to a Python application deployed on Cloud Foundry using the Python Buildpack. Whether you're new to SAP Cloud Platform or looking to secure your existing applications, this guide will help you understand the steps involved and save you time in the process. We'll cover everything from setting up your environment to deploying and testing your secure application, ensuring you have a comprehensive understanding of the entire workflow.
Let's dive in and secure your Python application with XSUAA on Cloud Foundry!
Create a new project directory:
```bash
mkdir cf-python-xsuaa
cd cf-python-xsuaa
```
Create a new file named hello.py with the following content:
```python
import os
from flask import Flask, request, abort
from cfenv import AppEnv
import jwt
from sap import xssec

app = Flask(__name__)
env = AppEnv()
port = int(os.environ.get('PORT', 3000))
# Credentials of the bound XSUAA instance, read from VCAP_SERVICES
uaa_service = env.get_service(name='xsuaa_service_name').credentials


@app.route('/')
def hello():
    if 'authorization' not in request.headers:
        abort(403)
    # Strip the "Bearer " prefix to get the raw JWT
    access_token = request.headers.get('authorization')[7:]
    # Debug output: show the claims without verifying the signature
    print(jwt.decode(access_token, options={"verify_signature": False}))
    # Validate the token (signature, issuer, expiry) against the XSUAA binding
    security_context = xssec.create_security_context(access_token, uaa_service)
    isAuthorized = security_context.check_scope('uaa.resource')
    # Debug output only; remove before going to production (logs the token)
    print(isAuthorized)
    print(security_context)
    print(access_token)
    if not isAuthorized:
        abort(403)
    return "Hello World"


if __name__ == '__main__':
    app.run(host='0.0.0.0', port=port)
```
Create a manifest.yml file with the following content:
```yaml
---
applications:
  - name: cf-python-xsuaa
    memory: 128MB
    disk_quota: 256MB
    random-route: true
    buildpack: python_buildpack
    command: python hello.py
    services:
      - xsuaa_service_name
```
Create a requirements.txt file with the following dependencies:
```text
Flask
gunicorn
cfenv
sap-xssec
PyJWT
```
Create an xs-security.json file with the following content:
```json
{
  "xsappname": "xsuaa_service_name",
  "tenant-mode": "dedicated"
}
```
Set up a virtual environment and install dependencies:
```bash
python -m venv venv
.\venv\Scripts\activate
pip install -r requirements.txt
```
Run the application locally:
```bash
python hello.py
```
Log in to Cloud Foundry:
```bash
cf login
```
Create the XSUAA service instance:
```bash
cf create-service xsuaa application xsuaa_service_name -c xs-security.json
```
Deploy the application:
```bash
cf push
```
Create a service key for the XSUAA service:
```bash
cf create-service-key xsuaa_service_name xsuaa_service_key
```
Retrieve the service key:
```bash
cf service-key xsuaa_service_name xsuaa_service_key
```
Generate a token using Postman:
Use the generated token to access your secure endpoint:
Replace YOUR_ACCESS_TOKEN with the token you obtained from the previous step.
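As an added example (not code from the original post), here is a hardened version of the token check in hello.py: it parses the Authorization header strictly instead of slicing off seven characters, answers 401 for a missing or invalid token and 403 for a missing scope, and never logs the raw token. The `create_context` parameter is assumed to be `xssec.create_security_context` bound to the XSUAA credentials, and the code assumes xssec raises an exception on an invalid token.

```python
from functools import wraps


def extract_bearer_token(headers):
    """Return the bearer token from an Authorization header, or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def authorize(headers, required_scope, create_context):
    """Return (http_status, security_context).

    create_context is assumed to be xssec.create_security_context bound to
    the XSUAA credentials, e.g. lambda t: xssec.create_security_context(t, uaa_service).
    """
    token = extract_bearer_token(headers)
    if token is None:
        return 401, None  # no credentials at all: authentication problem
    try:
        ctx = create_context(token)  # verifies signature, issuer and expiry
    except Exception:  # assumption: xssec raises on an invalid/expired token
        return 401, None
    if not ctx.check_scope(required_scope):
        return 403, None  # authenticated, but not allowed
    return 200, ctx


def require_scope(scope, create_context):
    """Flask decorator that applies authorize() to a view."""
    # Flask is imported lazily so the pure functions above work without it
    from flask import request, abort

    def decorator(view):
        @wraps(view)
        def wrapped(*args, **kwargs):
            status, ctx = authorize(request.headers, scope, create_context)
            if status != 200:
                abort(status)
            return view(ctx, *args, **kwargs)
        return wrapped
    return decorator
```

In hello.py the route becomes `@app.route('/')` followed by `@require_scope('uaa.resource', lambda t: xssec.create_security_context(t, uaa_service))`, and the view receives the security context as its first argument.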
By following these steps, you’ve successfully secured your Python application on Cloud Foundry using XSUAA. This method provides a robust authentication and authorization mechanism, ensuring that your application is protected from unauthorized access.
Try securing your own applications, help others in the comments, and post your experiences in the SAP Community.
Thanks and regards,
Harsh Tirhekar
How to allow BTP Login screen to access the app?