How to Secure Your Cloud Foundry Python Application with XSUAA

Harsh_Tirhekar

Introduction

Securing applications in the cloud is critical to ensure that sensitive data and operations are protected from unauthorized access. SAP Cloud Foundry offers a robust way to handle authentication and authorization using the XSUAA (Extended Services User Account and Authentication) service. By leveraging XSUAA, developers can implement security measures that integrate seamlessly with SAP Cloud Platform, providing OAuth 2.0-based security mechanisms.

In this blog post, I'll walk you through the process of applying XSUAA security to a Python application deployed on Cloud Foundry using the Python Buildpack. Whether you're new to SAP Cloud Platform or looking to secure your existing applications, this guide will help you understand the steps involved and save you time in the process. We'll cover everything from setting up your environment to deploying and testing your secure application, ensuring you have a comprehensive understanding of the entire workflow.

Let's dive in and secure your Python application with XSUAA on Cloud Foundry!

Step-by-Step Guide

1. Setting Up Your Environment

Create a new project directory:

mkdir cf-python-xsuaa
cd cf-python-xsuaa

2. Create hello.py file

Create a new file named hello.py with the following content:

import os
from flask import Flask, request, abort
from cfenv import AppEnv
import jwt
from sap import xssec

app = Flask(__name__)
env = AppEnv()

port = int(os.environ.get('PORT', 3000))
# Credentials of the bound XSUAA instance, read from VCAP_SERVICES
uaa_service = env.get_service(name='xsuaa_service_name').credentials

@app.route('/')
def hello():
    if 'authorization' not in request.headers:
        abort(403)
    # Strip the "Bearer " prefix (7 characters) to get the raw JWT
    access_token = request.headers.get('authorization')[7:]
    # Debug output only: this decodes the claims WITHOUT checking the signature,
    # so it must never be used for an authorization decision
    print(jwt.decode(access_token, options={"verify_signature": False}))
    # xssec validates signature, issuer and expiry against the bound instance;
    # an invalid token raises, which is turned into a 401 instead of a 500
    try:
        security_context = xssec.create_security_context(access_token, uaa_service)
    except Exception:
        abort(401)
    isAuthorized = security_context.check_scope('uaa.resource')
    print(isAuthorized)
    print(security_context)
    print(access_token)  # debug only: remove before production, tokens do not belong in logs
    if not isAuthorized:
        abort(403)

    return "Hello World"

if __name__ == '__main__':
    app.run(host='0.0.0.0', port=port)

3. Create manifest.yml file

Create a manifest.yml file with the following content:

---
applications:
- name: cf-python-xsuaa
  memory: 128MB
  disk_quota: 256MB
  random-route: true
  buildpack: python_buildpack
  command: python hello.py
  services:
  - xsuaa_service_name

4. Create requirements.txt file

Create a requirements.txt file with the following dependencies:

Flask
gunicorn
cfenv
sap-xssec
PyJWT

5. Create xs-security.json file

Create an xs-security.json file with the following content:

{
    "xsappname": "xsuaa_service_name",
    "tenant-mode": "dedicated"
}

6. Install Dependencies and Run Locally

Set up a virtual environment and install dependencies:

python -m venv venv
.\venv\Scripts\activate   (Windows; on Linux/macOS use: source venv/bin/activate)
pip install -r requirements.txt

Run the application locally:

python hello.py

7. Deploy to Cloud Foundry

Log in to Cloud Foundry:

cf login

Create the XSUAA service instance:

cf create-service xsuaa application xsuaa_service_name -c xs-security.json

Deploy the application:

cf push

Create a service key for the XSUAA service:

cf create-service-key xsuaa_service_name xsuaa_service_key

Retrieve the service key:

cf service-key xsuaa_service_name xsuaa_service_key

8. Test Your Application with Postman

Generate a token using Postman with the clientid, clientsecret and url values from the service key retrieved in the previous step:

Use the generated token to access your secure endpoint, sending it in the Authorization header as "Bearer YOUR_ACCESS_TOKEN":

Replace YOUR_ACCESS_TOKEN with the token you obtained from the previous step.
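The same exchange scripted instead of clicked through in Postman, as an added example that is not part of the original post: a client-credentials token request against the XSUAA token endpoint (`url` + `/oauth/token`, HTTP Basic auth with clientid/clientsecret), a look at the scopes in the returned token, and the call to the secured endpoint. SERVICE_KEY is a constructed stand-in for the output of `cf service-key`, and the app URL in `__main__` is a placeholder you replace with the random route `cf push` printed.

```python
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Constructed stand-in for `cf service-key xsuaa_service_name xsuaa_service_key`;
# the real key has more fields, only these three are needed for this flow.
SERVICE_KEY = {
    "clientid": "sb-xsuaa_service_name!t0000",
    "clientsecret": "EXAMPLE-SECRET",
    "url": "https://example-subdomain.authentication.eu10.hana.ondemand.com",
}

def build_token_request(service_key):
    """(url, headers, body) for the OAuth 2.0 client-credentials grant, i.e.
    what Postman sends when you request a token with the service key."""
    creds = f"{service_key['clientid']}:{service_key['clientsecret']}".encode()
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return service_key["url"].rstrip("/") + "/oauth/token", headers, body

def token_scopes(access_token):
    """Scopes from the JWT payload, read WITHOUT verifying the signature.
    Fine for inspecting a token you just received; the app still lets
    xssec verify it before check_scope('uaa.resource') means anything."""
    payload_b64 = access_token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64)).get("scope", [])

def fetch_token(service_key):
    url, headers, body = build_token_request(service_key)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def call_app(app_url, access_token):
    """GET the secured endpoint with a Bearer token; returns (status, body)."""
    req = urllib.request.Request(app_url, headers={"Authorization": "Bearer " + access_token})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:  # 401/403 from hello.py land here
        return e.code, e.read().decode()

if __name__ == "__main__":
    token = fetch_token(SERVICE_KEY)
    print("scopes:", token_scopes(token))
    print(call_app("https://cf-python-xsuaa-PLACEHOLDER.cfapps.eu10.hana.ondemand.com/", token))
```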

Conclusion

By following these steps, you’ve successfully secured your Python application on Cloud Foundry using XSUAA. This method provides a robust authentication and authorization mechanism, ensuring that your application is protected from unauthorized access.

Additional Resources

  • SAP Cloud Platform XSUAA Documentation
  • Cloud Foundry Documentation
  • Python Buildpack Documentation

Call to Action

Try securing your own applications, help others in the comments, and post your experiences in the SAP Community.

Thanks and regards,

Harsh Tirhekar

rakesh

How to allow BTP Login screen to access the app?