diff --git a/app/xs-app.json b/app/xs-app.json
index f6adf5a4..a485a915 100644
--- a/app/xs-app.json
+++ b/app/xs-app.json
@@ -7,66 +7,66 @@
"cacheControl": "no-cache, no-store, must-revalidate",
"target": "$1",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/appconfig/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/browse/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/admin/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/orders/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/reviews/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/notes/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/addresses/webapp/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/vue/(.*)$",
"localDir": "./",
- "authenticationType": "xsuaa"
+ "authenticationType": "ias"
},
{
"source": "^/api/admin/(.*)",
- "authenticationType": "xsuaa",
+ "authenticationType": "ias",
"destination": "backend"
},
{
"source": "^/api/browse/(.*)",
- "authenticationType": "xsuaa",
+ "authenticationType": "ias",
"destination": "backend"
},
{
"source": "^/api/review/(.*)",
- "authenticationType": "xsuaa",
+ "authenticationType": "ias",
"destination": "backend"
},
{
"source": "^/api/notes/(.*)",
- "authenticationType": "xsuaa",
+ "authenticationType": "ias",
"destination": "backend"
},
{
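Review bot: Every route in this hunk now declares `"authenticationType": "ias"`, but the approuter only honours that value when the app module is bound to an identity service instance; the new `mta-multi-tenant-ias-ams.yaml` does bind `bookshop-mt-ias-identity`, while any other deployment descriptor that still deploys this same `xs-app.json` with only an xsuaa binding would fail at login, and the commit does not say how the two variants are meant to coexist. If both descriptors stay in the repository, either keep a separate routes file per variant or record in the README which descriptor this `xs-app.json` now assumes. The routes array starts before this hunk and continues after it, so any route outside the visible lines that still says `"xsuaa"` would be missed by this change.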
diff --git a/mta-multi-tenant-ias-ams.yaml b/mta-multi-tenant-ias-ams.yaml
new file mode 100644
index 00000000..5c432ba2
--- /dev/null
+++ b/mta-multi-tenant-ias-ams.yaml
@@ -0,0 +1,173 @@
+_schema-version: '2.1'
+ID: bookshop-mt-ias
+version: 1.0.0
+description: "Multitenant Bookshop CAP Java Project with UI"
+parameters:
+ enable-parallel-deployments: true
+modules:
+ # --------------------- SERVER MODULE ------------------------
+ - name: bookshop-mt-ias-srv
+ # ------------------------------------------------------------
+ type: java
+ path: srv
+ parameters:
+ memory: 1024M
+ disk-quota: 512M
+ buildpacks:
+ - https://github.com/SAP/cloud-authorization-buildpack/releases/latest/download/opa_buildpack.zip
+ - sap_java_buildpack_jakarta
+ routes:
+ - route: '${default-url}'
+ - route: '${default-host}.cert.${default-domain}'
+ properties:
+ SPRING_PROFILES_ACTIVE: cloud,sandbox
+ CDS_MULTITENANCY_APPUI_TENANTSEPARATOR: "-"
+ JBP_CONFIG_COMPONENTS: "jres: ['com.sap.xs.java.buildpack.jre.SAPMachineJRE']"
+ JBP_CONFIG_SAP_MACHINE_JRE: '{ version: 21.+ }'
+ AMS_DCL_ROOT: "/BOOT-INF/classes/ams/"
+ build-parameters:
+ builder: custom
+ commands:
+ - mvn clean package -DskipTests=true
+ build-result: target/*-exec.jar
+ requires:
+ - name: bookshop-mt-ias-service-manager
+ - name: bookshop-mt-ias-sms
+ - name: bookshop-mt-ias-identity
+ parameters:
+ config:
+ credential-type: "X509_GENERATED"
+ key-length: 2048
+ validity: 30
+ validity-type: "DAYS"
+ app-identifier: "microservice1"
+ - name: mtx-api
+ properties:
+ CDS_MULTITENANCY_SIDECAR_URL: ~{mtx-url}
+ - name: app-api
+ properties:
+ CDS_MULTITENANCY_APPUI_URL: ~{app-url}
+ - name: cf-logging
+ provides:
+ - name: srv-api
+ properties:
+ srv-url: '${default-url}'
+ srv-cert-url: '${protocol}://${default-host}.cert.${default-domain}'
+ # --------------------- SIDECAR MODULE -----------------------
+ - name: bookshop-mt-ias-sidecar
+ # ------------------------------------------------------------
+ type: nodejs
+ path: mtx/sidecar
+ parameters:
+ memory: 256M
+ disk-quota: 1024M
+ build-parameters:
+ builder: custom
+ build-result: gen
+ commands:
+ - npm run build
+ requires:
+ - name: bookshop-mt-ias-srv
+ requires:
+ - name: bookshop-mt-ias-service-manager
+ - name: bookshop-mt-ias-identity
+ parameters:
+ config:
+ credential-type: "X509_GENERATED"
+ key-length: 2048
+ validity: 30
+ validity-type: "DAYS"
+ app-identifier: "microservice1"
+ - name: cf-logging
+ provides:
+ - name: mtx-api
+ properties:
+ mtx-url: ${default-url}
+ # --------------------- APPROUTER MODULE ---------------------
+ - name: bookshop-mt-ias-app
+ # ------------------------------------------------------------
+ type: approuter.nodejs
+ path: app
+ parameters:
+ memory: 256M
+ disk-quota: 512M
+ keep-existing-routes: true
+ properties:
+ TENANT_HOST_PATTERN: ^(.*)-${default-host}.${default-domain} # testing only, use custom domain with wildcard for production
+ requires:
+ - name: srv-api
+ group: destinations
+ properties:
+ name: backend
+ url: ~{srv-cert-url}
+ forwardAuthCertificates: true
+ forwardAuthToken: true
+ strictSSL: true
+ - name: bookshop-mt-ias-identity
+ parameters:
+ config:
+ credential-type: "X509_GENERATED"
+ key-length: 2048
+ validity: 30
+ validity-type: "DAYS"
+ app-identifier: "microservice1"
+ - name: bookshop-mt-ias-sms
+ provides:
+ - name: app-api
+ properties:
+ app-url: '${default-url}'
+ app-domain: '${default-domain}'
+# --------------------- RESOURCES ---------------------
+resources:
+# -----------------------------------------------------
+ - name: bookshop-mt-ias-service-manager
+ type: org.cloudfoundry.managed-service
+ parameters:
+ service: service-manager
+ service-plan: container
+ - name: bookshop-mt-ias-identity
+ type: org.cloudfoundry.managed-service
+ parameters:
+ service: identity
+ service-plan: application
+ config:
+ authorization:
+ enabled: true
+ value_help_url: "https://vhp-srv-develop.cert.cfapps.sap.hana.ondemand.com/odata/v4/ExampleValueHelpService/"
+ oauth2-configuration:
+ redirect-uris: [
+ "https://*.cfapps.sap.hana.ondemand.com/**",
+ "https://*.internal.cfapps.sap.hana.ondemand.com/node/signin-oidc/*",
+ "http://localhost:5000/login/callback?authType=ias"
+ ]
+ xsuaa-cross-consumption: true
+ display-name: bookshop-mt-ias-identity
+ multi-tenant: true
+ - name: bookshop-mt-ias-sms
+ type: org.cloudfoundry.managed-service
+ parameters:
+ service: subscription-manager
+ service-plan: provider
+ config:
+ iasServiceInstanceName: bookshop-mt-ias-identity
+ applicationType: application
+ appName: bookshop-mt-ias
+ appCallbacks:
+ dependenciesCallbacks:
+ url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}/dependencies
+ subscriptionCallbacks:
+ url: ~{srv-api/srv-cert-url}/mt/sms/subscriptions/tenants/{app_tid}
+ subscribeEnable: true
+ unSubscribeEnable: true
+ timeoutInMillis: 60000
+ displayName: bookshop-mt-ias
+ description: "MT Bookshop using IAS & AMS"
+ category: "Application Development and Automation"
+ requires:
+ - name: srv-api
+ processed-after: [ bookshop-mt-ias-identity ]
+ - name: cf-logging
+ type: org.cloudfoundry.managed-service
+ parameters:
+ service: application-logs
+ service-plan: lite
\ No newline at end of file
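Review bot: The `redirect-uris` list under `oauth2-configuration` contains `"https://*.cfapps.sap.hana.ondemand.com/**"`, which makes every application on the shared landscape domain an acceptable redirect target for this IAS client, so an authorization code issued for this application can be delivered to an unrelated app on that domain; restrict it to the approuter's own host pattern, e.g. `"https://*-<approuter-host>.<landscape-domain>/**"` (placeholders to be filled from the actual route), and keep the `http://localhost:5000/...` entry out of the shared descriptor. `value_help_url` points at a fixed developer instance (`vhp-srv-develop.cert.cfapps...`), which silently ties every deployment of this descriptor to that host; supply it per environment through an `.mtaext` extension or a parameter instead. The inline comment on `TENANT_HOST_PATTERN` already says "testing only", which argues for the same extension-file approach for that value. As a style point, `mtx-url: ${default-url}` is the only unquoted placeholder value while `srv-url` and `app-url` are quoted; write it as `mtx-url: '${default-url}'` for consistency, and add the missing trailing newline flagged by `\ No newline at end of file`.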
diff --git a/mtx/sidecar/package.json b/mtx/sidecar/package.json
index 13462cc9..842b6175 100644
--- a/mtx/sidecar/package.json
+++ b/mtx/sidecar/package.json
@@ -17,6 +17,9 @@
"profiles": ["mtx-sidecar", "java"],
"[development]": {
"requires": { "auth": "dummy" }
+ },
+ "requires": {
+ "auth": "ias"
}
},
"scripts": {
diff --git a/pom.xml b/pom.xml
index 246fda1a..a666f11f 100644
--- a/pom.xml
+++ b/pom.xml
@@ -28,6 +28,7 @@
3.5.3
3.8.4
8.3.0
+ 1.7.0
@@ -71,6 +72,19 @@
4.0.0
+
+
+ com.sap.cloud.security.ams.client
+ jakarta-ams
+ 1.7.0
+
+
+
+ com.sap.cloud.security.ams.client
+ cap-support
+ 1.7.0
+
+
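Review bot: The two managed dependencies added here (`jakarta-ams` and `cap-support`) pin `1.7.0` as a literal version while the first hunk (`@@ -28,6 +28,7 @@`) introduces a property holding the same value; referencing that property, `<version>${<ams-version-property>}</version>` (substitute the property name declared in the first hunk), keeps the two from drifting on the next bump. The XML element names are stripped in this rendering, so this is inferred from the bare `1.7.0` values; the closing context lines of the hunk are likewise not visible.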
diff --git a/srv/pom.xml b/srv/pom.xml
index 10125ea9..08276ba3 100644
--- a/srv/pom.xml
+++ b/srv/pom.xml
@@ -133,6 +133,17 @@
spring-boot-devtools
true
+
+
+
+ com.sap.cloud.security.ams.client
+ jakarta-ams
+
+
+
+ com.sap.cloud.security.ams.client
+ cap-support
+
diff --git a/srv/src/main/resources/ams/bookshop/bookshop.dcl b/srv/src/main/resources/ams/bookshop/bookshop.dcl
new file mode 100644
index 00000000..ffdcb0df
--- /dev/null
+++ b/srv/src/main/resources/ams/bookshop/bookshop.dcl
@@ -0,0 +1,7 @@
+POLICY Admin {
+ GRANT admin ON $SCOPES;
+}
+
+POLICY Expert {
+ GRANT expert ON $SCOPES;
+}
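Review bot: Neither policy is documented: `Admin` and `Expert` grant `admin` and `expert` on `$SCOPES` with no `WHERE` restriction, so anyone assigned the policy receives the full corresponding CAP role, and the accompanying `schema.dcl` is an empty `SCHEMA {}` so no attribute filter could be expressed yet. A one-line comment above each policy naming the CAP role it is meant to satisfy and stating that the unrestricted grant is intentional would make that reviewable. DCL accepts `//` line comments as far as I know; verify against the AMS DCL reference in use before adding them.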
diff --git a/srv/src/main/resources/ams/schema.dcl b/srv/src/main/resources/ams/schema.dcl
new file mode 100644
index 00000000..35db1e21
--- /dev/null
+++ b/srv/src/main/resources/ams/schema.dcl
@@ -0,0 +1,2 @@
+SCHEMA {
+}
\ No newline at end of file
diff --git a/srv/src/main/resources/application.yaml b/srv/src/main/resources/application.yaml
index dad875b3..0775a4c2 100644
--- a/srv/src/main/resources/application.yaml
+++ b/srv/src/main/resources/application.yaml
@@ -51,6 +51,7 @@ cds:
kind: enterprise-messaging
format: cloudevents
subscribe-prefix: sap/S4HANAOD/java/ce/
+ security.authorization.deep.enabled: true
---
spring:
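Review bot: The added `security.authorization.deep.enabled: true` is the only dotted (flattened) key in this `cds:` block, and its indentation cannot be verified in this rendering; the surrounding context lines (`kind`, `format`, `subscribe-prefix`) belong to a messaging service entry, so if the new line sits at that level it is nested under the messaging configuration rather than under `cds` and will be silently ignored. Expressing it as a nested mapping directly under `cds:` (`security:` containing `authorization:` containing `deep:` containing `enabled: true`) makes the level unambiguous and matches the block style used by the rest of the file. The `cds:` block begins before this hunk.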