Problem accessing S4Hana system when assessing via OAuth2Bearer Assertion authentication configure destination

Submitted by 随声附和 on 2019-12-11 02:22:28

Question


I've generated project via:

mvn archetype:generate -DarchetypeGroupId=com.sap.cloud.s4hana.archetypes -DarchetypeArtifactId=scp-cf-spring -DarchetypeVersion=LATEST

I included the S4Sdk jars and am accessing the S4Hana V2 API. The code works fine with Basic authentication, but when I configure the destination type as "OAuth2SAMLBEARER ASSERTION" I get the following error in the CF logs when accessing S4Hana APIs via .execute calls:

2018-09-07T06:37:22.728+0000 [APP/PROC/WEB/0] ERR   ... 1 more
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.exception.DestinationAccessException: Failed to get access token for destination service.
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.sap.cloud.sdk.cloudplatform.connectivity.DestinationServiceCommand.getAccessToken(DestinationServiceCommand.java:107)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.sap.cloud.sdk.cloudplatform.connectivity.DestinationServiceCommand.run(DestinationServiceCommand.java:117)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.sap.cloud.sdk.cloudplatform.connectivity.DestinationServiceCommand.run(DestinationServiceCommand.java:26)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:302)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.netflix.hystrix.HystrixCommand$2.call(HystrixCommand.java:298)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at rx.internal.operators.OnSubscribeDefer.call(OnSubscribeDefer.java:46)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   ... 26 more
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR Caused by: com.sap.cloud.sdk.cloudplatform.connectivity.TokenRequestFailedException: Failed to get access token: no valid JWT bearer found in "Authorization" header of request.
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.sap.cloud.sdk.cloudplatform.connectivity.TokenRequest.getCurrentJwt(TokenRequest.java:307)
2018-09-07T06:37:22.729+0000 [APP/PROC/WEB/0] ERR   at com.sap.cloud.sdk.cloudplatform.connectivity.TokenRequest.requestTokenWithUserTokenGrant(TokenRequest.java:348)

Note that I've established trust between the S4Hana system and the subaccount; communication and business users are configured, following the principal propagation steps as specified in: https://blogs.sap.com/2018/02/05/deep-dive-8-with-sap-s4hana-cloud-sdk-leverage-principal-propagation-via-oauth-2-when-consuming-a-business-api-from-s4hana-cloud/

Please check and let me know if something else needs to be configured for this.


I tried creating an approuter via the blog suggested in the comments, but I'm getting an error when deploying the approuter in CF:

2018-09-07T20:01:21.20+0530 [APP/PROC/WEB/0] OUT > @sap/approuter@2.10.0 start /home/vcap/app
   2018-09-07T20:01:21.20+0530 [APP/PROC/WEB/0] OUT > node approuter.js
   2018-09-07T20:01:25.50+0530 [APP/PROC/WEB/0] OUT #2.0#2018 09 07 14:31:25:497#+00:00#WARNING#/LoggingLibrary################PLAIN##Dynamic log level switching not available#
   2018-09-07T20:01:28.89+0530 [APP/PROC/WEB/0] OUT #2.0#2018 09 07 14:31:28:897#+00:00#INFO#/approuter################PLAIN##Application router version 2.10.0#
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR /home/vcap/app/lib/utils/JsonValidator.js:30
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     throw new VError('%s%s: %s',
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     ^
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR VError: environment-destinations/0/url: Format validation failed (URI must be absolute)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at JsonValidator.validate (/home/vcap/app/lib/utils/JsonValidator.js:30:11)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Object.validateEnvDestinations (/home/vcap/app/lib/configuration/validators.js:100:15)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at loadDestinations (/home/vcap/app/lib/configuration/env-config.js:55:14)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Object.load (/home/vcap/app/lib/configuration/env-config.js:20:28)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Object.module.exports.load (/home/vcap/app/lib/configuration.js:15:37)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at bootstrap (/home/vcap/app/lib/bootstrap.js:47:36)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Approuter.start (/home/vcap/app/approuter.js:58:13)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Object.<anonymous> (/home/vcap/app/approuter.js:115:6)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Module._compile (module.js:577:32)
   2018-09-07T20:01:29.00+0530 [APP/PROC/WEB/0] ERR     at Object.Module._extensions..js (module.js:586:10)
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! Linux 4.4.0-133-generic
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! argv "/home/vcap/deps/0/node/bin/node" "/home/vcap/deps/0/bin/npm" "start"
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! node v6.14.3
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! npm  v3.10.10
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! code ELIFECYCLE
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! @sap/approuter@2.10.0 start: `node approuter.js`
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! Exit status 1
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! 
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! Failed at the @sap/approuter@2.10.0 start script 'node approuter.js'.
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! Make sure you have the latest version of node.js and npm installed.
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! If you do, this is most likely a problem with the @sap/approuter package,
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! not with npm itself.
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! Tell the author that this fails on your system:
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR!     node approuter.js
   2018-09-07T20:01:29.19+0530 [APP/PROC/WEB/0] ERR npm ERR! You can get information on how to open an issue for this project with:
   2018-09-07T20:01:29.20+0530 [APP/PROC/WEB/0] ERR npm ERR!     npm bugs @sap/approuter
   2018-09-07T20:01:29.20+0530 [APP/PROC/WEB/0] ERR npm ERR! Or if that isn't available, you can get their info via:
   2018-09-07T20:01:29.20+0530 [APP/PROC/WEB/0] ERR npm ERR!     npm owner ls @sap/approuter
   2018-09-07T20:01:29.20+0530 [APP/PROC/WEB/0] ERR npm ERR! There is likely additional logging output above.
   2018-09-07T20:01:29.29+0530 [APP/PROC/WEB/0] ERR npm ERR! Please include the following file with any support request:
   2018-09-07T20:01:29.29+0530 [APP/PROC/WEB/0] ERR npm ERR!     /home/vcap/app/npm-debug.log

Can you please help me here? I downloaded the approuter from the link suggested in the blog.


Answer 1:


I guess authentication is not configured yet as explained here: https://blogs.sap.com/2017/07/18/step-7-with-sap-s4hana-cloud-sdk-secure-your-application-on-sap-cloud-platform-cloudfoundry/

Have you secured your app so that the user has to log in first?

In contrast to Basic Authentication, for OAuth2SAMLBEARER or any other propagation of the user principal, the user has to be logged in to the application beforehand. Only then can the user be propagated.

Your logs indicate that the application fails to extract the JWT token from the request, which should be passed from the approuter.




Answer 2:


The issue was solved by having the app router send the JWT token to the Java application. There is a set of files like xs-app.json that need to be configured with the correct regular expression for the mapping to the destinations created in the manifest.yml of your app router. The specific destination created in the manifest should point to your Java service with "forward-token: true".

Apart from this, the XSUAA service instance you created should have the proper auth scopes defined in xs-security.json, as required by your application.

For the above error, if we call the Java service with the bearer token as received from the app router, it works fine. You can also access the app directly from the app router by configuring a proper regex in xs-app.json.
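
Added example (not part of the original answers and not SAP's code): a small Node.js check for the two failures in this thread, the approuter's "URI must be absolute" startup error and the missing JWT at the Java service. It assumes the approuter's `destinations` array from manifest.yml with the `forwardAuthToken` property (taken here to be what the answer calls "forward-token") and the `routes` array from xs-app.json; the destination name and host are constructed.

```javascript
// Lints an approuter configuration before deployment.
// Assumptions: `destinations` is the JSON array from the approuter's
// `destinations` env entry in manifest.yml; `xsApp` is the parsed xs-app.json.
function lintApprouterConfig(destinations, xsApp) {
  const findings = [];
  const byName = new Map();

  destinations.forEach((d, i) => {
    byName.set(d.name, d);
    let url = null;
    try { url = new URL(d.url); } catch (e) { /* relative or malformed URL */ }
    if (!url || !/^https?:$/.test(url.protocol)) {
      // The condition behind "environment-destinations/0/url ... URI must be absolute".
      findings.push(`destinations/${i}/url: URI must be absolute (got "${d.url}")`);
    }
  });

  for (const route of xsApp.routes || []) {
    if (!route.destination) continue; // route serving static resources
    try { new RegExp(route.source); } catch (e) {
      findings.push(`route "${route.source}": source is not a valid regular expression`);
    }
    const dest = byName.get(route.destination);
    if (!dest) {
      findings.push(`route "${route.source}": unknown destination "${route.destination}"`);
      continue;
    }
    if (dest.forwardAuthToken !== true) {
      // Without this the backend sees no "Authorization: Bearer <JWT>" header.
      findings.push(`destination "${dest.name}": forwardAuthToken is not true`);
    }
    if (route.authenticationType === 'none') {
      // No login on this route means there is no user JWT to forward.
      findings.push(`route "${route.source}": authenticationType is "none"`);
    }
  }
  return findings;
}

// Constructed sample input (hypothetical destination name and host).
const badDestinations = [{ name: 'java-backend', url: 'my-java-app.example.com' }];
const goodDestinations = [
  { name: 'java-backend', url: 'https://my-java-app.example.com', forwardAuthToken: true },
];
const sampleXsApp = {
  routes: [{ source: '^/api/(.*)$', destination: 'java-backend', authenticationType: 'xsuaa' }],
};

console.log(lintApprouterConfig(badDestinations, sampleXsApp));
console.log(lintApprouterConfig(goodDestinations, sampleXsApp));
```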



Source: https://stackoverflow.com/questions/52216943/problem-accessing-s4hana-system-when-assessing-via-oauth2bearer-assertion-authen
