An approach to secure multiple integrated SAP CAP Java applications with a common XSUAA instance

I am a developer at SAP Labs India.
I tried to secure a set of SAP Cloud Application Programming Model (CAP) Java applications that are integrated with each other, using a single SAP Authorization and Trust Management service (XSUAA) instance for authentication and authorization, where each application had its own set of roles for authorization.

I have explained below the approach that I followed, as I could not find this approach in any resource.

Let me take an example scenario and explain the steps in that context.

Suppose we have two applications, one to maintain the employee details (calling it the EMP app) and another to maintain the department details (calling it the DEP app). The EMP app has the role 'emp_admin', which has edit access to the EMP app, and the role 'emp_user', which has only read access to the EMP app.

Similarly, 'dep_admin' has edit/write access to the DEP app, while 'dep_user' has read access to the DEP app.

Now, the EMP app depends on the department details maintained in the DEP app (i.e., when you maintain employee details in the EMP app, assume there is a drop-down to select the department to which this employee belongs; this information comes from the DEP service).

We shall now secure both the EMP and DEP apps with a common XSUAA instance and allow the EMP app to fetch the department information from the DEP service in a secure manner.

1. We define the XSUAA instance in the mta.yaml file as usual and bind it to our application (the service and the AppRouter modules).

mta.yaml

2. Define the configuration of the XSUAA instance as shown below.

xs-security.json

3. The EMP app depends on the remote service of the DEP app to get the department details. The call to the remote service requires forwarding the access token from EMP to DEP; this is configured in the 'application.yaml' file as shown below.

application.yaml

4. Assuming that the EMP and DEP apps have their own deployment configuration files, we maintain exactly the same XSUAA-related content (in the mta.yaml and xs-security.json files), as shown in steps 1 and 2 above, for both applications, so that both deployments bind to the one shared instance.
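As an added illustration of step 2 (my own example, not the configuration from the original post), here is what a single xs-security.json shared by both apps could look like. The xsappname, scope descriptions and role-collection names are assumptions; the role names emp_admin, emp_user, dep_admin and dep_user follow the scenario above, and because CAP derives a user's roles from the XSUAA scope names (with the $XSAPPNAME prefix stripped), each role is declared as a scope plus a matching role template.

```json
{
  "xsappname": "emp-dep-common",
  "tenant-mode": "dedicated",
  "scopes": [
    { "name": "$XSAPPNAME.emp_admin", "description": "Create and edit employee details (EMP app)" },
    { "name": "$XSAPPNAME.emp_user",  "description": "Read employee details (EMP app)" },
    { "name": "$XSAPPNAME.dep_admin", "description": "Create and edit department details (DEP app)" },
    { "name": "$XSAPPNAME.dep_user",  "description": "Read department details (DEP app)" }
  ],
  "role-templates": [
    {
      "name": "emp_admin",
      "description": "EMP app administrator",
      "scope-references": ["$XSAPPNAME.emp_admin", "$XSAPPNAME.emp_user"]
    },
    {
      "name": "emp_user",
      "description": "EMP app read-only user",
      "scope-references": ["$XSAPPNAME.emp_user"]
    },
    {
      "name": "dep_admin",
      "description": "DEP app administrator",
      "scope-references": ["$XSAPPNAME.dep_admin", "$XSAPPNAME.dep_user"]
    },
    {
      "name": "dep_user",
      "description": "DEP app read-only user",
      "scope-references": ["$XSAPPNAME.dep_user"]
    }
  ],
  "role-collections": [
    {
      "name": "EMP_Administrator",
      "description": "Maintains employees; needs read access to departments for the drop-down",
      "role-template-references": ["$XSAPPNAME.emp_admin", "$XSAPPNAME.dep_user"]
    },
    {
      "name": "DEP_Administrator",
      "description": "Maintains departments",
      "role-template-references": ["$XSAPPNAME.dep_admin"]
    }
  ]
}
```

Because both apps share this one xsappname, the token that EMP forwards to DEP already carries the dep_user scope for users in EMP_Administrator, so the DEP service can enforce its own @requires check on the forwarded call without a separate token exchange. The collection grants dep_user rather than dep_admin, so EMP users receive only the read access the drop-down needs.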

Please note that I am only trying to highlight how to have a common XSUAA instance across applications and how to facilitate token forwarding between them. To learn how to secure your services using the annotations, please refer to https://cap.cloud.sap/docs/guides/authorization
Also, the example here shows only two applications to explain the concept in a simple manner. I have implemented the same for eight applications that are integrated with each other.

I hope this content helps anyone trying to implement a similar scenario. Please comment if there are any other ways to achieve this behavior; that would benefit us all.

Thank you!!