As support for Spring Boot 2.x and Spring Framework 5.x comes to an end, we will also discontinue support for our Spring-dependent artifacts. This means that, beyond the end of support date for affected libraries, we will not provide any bug fixes or security patches.
We recommend upgrading to our 3.x major release, which supports Spring Boot 3.x, Spring Framework 6.x, and Java 17. For assistance with the migration process, please refer to our migration guide.
ArtifactId | Version | End of Support |
---|---|---|
spring-xsuaa | 2.x | Dec, 2025 |
spring-xsuaa-test | 2.x | Dec, 2025 |
xsuaa-spring-boot-starter | 2.x | Nov, 2023 |
spring-security | 2.x | Dec, 2025 |
resourceserver-security-spring-boot-starter | 2.x | Nov, 2023 |
Authentication services provided by the xsuaa service on SAP Cloud Platform or SAP HANA XS Advanced rely on usage of the OAuth 2.0 protocol and OAuth 2.0 access tokens.
Typical UI5 applications consist of a server providing the HTML content and one or more applications serving REST APIs used by the application. Web applications use the OAuth Authorization Code Flow for interactive authentication:
1. A user accesses the web application using a browser or mobile device.
2. The web application (in typical SAP Cloud Platform applications, this is an application router) acts as OAuth client and redirects to the OAuth server for authorization.
3. Upon authentication, the web application uses the code issued by the authorization server to request an access token.
4. The web application uses the access token to request data from the OAuth resource server. The OAuth resource server validates the token using online or offline validation.

OAuth resource servers (such as the one in step 4) require libraries for validating access tokens.
The SAP Java Buildpack integrates token validation into the Tomcat server. Application developers requiring authentication and authorization information in their application use the interfaces defined in java-api to obtain information like user name and scopes.
- Java 8 or 11
- Maven 3.3.9 or later
- You use `sap_java_buildpack` (e.g. in your `manifest.yml`)

See sap-java-buildpack-api-usage for an example.
Earlier SAP Java Buildpack versions used deprecated (Spring) Security libraries and had to be updated. Starting with version 1.26.0, SAP Java Buildpack uses the java-security library. Please consider these (migration) guides:
Applications requiring access tokens (JWT) use the Token Flows API defined in token-client to obtain JWT tokens for their clients (applications) or for their users.
- Java 8 or 11
- Maven 3.3.9 or later
- See java-tokenclient-usage for an example.
- See spring-security-xsuaa-usage for an example.
Application developers requiring authentication and authorization information in their application use the libraries defined in java-security to obtain token information like user name.
- Java 8 or 11
- Maven 3.3.9 or later
See java-security-usage for an example.
- java-security-test offers test utilities to generate custom JWT tokens for the purpose of tests. It pre-configures a WireMock web server to stub outgoing calls to the identity service (OAuth resource-server), e.g. to provide token keys for offline token validation. Its use is only intended for JUnit tests.
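
The check a resource server performs in step 4 of the flow above, sketched with java-security as an added example (not code from this repository). The class name `BearerTokenGuard`, its `Decision` enum and the scope passed in by the caller are hypothetical; the library calls are the java-security 2.x API as assumed here, and an xsuaa service binding is assumed to be present.

```java
import com.sap.cloud.security.config.Environments;
import com.sap.cloud.security.config.OAuth2ServiceConfiguration;
import com.sap.cloud.security.token.SecurityContext;
import com.sap.cloud.security.token.Token;
import com.sap.cloud.security.token.XsuaaToken;
import com.sap.cloud.security.token.validation.CombiningValidator;
import com.sap.cloud.security.token.validation.ValidationResult;
import com.sap.cloud.security.token.validation.validators.JwtValidatorBuilder;

/** Hypothetical helper: the per-request access-token check of a resource server. */
public class BearerTokenGuard {
    public enum Decision { ALLOW, UNAUTHENTICATED, FORBIDDEN }

    private final CombiningValidator<Token> validators;

    public BearerTokenGuard() {
        // Assumption: the application is bound to an xsuaa service instance,
        // so the configuration can be read from the environment.
        OAuth2ServiceConfiguration config = Environments.getCurrent().getXsuaaConfiguration();
        // Build once and reuse across requests.
        this.validators = JwtValidatorBuilder.getInstance(config).build();
    }

    /** @param authorizationHeader raw "Authorization" header value, may be null */
    public Decision check(String authorizationHeader, String requiredLocalScope) {
        SecurityContext.clearToken(); // never leak a token from a previous request on this thread
        if (authorizationHeader == null || !authorizationHeader.startsWith("Bearer ")) {
            return Decision.UNAUTHENTICATED;
        }
        XsuaaToken token;
        try {
            token = new XsuaaToken(authorizationHeader);
        } catch (RuntimeException malformed) {
            return Decision.UNAUTHENTICATED; // fail closed on undecodable input
        }
        ValidationResult result = validators.validate(token);
        if (result.isErroneous()) {
            // Log result.getErrorDescription() server-side; do not echo it to the caller.
            return Decision.UNAUTHENTICATED;
        }
        if (!token.hasLocalScope(requiredLocalScope)) {
            return Decision.FORBIDDEN; // authenticated, but the token lacks the scope
        }
        SecurityContext.setToken(token); // make the validated token available downstream
        return Decision.ALLOW;
    }
}
```

Map `UNAUTHENTICATED` to HTTP 401 and `FORBIDDEN` to HTTP 403 in the calling filter or servlet.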
Spring Boot provides OAuth resource servers. Application developers requiring authentication and authorization information in their application use the libraries defined in spring-security to obtain token information like user name and scopes.
- Java 8 or 11
- Maven 3.3.9 or later
- Starting with version 2.6.1, Spring Boot >= 2.2 is required. Consequently, it also requires Spring Security version >= 5.2.
- See spring-security-hybrid-usage for an example.
- See spring-security-basic-auth for an example demonstrating how a user can access a REST API via basic authentication (user/password) using spring-xsuaa.
- java-security-test offers test utilities to generate custom JWT tokens for the purpose of tests. It pre-configures a WireMock web server to stub outgoing calls to the identity service (OAuth resource-server), e.g. to provide token keys for offline token validation. Its use is only intended for JUnit tests.
Build results are published to Maven Central: https://search.maven.org/search?q=com.sap.cloud.security
To download and install this project, clone this repository via:
```
git clone https://github.com/SAP/cloud-security-xsuaa-integration
cd cloud-security-xsuaa-integration
mvn clean install
```
Note: Use this if you want to enhance these xsuaa integration libraries. The build results are also available on Maven Central.
The libraries and information provided here cover integration with the SAP xsuaa and identity service. General integration into other OAuth authorization servers is not the primary focus.
Open an issue in GitHub.
Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.