Configuring the Spring Security Framework 

Objective

After completing this lesson, you will be able to identify Spring security features for configuring resources, user access control, and consistent authentication

Spring Security in SAP Commerce Cloud – The Basics

SAP Commerce Cloud ships with, and builds on, the Spring Security framework. In Commerce Cloud it is responsible for:

  • Restricting access to specific resources based on predefined user roles (user groups).

  • Delegating authentication and authorization for the platform's web applications.

  • Providing supporting services such as 'remember me', login pages, and so on.

This framework is generally employed across multiple web applications in Commerce Cloud, including but not limited to:

  • Backoffice: Manages access to a variety of functionalities and modules within this area.

  • OCC (Omni Commerce Connect) Web Services: Secures the REST endpoints behind operations such as cart, checkout and promotions.

  • HAC (SAP Commerce Cloud Administration Console): Controls access to administrative functionality and protects the sensitive information it exposes.

Each of these applications includes a file that configures Spring Security. It is commonly named spring-security-config.xml, <extension_name>-spring-security.xml, <extension_name>-spring-security-config.xml, or simply security-spring.xml. A typical example of this file is illustrated here:

This image demonstrates a typical example of a Spring Security Configuration XML file, with three key elements highlighted.
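Because the image is not reproduced here, the following added XML illustrates the three elements a typical configuration file contains. It is not the file shipped with any SAP Commerce extension: the URL paths, the ROLE_ + upper-cased group UID naming of roles, and the package and properties of the provider bean are assumptions for this illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added illustration, not a file shipped with SAP Commerce Cloud.
     URL patterns, role names and the provider bean's class/properties are assumed. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:security="http://www.springframework.org/schema/security"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/security
                           http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- (1) The Spring Security schema is declared via the security: namespace above. -->

    <!-- (2) Access rules. intercept-url elements are evaluated top to bottom and the
             first matching pattern wins, so specific paths must precede the catch-all. -->
    <security:http use-expressions="true" authentication-manager-ref="authenticationManager">
        <!-- Login page: reachable by everyone (anonymous included), but only over HTTPS. -->
        <security:intercept-url pattern="/login/**"
                                access="permitAll"
                                requires-channel="https"/>
        <!-- My Account: only members of the customer group, and only over HTTPS. -->
        <security:intercept-url pattern="/my-account/**"
                                access="hasRole('ROLE_CUSTOMERGROUP')"
                                requires-channel="https"/>
        <!-- Catch-all for the rest of the storefront; keep it last. -->
        <security:intercept-url pattern="/**" access="permitAll"/>

        <security:form-login login-page="/login"
                             authentication-failure-url="/login?error=true"/>
        <security:logout logout-url="/logout"
                         logout-success-url="/"
                         invalidate-session="true"/>
    </security:http>

    <!-- (3) Authentication is delegated to the platform's CoreAuthenticationProvider
             so that credential checks behave the same way in every web application. -->
    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="coreAuthenticationProvider"/>
    </security:authentication-manager>

    <bean id="coreAuthenticationProvider"
          class="de.hybris.platform.spring.security.CoreAuthenticationProvider">
        <!-- userDetailsService wiring is an assumption for this illustration -->
        <property name="userDetailsService" ref="coreUserDetailsService"/>
    </bean>
</beans>
```

Two points worth checking in a real file: the order of the intercept-url rules (if `/**` were listed first, the rules below it would never be reached), and the catch-all's access expression, which decides what an unauthenticated caller can see by default.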

Please note that:

  1. The file declares the Spring Security XML schema (the security namespace).
  2. The intercept-url tags define the access rules. For example:
    • The login page is accessible to all users, but only over HTTPS.
    • The my-account page is accessible only to members of the customer group, and only over HTTPS.
  3. Authentication is delegated to the platform's default CoreAuthenticationProvider (the bean named coreAuthenticationProvider). Using this provider is recommended so that credentials are verified the same way in every application.

    If you need additional checks, you can extend this provider rather than replace it. Here is a simple example:

This image depicts a code snippet for the BackofficeAuthenticationProvider class, which extends the CoreAuthenticationProvider to include an additional layer of security for user authentication that precedes the standard username/password verification process.

Based on the code presented above, you can observe that:

  1. The BackofficeAuthenticationProvider extends the standard CoreAuthenticationProvider.
  2. The authenticate method is overridden to adapt the default authentication flow.
  3. First, an extra verification step, the checkBackofficeAccess method, evaluates the "Backoffice login disabled" flag that exists only on Employee users and rejects the login if it is set.
  4. Only after this check passes does the standard username and password verification run, via the default coreAuthenticate method.
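The following added Java class illustrates the pattern described above. It is not SAP's own BackofficeAuthenticationProvider. Assumptions: CoreAuthenticationProvider lives in de.hybris.platform.spring.security and is invoked through its public authenticate(Authentication) method (the page refers to this step as coreAuthenticate); EmployeeModel exposes the flag as getBackOfficeLoginDisabled(); UserService.getUserForUID throws UnknownIdentifierException for unknown accounts; the package name com.example.backoffice.security is invented.

```java
// Added illustration, not SAP's BackofficeAuthenticationProvider.
// Assumed: CoreAuthenticationProvider in de.hybris.platform.spring.security,
// EmployeeModel.getBackOfficeLoginDisabled(), UserService.getUserForUID().
package com.example.backoffice.security;

import de.hybris.platform.core.model.user.EmployeeModel;
import de.hybris.platform.core.model.user.UserModel;
import de.hybris.platform.servicelayer.exceptions.UnknownIdentifierException;
import de.hybris.platform.servicelayer.user.UserService;
import de.hybris.platform.spring.security.CoreAuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.DisabledException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;

public class BackofficeAuthenticationProvider extends CoreAuthenticationProvider {

    private UserService userService;

    @Override
    public Authentication authenticate(final Authentication authentication)
            throws AuthenticationException {
        // Step 1: Backoffice-specific gate, evaluated before any password check.
        checkBackofficeAccess(authentication.getName());
        // Step 2: standard username/password verification by the platform provider.
        return super.authenticate(authentication);
    }

    /**
     * Rejects accounts that must not reach the Backoffice login at all:
     * non-Employee accounts and Employees whose Backoffice login is disabled.
     */
    protected void checkBackofficeAccess(final String uid) {
        final UserModel user;
        try {
            user = userService.getUserForUID(uid);
        } catch (final UnknownIdentifierException e) {
            // Unknown account: fall through to the standard check, which fails with
            // the same "Bad credentials" error as a wrong password, so this step does
            // not reveal whether the account exists.
            return;
        }
        // Policy choice of this example: only Employee accounts may log in here.
        if (!(user instanceof EmployeeModel)) {
            throw new BadCredentialsException("Bad credentials");
        }
        if (Boolean.TRUE.equals(((EmployeeModel) user).getBackOfficeLoginDisabled())) {
            throw new DisabledException("Backoffice login is disabled for this account");
        }
    }

    public void setUserService(final UserService userService) {
        this.userService = userService;
    }
}
```

To activate it, the bean that the application's spring-security XML references as its authentication provider must point at this class (with userService injected). One caveat a reviewer should raise: a pre-password check that throws a distinct DisabledException tells an unauthenticated caller that the account exists and is disabled. If that is unacceptable for your deployment, throw the same generic error for all three outcomes, or move the flag check to after super.authenticate() succeeds and before the session is issued.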

Spring Security in SAP Commerce Cloud – HAC Control

Now that you understand the basics of Spring Security and its application in managing access to your web application, let's dive into a practical example: integrating Spring Security with HAC (SAP Commerce Cloud Administration Console).


The video demonstration covers the following points:

Out-of-the-box, Spring Security is configured to control access to HAC. Based on assigned roles, users are granted access to specific HAC tabs or actions (e.g., 'Clear cache').

This image depicts the default HAC tabs and actions associated with Spring Security user roles.

HAC ships with several predefined roles, each represented as a UserGroup item. You can find them in Backoffice by searching for group UIDs that start with 'hac':

This image demonstrates how to search for the predefined user groups associated with HAC's Spring Security configuration.

As mentioned previously, you can configure the related Spring Security XML file to use these user groups to control access to HAC. Here are two examples from the standard spring-security-config.xml in the HAC extension:

This image displays two examples of applying user groups in the Spring Security XML configuration file for HAC.

As you can see:

  1. The pattern attribute defines the URL (an Ant-style path) to which the rule applies.
  2. The access attribute names the user groups (as roles) permitted to reach that URL.

Combining these two examples, we get the following:

  • Users in the admin group or the hac_monitoring_cache group can both view the cache page and clear the cache.
  • Users in the hac_monitoring_cache_limited group can only view the cache page; they cannot clear the cache.
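The following added XML fragment shows how the two rules above combine into a read-only tier and a read-and-clear tier. It is an illustration, not the spring-security-config.xml shipped with the hac extension: the URL patterns are assumed, and the role names assume the platform convention that a UserGroup uid maps to ROLE_ followed by the uid in upper case.

```xml
<!-- Added illustration, not the hac extension's own configuration.
     URL patterns and the ROLE_<UID> naming of roles are assumptions. -->
<security:http use-expressions="true">
    <!-- Most specific path first: clearing the cache changes state, so it is limited
         to the admin group and the full cache-monitoring group. -->
    <security:intercept-url pattern="/monitoring/cache/clear"
                            access="hasAnyRole('ROLE_ADMINGROUP','ROLE_HAC_MONITORING_CACHE')"/>

    <!-- Read-only cache page: additionally open to the limited group. -->
    <security:intercept-url pattern="/monitoring/cache/**"
                            access="hasAnyRole('ROLE_ADMINGROUP',
                                               'ROLE_HAC_MONITORING_CACHE',
                                               'ROLE_HAC_MONITORING_CACHE_LIMITED')"/>

    <!-- Everything else in HAC: admin group only. Keep this catch-all last. -->
    <security:intercept-url pattern="/**" access="hasRole('ROLE_ADMINGROUP')"/>
</security:http>
```

The order is the security-relevant part. intercept-url rules are matched top to bottom and the first match wins; if the `/monitoring/cache/**` rule were listed before `/monitoring/cache/clear`, it would match the clear URL too and the limited group would gain the ability to clear the cache. When reviewing such a file, walk each protected URL down the list and confirm which rule it actually hits.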

This concludes the brief introduction to how Spring Security is applied and supported in SAP Commerce Cloud. For more information on additional Spring Security implementations, refer to the ServiceLayer Security help page.
