Version: 2.0.0

Overview

WorkNet is a Spring Boot 3.5.9 microservice (Java 17) that acts as a unified task aggregation and action platform. It pulls tasks from multiple enterprise systems (SAP BTP, Flowable, SuccessFactors, DocuSign, Adobe Sign, Ariba, SAP Concur, Salesforce, S/4HANA, ECC, and more), normalizes them into a common database schema, and provides APIs for users to take actions on those tasks. It is part of the CherryWork product suite developed by Incture Technologies.

Terminology

| Abbreviation | Full Form | What It Is |
|---|---|---|
| CherryWork | - | Incture's enterprise automation platform (product name) |
| CAF | CherryWork Application Framework | The microservices framework that CherryWork apps are built on |
| ITM | Intelligent Task Management | The Task Center service that aggregates and displays tasks to end users |
| IWM | Intelligent Work Manager | The broader platform WorkNet belongs to - manages unified task workflows |
| WorkNet | - | This service - the backend engine that pulls, stores, and acts on tasks |
| Composite API | - | Internal API orchestration layer that chains multiple REST calls together |
| XSUAA | SAP Authorization and Trust Management | SAP's OAuth2/JWT identity service |
| BTP | Business Technology Platform | SAP's cloud platform (where apps are deployed) |
| ACR | Azure Container Registry | Docker image storage on Azure |
| AKS | Azure Kubernetes Service | Managed Kubernetes on Azure |
| CF | Cloud Foundry | PaaS runtime on SAP BTP |
| SSE | Server-Sent Events | Real-time push technology for browser updates |
| WorkAccess | - | CherryWork's user/group management service (alternative to SAP IAS) |
| SPI | Service Provider Interface | Java interface pattern used for pluggable service implementations |

The service handles:

  • Scheduled task pulling from 10+ enterprise systems
  • Task normalization into a common database schema
  • Task actions (approve, reject, claim, forward, release, send_back, resubmit, cancel)
  • Cache eviction for the ITM Task Center
  • Notification dispatching via messaging service
  • DocuSign/Salesforce JWT assertion token generation for API authentication
  • Draft process management
  • YAML configuration management
  • Server-Sent Events for real-time UI updates

Technology Stack

| Component | Technology | Version |
|---|---|---|
| Language | Java | 17 |
| Framework | Spring Boot | 3.5.9 |
| Database | SAP HANA + MySQL | ngdbc 2.23.10, mysql-connector-j |
| Security | Spring Security + OAuth2 (via iwm-security-adapter) | 0.0.3-SNAPSHOT |
| Composite API | worknet-composite-api | 0.0.7-SNAPSHOT |
| HTTP Client | Spring WebFlux WebClient + RestTemplate | - |
| AOP | Spring AOP (AspectJ) | - |
| Config | Spring Cloud Config | 2025.0.0 |
| JSON | Jackson (with JavaTimeModule) | - |
| Crypto | BouncyCastle (RSA JWT assertions) | - |
| JWT Creation | auth0 java-jwt (for DocuSign/Salesforce) | - |
| Text Utils | Apache Commons Text | 1.15.0 |
| Monitoring | Spring Boot Actuator | - |
| Cloud Platform | SAP BTP Cloud Foundry / Kubernetes | - |
| Build | Maven | - |
| Container | Docker | - |
| Annotations | Lombok | - |

Project Structure

```
com.cherrywork.worknet/
|- WorknetApplication.java # Entry point: @EnableScheduling, @EnableAspectJAutoProxy, ObjectMapper bean
|- aspect/
|  |- AspectUtil.java # @After advice on task actions -> triggers async cache eviction
|  |- AsyncExecuter.java # Async operations: cache evict, notifications, token management, WorkAccess calls
|  |- CustomAsyncExceptionHandler.java # Global async exception handler
|  |- SpringAsyncConfig.java # Async thread pool configuration
|  '- SSEController.java # Server-Sent Events: /send/{userName}, /subscribe
|- config/
|  |- ApiConfig.java # @ConfigurationProperties for external API URLs (prefix: app)
|  |- ApplicationConstants.java # Data type constants (NVARCHAR, DATE, etc.) + action constants
|  |- CloudDatabaseConfig.java # Profile "vcapDB": DataSource from VCAP_SERVICES
|  |- DatabaseConfiguration.java # Additional DB config
|  |- DestinationApiConfig.java # SAP Destination Service API integration
|  |- DestinationDatabaseConfig.java # DB config via SAP Destination Service
|  |- DestinationURLConfig.java # Resolves ITM URL from SAP Destination Service or config
|  |- SpringConfiguration.java # ThreadPoolTaskScheduler (pool=10)
|  |- VcapConfigDetails.java # Parses VCAP_SERVICES environment variable
|  '- YamlPropertySourceFactory.java # Custom YAML property source loader
|- custom/
|  |- CustomDeligate.java # Interface for custom action implementations
|  '- IntakeImplementation.java # JnJ-specific custom action handler (IntakeRequest)
|- parser/
|  |- controller/
|  |  |- APIResponseController.java # /api - External API config endpoints
|  |  |- CompositeApiParserController.java # /worknet/composite-api/parser - Core job/sync APIs
|  |  |- CPIResponseController.java # /v1/cpi - CPI response processing
|  |  |- DraftProcessController.java # /v1/draft - Draft process CRUD
|  |  |- PlatFormController.java # /v1/platform - VCAP credentials
|  |  |- SystemSchedularMasterController.java # /system-schedule - Scheduler config
|  |  |- TaskActionController.java # /task - Task actions (approve, reject, etc.)
|  |  |- TaskCreationController.java # /task - Task creation
|  |  |- WorkAccessTestController.java # /api/v1/test/work-access - WorkAccess test APIs
|  |  '- YamlController.java # /v1/yaml - YAML file management
|  |- dto/
|  |  |- APIDetailsDto.java
|  |  |- CompositeDto.java
|  |  |- DbYamlDto.java
|  |  |- DestinationDto.java
|  |  |- FetchSystemsConfigsDto.java
|  |  |- FileDto.java
|  |  |- ForceUpdateRequest.java
|  |  |- ForwardOwnerDto.java
|  |  |- GroupDetailsResponse.java
|  |  |- GroupInfo.java
|  |  |- JobLogDto.java
|  |  |- LastRunOnDto.java
|  |  |- ProcessDbMapping.java
|  |  |- ResponseMessage.java
|  |  |- ScimResponseGroup.java
|  |  |- ScimResponseUserDetails.java
|  |  |- SendEventDto.java
|  |  |- SignUrlPayloadDto.java
|  |  |- SignUrlResponseDto.java
|  |  |- SystemMasterDto.java
|  |  |- SystemSchedularConfigDto.java
|  |  |- TaskCreationDto.java
|  |  |- UserGroupData.java
|  |  |- VcapDetailsDto.java
|  |  '- YamlDto.java
|  |- entity/
|  |  |- CreateTaskDo.java
|  |  |- DraftProcessAttributeIdDo.java
|  |  |- DraftProcessAttributesDo.java
|  |  |- DraftProcessDetailsDto.java
|  |  |- DraftProcessDo.java
|  |  |- JobLogDo.java
|  |  |- ProcessDo.java
|  |  |- SystemMasterDo.java
|  |  |- SystemSchedularConfigDo.java
|  |  |- SystemSchedularConfigDoPk.java
|  |  |- TaskAttributeIdDo.java
|  |  |- TaskAttributesDo.java
|  |  |- TaskAudit.java
|  |  |- TaskDo.java
|  |  |- TaskIdDo.java
|  |  |- TaskOwnerDo.java
|  |  |- TaskOwnerIdDo.java
|  |  '- YamlEntity.java
|  |- helper/
|  |  |- ActionDto.java
|  |  |- ProcessActionDto.java
|  |  '- TaskDto.java
|  |- repo/
|  |  |- CrudRepository.java
|  |  |- DraftProcessAttributesRepository.java
|  |  |- DraftProcessRepository.java
|  |  |- JdbcBatchRepository.java
|  |  |- JdbcBatchRepositoryImpl.java
|  |  |- JdbcRepository.java
|  |  |- JdbcRepositoryImpl.java
|  |  |- JobLogRepo.java
|  |  |- ProcessRepository.java
|  |  |- SystemMasterRepo.java
|  |  |- SystemSchedularConfigRepo.java
|  |  |- TaskAttributesRepository.java
|  |  |- TaskAuditRepo.java
|  |  |- TaskOwerRepository.java
|  |  |- TaskRepository.java
|  |  |- YamlRepository.java
|  |  '- YamlService.java
|  |- scheduler/
|  |  |- SchedulerConfig.java
|  |  '- SchedulerServiceImpl.java
|  |- service/
|  |  |- APIResponseService.java
|  |  |- AribaAPIService.java
|  |  |- AribaBlockingAPIService.java
|  |  |- CompositeApiParserServiceImpl.java
|  |  |- CreateTaskService.java
|  |  |- CustomCompositeAPIService.java
|  |  |- DraftProcessService.java
|  |  |- FetchSystemconfigImpl.java
|  |  |- MessagingSchedulerService.java
|  |  |- SapIasWorkAccessServiceImpl.java
|  |  |- SystemMasterServiceImpl.java
|  |  |- SystemSchedularConfigServiceImpl.java
|  |  |- TaskActionServiceImpl.java
|  |  |- TaskCreationServiceImpl.java
|  |  '- WorkAccessServiceImpl.java
|  '- util/
|     |- ConfigUtil.java
|     |- CrudApiRest.java
|     |- FlatMapUtil.java
|     '- ScpActionUtil.java
'- spi/
   |- CompositeApiParserService.java
   |- SystemMasterService.java
   |- SystemSchedularConfigService.java
   |- TaskActionService.java
   |- TaskCreationService.java
   '- WorkAccessService.java
```

Configuration & Profiles

Configuration Strategy

WorkNet uses Spring Cloud Config Server for centralized configuration. The app connects on startup and loads environment-specific properties.

```properties
# application.properties
spring.config.import=optional:configserver:https://cw-caf-configserver-sbx-dev.cfapps.eu10-004.hana.ondemand.com
spring.application.name=sbx-worknet-dev
spring.profiles.active=configDB,readUrlFromConfig,readYamlFromConfig,enableCache
islocal=true
```

Active Profiles

| Profile | What It Controls |
|---|---|
| configDB | Database DataSource is configured from properties (not VCAP_SERVICES) |
| vcapDB | Database DataSource is auto-configured from Cloud Foundry VCAP_SERVICES |
| readUrlFromConfig | Service URLs (ITM, WorkAccess, etc.) are read from config server properties |
| readYamlFromConfig | YAML config files are loaded from config server instead of local resources |
| enableCache | Enables cache eviction in ITM after task actions |

Key Configuration Properties

```properties
# Platform
app.platform=SAP

# Service URLs
itm-core-url=https://<itm-url>
workaccess-api-url=https://<wa-url>
workaccess-api2-url=https://<wa-url>
notification-api-url=https://<notify-url>
flowableCustomURL=https://<flowable-url>

# SAP XSUAA (for service-to-service tokens)
sap.token.clientid=<client_id>
sap.token.clientsecret=<client_secret>
sap.token.url=<token_url>

# SAP Destination Service
itmDestination=<destination_name>
IWAdestination=<destination_name>

# Database
db.type=hana

# Admin
itm.admin.userID=<admin_user>
itm.admin.mailId=<admin_email>

# Feature Flags
messagingEnabled=true
readYamlFromRepo=false
bpa.systemIds=SCP
forwardType=user
taskId=false
```

Deployment

Docker:

```dockerfile
FROM openjdk:17
ADD target/*.jar worknet.jar
ENTRYPOINT ["java", "-jar", "worknet.jar"]
```

Cloud Foundry (manifest.yml):

  • Memory and Docker image configured per environment
  • Config injected via SPRING_APPLICATION_JSON or Config Server
  • Docker image: wblnd.azurecr.io/worknet:<tag>

Kubernetes (app.yaml):

  • Deployment: port 8080
  • Service: ClusterIP
  • Image from Azure Container Registry

Security Architecture

Authentication

WorkNet uses the iwm-security-adapter (0.0.3-SNAPSHOT) library for JWT-based authentication. This library provides:

  • TokenUtil - JWT token decoder and validator
  • Security filter chain configuration
  • Support for both SAP XSUAA and Keycloak (WorkAccess) identity providers

Token Resolution Flow

```
Request -> Security Filter (from iwm-security-adapter)
|
|- Path whitelisted? -> Pass through
|
|- Extract "Authorization" header
|  |- No token -> 401 Unauthorized
|  '- Has Bearer token:
|     |- Platform = SAP: Validate against XSUAA JWKS
|     '- Platform = WORK_ACCESS: Validate against Keycloak JWKS
|        '- Valid? -> Extract user_name, email -> Continue
```
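
A servlet filter that follows the flow above, as an added example; it is not the iwm-security-adapter's code. The JWKS URIs, issuer values, constructor parameters and the whitelisted path are assumptions, validation uses Spring Security's `NimbusJwtDecoder`, and beyond the flow shown it also enforces a single expected issuer per platform and fails closed on an unknown platform.

```java
// Added example; not the iwm-security-adapter source. JWKS URIs, issuers and paths are placeholders.
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Set;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.web.filter.OncePerRequestFilter;

public class BearerTokenFilter extends OncePerRequestFilter {
    private static final Set<String> WHITELIST = Set.of("/actuator/health"); // hypothetical, exact match
    private final JwtDecoder decoder;

    /** platform is the server-side app.platform setting, never a value read from the token. */
    public BearerTokenFilter(String platform, String xsuaaJwks, String xsuaaIssuer,
                             String keycloakJwks, String keycloakIssuer) {
        boolean sap = "SAP".equals(platform);
        if (!sap && !"WORK_ACCESS".equals(platform)) throw new IllegalArgumentException("unknown platform");
        NimbusJwtDecoder d = NimbusJwtDecoder.withJwkSetUri(sap ? xsuaaJwks : keycloakJwks).build();
        // A valid signature is not enough: also enforce exp/nbf and the expected issuer.
        d.setJwtValidator(JwtValidators.createDefaultWithIssuer(sap ? xsuaaIssuer : keycloakIssuer));
        this.decoder = d;
    }

    @Override
    protected void doFilterInternal(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws ServletException, IOException {
        if (WHITELIST.contains(req.getServletPath())) {          // path whitelisted -> pass through
            chain.doFilter(req, res);
            return;
        }
        String header = req.getHeader("Authorization");
        if (header == null || !header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);   // no token -> 401
            return;
        }
        Jwt jwt;
        try {
            jwt = decoder.decode(header.substring(7).trim());
        } catch (JwtException e) {                                // bad signature, expired, wrong issuer
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("user_name", jwt.getClaimAsString("user_name"));
        req.setAttribute("email", jwt.getClaimAsString("email"));
        chain.doFilter(req, res);
    }
}
```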

Service-to-Service Authentication

For outbound calls to ITM, WorkAccess, and other services:

| Platform | Token Acquisition |
|---|---|
| SAP XSUAA | client_credentials grant -> /oauth/token with client_id + client_secret |
| WorkAccess (Keycloak) | GET /api/v1/keycloak/userToken -> returns token |

SAP Destination Service Integration

When running on SAP BTP, WorkNet can resolve service URLs and exchange tokens via the SAP Destination Service:

  1. Fetch destination access token using client_credentials
  2. Call Destination Service API to get destination configuration
  3. Extract URL and exchanged token
  4. Use exchanged token for calls to the target service
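
The four steps above, together with the XSUAA client_credentials grant from the Service-to-Service table, as an added Java example that is not WorkNet's own code. The path `/destination-configuration/v1/destinations/{name}` and the response fields `destinationConfiguration.URL`, `authTokens[].http_header.value` and `authTokens[].error` come from SAP's public Destination Service REST API rather than from this page; class, method and parameter names are hypothetical.

```java
// Added example, not WorkNet code. Hosts, credentials and names are placeholders.
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.net.URI;
import java.net.http.*;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class DestinationLookup {
    record Resolved(String url, String authorizationHeader) {}
    private static final ObjectMapper JSON = new ObjectMapper();
    private final HttpClient http = HttpClient.newHttpClient();

    /** Step 1: client_credentials grant against the XSUAA token endpoint. */
    String fetchServiceToken(String tokenUrl, String clientId, String clientSecret) throws Exception {
        String basic = Base64.getEncoder().encodeToString(
                (clientId + ":" + clientSecret).getBytes(StandardCharsets.UTF_8));
        HttpRequest req = HttpRequest.newBuilder(URI.create(tokenUrl + "/oauth/token"))
                .header("Authorization", "Basic " + basic)
                .header("Content-Type", "application/x-www-form-urlencoded")
                .POST(HttpRequest.BodyPublishers.ofString("grant_type=client_credentials")).build();
        return JSON.readTree(send(req)).path("access_token").asText();
    }

    /** Steps 2-3: read the destination, then extract its URL and exchanged token. */
    Resolved resolve(String destinationServiceUri, String serviceToken, String name) throws Exception {
        if (!name.matches("[A-Za-z0-9_.-]+")) throw new IllegalArgumentException("bad destination name");
        HttpRequest req = HttpRequest.newBuilder(URI.create(
                destinationServiceUri + "/destination-configuration/v1/destinations/" + name))
                .header("Authorization", "Bearer " + serviceToken).GET().build();
        return parse(send(req));
    }

    private String send(HttpRequest req) throws Exception {
        HttpResponse<String> res = http.send(req, HttpResponse.BodyHandlers.ofString());
        if (res.statusCode() != 200) throw new IllegalStateException("HTTP " + res.statusCode());
        return res.body();
    }

    static Resolved parse(String body) throws Exception {
        JsonNode root = JSON.readTree(body);
        String url = root.path("destinationConfiguration").path("URL").asText();
        JsonNode token = root.path("authTokens").path(0);
        // A failed exchange is reported inside a 200 response; never call the target without a token.
        if (token.isMissingNode() || token.hasNonNull("error"))
            throw new IllegalStateException("token exchange failed: " + token.path("error").asText());
        if (!url.startsWith("https://")) throw new IllegalStateException("non-HTTPS destination URL");
        // Step 4: send this value as the Authorization header to the target service.
        return new Resolved(url, token.path("http_header").path("value").asText());
    }
}
```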