The latest articles on DEV Community by Richard Cowin (@cowinr). https://dev.to/cowinr https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F225405%2F770dc401-49f0-45ff-91d4-ec8bb89716a7.png https://dev.to/cowinr en Richard Cowin Sat, 07 Sep 2019 10:28:37 +0000 https://dev.to/cowinr/setting-up-spring-security-with-azure-active-directory-55l5 https://dev.to/cowinr/setting-up-spring-security-with-azure-active-directory-55l5 <p>Below are the settings to configure a Spring Boot web app to use Azure Active Directory authentication.</p> <p>App is based on <code>spring-boot-starter-parent:2.1.4.RELEASE</code>.</p> <p>POM dependencies snippet:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>com.microsoft.azure<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>azure-active-directory-spring-boot-starter<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;version&gt;</span>2.1.6<span class="nt">&lt;/version&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.boot<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-boot-starter-security<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-client<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> <span class="nt">&lt;dependency&gt;</span> <span class="nt">&lt;groupId&gt;</span>org.springframework.security<span class="nt">&lt;/groupId&gt;</span> <span class="nt">&lt;artifactId&gt;</span>spring-security-oauth2-jose<span class="nt">&lt;/artifactId&gt;</span> <span class="nt">&lt;/dependency&gt;</span> </code></pre> </div> <p>Snippet of <code>application.properties</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code># Active Directory Authentication spring.security.oauth2.client.registration.azure.client-id=109a3748-yada-yada-yada-f80c1f30621e spring.security.oauth2.client.registration.azure.client-secret=OBAYaOKp-HwhateverIxFxY@? azure.activedirectory.tenant-id=f447e5ca-yada-yada-yada-370ff157fdb6 azure.activedirectory.user-group.allowed-groups=group1, group2 azure.activedirectory.active-directory-groups=group1, group2 </code></pre> </div> <p><code>AADOAuth2LoginSecurityConfig.java</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight java"><code><span class="nd">@EnableWebSecurity</span> <span class="nd">@EnableGlobalMethodSecurity</span><span class="o">(</span><span class="n">prePostEnabled</span> <span class="o">=</span> <span class="kc">true</span><span class="o">)</span> <span class="kd">public</span> <span class="kd">class</span> <span class="nc">AADOAuth2LoginSecurityConfig</span> <span class="kd">extends</span> <span class="nc">WebSecurityConfigurerAdapter</span> <span class="o">{</span> <span class="nd">@Autowired</span> <span class="kd">private</span> <span class="nc">OAuth2UserService</span><span class="o">&lt;</span><span class="nc">OidcUserRequest</span><span class="o">,</span> <span class="nc">OidcUser</span><span class="o">&gt;</span> <span class="n">oidcUserService</span><span class="o">;</span> <span class="nd">@Override</span> <span class="kd">protected</span> <span class="kt">void</span> <span class="nf">configure</span><span class="o">(</span><span class="nc">HttpSecurity</span> <span class="n">http</span><span class="o">)</span> <span class="kd">throws</span> <span class="nc">Exception</span> <span class="o">{</span> <span class="n">http</span> <span class="o">.</span><span class="na">csrf</span><span class="o">().</span><span class="na">disable</span><span class="o">()</span> <span class="o">.</span><span class="na">authorizeRequests</span><span class="o">()</span> <span class="o">.</span><span class="na">antMatchers</span><span class="o">(</span><span class="s">"/**"</span><span class="o">).</span><span class="na">hasRole</span><span class="o">(</span><span class="s">"group1"</span><span class="o">)</span> <span class="o">.</span><span class="na">anyRequest</span><span class="o">().</span><span class="na">authenticated</span><span class="o">()</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">exceptionHandling</span><span class="o">().</span><span class="na">accessDeniedPage</span><span class="o">(</span><span class="s">"/browse/403"</span><span class="o">)</span> <span class="o">.</span><span class="na">and</span><span class="o">()</span> <span class="o">.</span><span class="na">oauth2Login</span><span class="o">()</span> <span class="o">.</span><span class="na">userInfoEndpoint</span><span class="o">()</span> <span class="o">.</span><span class="na">oidcUserService</span><span class="o">(</span><span class="n">oidcUserService</span><span class="o">);</span> <span class="o">}</span> <span class="o">}</span> </code></pre> </div> <p>I'm stuck with JSPs, so use taglibs, for example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight xml"><code><span class="nt">&lt;security:authorize</span> <span class="na">access=</span><span class="s">"hasRole('group1')"</span><span class="nt">&gt;</span> Authorised users only <span class="nt">&lt;/security:authorize&gt;</span> User's name: <span class="nt">&lt;security:authentication</span> <span class="na">property=</span><span class="s">"name"</span><span class="nt">/&gt;</span> </code></pre> </div> <p>The Azure configuration is where it starts getting odd. There is an associated App Registration, with the Authentication configured as below:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8vq22memrva62d1ct4bo.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2F8vq22memrva62d1ct4bo.png" alt="auth"></a></p> <p>I have a <code>localhost</code> setting, which allows the <code>http</code> prefix for local development - nothing wrong there.</p> <p>However for my two app service deployments I have to use <code>http</code> rather than <code>https</code> (NB. my app is configured to accept only HTTPS), and I can only do this by selecting "Public client (mobile &amp; desktop)".</p> <p>If I try to use <code>https</code> with Type of "Web" I get the following error on authenticating:</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fuhbpvclwxl2shwps8mb8.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fthepracticaldev.s3.amazonaws.com%2Fi%2Fuhbpvclwxl2shwps8mb8.png" alt="auth error"></a></p> azure spring java