DEV Community

Richard Cowin
Richard Cowin

Posted on

Setting up Spring Security with Azure Active Directory

Below are the settings to configure a Spring Boot web app to use Azure Active Directory authentication.

App is based on spring-boot-starter-parent:2.1.4.RELEASE.

POM dependencies snippet:

<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure-active-directory-spring-boot-starter</artifactId>
    <version>2.1.6</version>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>

Snippet of application.properties:

# Active Directory Authentication
spring.security.oauth2.client.registration.azure.client-id=109a3748-yada-yada-yada-f80c1f30621e
spring.security.oauth2.client.registration.azure.client-secret=OBAYaOKp-HwhateverIxFxY@?
azure.activedirectory.tenant-id=f447e5ca-yada-yada-yada-370ff157fdb6
azure.activedirectory.user-group.allowed-groups=group1, group2
azure.activedirectory.active-directory-groups=group1, group2

AADOAuth2LoginSecurityConfig.java:

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class AADOAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()
                .authorizeRequests()
                .antMatchers("/**").hasRole("group1")
                .anyRequest().authenticated()
                .and()
                .exceptionHandling().accessDeniedPage("/browse/403")
                .and()
                .oauth2Login()
                .userInfoEndpoint()
                .oidcUserService(oidcUserService);
    }

}

I'm stuck with JSPs, so use taglibs, for example:

<security:authorize access="hasRole('group1')">
    Authorised users only
</security:authorize>

User's name: <security:authentication property="name"/>

The Azure configuration is where it starts getting odd. There is an associated App Registration, with the Authentication configured as below:

auth

I have a localhost setting, which allows the http prefix for local development - nothing wrong there.

However for my two app service deployments I have to use http rather than https (NB. my app is configured to accept only HTTPS), and I can only do this by selecting "Public client (mobile & desktop)".

If I try to use https with Type of "Web" I get the following error on authenticating:

auth error

Top comments (3)

Collapse
 
swissbuechi profile image
Raphael Büchi • Edited

Please take a look at my answer:
stackoverflow.com/a/69827324/12172680

"With the new azure-spring-boot-starter-active-directory dependency for Spring you can add the azure.activedirectory.redirect-uri-template propertie."

Collapse
 
jrnjerin profile image
jrnjerin

Hello,

Can somebody help me with this issue?
I have a made a spring boot app with Azure AD integration using the spring boot azure ad starter and deployed to aws. I had secured only one url to test everything is working. But when I try to load the url from the browser it is not at all loading. It is just getting timed out. Everything is working fine in localhost. Problems is only when deploy to real server.

Collapse
 
motolola profile image
Motolola

This is exactly what I am currently getting as I set up a local app on localhost.
I am stuck here, but I need to keep trying if I can brute force my way out of errors ...