Setting up Spring Security with Azure Active Directory

Below are the settings to configure a Spring Boot web app to use Azure Active Directory authentication.

App is based on spring-boot-starter-parent:2.1.4.RELEASE.

POM dependencies snippet:

<dependency>
    <groupId>com.microsoft.azure</groupId>
    <artifactId>azure-active-directory-spring-boot-starter</artifactId>
    <version>2.1.6</version>
</dependency>

<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-security</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-client</artifactId>
</dependency>

<dependency>
    <groupId>org.springframework.security</groupId>
    <artifactId>spring-security-oauth2-jose</artifactId>
</dependency>


Snippet of application.properties:

# Active Directory Authentication
spring.security.oauth2.client.registration.azure.client-id=109a3748-yada-yada-yada-f80c1f30621e
# Keep the real client secret out of source control, e.g. supply it through an environment variable
spring.security.oauth2.client.registration.azure.client-secret=OBAYaOKp-HwhateverIxFxY@?
azure.activedirectory.tenant-id=f447e5ca-yada-yada-yada-370ff157fdb6
# Only members of these AAD groups may sign in; each group is exposed to Spring as a ROLE_<group> authority
azure.activedirectory.user-group.allowed-groups=group1, group2
azure.activedirectory.active-directory-groups=group1, group2


AADOAuth2LoginSecurityConfig.java:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.oauth2.client.oidc.userinfo.OidcUserRequest;
import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
import org.springframework.security.oauth2.core.oidc.user.OidcUser;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)   // allows @PreAuthorize on controller methods
public class AADOAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {

    // Provided by the Azure AD starter: loads the user's AAD groups and turns them into ROLE_<group> authorities
    @Autowired
    private OAuth2UserService<OidcUserRequest, OidcUser> oidcUserService;

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
                .csrf().disable()                        // CSRF protection is off for every POST in the app
                .authorizeRequests()
                .antMatchers("/**").hasRole("group1")    // every URL requires membership of group1
                .anyRequest().authenticated()
                .and()
                .exceptionHandling().accessDeniedPage("/browse/403")   // shown to authenticated users lacking the role
                .and()
                .oauth2Login()                           // unauthenticated requests are redirected to Azure AD
                .userInfoEndpoint()
                .oidcUserService(oidcUserService);
    }

}
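To see the group rule behave end to end, here is an added example that is not part of the original post: a controller guarded by the same hasRole('group1') check, together with a MockMvc test that exercises an allowed member, a member of another group, and an anonymous request. The package name, the /browse path, and the use of spring-security-test and spring-boot-starter-test (JUnit 4, as shipped with Boot 2.1) are assumptions; the test reuses the application.properties shown above so the Azure AD starter can build its client registration.

```java
// Added example (not from the original post). Two files are shown in one listing.
// Assumed: package com.example.aad, path /browse, spring-security-test on the test classpath.

// --- src/main/java/com/example/aad/BrowseController.java ---
package com.example.aad;

import java.security.Principal;

import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.ResponseBody;

@Controller
public class BrowseController {

    // Method-level check, available because the config sets prePostEnabled = true.
    // It duplicates the URL rule on purpose: if the antMatchers pattern is later
    // loosened, this method still refuses anyone without ROLE_group1.
    @GetMapping("/browse")
    @PreAuthorize("hasRole('group1')")
    @ResponseBody
    public String browse(Principal principal) {
        return "Signed in as " + principal.getName();
    }

    // Target of accessDeniedPage("/browse/403"). Spring Security sets the 403
    // status and forwards to this handler, so the caller still sees HTTP 403.
    @GetMapping("/browse/403")
    @ResponseBody
    public String denied() {
        return "Your account is not a member of an allowed group";
    }
}

// --- src/test/java/com/example/aad/BrowseControllerAccessTest.java ---
package com.example.aad;

import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.Test;
import org.junit.runner.RunWith;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.context.junit4.SpringRunner;
import org.springframework.test.web.servlet.MockMvc;

@RunWith(SpringRunner.class)
@SpringBootTest
@AutoConfigureMockMvc
public class BrowseControllerAccessTest {

    @Autowired
    private MockMvc mvc;

    // A user carrying ROLE_group1 (what the AAD starter grants members of group1) is served.
    @Test
    @WithMockUser(roles = "group1")
    public void memberOfGroup1IsServed() throws Exception {
        mvc.perform(get("/browse")).andExpect(status().isOk());
    }

    // Authenticated, but only in group2: denied with 403 and the /browse/403 body.
    @Test
    @WithMockUser(roles = "group2")
    public void memberOfOtherGroupIsDenied() throws Exception {
        mvc.perform(get("/browse")).andExpect(status().isForbidden());
    }

    // No session: oauth2Login() answers with a redirect towards the Azure AD sign-in flow.
    @Test
    public void anonymousIsRedirectedToLogin() throws Exception {
        mvc.perform(get("/browse")).andExpect(status().is3xxRedirection());
    }
}
```

@WithMockUser(roles = "group2") is the useful case: group2 is in allowed-groups, so such a user can sign in, yet the hasRole("group1") rule still keeps them out of the pages. If that is not the intended behaviour, the antMatchers rule is the place to widen access, not the allowed-groups property.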


I’m stuck with JSPs, so I use taglibs, for example:

<security:authorize access="hasRole('group1')">
    Authorised users only
</security:authorize>

User's name: <security:authentication property="name"/>


The Azure configuration is where it starts getting odd. There is an associated App Registration, with the Authentication configured as below:

I have a localhost setting, which allows the http prefix for local development – nothing wrong there.

However, for my two App Service deployments I have to use http rather than https (NB: my app is configured to accept only HTTPS), and I can only do this by selecting “Public client (mobile & desktop)”.

If I try to use https with a Type of “Web”, I get the following error on authenticating:

Original article: Setting up Spring Security with Azure Active Directory
