Using username/password credentials to access one application from another presents a huge security risk for many reasons. Today, we are announcing the preview of passwordless connections for Java applications to Azure database and eventing services, letting you finally shift away from using passwords.
Security Challenges with Passwords
Passwords should be used with caution, and developers must never place passwords in an unsecured location. Many Java applications connect to backend data, cache, messaging, and eventing services using usernames and passwords, or other sensitive credentials such as access tokens or connection strings. If exposed, the passwords could be used to gain unauthorized access to sensitive information such as a sales catalog that you built for an upcoming campaign, or simply all customer data that must be private.
Embedding passwords in an application itself presents a huge security risk for many reasons, including discovery through a code repository (see Figure 1 below). Many developers externalize such passwords using environment variables so that applications can load them from different environments. However, this only shifts the risk from the code itself to the execution environment. Anyone who gains access to that environment can steal the passwords, which, in turn, increases your data exfiltration risk.
Figure 1 – shows Java code with an embedded username and password to connect to a database
Our customers can have strict security requirements to connect to Azure services without exposing passwords to developers, operators, or anyone else. They often use a vault to store and load passwords into applications, and they further reduce the risk by adding password-rotation requirements and procedures. This, in turn, increases the operational complexity and can lead to application connection outages.
Passwordless Connections – Zero-Trust
Now you can use passwordless connections in your apps to connect to Azure-based services with a code-free configuration. You no longer need to rotate passwords. Built on the Zero-Trust principle of "never trust, always verify", and credential-free by design, passwordless connections secure every communication by granting machines or users access to backend services only after their identity has been verified.
"Every password and every Key Vault we have is a potential liability, which adds more overhead and management cost. I'm always happy to see more of the authentication and authorization handled for us and shipped as simple integrations into the Java and Spring ecosystem on Azure. And I won't shed any tears when I delete our Key Vault, now that PostgreSQL supports passwordless connections." -- Jonathan Jones, Lead Solutions Architect, Swiss Re Management Ltd. (Switzerland)
The combination of managed identities and Azure RBAC (role-based access control) is the recommended authentication option for secure, passwordless connections from Java applications to Azure services. Developers and operators do not need to manually track and manage many different secrets for managed identities, because Azure handles these tasks securely on your behalf.
You can configure passwordless connections to Azure services using Service Connector (see Figure 2 below), or you can configure them manually. Service Connector enables managed identities in app hosting services such as Azure Spring Apps, App Service and Azure Container Apps. It configures backend services for passwordless connections using managed identities and Azure RBAC, and supplies applications with the necessary connection information – no more passwords.
Figure 2 – Service Connector configures passwordless connection for a Java app to a PostgreSQL database
If you inspect the running environment of an application configured for passwordless connections, you can see the full connection string. For example, Figure 3 shows how it carries a database server address, database name, and an instruction to delegate authentication to Microsoft Azure’s JDBC authentication plugin.
Figure 3 – datasource configuration “spring.datasource.url” shows passwordless connection
The Java ecosystem is broad, with different technologies including Java SE, Java EE / Jakarta EE, Spring, and numerous application servers and frameworks. Regardless of your Java app type, Azure supports your applications with passwordless connections to Azure services, as shown in Figure 4.
Figure 4 – Passwordless connections work for any Java app type to any database
Let’s consider a Spring Boot application that uses the Spring Cloud Azure starter to connect to a PostgreSQL database. The starter composes a connection string without a password for the Spring Data JPA module. From that connection string, the driver understands that it must load Azure’s JDBC authentication plugin, which uses the Azure Identity client library to obtain an access token. The driver then logs in to the database using the token in place of a password - no more passwords. Similarly, applications built for WebLogic, WebSphere, and JBoss EAP, and applications built with Quarkus and Open Liberty, can connect to services without passwords.
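The same mechanism works outside Spring. The following added example (not code from the original post or from the Azure libraries) opens a plain JDBC connection to Azure Database for PostgreSQL through the Azure JDBC authentication plugin; the server, database and identity user names are placeholders you must replace, and the PostgreSQL driver plus the azure-identity-extensions artifact are assumed to be on the classpath.

```java
// Added example: plain JDBC (no Spring) connecting to Azure Database for
// PostgreSQL without a password. Assumes org.postgresql:postgresql and
// com.azure:azure-identity-extensions are on the classpath.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class PasswordlessPostgresDemo {

    // Hypothetical placeholders: replace with your server, database and the
    // name of the managed identity (or signed-in developer) that has been
    // granted a database role.
    static final String SERVER = "<server-name>.postgres.database.azure.com";
    static final String DATABASE = "<database-name>";
    static final String IDENTITY_USER = "<managed-identity-or-aad-user>";

    // The PostgreSQL driver loads this plugin by class name. The plugin uses
    // the Azure Identity client library to obtain an access token and hands
    // it to the driver in place of a password: locally the token comes from
    // the signed-in Azure CLI or IDE account, in Azure from the managed
    // identity of the hosting service.
    static final String AUTH_PLUGIN =
        "com.azure.identity.extensions.jdbc.postgresql.AzurePostgresqlAuthenticationPlugin";

    // Builds the connection. Note that no "password" property is set anywhere.
    static Connection open() throws SQLException {
        String url = "jdbc:postgresql://" + SERVER + ":5432/" + DATABASE
            + "?sslmode=require";
        Properties props = new Properties();
        props.setProperty("user", IDENTITY_USER);
        props.setProperty("authenticationPluginClassName", AUTH_PLUGIN);
        return DriverManager.getConnection(url, props);
    }

    public static void main(String[] args) throws SQLException {
        try (Connection conn = open();
             Statement st = conn.createStatement();
             ResultSet rs = st.executeQuery("SELECT current_user, now()")) {
            if (rs.next()) {
                System.out.println("Connected as " + rs.getString(1)
                    + " at " + rs.getTimestamp(2));
            }
        }
    }
}
```

In a Spring Boot application the equivalent is to put the same JDBC URL in `spring.datasource.url`, set `spring.datasource.azure.passwordless-enabled=true`, and leave `spring.datasource.password` out of the configuration entirely.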
For local development and testing, developers can use the same arrangement to connect to services without passwords. You authenticate through the Azure CLI, IntelliJ, or another development tool, and the application uses that signed-in identity to connect to Azure services without passwords.
Learn More and Delete Passwords!
You can shift away from using passwords in your apps. Migrate your existing Java applications to use passwordless connections for Azure services today!
Read more about passwordless connections – https://aka.ms/Delete-Passwords
You can use Service Connector to configure passwordless connections from Azure “compute” services such as Azure Spring Apps, App Service, Azure Container Apps, Azure Kubernetes Service, and Virtual Machines to backend services:
Ready to deploy sample code:
Passwordless connections are a language-agnostic feature spanning multiple Azure services. We will continue to enable passwordless connections from Java applications to additional Azure services and enable the same for other languages. Stay tuned.