Best practice to secure a Spring Boot resource API with AAD?


What is the best practice to secure a Spring Boot resource API with AAD?


I would like to implement it with spring-boot-starter-webflux for a reactive API.

It seems like there are two possible ways.


Can WebFlux be used with either of the two approaches?


1. Using azure spring cloud dependencies:

You could install the Maven dependency:

<!-- Azure AD starter: provides AadResourceServerWebSecurityConfigurerAdapter and binds the spring.cloud.azure.active-directory.* properties -->
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
    <version>4.1.0</version>
</dependency>
<!-- Spring Security resource-server support (bearer-token filter, JwtDecoder) -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<!-- Servlet web stack with the embedded Tomcat excluded -->
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>

And configure the properties like:

spring:
  cloud:
    azure:
      active-directory:
        enabled: true
        app-id-uri: api://<client_id>
        credential:
          client-id: <client_id>

Then you just need to set up the WebSecurityConfigurerAdapter and everything just works:

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import com.azure.spring.cloud.autoconfigure.aad.AadResourceServerWebSecurityConfigurerAdapter;

// Servlet-stack configuration: WebSecurityConfigurerAdapter/HttpSecurity belong to
// spring-boot-starter-web, not to the reactive (WebFlux) stack.
@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends AadResourceServerWebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Applies the starter's resource-server setup: JWT bearer-token authentication
        // against the app configured under spring.cloud.azure.active-directory.*
        super.configure(http);
        http.cors().and()
            // Stateless bearer-token API: no session cookie, so CSRF protection is not needed.
            .csrf().disable()
            .authorizeRequests()
                .antMatchers("/actuator/health/**").permitAll()
                .anyRequest().authenticated();
    }
}


2. Do it the Spring way

This repository "azure-spring-boot-samples/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-..." seems to just use the Spring Security properties like:


spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys
          issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
          audience: ${RESOURCE_SERVER_1_CLIENT_ID}
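Added example, not code from the original post or from the Azure samples: the second approach ("the Spring way") carried over to the reactive stack, which is what a spring-boot-starter-webflux service needs. WebSecurityConfigurerAdapter and HttpSecurity are servlet-stack types; on WebFlux the equivalent is a SecurityWebFilterChain built from ServerHttpSecurity, backed by a ReactiveJwtDecoder. It reuses the jwk-set-uri and issuer-uri property keys from the post; the property app.aad.audience and the class name ReactiveResourceServerConfig are assumptions made for the example.

```java
// Added example (not from the original post): WebFlux resource server for AAD-issued JWTs
// using only spring-boot-starter-webflux + spring-boot-starter-oauth2-resource-server.
// Assumed properties: spring.security.oauth2.resourceserver.jwt.jwk-set-uri and
// .issuer-uri as in the post, plus a hypothetical app.aad.audience holding this API's
// client id (v2.0 tokens) or App ID URI (v1.0 tokens).
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtClaimNames;
import org.springframework.security.oauth2.jwt.JwtClaimValidator;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
@EnableReactiveMethodSecurity // reactive counterpart of @EnableGlobalMethodSecurity(prePostEnabled = true)
public class ReactiveResourceServerConfig {

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http,
                                                         ReactiveJwtDecoder aadJwtDecoder) {
        return http
                // Stateless bearer-token API: no session cookie, so there is nothing for CSRF to protect.
                .csrf(ServerHttpSecurity.CsrfSpec::disable)
                .authorizeExchange(exchanges -> exchanges
                        .pathMatchers("/actuator/health/**").permitAll()
                        .anyExchange().authenticated())
                // Bearer-token authentication; the decoder below does signature and claim validation.
                .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtDecoder(aadJwtDecoder)))
                .build();
    }

    @Bean
    public ReactiveJwtDecoder aadJwtDecoder(
            @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}") String jwkSetUri,
            @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}") String issuerUri,
            @Value("${app.aad.audience}") String audience) { // assumed property, see lead-in

        // Signature verification against the tenant's published JWK set (keys are cached and rotated).
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build();

        // Default validators: exp/nbf timestamps plus an exact match on the iss claim.
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);

        // The defaults do not check aud. Without this, a token the same tenant issued for a
        // *different* API would be accepted here, so pin the audience explicitly.
        OAuth2TokenValidator<Jwt> withAudience = new JwtClaimValidator<List<String>>(
                JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));

        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, withAudience));
        return decoder;
    }
}
```

The issuer-uri must match the iss claim of the tokens your clients actually receive: for the v2.0 endpoint that is https://login.microsoftonline.com/{tenant}/v2.0, while v1.0 tokens carry https://sts.windows.net/{tenant}/ and a different audience format, so a mismatch shows up as every request being rejected with 401 rather than as a misconfiguration at startup.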
1 Reply
Thanks for this question - this AMA has ended, but I'll be moving your question to our Apps on Azure discussion space: https://techcommunity.microsoft.com/t5/apps-on-azure/bd-p/AppsonAzure