Jun 08 2022 02:52 AM - last edited on Jun 08 2022 01:56 PM by EricStarker
What is the best practice to secure a Spring Boot resource API with AAD?
I would like to implement it with spring-boot-starter-webflux for a reactive api.
It seems like there are two possible ways.
Can WebFlux be used with either of the two approaches?
1. Using Azure Spring Cloud dependencies:
You could install the Maven dependencies:
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
    <version>4.1.0</version>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
</dependency>
<dependency>
    <groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId>
    <exclusions>
        <exclusion>
            <groupId>org.springframework.boot</groupId>
            <artifactId>spring-boot-starter-tomcat</artifactId>
        </exclusion>
    </exclusions>
</dependency>
And configure the properties like:
spring:
  cloud:
    azure:
      active-directory:
        app-id-uri: api://<client_id>
        credential:
          client-id: <client_id>
        enabled: true
Then you just need to set up the WebSecurityConfigurerAdapter and everything just works:
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;

import com.azure.spring.cloud.autoconfigure.aad.AadResourceServerWebSecurityConfigurerAdapter;

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class WebSecurityConfig extends AadResourceServerWebSecurityConfigurerAdapter {
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Apply the starter's JWT resource-server configuration first
        super.configure(http);
        http.cors().and()
            .csrf().disable()
            .authorizeRequests()
                // health probe stays anonymous, everything else needs a valid token
                .antMatchers("/actuator/health/**").permitAll()
                .anyRequest().authenticated();
    }
}
2. Do it the Spring way
This repository "azure-spring-boot-samples/aad/spring-security/servlet/oauth2/client-access-resource-server/resource-..." seems to just use the Spring Security properties like:
spring:
  security:
    oauth2:
      resourceserver:
        jwt:
          jwk-set-uri: https://login.microsoftonline.com/${TENANT_ID}/discovery/v2.0/keys
          issuer-uri: https://login.microsoftonline.com/${TENANT_ID}/v2.0
          audience: ${RESOURCE_SERVER_1_CLIENT_ID}
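The following is an added example, not code from the post or from the linked sample, showing how the second approach looks for a WebFlux resource server: the `jwk-set-uri` and `issuer-uri` properties above feed a `NimbusReactiveJwtDecoder`, and the `audience` value (read here via `@Value` as a custom property, the name is assumed) is enforced by an explicit `OAuth2TokenValidator`, because the default decoder validates issuer and expiry but not `aud`. Without that validator a token issued by the same tenant for any other API would be accepted.

```java
import java.util.List;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2Error;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidatorResult;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.jwt.JwtValidators;
import org.springframework.security.oauth2.jwt.NimbusReactiveJwtDecoder;
import org.springframework.security.oauth2.jwt.ReactiveJwtDecoder;
import org.springframework.security.web.server.SecurityWebFilterChain;

@Configuration
@EnableWebFluxSecurity
public class ReactiveResourceServerConfig {

    @Value("${spring.security.oauth2.resourceserver.jwt.issuer-uri}")
    private String issuerUri;

    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    // Assumed custom property: the client id that must appear in the token's "aud" claim
    @Value("${spring.security.oauth2.resourceserver.jwt.audience}")
    private String audience;

    @Bean
    public ReactiveJwtDecoder jwtDecoder() {
        NimbusReactiveJwtDecoder decoder = NimbusReactiveJwtDecoder.withJwkSetUri(jwkSetUri).build();
        // Default validators cover timestamps and the expected issuer
        OAuth2TokenValidator<Jwt> withIssuer = JwtValidators.createDefaultWithIssuer(issuerUri);
        // Chain the audience check so a token must pass both
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(withIssuer, new AudienceValidator(audience)));
        return decoder;
    }

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http, ReactiveJwtDecoder decoder) {
        return http
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .authorizeExchange(exchanges -> exchanges
                // health probe stays anonymous, everything else needs a valid bearer token
                .pathMatchers("/actuator/health/**").permitAll()
                .anyExchange().authenticated())
            .oauth2ResourceServer(oauth2 -> oauth2.jwt(jwt -> jwt.jwtDecoder(decoder)))
            .build();
    }

    // Rejects tokens whose "aud" claim does not contain this API's client id
    static final class AudienceValidator implements OAuth2TokenValidator<Jwt> {
        private final String expectedAudience;

        AudienceValidator(String expectedAudience) {
            this.expectedAudience = expectedAudience;
        }

        @Override
        public OAuth2TokenValidatorResult validate(Jwt jwt) {
            List<String> aud = jwt.getAudience();
            if (aud != null && aud.contains(expectedAudience)) {
                return OAuth2TokenValidatorResult.success();
            }
            return OAuth2TokenValidatorResult.failure(
                new OAuth2Error("invalid_token", "The required audience is missing", null));
        }
    }
}
```

The same audience check applies to the servlet variant by swapping `NimbusReactiveJwtDecoder` for `NimbusJwtDecoder` and `SecurityWebFilterChain` for `SecurityFilterChain`; the validator class is shared between the two. If the API exposes an Application ID URI (`api://<client_id>`) as well, tokens may carry that value in `aud` instead of the bare client id, so the validator should accept whichever identifiers the registration actually uses.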