From 6ba135dbc13598467fc8f6bfabc8acbca94bfcc1 Mon Sep 17 00:00:00 2001
From: Rujun Chen
Date: Tue, 30 Jun 2020 14:26:56 +0800
Subject: [PATCH 1/5] Not let our sample down if property 'azure.activedirectory.tenant-id' is not confugured.

---
 .../com/microsoft/azure/aad/controller/HomeController.java | 2 ++
 .../azure/aad/security/AADOAuth2LoginSecurityConfig.java | 2 ++
 .../src/main/resources/application.properties | 7 -------
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/controller/HomeController.java b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/controller/HomeController.java
index 6a0e802ea30a..c0ac526c1cf6 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/controller/HomeController.java
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/controller/HomeController.java
@@ -4,6 +4,7 @@
 package com.microsoft.azure.aad.controller;

 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClient;
 import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
@@ -13,6 +14,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.ResponseBody;

+@ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id")
 @Controller
 public class HomeController {
 @Autowired
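Review bot: The added `@ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id")` on HomeController has no `havingValue`, so if I read OnPropertyCondition right it matches any value other than `false`: a blank `azure.activedirectory.tenant-id=` or the shipped placeholder `xxxxxx-your-tenant-id-xxxxxx` still selects the AAD path, and only deleting the line reaches the no-login fallback. That is narrower than the commit title's "not configured" suggests, and the README text added later in this series says the same. A short comment on the annotation would save the next reader a trip to the Spring Boot source, e.g. `// Present-and-not-"false" is enough; a blank or placeholder tenant-id still enables AAD login`. The same annotation is added to AADOAuth2LoginSecurityConfig in the next hunk and deserves the same comment.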
diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/AADOAuth2LoginSecurityConfig.java b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/AADOAuth2LoginSecurityConfig.java
index b07f305f3d45..dee2f0268b37 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/AADOAuth2LoginSecurityConfig.java
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/AADOAuth2LoginSecurityConfig.java
@@ -4,6 +4,7 @@
 package com.microsoft.azure.aad.security;

 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
 import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@@ -12,6 +13,7 @@
 import org.springframework.security.oauth2.client.userinfo.OAuth2UserService;
 import org.springframework.security.oauth2.core.oidc.user.OidcUser;

+@ConditionalOnProperty(prefix = "azure.activedirectory", value = "tenant-id")
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)
 public class AADOAuth2LoginSecurityConfig extends WebSecurityConfigurerAdapter {
diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
index 00957319d578..e69de29bb2d1 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
@@ -1,7 +0,0 @@
-spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
-spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
-
-azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
-# It's suggested the logged in user should at least belong to one of the below groups
-# If not, the logged in user will not be able to access any authorization controller rest APIs
-azure.activedirectory.active-directory-groups=group1, group2

From 2e881f2ba6d5a71b87359a49bca8b771e3f3626a Mon Sep 17 00:00:00 2001
From: Rujun Chen
Date: Wed, 1 Jul 2020 09:54:29 +0800
Subject: [PATCH 2/5] Add NoLoginSecurityConfig to disable login.

---
 .../aad/security/NoLoginSecurityConfig.java | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java

diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java
new file mode 100644
index 000000000000..88d5d426f745
--- /dev/null
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java
@@ -0,0 +1,23 @@
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License.
+
+package com.microsoft.azure.aad.security;
+
+import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+
+@ConditionalOnMissingBean(AADOAuth2LoginSecurityConfig.class)
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class NoLoginSecurityConfig extends WebSecurityConfigurerAdapter {
+
+ @Override
+ protected void configure(HttpSecurity http) throws Exception {
+ http.authorizeRequests()
+ .antMatchers("/**")
+ .permitAll();
+ }
+}

From 8f86c1c495a6e61a142b4bc71fe819a4a1812712 Mon Sep 17 00:00:00 2001
From: Rujun Chen
Date: Wed, 1 Jul 2020 10:11:13 +0800
Subject: [PATCH 3/5] Add comment to explain what NoLoginSecurityConfig used for.

---
 .../com/microsoft/azure/aad/security/NoLoginSecurityConfig.java | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java
index 88d5d426f745..7880d4c43c68 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java
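Review bot: `@ConditionalOnMissingBean(AADOAuth2LoginSecurityConfig.class)` on a component-scanned class makes the fallback depend on the order in which the two configurations are processed, which Spring Boot only guarantees for auto-configuration classes; if NoLoginSecurityConfig happens to be evaluated first, both WebSecurityConfigurerAdapters are registered and startup will most likely fail on a duplicate configurer order. Keying the fallback on the same property as the primary config removes that dependency, e.g. `@ConditionalOnExpression("'${azure.activedirectory.tenant-id:}'.isEmpty()")`. Separately, `antMatchers("/**").permitAll()` fails open: a deployment that drops or misspells the property silently serves every endpoint anonymously, and the Javadoc-free class gives no hint of that. A class comment along the lines of `// Sample-only fallback: with no tenant-id configured, every request is served without authentication. Not a template for production.` would make the trade-off explicit.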
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/java/com/microsoft/azure/aad/security/NoLoginSecurityConfig.java
@@ -9,6 +9,8 @@
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;

+// If "azure.activedirectory.tenant-id" is not configured,
+// this bean will take effect to disable login.
 @ConditionalOnMissingBean(AADOAuth2LoginSecurityConfig.class)
 @EnableWebSecurity
 @EnableGlobalMethodSecurity(prePostEnabled = true)

From 85f5f5db62c7d9e679714d74e682b115621e4c5e Mon Sep 17 00:00:00 2001
From: Rujun Chen
Date: Wed, 1 Jul 2020 10:17:32 +0800
Subject: [PATCH 4/5] Recover application.properties.

---
 .../src/main/resources/application.properties | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
index e69de29bb2d1..00957319d578 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/src/main/resources/application.properties
@@ -0,0 +1,7 @@
+spring.security.oauth2.client.registration.azure.client-id=xxxxxx-your-client-id-xxxxxx
+spring.security.oauth2.client.registration.azure.client-secret=xxxxxx-your-client-secret-xxxxxx
+
+azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
+# It's suggested the logged in user should at least belong to one of the below groups
+# If not, the logged in user will not be able to access any authorization controller rest APIs
+azure.activedirectory.active-directory-groups=group1, group2
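Review bot: The new comment says the bean takes effect when `azure.activedirectory.tenant-id` "is not configured", but the annotation directly below tests for the absence of the AADOAuth2LoginSecurityConfig bean, and per the condition added in patch 1 a blank or placeholder value still counts as configured; the comment also omits the consequence, which is that every request is permitted. Wording that states both the trigger and the effect is more useful to whoever copies this sample: `// Fallback used when no AADOAuth2LoginSecurityConfig bean is registered (azure.activedirectory.tenant-id absent): all requests are permitted without login. Intended for running the sample only.` The class this comment documents continues outside the hunk.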
From b5264c78c8f5946e2b90eb900edd587f38c115ed Mon Sep 17 00:00:00 2001
From: Rujun Chen
Date: Wed, 1 Jul 2020 10:28:48 +0800
Subject: [PATCH 5/5] Update readme to explain what 'NoLoginSecurityConfig' is used for.

---
 .../README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md
index aa6fecd9d496..cf791d11705d 100644
--- a/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md
+++ b/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md
@@ -26,6 +26,9 @@
 azure.activedirectory.tenant-id=xxxxxx-your-tenant-id-xxxxxx
 azure.activedirectory.active-directory-groups=group1, group2
 ```
+If `azure.activedirectory.tenant-id` is configured, `AADOAuth2LoginSecurityConfig` will take effect and this app will use AAD to authentication and authorization.
+If `azure.activedirectory.tenant-id` is **NOT** configured, `NoLoginSecurityConfig` will take effect and this app will **NOT** use AAD to authentication and authorization.
+
 ### Run with Maven
 ```shell
 # Under sdk/spring project root directory