ramya25 and Incarnation-p-lee: Updated README.md (#685), included step by step process to run this sample. Latest commit 8309b09, Jul 4, 2019.

README.md

topic: sample
languages: java, javascript
products: azure-active-directory, java spring boot

About this sample

Overview

This sample illustrates how to use the azure-active-directory-spring-boot-starter package to plug a JWT token filter into the Spring Security filter chain. The filter injects a UserPrincipal object that is associated with the thread of the current user request. The user's AAD group membership, the token claims set, the JWS object, etc. are accessible from that object and can be used for role-based authorization. Methods such as isMemberOf are also supported.

Get started

The sample is composed of two layers: Angular JS client and Spring Boot RESTful Web Service. You need to make some changes to get it working with your Azure AD tenant on both sides.

How to run this sample

To run this sample, you'll need:

  • JDK 1.8 and above
  • Maven 3.0 and above
  • An Internet connection
  • A Windows machine (necessary if you want to run the app on Windows)
  • An OS X machine (necessary if you want to run the app on Mac)
  • A Linux machine (necessary if you want to run the app on Linux)
  • An Azure Active Directory (Azure AD) tenant. For more information on how to get an Azure AD tenant, see How to get an Azure AD tenant
  • A user account in your Azure AD tenant. This sample will not work with a Personal Microsoft account (formerly Windows Live account). Therefore, if you signed in to the Azure portal with a Microsoft account and have never created a user account in your directory before, you need to do that now.
  • A client secret for the registered application.
  • Configure groups in your Azure AD tenant with your users in those groups; see how to create groups
  • The sample retrieves the user's group membership using the Azure AD Graph API, which requires the registered app to have Directory.AccessAsUser.All ("Access the directory as the signed-in user") under Delegated Permissions. You need AAD admin privilege to be able to grant the permission in API ACCESS -> Required permission.

Note

  • If you are not the admin, you need consent from your admin for the Directory.AccessAsUser.All permission. For details see Directory Permissions

Step 1: Clone or download this repository

From your command line:

git clone https://github.com/microsoft/azure-spring-boot.git

or download and extract the repository .zip file, and navigate to azure-active-directory-spring-boot-sample from the list of samples.

Step 2: Register the sample with your Azure Active Directory tenant

To register it follow the steps below or follow the guide here.

Choose the Azure AD tenant where you want to create your applications

As a first step you'll need to:

  1. Sign in to the Azure portal using either a work or school account.
  2. If your account is present in more than one Azure AD tenant, select your account name at the top right corner in the menu on top of the page, and switch your portal session to the desired Azure AD tenant.
  3. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations

Register the client app

  1. Navigate to the Microsoft identity platform for developers App registrations page.

  2. Select New registration.

    • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example Spring Boot Sample.
    • In the Supported account types section, select Accounts in any organizational directory.
    • Add http://localhost:8080 as the Reply URL under Redirect URI.
    • Select Register to create the application.
  3. On the app Overview page, find the Application (client) ID value and record it for later. You'll need it to configure the application.properties file for this project.

  4. On selecting your application from the registered applications you can see Certificates & secrets in the left navigation pane; go to that page and in the Client secrets section, choose New client secret:

    • Type a key description (for instance app secret),
    • Select a key duration of either In 1 year, In 2 years, or Never Expires.
    • When you press the Add button, the key value will be displayed; copy and save the value in a safe location.
    • You'll need this key later to configure the project. This key value will not be displayed again, nor retrievable by any other means, so record it as soon as it is visible from the Azure portal.
  5. In the list of pages for the app, select API permissions

    • Click the Add a permission button and then,
    • Ensure that the Microsoft APIs tab is selected
    • In the Commonly used Microsoft APIs section, click on Microsoft Graph
    • In the Delegated permissions section, ensure that the right permissions are checked: Directory.AccessAsUser.All
    • Select the Add permissions button
  6. At this stage permissions are assigned correctly but the client app does not allow interaction. Therefore no consent can be presented via a UI and accepted to use the service app. Click the Grant/revoke admin consent for {tenant} button, and then select Yes when you are asked if you want to grant consent for the requested permissions for all accounts in the tenant. You need to be an Azure AD tenant admin to do this.

Step 3: Configure the sample to use your Azure AD tenant

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Open application.properties in your project to configure

Configure Application Properties

  1. If your Azure account follows the format xxx@xxx.partner.onmschina.cn, configure the property azure.activedirectory.environment=cn to use Azure China; the default value is global.
  2. Put the Application ID and client secret in client-id and client-secret respectively, e.g.
     azure.activedirectory.client-id=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
     azure.activedirectory.client-secret=ABCDEFGHIJKLMNOOPQRSTUVWXYZABCDEFGHIJKLMNOPQ
  3. List all the AAD groups (ActiveDirectoryGroups) that you want to have a Spring Security role object mapped to them. The role objects can then be used to manage access to resources that are behind Spring Security, e.g. azure.activedirectory.active-directory-groups=group1,group2 (groups that you created in your Azure AD tenant)

Step 4: Change Role_group1 to your group

  1. You can use the @PreAuthorize annotation or UserPrincipal to manage access to the web API based on the user's group membership. You will need to change ROLE_group1 to the groups you want to allow to access the API in TodoListController.java, or you will get "Access is denied".
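The two authorization styles named above, as an added example that is not the sample's own TodoListController.java. It assumes the starter's principal class is com.microsoft.azure.spring.autoconfigure.aad.UserPrincipal and that it is the object Spring Security exposes as the authenticated principal, that method security is enabled (@EnableGlobalMethodSecurity(prePostEnabled = true), which @PreAuthorize requires), and that group1 and group2 are groups listed in azure.activedirectory.active-directory-groups.

```java
// Added example (not the sample's own controller): gating a web API on AAD group
// membership declaratively with @PreAuthorize and programmatically with UserPrincipal.
// Assumptions: UserPrincipal lives in com.microsoft.azure.spring.autoconfigure.aad and is
// the authenticated principal; "group1" and "group2" are configured AAD groups.
package com.example.todo;

import com.microsoft.azure.spring.autoconfigure.aad.UserPrincipal;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

import java.util.Arrays;
import java.util.List;

@RestController
public class GroupGatedController {

    // Declarative check: each configured AAD group "g" is mapped to the authority
    // "ROLE_g", so replace group1 with the group that should be allowed to read the list.
    // A caller outside that group gets HTTP 403 ("Access is denied") before the body runs.
    @PreAuthorize("hasRole('ROLE_group1')")
    @GetMapping("/api/todolist")
    public List<String> getAllTodoItems() {
        return Arrays.asList("Read the AAD sample README");
    }

    // Programmatic check: ask the injected UserPrincipal directly. This form is useful
    // when the decision depends on more than one group or on request data.
    @DeleteMapping("/api/todolist/{id}")
    public ResponseEntity<Void> deleteTodoItem(@PathVariable int id,
                                               @AuthenticationPrincipal UserPrincipal principal) {
        // Only members of the assumed "admin" group group2 may delete; a missing
        // principal means the JWT filter did not authenticate the request, so deny.
        if (principal == null || !principal.isMemberOf("group2")) {
            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }
        // ... delete item `id` from the store here ...
        return ResponseEntity.noContent().build();
    }
}
```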

Step 5: Angular JS

In app.js, make the following changes. The client leverages the Azure AD library for JS (ADAL) to handle AAD authentication in a single-page application. The following snippet of code configures the adal provider for your registered app.

        adalProvider.init(
            {
                instance: 'https://login.microsoftonline.com/',
                tenant: 'your-aad-tenant',
                clientId: 'your-application-id',
                extraQueryParameter: 'nux=1',
                cacheLocation: 'localStorage',
            },
            $httpProvider
        );

Step 6: Give it a run

  • Use Maven

    mvn clean install
    cd azure-active-directory-spring-boot-sample
    mvn spring-boot:run
    
  • Use Gradle

    gradle clean bootRepackage
    java -jar build/libs/azure-active-directory-spring-boot-sample-0.0.1-SNAPSHOT.jar
    
  • If running locally, browse to http://localhost:8080 and click Login or Todo List, your browser will be redirected to https://login.microsoftonline.com/ for authentication.
  • Upon successful login, Todo List will give you a default item and you can perform add, update or delete operation. The backend RESTful API will accept or deny your request based on authenticated user roles.