README.md

page_type	languages	products	name	urlFragment	description
sample	java	ms-graph azure-active-directory	Enable your Java Spring boot web app to restrict access to routes using security groups with the Microsoft identity platform	ms-identity-java-spring-tutorial	This sample demonstrates a Java Spring Boot web app that authenticates users against Azure AD

Enable your Java Spring boot web app to restrict access to routes using security groups with the Microsoft identity platform

• Overview
• Scenario
• Contents
• Prerequisites
• Setup
  • Clone or download this repository
  • Register the sample application with your Azure Active Directory tenant
  • Choose the Azure AD tenant where you want to create your applications
  • Register the web app (java-spring-webapp-groups)
  • Create Security Groups
  • Configure Security Groups
  • Configure your code sample to use your app registration and security groups (java-spring-webapp-groups)
• Running the sample
• Explore the sample
• We'd love your feedback!
• About the code
  • Project Initialization
  • ID Token Claims
  • Processing Groups claim in the ID token
  • Sign-in and sign-out links
  • Authentication-dependent UI elements
  • Protecting routes with AADWebSecurityConfigurerAdapter
  • The Groups Overage Claim
  • Deploying web app to Azure App Services
• More information
• Community Help and Support
• Contributing

Overview

This sample demonstrates a Java Spring Boot web app that uses the Azure AD Spring Boot Starter client library for Java for authentication, authorization, and token acquisition with the OpenID Connect protocol to sign in users, and restricts access to pages based on Azure Active Directory security group membership.

An Identity Developer session covered Azure AD App roles and security groups, featuring this scenario and how to handle the overage claim. Watch the video Using Security Groups and Application Roles in your apps

Scenario

1. This web application uses Azure AD Spring Boot Starter client library for Java to sign in users an Azure AD tenant and obtains an ID Token from Azure AD.
2. The ID Token contains the groups claim. The application loads these claims into Spring GrantedAuthorities list for the signed-in user. These values determine which pages the user is authorized to access.

Contents

File/folder	Description
AppCreationScripts/	Scripts to automatically configure Azure AD app registrations.
pom.xml	Application dependencies.
src/main/resources/templates/	Thymeleaf Templates for UI.
src/main/resources/application.yml	Application and Azure AD Boot Starter Library Configuration.
src/main/java/com/microsoft/azuresamples/msal4j/msidentityspringbootwebapp/	This directory contains the main application entry point, controller, and config classes.
.../MsIdentitySpringBootWebappApplication.java	Main class.
.../SampleController.java	Controller with endpoint mappings.
.../SecurityConfig.java	Security Configuration (e.g., which routes require authentication?).
.../Utilities.java	Utility Class (e.g., filter ID token claims)
CHANGELOG.md	List of changes to the sample.
CONTRIBUTING.md	Guidelines for contributing to the sample.
LICENSE	The license for the sample.

Prerequisites

• JDK Version 15. This sample has been developed on a system with Java 15 but may be compatible with other versions.
• Maven 3
• Java Extension Pack for Visual Studio Code is recommended for running this sample in VSCode.
• An Azure AD tenant. For more information see: How to get an Azure AD tenant
• A user account in your Azure AD tenant. This sample will not work with a personal Microsoft account. Therefore, if you signed in to the Azure portal with a personal account and have never created a user account in your directory before, you need to do that now.
• Two security groups, named AdminGroup and UserGroup, containing the user(s) with whom you want to sign and test this sample. Or, you may add the user to two existing security groups in your tenant. If you choose to use existing groups, be sure to modify the sample configuration to use your existing security groups' name and object ID.

Setup

Clone or download this repository

From your shell or command line:

    git clone https://github.com/Azure-Samples/ms-identity-java-spring-tutorial.git
    cd ms-identity-java-spring-tutorial
    cd 3-Authorization-II/groups

or download and extract the repository .zip file.

⚠️ To avoid path length limitations on Windows, we recommend cloning into a directory near the root of your drive.

Register the sample application with your Azure Active Directory tenant

There is one project in this sample. To register it, you can:

• follow the steps below for manually register your apps
• or use PowerShell scripts that:
  • automatically creates the Azure AD applications and related objects (passwords, permissions, dependencies) for you.
  • modify the projects' configuration files.

Expand this section if you want to use this automation:

⚠️ If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.

1. On Windows, run PowerShell as Administrator and navigate to the root of the cloned directory

2. If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.

3. In PowerShell run:

   Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

4. Run the script to create your Azure AD application and configure the code of the sample application accordingly.

5. In PowerShell run:

   cd .\AppCreationScripts\
   .\Configure.ps1

   Other ways of running the scripts are described in App Creation Scripts The scripts also provide a guide to automated application registration, configuration and removal which can help in your CI/CD scenarios.

Choose the Azure AD tenant where you want to create your applications

1. Sign in to the Azure portal.
2. If your account is present in more than one Azure AD tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory to change your portal session to the desired Azure AD tenant.

Register the web app (java-spring-webapp-groups)

1. Navigate to the Azure portal and select the Azure AD service.
2. Select the App Registrations blade on the left, then select New registration.
3. In the Register an application page that appears, enter your application's registration information:
   • In the Name section, enter a meaningful application name that will be displayed to users of the app, for example java-spring-webapp-groups.
   • Under Supported account types, select Accounts in this organizational directory only.
   • In the Redirect URI (optional) section, select Web in the combo-box and enter the following redirect URI: http://localhost:8080/login/oauth2/code/.
4. Select Register to create the application.
5. In the app's registration screen, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
6. Select Save to save your changes.
7. In the app's registration screen, select the Certificates & secrets blade in the left to open the page where you can generate secrets and upload certificates.
8. In the Client secrets section, select New client secret:
   • Type a key description (for instance app secret),
   • Select one of the available key durations (6 months, 12 months or Custom) as per your security posture.
   • The generated key value will be displayed when you select the Add button. Copy and save the generated value for use in later steps.
   • You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Azure portal before navigating to any other screen or blade.
9. In the app's registration screen, select the API permissions blade in the left to open the page where we add access to the APIs that your application needs.
   • Select the Add a permission button and then,
   • Ensure that the Microsoft APIs tab is selected.
   • In the Commonly used Microsoft APIs section, select Microsoft Graph
   • In the Delegated permissions section, select the GroupMember.Read.All in the list. Use the search box if necessary. This permission is necessary for getting group memberships via Graph if the overage scenario occurs.
   • Click the button to grant admin consent for GroupMember.Read.All.
   • Select the Add permissions button at the bottom.

Create Security Groups

1. Navigate to the Azure portal and select the Azure AD service.
2. Select Groups blade on the left.
3. In the Groups blade, select New Group.
   • For Group Type, select Security
   • For Group Name, enter AdminGroup
   • For Group Description, enter Admin Security Group
   • Add Group Owners and Group Members that you want to use and test in this sample.
   • Select Create.
4. In the Groups blade, select New Group.
   • For Group Type, select Security
   • For Group Name, enter UserGroup
   • For Group Description, enter User Security Group
   • Add Group Owners and Group Members that you want to use and test in this sample.
   • Select Create.

For more information, visit: Create a basic group and add members using Azure AD

Configure Security Groups

You have two different options available to you on how you can further configure your application to receive the groups claim.

1. Receive all the groups that the signed-in user is assigned to in an Azure AD tenant, included nested groups.
2. Receive the groups claim values from a filtered set of groups that your application is programmed to work with (Not available in the Azure AD Free edition).

To get the on-premise group's samAccountName or On Premises Group Security Identifier instead of Group ID, please refer to the document Configure group claims for applications with Azure Active Directory.

Configure your application to receive all the groups the signed-in user is assigned to, including nested groups

1. In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
2. Select the Add groups claim button on top to open the Edit Groups Claim screen.
3. Select Security groups or the All groups (includes distribution lists but not groups assigned to the application) option. Choosing both negates the effect of Security Groups option.
4. Under the ID section, select Group ID. This will result in Azure AD sending the object id of the groups the user is assigned to in the groups claim of the ID Token that your app receives after signing-in a user.

Configure your application to receive the groups claim values from a filtered set of groups a user may be assigned to

Prerequisites, benefits and limitations of using this option

1. This option is useful when your application is interested in a selected set of groups that a signing-in user may be assigned to and not every security group this user is assigned to in the tenant. This option also saves your application from running into the overage issue.
2. This feature is not available in the Azure AD Free edition.
3. Nested group assignments are not available when this option is utilized.

Steps to enable this option in your app

1. In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
2. Select the Add groups claim button on top to open the Edit Groups Claim screen.
3. Select Groups assigned to the application.
   1. Choosing additional options like Security Groups or All groups (includes distribution lists but not groups assigned to the application) will negate the benefits your app derives from choosing to use this option.
4. Under the ID section, select Group ID. This will result in Azure AD sending the object id of the groups the user is assigned to in the groups claim of the ID Token that your app receives after signing-in a user.
5. If you are exposing a Web API using the Expose an API option, then you can also choose the Group ID option under the Access section. This will result in Azure AD sending the Object ID of the groups the user is assigned to in the groups claim of the Access Token issued to the client applications of your API.
6. In the app's registration screen, select on the Overview blade in the left to open the Application overview screen. Select the hyperlink with the name of your application in Managed application in local directory (note this field title can be truncated for instance Managed application in ...). When you select this link you will navigate to the Enterprise Application Overview page associated with the service principal for your application in the tenant where you created it. You can navigate back to the app registration page by using the back button of your browser.
7. Select the Users and groups blade in the left to open the page where you can assign users and groups to your application.
   1. Select the Add user button on the top row.
   2. Select User and Groups from the resultant screen.
   3. Choose the groups that you want to assign to this application.
   4. Click Select in the bottom to finish selecting the groups.
   5. Select Assign to finish the group assignment process.
   6. Your application will now receive these selected groups in the groups claim when a user signing in to your app is a member of one or more these assigned groups.
8. Select the Properties blade in the left to open the page that lists the basic properties of your application.Set the User assignment required? flag to Yes.

💡 Important security tip

When you set User assignment required? to Yes, Azure AD will check that only users assigned to your application in the Users and groups blade are able to sign-in to your app. You can assign users directly or by assigning security groups they belong to.

Configure your code sample to use your app registration and security groups (java-spring-webapp-groups)

Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.

In the steps below, "ClientID" is the same as "Application ID" or "AppId".

Open the src\main\resources\application.yml file.

1. Find the key Enter_Your_Tenant_ID_Here and replace the existing value with your Azure AD tenant ID.
2. Find the key Enter_Your_Client_ID_Here and replace the existing value with the application ID (clientId) of java-spring-webapp-groups app copied from the Azure portal.
3. Find the key Enter_Your_Client_Secret_Here and replace the existing value with the key you saved during the creation of java-spring-webapp-groups copied from the Azure portal.
4. Find the key Enter_Your_Admin_Group_ID_Here and replace the existing value with objectId of your AdminGroup.
5. Find the key Enter_Your_User_Group_ID_Here and replace the existing value with the objectId of your UserGroup

Open the src/main/java/com/microsoft/azuresamples/msal4j/msidentityspringbootwebapp/SampleController.java file.

1. Find the key Enter_Your_Admin_Group_ID_Here and replace the existing value with objectId of your AdminGroup.
2. Find the key Enter_Your_User_Group_ID_Here and replace the existing value with the objectId of your UserGroup

Running the sample

To run the sample in Visual Studio Code, ensure that you have installed the Java Extension Pack. To run this sample from the terminal, follow the steps below.

1. Open a terminal or the integrated VSCode terminal.
2. In the same directory as this readme file, run mvn clean compile spring-boot:run.
3. Open your browser and navigate to http://localhost:8080.

Explore the sample

• Note the signed-in or signed-out status displayed at the center of the screen.
• Click the context-sensitive button at the top right (it will read Sign In on first run)
• Alternatively, click the link to token details, admins only or regular users. Since these are protected pages that require authentication, you'll be automatically redirected to the sign-in page.
• Follow the instructions on the next page to sign in with an account in the Azure AD tenant.
• On the consent screen, note the scopes that are being requested.
• Upon successful completion of the sign-in flow, you should be redirected to the home page (sign in status), or one of the other pages, depending on which button triggered your sign-in flow.
• Note the context-sensitive button now says Sign out and displays your username to its left.
• If you are on the home page, you'll see an option to click ID Token Details: click it to see some of the ID token's decoded claims, including groups.
• Click the Admins Only button to view the /admin_only. Only users belonging to the AdminGroup security group will be able to view this page. Otherwise an authorization failure message will be displayed.
• Click the Regular Users button to view the /regular_user page. Only users belonging to the UserGroup security group will be able to view this page. Otherwise an authorization failure message will be displayed.
• You can also use the button on the top right to sign out. The status page will reflect this.

ℹ️ Did the sample not work for you as expected? Then please reach out to us using the GitHub Issues page.

We'd love your feedback!

Were we successful in addressing your learning objective? Consider taking a moment to share your experience with us.

About the code

This sample demonstrates how to use Azure AD Spring Boot Starter client library for Java to sign in users into your Azure AD tenant. It also makes use of Spring Oauth2 Client and Spring Web boot starters. It uses claims from ID Token obtained from Azure Active Directory to display details of the signed-in user, and to restrict access to some pages by using the groups claim for authorization.

Project Initialization

Create a new Java Maven project and copy the pom.xml file from this project, and the src folder of this repository.

If you'd like to create a project like this from scratch, you may use Spring Initializer:

• For Packaging, select Jar
• For Java select version 11
• For Dependencies, add the following:
  • Azure Active Directory
  • Spring Oauth2 Client
  • Spring Web
• Be sure that it comes with Azure SDK version 3.5 or higher. If not, please consider replacing the pre-configured pom.xml with the pom.xml from this repository.

ID Token Claims

To extract token details, make use of Spring Security's AuthenticationPrincipal and OidcUser object in a request mapping. See the Sample Controller for an example of this app making use of ID Token claims.

import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
//...
@GetMapping(path = "/some_path")
public String tokenDetails(@AuthenticationPrincipal OidcUser principal) {
    Map<String, Object> claims = principal.getIdToken().getClaims();
}

Processing Groups claim in the ID token

The name of the the roles that the signed-in user is assigned to is returned in the groups claim of the token.

{
  ...
  "groups": [
    "xyz-id-xyz",
    "xyz-id-xyz",]
  ...
}

A common way to access them is documented in the ID Token Claims section above. Azure AD Boot Starter (v3.5 and above) parses the groups claim automatically and adds each group to the signed in user's Authorities. This allows developers to make use of groups with Spring PrePost condition annotations using the hasAuthority method. For example, you'll find the following @PreAuthorize conditions demonstrated in SampleController.java:

@GetMapping(path = "/admin_only")
@PreAuthorize("hasAuthority('enter-admin-group-id-here')")
public String adminOnly(Model model) {
    // restrict to users who belong to AdminGroup
}
@GetMapping(path = "/regular_user")
@PreAuthorize("hasAnyAuthority('enter-user-group-id-here','enter-admin-group-id-here')")
public String regularUser(Model model) {
    // restrict to users who belong to any of UserGroup or AdminGroup
}

To see a full list of authorities for a given user:

@GetMapping(path = "/some_path")
public String tokenDetails(@AuthenticationPrincipal OidcUser principal) {
   Collection<? extends GrantedAuthority> authorities = principal.getAuthorities();
}

Sign-in and sign-out links

To sign in, you must make a request to the Azure Active Directory sign-in endpoint that is automatically configured by Azure AD Spring Boot Starter client library for Java.

<a class="btn btn-success" href="/oauth2/authorization/azure">Sign In</a>

To sign out, you must make POST request to the logout endpoint.

<form action="#" th:action="@{/logout}" method="post">
  <input class="btn btn-warning" type="submit" value="Sign Out" />
</form>

Authentication-dependent UI elements

This app has some simple logic in the UI template pages for determining content to display based on whether the user is authenticated or not. For example, the following Spring Security Thymeleaf tags may be used:

<div sec:authorize="isAuthenticated()">
  this content only shows to authenticated users
</div>
<div sec:authorize="isAnonymous()">
  this content only shows to not-authenticated users
</div>

Protecting routes with AADWebSecurityConfigurerAdapter

By default, this app protects the ID Token Details, Admins Only and Regular Users pages so that only logged-in users can access them. This app uses configures these routes from the app.protect.authenticated property from the application.yml file. To configure your app's specific requirements, extend AADWebSecurityConfigurationAdapter in one of your classes. For an example, see this app's SecurityConfig class.

@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends AADWebSecurityConfigurerAdapter{
  @Value( "${app.protect.authenticated}" )
  private String[] protectedRoutes;

    @Override
    public void configure(HttpSecurity http) throws Exception {
    // use required configuration form AADWebSecurityAdapter.configure:
    super.configure(http);
    // add custom configuration:
    http.authorizeRequests()
      .antMatchers(protectedRoutes).authenticated()     // limit these pages to authenticated users (default: /token_details, /admin_only, /regular_user)
      .antMatchers("/**").permitAll();                  // allow all other routes.
    }
}

The Groups Overage Claim

To ensure that the token size doesn’t exceed HTTP header size limits, the Microsoft Identity Platform limits the number of object Ids that it includes in the groups claim.

If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens, 6 for single-page applications), then the Microsoft identity platform does not emit the group IDs in the groups claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the MS Graph API to retrieve the user’s group membership.

Azure AD Boot Starter (v3.5 and above) parses the groups claim automatically and adds each group to the signed in user's Authorities. It automatically handles the groups overage scenario.

We strongly advise you use the group filtering feature (if possible) to avoid running into group overages.

Create the Overage Scenario for testing

1. You can use the BulkCreateGroups.ps1 provided in the App Creation Scripts folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. Remember to change the user's objectId provided in the BulkCreateGroups.ps1 script.

When attending to overage scenarios, which requires a call to Microsoft Graph to read the signed-in user's group memberships, your app will need to have the User.Read and GroupMember.Read.All for the getMemberGroups function to execute successfully.

⚠️ For the overage scenario, make sure you have granted Admin Consent for the MS Graph API's GroupMember.Read.All scope for both the Client and the Service apps (see the App Registration steps above).

Deploying web app to Azure App Services

There is one web app in this sample. To deploy it to Azure App Services, you'll need to:

• create an Azure App Service
• publish the projects to the App Services, and
• update its client(s) to call the website instead of the local environment.

Update the Azure AD app registration (java-spring-webapp-groups)

1. Navigate back to to the Azure portal. In the left-hand navigation pane, select the Azure Active Directory service, and then select App registrations (Preview).
2. In the resulting screen, select the java-spring-webapp-groups application.
3. In the app's registration screen, select Authentication in the menu.
   • In the Redirect URIs section, update the reply URLs to match the site URL of your Azure deployment. For example:
     • https://java-spring-webapp-groups.azurewebsites.net/login/oauth2/code/

⚠️ If your app is using an in-memory storage, Azure App Services will spin down your web site if it is inactive, and any records that your app was keeping will emptied. In addition, if you increase the instance count of your website, requests will be distributed among the instances. Your app's records, therefore, will not be the same on each instance.

More information

• Microsoft identity platform (Azure Active Directory for developers)
• Overview of Microsoft Authentication Library (MSAL)
• Quickstart: Register an application with the Microsoft identity platform (Preview)
• Quickstart: Configure a client application to access web APIs (Preview)
• Understanding Azure AD application consent experiences
• Understand user and admin consent
• Application and service principal objects in Azure Active Directory
• National Clouds
• MSAL code samples // Add MSAL-java docs

For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Azure AD.

Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [azure-active-directory azure-ad-b2c ms-identity adal msal].

If you find a bug in the sample, raise the issue on GitHub Issues.

To provide feedback on or suggest features for Azure Active Directory, visit User Voice page.

Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.

This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.