Spring Boot azureAD filter autoconfiguration

Submitted by 狂风中的少年 on 2021-02-08 10:14:44

Question


A few days ago I was able to configure the integration with Azure AD and Spring Boot. I'm using the following dependencies to achieve that:

<dependencies>
    <dependency>
        <groupId>org.springframework.security</groupId>
        <artifactId>spring-security-oauth2-client</artifactId>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>azure-active-directory-spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>com.microsoft.azure</groupId>
        <artifactId>msal4j</artifactId>
    </dependency>
</dependencies>

It works so nicely and I was able to get the expected result, but now the problem. I have two security configurations. Each one is configured with Spring profiles, for example:

spring:
  profiles:
    active: DDBBSecurized, local

This one enables the security with DDBB and it was configured before the integration with Azure AD. It works perfectly.

I also have

spring:
  profiles:
    active: ADDSecurized, local

that enables the integration with Azure AD.

Before configuring the Azure AD integration, if I used DDBBSecurized it worked nicely, and I also had the option that if I don't configure anything (spring.profiles.active: local, for example) it disables the security.

The way to achieve that is the following:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import es.indra.som.common.utilities.CorsFilter;
import es.indra.som.security.filter.JWTAuthenticationFilter;
// RestAuthenticationExceptionHandler is a project class whose package is not shown here.

@EnableWebSecurity
@Profile( "DDBBSecurized" )
public class DDBBSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthenticationExceptionHandler restAuthenticationExceptionHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable().sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
        http.headers().frameOptions().disable();

        // Request authentication filter
        http.addFilterAfter( new JWTAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class );

        // CORS filters
        http.addFilterBefore( new CorsFilter(), ChannelProcessingFilter.class );

        // Login exception handler
        http.exceptionHandling().authenticationEntryPoint( restAuthenticationExceptionHandler );

        // Endpoint configuration
        http.authorizeRequests().antMatchers( HttpMethod.POST, "/auth/login**" ).permitAll()
            .antMatchers( "/v2/api-docs", "/configuration/**","/swagger*/**","/webjars/**" ).permitAll()
            .antMatchers( "/actuator/**" ).permitAll()
            .anyRequest().authenticated();
    }
}

I have my own JWT filter and login endpoint, and I also had:

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;

import es.indra.som.common.utilities.CorsFilter;
// RestAuthenticationExceptionHandler is a project class whose package is not shown here.

@EnableWebSecurity
@Profile( "!DDBBSecurized & !AzureAdSecurized" )
public class NonSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthenticationExceptionHandler restAuthenticationExceptionHandler;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable().sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
        http.headers().frameOptions().disable();

        // CORS filters
        http.addFilterBefore( new CorsFilter(), ChannelProcessingFilter.class );

        // Login exception handler
        http.exceptionHandling().authenticationEntryPoint( restAuthenticationExceptionHandler );

        // Endpoint configuration: everything is open when no security profile is active
        http.authorizeRequests().anyRequest().permitAll();
    }
}

That works perfectly.

Now if I use ADDSecurized everything works perfectly.

import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Profile;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;

import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;

import es.indra.som.common.utilities.CorsFilter;
// RestAuthenticationExceptionHandler and AzureTokenGetFilter are project classes whose packages are not shown here.

@EnableWebSecurity
@Profile("AzureAdSecurized")
public class AzureSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private RestAuthenticationExceptionHandler restAuthenticationExceptionHandler;

    // Filter bean provided by the Azure AD starter's auto-configuration
    @Autowired
    private AADAppRoleStatelessAuthenticationFilter aadAuthenticationFilter;

    @Override
    protected void configure(HttpSecurity http) throws Exception {

        http.csrf().disable().sessionManagement().sessionCreationPolicy( SessionCreationPolicy.STATELESS );
        http.headers().frameOptions().disable();

        // Request authentication filters
        http.addFilterAfter( aadAuthenticationFilter, UsernamePasswordAuthenticationFilter.class );
        http.addFilterAfter( new AzureTokenGetFilter(), UsernamePasswordAuthenticationFilter.class );

        // CORS filters
        http.addFilterBefore( new CorsFilter(), ChannelProcessingFilter.class );

        // Login exception handler
        http.exceptionHandling().authenticationEntryPoint( restAuthenticationExceptionHandler );

        // Endpoint configuration
        http.authorizeRequests().antMatchers( HttpMethod.POST,  "/auth/login**" ).permitAll()
            .antMatchers( "/v2/api-docs", "/configuration/**", "/swagger*/**", "/webjars/**" ).permitAll()
            .antMatchers( "/actuator/**" ).permitAll().anyRequest().authenticated();
    }
}

But if I change to the DDBBSecurized profile it is still passing through the aadAuthenticationFilter filter of Azure, even if this configuration is disabled. It seems it autoconfigures a WebSecurityConfigurerAdapter by its own or something like that.

The properties I also have are:

security:
    oauth2:
      client:
        registration:
          azure:
            client-id: XXXX-XXXX-XXXX-XXXX-XXXXXXXX

azure:
  activedirectory:
    tenant-id: XXXX-XXXX-XXXX-XXXX-XXXXXXXX
    client-id: XXXX-XXXX-XXXX-XXXX-XXXXXXXX
    scope: /User.Read
    session-stateless: true
    authority-url: https://login.microsoftonline.com/

Now, for example, I have configured DDBBSecurized and I can see in the log that the filter is being applied:

STARTUPLOG:

2020-03-26 20:10:02,279 INFO class=org.springframework.boot.StartupInfoLogger  Starting Application on gggarrido10 with PID 8760 (D:\Proyectos\EvoSago\SOM-Back\admin-user\target\classes started by gggarrido in D:\Proyectos\EvoSago\SOM-Back)
2020-03-26 20:10:11,378 INFO class=org.springframework.boot.SpringApplication  The following profiles are active: DDBBSecurized,local
2020-03-26 20:10:31,479 INFO class=org.springframework.context.support.PostProcessorRegistrationDelegate$BeanPostProcessorChecker  Bean 'org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration' of type [org.springframework.transaction.annotation.ProxyTransactionManagementConfiguration$$EnhancerBySpringCGLIB$$2e0e67bf] is not eligible for getting processed by all BeanPostProcessors (for example: not eligible for auto-proxying)
2020-03-26 20:10:33,267 INFO class=org.springframework.boot.web.embedded.tomcat.TomcatWebServer  Tomcat initialized with port(s): 8080 (http)
2020-03-26 20:10:34,434 INFO class=org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext  Root WebApplicationContext: initialization completed in 22895 ms
2020-03-26 20:10:39,649 INFO class=org.springframework.boot.actuate.endpoint.web.ServletEndpointRegistrar  Registered '/actuator/jolokia' to jolokia-actuator-endpoint
2020-03-26 20:10:42,925 INFO class=org.springframework.boot.actuate.endpoint.web.EndpointLinksResolver  Exposing 17 endpoint(s) beneath base path '/actuator'
2020-03-26 20:10:43,850 INFO class=org.springframework.security.web.DefaultSecurityFilterChain  Creating filter chain: any request, [es.indra.som.common.utilities.CorsFilter@26f5e45d, org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter@704c3bdf, org.springframework.security.web.context.SecurityContextPersistenceFilter@1e6d30c0, org.springframework.security.web.header.HeaderWriterFilter@5529522f, org.springframework.security.web.authentication.logout.LogoutFilter@4d2f9e3c, es.indra.som.security.filter.JWTAuthenticationFilter@37986daf, org.springframework.security.web.savedrequest.RequestCacheAwareFilter@69d667a5, org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter@7ab1ad9, org.springframework.security.web.authentication.AnonymousAuthenticationFilter@c82d925, org.springframework.security.web.session.SessionManagementFilter@1b60d324, org.springframework.security.web.access.ExceptionTranslationFilter@43a59289, org.springframework.security.web.access.intercept.FilterSecurityInterceptor@61993d18]
2020-03-26 20:10:45,610 INFO class=org.springframework.scheduling.concurrent.ExecutorConfigurationSupport  Initializing ExecutorService 'applicationTaskExecutor'
2020-03-26 20:10:48,503 INFO class=org.springframework.scheduling.concurrent.ExecutorConfigurationSupport  Initializing ExecutorService
2020-03-26 20:10:51,398 INFO class=org.springframework.boot.web.embedded.tomcat.TomcatWebServer  Tomcat started on port(s): 8080 (http) with context path ''
2020-03-26 20:10:51,407 INFO class=org.springframework.boot.StartupInfoLogger  Started Application in 53.341 seconds (JVM running for 56.018)

ERROR LOG BECAUSE THE ADD FILTER IS BEING APPLIED WHEN IT SHOULDN'T

2020-03-26 20:11:16,144 ERROR class=com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter  Failed to initialize UserPrincipal.
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:384)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:330)
    at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:321)
    at com.microsoft.azure.spring.autoconfigure.aad.UserPrincipalManager.buildUserPrincipal(UserPrincipalManager.java:83)
    at com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter.doFilterInternal(AADAppRoleStatelessAuthenticationFilter.java:58)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166)
    at org.springframework.boot.actuate.web.trace.servlet.HttpTraceFilter.doFilterInternal(HttpTraceFilter.java:88)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter

The point is that before, with only DDBBSecurized and NoSecurity, it works perfectly. Why is the ADD filter applying the filter even if I disable it by profile?

I also tried:

@SpringBootApplication(exclude = {SecurityAutoConfiguration.class , SecurityFilterAutoConfiguration.class,
    AADAuthenticationFilterAutoConfiguration.class})

I also tried to delete the full AzureSecurityConfiguration... but it didn't work; even if I delete the full class it passes through the filter.

But it did not work, and also the app doesn't start because it needs AADAuthenticationFilterAutoConfiguration to autoconfigure the filters provided by the library with the properties set in application.yaml, saving the user from having to configure them manually.

Thanks in advance.
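Added example, not part of the question and not code from the Azure starter: a way to keep the auto-configured filter out of the servlet container's chain. The stack trace above shows AADAppRoleStatelessAuthenticationFilter being invoked straight from Tomcat's ApplicationFilterChain, with no Spring Security FilterChainProxy in between, which is what happens when Spring Boot registers a Filter bean with the embedded container on its own, independent of any WebSecurityConfigurerAdapter. A FilterRegistrationBean with setEnabled(false) tells Boot not to register that bean with the container, while the bean itself stays available for AzureSecurityConfig to inject and place in the Spring Security chain under the AzureAdSecurized profile (the spelling used in the @Profile annotations; the yaml above uses ADDSecurized). The names AadFilterRegistrationConfig, aadFilterRegistration and logContainerFilters are made up for this example, and it assumes, as the trace suggests, that the starter exposes the filter as a plain Filter bean.

```java
import javax.servlet.ServletContext;

import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.ApplicationRunner;
import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import com.microsoft.azure.spring.autoconfigure.aad.AADAppRoleStatelessAuthenticationFilter;

/**
 * Hypothetical configuration (added example, not part of the question or the Azure starter).
 * Spring Boot registers every Filter bean with the embedded servlet container, so the
 * AADAppRoleStatelessAuthenticationFilter created by AADAuthenticationFilterAutoConfiguration
 * runs on every request regardless of which WebSecurityConfigurerAdapter is active.
 * A disabled FilterRegistrationBean for that filter suppresses the container registration
 * while leaving the bean in place for AzureSecurityConfig to inject and add to the
 * Spring Security chain under the AzureAdSecurized profile.
 */
@Configuration
public class AadFilterRegistrationConfig {

    private static final Logger LOG = LoggerFactory.getLogger(AadFilterRegistrationConfig.class);

    @Bean
    public FilterRegistrationBean<AADAppRoleStatelessAuthenticationFilter> aadFilterRegistration(
            AADAppRoleStatelessAuthenticationFilter aadAuthenticationFilter) {
        FilterRegistrationBean<AADAppRoleStatelessAuthenticationFilter> registration =
                new FilterRegistrationBean<>(aadAuthenticationFilter);
        // Boot skips the plain Filter bean once a registration bean wraps it, and a disabled
        // registration is never added to the ServletContext. The filter then runs only where a
        // security configuration explicitly places it (http.addFilterAfter in AzureSecurityConfig).
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    public ApplicationRunner logContainerFilters(ServletContext servletContext) {
        // Startup check: list what the container itself runs in front of every request.
        // The AAD filter should not appear here. Spring Security's own chain is still reported
        // separately by DefaultSecurityFilterChain, as in the startup log above.
        return args -> servletContext.getFilterRegistrations().forEach((name, reg) ->
                LOG.info("container filter '{}' -> {}", name, reg.getClassName()));
    }
}
```

Because the registration is not gated by a profile, under AzureAdSecurized the filter executes only from the position AzureSecurityConfig gives it in the security chain, rather than from the container chain ahead of it as well; under DDBBSecurized or no profile it does not execute at all, so the BadJOSEException above for a non-Azure JWT goes away. The bean method takes the filter bean as a required dependency, which the properties shown (session-stateless: true) provide; if that setting changes and the starter stops creating this filter, the registration bean needs adjusting too. The second bean is the check to run after the change: the startup log should list the container-level filters without the AAD filter among them.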

Source: https://stackoverflow.com/questions/60874517/spring-boot-azuread-filter-autoconfiguration
