Deprecate AADAppRoleStatelessAuthenticationFilter and AADAuthenticationFilter #17926

Merged
Expand Up @@ -60,6 +60,8 @@ When the session is stateless, use `AADAppRoleStatelessAuthenticationFilter` as

Refer to different samples for different authentication ways.

**Note**: `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter` will be deprecated. [Click here](https://github.com/Azure/azure-sdk-for-java/issues/17860) to replace it.

### Authenticate in backend

Please refer to [azure-spring-boot-sample-active-directory-backend](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md) for authenticate in backend. Or [azure-spring-boot-sample-active-directory-backend-v2](https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md) to use Microsoft Graph API instead of Azure Active Directory Graph API.
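Review bot: the added line `**Note**: ... [Click here](https://github.com/Azure/azure-sdk-for-java/issues/17860) to replace it.` tells the reader to "click here to replace it", but the link is a GitHub issue, not replacement instructions, and issue links are a poor long-term home for migration guidance. Suggest stating the replacement in the README itself, as the Javadoc in this PR already does (Spring Security's OAuth 2.0 resource server support together with the `azure-spring-boot-starter-active-directory` dependency), and keeping the issue link as background. Since this same PR applies `@Deprecated` to both classes, "will be deprecated" should read "are deprecated".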
Expand Down Expand Up @@ -125,6 +127,7 @@ public class AADAuthenticationFilterConfigSample extends WebSecurityConfigurerAd
* Role-based Authorization with annotation `@PreAuthorize("hasRole('GROUP_NAME')")`
* Role-based Authorization with method `isMemberOf()`


### Authenticate stateless APIs using AAD app roles
This scenario fits best for stateless Spring backends exposing an API to SPAs ([OAuth 2.0 implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-implicit-grant-flow))
or service-to-service access using the [client credentials grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow).
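Review bot: the only addition in this hunk is a second blank line before the `### Authenticate stateless APIs using AAD app roles` heading, which is noise, while the section it precedes documents exactly the stateless app-role filter this PR deprecates and gets no deprecation note. Suggest replacing the blank line with the same `**Note**` used in the session-based section above, so readers who land directly on the stateless scenario learn that `AADAppRoleStatelessAuthenticationFilter` is deprecated and what to use instead.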
2 changes: 1 addition & 1 deletion sdk/spring/azure-spring-boot/CHANGELOG.md
@@ -1,7 +1,7 @@
# Release History

## 3.0.0-beta.2 (Unreleased)

- Deprecated `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter`

## 3.0.0-beta.1 (2020-11-18)
### Breaking Changes
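Review bot: the entry `- Deprecated \`AADAppRoleStatelessAuthenticationFilter\` and \`AADAuthenticationFilter\`` names what is deprecated but not what to use instead; users upgrading from 3.0.0-beta.1 read the changelog first, so add the replacement (Spring Security resource server support with `azure-spring-boot-starter-active-directory`) and the link to issue #17860 here as well. The 3.0.0-beta.1 section groups its entries under `### Breaking Changes`; a matching sub-heading under 3.0.0-beta.2 (for example `### Deprecations`) would keep the file consistent.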
Expand Up @@ -3,9 +3,22 @@

package com.azure.spring.autoconfigure.aad;

import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jwt.proc.BadJWTException;
import java.io.IOException;
import java.text.ParseException;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
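Review bot: this hunk changes only import order (the two static `Constants` imports move above the regular imports, and the `java.*`/`javax.*` imports are interleaved alphabetically with the third-party ones); nothing in it relates to the deprecation. Unrelated reformatting in the same commit makes the real change harder to review and to cherry-pick into a release branch. Suggest either splitting it into its own commit or confirming the new order is the one the checkstyle rules in `sdk/spring` enforce, so it is not flipped back by the next contributor's IDE.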
Expand All @@ -18,26 +31,18 @@
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.text.ParseException;
import java.util.Collection;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;

import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
Comment on lines -21 to -34

Contributor: why do this, change format?

Contributor Author: It changes due to the automatic import of IDEA.


/**
* A stateless authentication filter which uses app roles feature of Azure Active Directory. Since it's a stateless
* implementation so the principal will not be stored in session. By using roles claim in the token it will not call
* Microsoft Graph to retrieve users' groups.
* <p>
*
* @deprecated For AADAppRoleStatelessAuthenticationFilter, suggest use spring-security resource-server directly and
* include azure-spring-boot-starter-active-directory dependencies into your project.Automatic configuration of the

Member: Add space before Automatic

* associated AAD will be started, they will work well together.
* See the <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">Alternative method</a>.
*/
@Deprecated
public class AADAppRoleStatelessAuthenticationFilter extends OncePerRequestFilter {

private static final Logger LOGGER = LoggerFactory.getLogger(AADAppRoleStatelessAuthenticationFilter.class);
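Review bot: the `@deprecated` text on `AADAppRoleStatelessAuthenticationFilter` (`suggest use spring-security resource-server directly and include azure-spring-boot-starter-active-directory dependencies into your project.Automatic configuration of the associated AAD will be started, they will work well together.`) is hard to parse, and the missing space after `project.` has already been flagged inline. Suggest a single directive sentence, for example `@deprecated Use Spring Security's OAuth 2.0 resource server support together with the azure-spring-boot-starter-active-directory dependency, which auto-configures the associated AAD settings; see <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">the alternative method</a>.` The `<p>` followed by an empty ` *` line renders as an empty paragraph in the generated Javadoc and can be dropped. The filter body itself is untouched, which is right for a deprecation-only change: existing users keep the same token validation until they migrate.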
Expand Up @@ -3,12 +3,23 @@

package com.azure.spring.autoconfigure.aad;

import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;
import com.microsoft.aad.msal4j.MsalServiceException;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.jwk.source.JWKSetCache;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.util.ResourceRetriever;
import com.nimbusds.jwt.proc.BadJWTException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.text.ParseException;
import java.util.Optional;
import javax.naming.ServiceUnavailableException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.HttpHeaders;
Expand All @@ -19,24 +30,17 @@
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.naming.ServiceUnavailableException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
import java.net.MalformedURLException;
import java.text.ParseException;
import java.util.Optional;

import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;

Comment on lines -22 to -34

Contributor: do we really need to change this?

Contributor Author: Don't need.

Hi @backwind1233, it's OK to keep the diff in the PR. The style is the same as the other Java files in the sdk/spring folder.

/**
* A stateful authentication filter which uses Microsoft Graph groups to authorize. Both ID token and access token are
* supported. In the case of access token, only access token issued for the exact same application this filter used for
* could be accepted, e.g. access token issued for Microsoft Graph could not be processed by users' application.
* <p>
*
* @deprecated For AADAuthenticationFilter,in normal case, resource-server not support session. So
* AADAuthenticationFilter will not supported in the future. See the
* <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">Alternative method</a>.
*/
@Deprecated
public class AADAuthenticationFilter extends OncePerRequestFilter {
private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationFilter.class);
private static final String CURRENT_USER_PRINCIPAL = "CURRENT_USER_PRINCIPAL";
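Review bot: the `@deprecated` text on `AADAuthenticationFilter` (`in normal case, resource-server not support session. So AADAuthenticationFilter will not supported in the future.`) needs rewording, and the reason can be stated precisely from what is visible here: the class is documented as a stateful filter and keeps a `CURRENT_USER_PRINCIPAL` session attribute, whereas a resource server is expected to be stateless and validate the bearer token on every request, so a session-based filter does not fit that model. Suggest: `@deprecated Resource servers are stateless and do not use an HTTP session, so this session-based filter will be removed; use Spring Security's OAuth 2.0 resource server support instead. See <a href="https://github.com/Azure/azure-sdk-for-java/issues/17860">the alternative method</a>.` As in the other file, the `<p>` followed by an empty ` *` line can go.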