Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[QUERY] How to use AadAuthenticationFilter with spring-cloud-azure-starter-active-directory #43749

Open
nacron opened this issue Jan 9, 2025 · 2 comments
Open

[QUERY] How to use AadAuthenticationFilter with spring-cloud-azure-starter-active-directory #43749

nacron opened this issue Jan 9, 2025 · 2 comments
Assignees
@rujche
Labels
azure-spring All azure-spring related issues Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@nacron
Copy link

nacron commented Jan 9, 2025
edited
Loading

Query/Question
I am trying to use AadAuthenticationFilter since I am trying to do a custom SecurityFilterChain with two possible ways of authentication.
Under the path /aad/*** the user will be authenticated using the AadAuthenticationFilter
Under the path /jwt/*** the user will be authenticated using a custom JWT filter

My current implementation looks like this:


@EnableWebSecurity()
@EnableMethodSecurity
@Configuration()
@RequiredArgsConstructor
public class WebSecurityConfig {

    private final AadAuthenticationFilter aadAuthenticationFilter;
    private final JWTAuthenticationFilter jwtAuthenticationFilter;

    @Bean
    public FilterRegistrationBean<AadAuthenticationFilter> registerAAD(
            AadAuthenticationFilter filter) {
        FilterRegistrationBean<AadAuthenticationFilter> registration =
                new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    public FilterRegistrationBean<JWTAuthenticationFilter> registerJWT(
            JWTAuthenticationFilter filter) {
        FilterRegistrationBean<JWTAuthenticationFilter> registration =
                new FilterRegistrationBean(filter);
        registration.setEnabled(false);
        return registration;
    }

    @Bean
    @Order(2)
    public SecurityFilterChain configureAAD(HttpSecurity httpSecurity) throws Exception {
        // Disable Cors
        httpSecurity
                .securityMatcher("/aad/**")
                .cors(cors -> cors.disable())
                .csrf(csrf -> csrf.disable())
                // Disable Cache Controll
                .requestCache(cache -> cache.disable())
                // Disable Session Creation

                .sessionManagement(
                        session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(authorize -> authorize.anyRequest().authenticated())
                .addFilterBefore(
                        aadAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }

    @Bean
    @Order(1)
    public SecurityFilterChain configureJWT(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                .securityMatcher("/jwt/**")
                .cors(cors -> cors.disable())
                .csrf(csrf -> csrf.disable())
                // Disable Cache Controll
                .requestCache(cache -> cache.disable())
                // Disable Session Creation

                .sessionManagement(
                        session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(
                        authorize ->
                                authorize
                                        .requestMatchers("/error")
                                        .permitAll()
                                        .requestMatchers("/aad/**")
                                        .permitAll()
                                        .anyRequest()
                                        .authenticated())
                .addFilterBefore(
                        jwtAuthenticationFilter, UsernamePasswordAuthenticationFilter.class);
        return httpSecurity.build();
    }

With it I am getting the following Error:
[Failed to initialize UserPrincipal.] with root cause com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

I am using the current version of spring-cloud-azure-starter-active-directory: 5.19.0
Spring boot version is: 3.3.4

Packages I use:

implementation "org.springframework.boot:spring-boot-starter-web:$springBootVersion"
implementation "org.springframework.boot:spring-boot-starter-validation:$springBootVersion"
implementation "org.springframework.boot:spring-boot-starter-security:$springBootVersion"
implementation "org.springframework.boot:spring-boot-starter-jdbc:$springBootVersion"
implementation "org.springframework.boot:spring-boot-starter-oauth2-client:$springBootVersion"
implementation "com.auth0:java-jwt:$javaJwtVersion"

implementation "com.azure.spring:spring-cloud-azure-starter-active-directory:$activeDirectoryVersion"
implementation "com.azure.spring:spring-cloud-azure-autoconfigure:$activeDirectoryVersion"

Configuration:
spring.cloud.azure.active-directory.enabled=true
spring.cloud.azure.active-directory.session-stateless=false
spring.cloud.azure.active-directory.credential.client-id=${TM_APS_AD_CLIENT_ID}
spring.cloud.azure.active-directory.credential.client-secret=${TM_APS_AD_CLIENT_SECRET}
spring.cloud.azure.active-directory.profile.tenant-id=${TM_APS_AD_TENANT_ID}
spring.cloud.azure.active-directory.app-id-uri=api://...../default/use.basic
spring.cloud.azure.active-directory.authorization-clients.graph.scopes[0]=https://graph.microsoft.com/User.Read

Why is this not a Bug or a feature Request?
Because I need guidance with how to use / configure certain parts of the software.

Setup (please complete the following information if applicable):

  • OS: OSX
  • IDE: IntelliJ
  • Library/Libraries:

com.azure.spring:spring-cloud-azure-starter-active-directory:5.19.0
org.springframework.boot:spring-boot-starter-web:3.3.4

More detailed stacktrace of Error I am getting:

ERROR org.apache.juli.logging.DirectJDKLog:175 - Servlet.service() for servlet [dispatcherServlet] in context with path [] threw exception [Failed to initialize UserPrincipal.] with root cause com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:394)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:340)
at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:331)
at com.azure.spring.cloud.autoconfigure.implementation.aad.filter.UserPrincipalManager.buildUserPrincipal(UserPrincipalManager.java:151)
at com.azure.spring.cloud.autoconfigure.implementation.aad.filter.AadAuthenticationFilter.doFilterInternal(AadAuthenticationFilter.java:158)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)<nl> at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:107)
at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:93)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)<nl> at org.springframework.security.web.header.HeaderWriterFilter.doHeadersAfter(HeaderWriterFilter.java:90)
at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:75)
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:116)
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:374)<nl> at org.springframework.security.web.context.SecurityContextHolderFilter.doFilter(SecurityContextHolderFilter.java:82)<nl>
@github-actions github-actions bot added azure-spring All azure-spring related issues Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Jan 9, 2025
@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 9, 2025

@moarychan @Netyyyy @rujche @saragluna

@github-actions GitHub Actions
Copy link

github-actions bot commented Jan 9, 2025

Thank you for your feedback. Tagging and routing to the team member best able to assist.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@rujche rujche

Labels
azure-spring All azure-spring related issues Client This issue points to a problem in the data-plane of the library. customer-reported Issues that are reported by GitHub users external to the Azure organization. needs-team-attention Workflow: This issue needs attention from Azure service team or SDK team question The issue doesn't require a change to the product in order to be resolved. Most issues start as that
Projects
Spring Cloud Azure
Status: Todo
Milestone
No milestone
Development

No branches or pull requests
2 participants
@nacron @rujche