Open 4may-biz opened 2 weeks ago
@chenrujun @moarychan @netyyyy @saragluna
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @4may-biz, which Spring Boot version are you using, and which version of Spring Cloud Azure are you using?
And I think we could try this https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter#configuring-httpsecurity.
Hello @saragluna, thank you for your reply. I'm using these versions. Spring Boot version: 2.7.13 Spring Cloud Azure: 4.9.0
@4may-biz, could you try this?
@saragluna , I'm sorry for the late reply. I'm trying below but cannot access health endpoints yet.
```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz
                // intended to be reachable without authentication
                .antMatchers("/actuator/health", "/actuator/beans").permitAll()
                .anyRequest().authenticated()
            );
        return http.build();
    }
}
```
Based on the logs, it seems that the endpoint for health checks is not being recognized as a pattern for exclusion.
2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy : Securing GET /actuator/health
2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter : Set SecurityContextHolder to anonymous SecurityContext
2024-06-25 10:18:22.612 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.w.s.HttpSessionRequestCache : Saved request http://localhost:8080/actuator/health to session
2024-06-25 10:18:22.612 DEBUG 3624 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@69cfa87c, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]]]
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@72106c9e
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy : Redirecting to http://localhost:8080/oauth2/authorization/my_userflow
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2024-06-25 10:18:22.621 DEBUG 3624 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy : Securing GET /oauth2/authorization/my_userflow
2024-06-25 10:18:22.621 DEBUG 3624 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] o.s.s.web.DefaultRedirectStrategy : Redirecting to https://p24poc.b2clogin.com/p24poc.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&client_id=my_client_id&scope=my_client_id%20openid%20offline_access&state=t3h5zrqn8nJW9Xtkd6ise99S9DskjkX0KI5-7UEezHY%3D&redirect_uri=http://localhost:8080/login/oauth2/code/&nonce=sKY2RNcdVElsWNQsx5ZKncSrL3_9_NnUDcBRbAAWjJY&p=my_userflow&x-client-SKU=spring-boot-starter
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
Alternatively, we can use "/login" as the health endpoint because it's already recognized without authentication. Do you have any idea?
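The log above shows that `/actuator/health` is being handled by the chain that carries the B2C login entry point, which is why an anonymous request is redirected to `/oauth2/authorization/my_userflow`. One way to keep the health endpoint out of that chain entirely is a dedicated, earlier-ordered `SecurityFilterChain` that matches only the health endpoint and permits it, while a second chain applies the B2C OIDC login to everything else. This is an added example, not code from the issue author or from Spring Cloud Azure; it assumes Spring Boot 2.7 / Spring Security 5.7 (the versions stated above) and that the starter's `AadB2cOidcLoginConfigurer` bean, which the linked guide applies with `http.apply(...)`, is available for injection. It deliberately exposes only `health`, not `/actuator/beans`, which leaks application internals.

```java
package com.example.security; // hypothetical package

import com.azure.spring.cloud.autoconfigure.aadb2c.AadB2cOidcLoginConfigurer;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Assumed: the configurer bean auto-configured by the B2C starter, as in the linked guide.
    private final AadB2cOidcLoginConfigurer b2cLogin;

    public SecurityConfig(AadB2cOidcLoginConfigurer b2cLogin) {
        this.b2cLogin = b2cLogin;
    }

    // Chain 1: matches only the actuator health endpoint. FilterChainProxy selects the
    // first chain whose request matcher accepts the request, so GET /actuator/health
    // is served here and never reaches the B2C login entry point in chain 2.
    @Bean
    @Order(1)
    public SecurityFilterChain healthChain(HttpSecurity http) throws Exception {
        http
            .requestMatcher(EndpointRequest.to("health"))
            .authorizeHttpRequests(authz -> authz.anyRequest().permitAll());
        return http.build();
    }

    // Chain 2: everything else (including /actuator/beans) requires an authenticated
    // user via Azure AD B2C OIDC login.
    @Bean
    @Order(2)
    public SecurityFilterChain b2cChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz.anyRequest().authenticated())
            .apply(b2cLogin);
        return http.build();
    }
}
```

Any `WebSecurityConfigurerAdapter` left over from the guide must be removed, because Spring Security 5.7 refuses to start when both an adapter and a `SecurityFilterChain` bean are present. With `FilterChainProxy` at DEBUG, a probe of `/actuator/health` should then log it as handled by `healthChain` with no `HttpSessionRequestCache` save and no redirect.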
@4may-biz could you help provide a minimal sample for us to reproduce this issue?
@saragluna we're developing our application based on this guide: https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory-b2c-oidc. To execute the application, we must create some ADB2C objects, something like a tenant, user flow, application, ... Could you try the guide?
So the only thing you want to ensure is that, based on this project, accessing the actuator path won't require authentication?
Yes.
Query/Question
Currently, we are using the spring-cloud-azure-starter-active-directory-b2c for authentication through user flows. However, this authentication is also being applied to the Spring Boot Actuator's health check endpoint, which results in a 302 response when requests come from Azure Front Door. Could you please provide a method to disable ADB2C authentication for specific endpoints (for example, /actuator/health)?
I know if we have an App Service with Easy Auth configured, we can specify endpoints we wish to exclude from authentication in the authsettingsv2 > excluded paths. However, I would like to achieve the same thing with Spring Cloud Azure.
Setup
Library/Libraries: com.azure.spring:spring-cloud-azure-starter-active-directory-b2c, org.springframework.boot:spring-boot-starter-actuator