Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[QUERY] A way to bypass authentication for specific endpoints when using spring-cloud-azure-starter-active-directory-b2c #40576

Open 4may-biz opened 2 weeks ago

4may-biz commented 2 weeks ago

Query/Question

Currently, we are using spring-cloud-azure-starter-active-directory-b2c for authentication through user flows. However, this authentication is also being applied to the Spring Boot Actuator's health check endpoint, which results in a 302 response when requests come from Azure Front Door. Could you please provide a method to disable ADB2C authentication for specific endpoints (for example, /actuator/health)?

I know if we have an App Service with Easy Auth configured, we can specify endpoints we wish to exclude from authentication in the authsettingsv2 > excluded paths. However, I would like to achieve the same thing with Spring Cloud Azure.

Setup (please complete the following information if applicable):

github-actions[bot] commented 2 weeks ago

@chenrujun @moarychan @netyyyy @saragluna

github-actions[bot] commented 2 weeks ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

saragluna commented 2 weeks ago

Hi @4may-biz, which Spring Boot version are you using, and which version of Spring Cloud Azure are you using?

saragluna commented 2 weeks ago

And I think we could try this https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter#configuring-httpsecurity.

4may-biz commented 2 weeks ago

Hello @saragluna, thank you for your reply. I'm using these versions.
Spring Boot version: 2.7.13
Spring Cloud Azure: 4.9.0

saragluna commented 2 weeks ago

And I think we could try this https://spring.io/blog/2022/02/21/spring-security-without-the-websecurityconfigureradapter#configuring-httpsecurity.

@4may-biz, could you try this?

4may-biz commented 4 days ago

@saragluna, I'm sorry for the late reply. I'm trying the configuration below, but I still cannot access the health endpoints.

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests((authz) -> authz
                // Intended to be reachable without a B2C login
                .antMatchers("/actuator/health", "/actuator/beans").permitAll()
                // Every other request must be authenticated
                .anyRequest().authenticated()
            );

        return http.build();
    }
}

Based on the logs, it seems that the endpoint for health checks is not being recognized as a pattern for exclusion.

2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] o.s.security.web.FilterChainProxy        : Securing GET /actuator/health
2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-06-25 10:18:22.601 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.w.a.AnonymousAuthenticationFilter  : Set SecurityContextHolder to anonymous SecurityContext
2024-06-25 10:18:22.612 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.w.s.HttpSessionRequestCache        : Saved request http://localhost:8080/actuator/health to session
2024-06-25 10:18:22.612 DEBUG 3624 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Trying to match using And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], Not [And [Or [Ant [pattern='/login'], Ant [pattern='/favicon.ico']], And [Not [RequestHeaderRequestMatcher [expectedHeaderName=X-Requested-With, expectedHeaderValue=XMLHttpRequest]], MediaTypeRequestMatcher [contentNegotiationStrategy=org.springframework.web.accept.HeaderContentNegotiationStrategy@69cfa87c, matchingMediaTypes=[application/xhtml+xml, image/*, text/html, text/plain], useEquals=false, ignoredMediaTypes=[*/*]]]]]]
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] s.w.a.DelegatingAuthenticationEntryPoint : Match found! Executing org.springframework.security.web.authentication.LoginUrlAuthenticationEntryPoint@72106c9e
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] o.s.s.web.DefaultRedirectStrategy        : Redirecting to http://localhost:8080/oauth2/authorization/my_userflow
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.613 DEBUG 3624 --- [nio-8080-exec-3] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request
2024-06-25 10:18:22.621 DEBUG 3624 --- [nio-8080-exec-4] o.s.security.web.FilterChainProxy        : Securing GET /oauth2/authorization/my_userflow
2024-06-25 10:18:22.621 DEBUG 3624 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Set SecurityContextHolder to empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] o.s.s.web.DefaultRedirectStrategy        : Redirecting to https://p24poc.b2clogin.com/p24poc.onmicrosoft.com/oauth2/v2.0/authorize?response_type=code&client_id=my_client_id&scope=my_client_id%20openid%20offline_access&state=t3h5zrqn8nJW9Xtkd6ise99S9DskjkX0KI5-7UEezHY%3D&redirect_uri=http://localhost:8080/login/oauth2/code/&nonce=sKY2RNcdVElsWNQsx5ZKncSrL3_9_NnUDcBRbAAWjJY&p=my_userflow&x-client-SKU=spring-boot-starter
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] w.c.HttpSessionSecurityContextRepository : Did not store empty SecurityContext
2024-06-25 10:18:22.622 DEBUG 3624 --- [nio-8080-exec-4] s.s.w.c.SecurityContextPersistenceFilter : Cleared SecurityContextHolder to complete request

Alternatively, we could use "/login" as the health endpoint because it's already recognized without authentication. Do you have any idea?
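An added example, not code from the issue author or from the Spring Cloud Azure project, of a single SecurityFilterChain that exempts only the Actuator health endpoint while keeping the B2C user-flow login for everything else. It assumes Spring Boot 2.7.x with Spring Security 5.7.x, Spring Cloud Azure 4.9.0 with spring-cloud-azure-starter-active-directory-b2c, and Actuator on the classpath; the class name SecurityConfig is arbitrary, and the import path of AadB2cOidcLoginConfigurer is the one used by the 4.x B2C guide and is an assumption here. Unlike the snippet above, it does not expose /actuator/beans, and it reuses the starter's login configurer so the redirect to /oauth2/authorization/<flow> still protects the application:

```java
// Added example; assumes Spring Boot 2.7 / Spring Security 5.7 / Spring Cloud Azure 4.9.0.
package com.example.security;

// Assumed package for the 4.x B2C starter's login configurer.
import com.azure.spring.cloud.autoconfigure.aadb2c.AadB2cOidcLoginConfigurer;
import org.springframework.boot.actuate.autoconfigure.security.servlet.EndpointRequest;
import org.springframework.boot.actuate.health.HealthEndpoint;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class SecurityConfig {

    // Provided by the B2C starter's auto-configuration; it wires oauth2Login()
    // with the user flows from spring.cloud.azure.active-directory.b2c.*
    private final AadB2cOidcLoginConfigurer b2cLoginConfigurer;

    public SecurityConfig(AadB2cOidcLoginConfigurer b2cLoginConfigurer) {
        this.b2cLoginConfigurer = b2cLoginConfigurer;
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(authz -> authz
                // Only the health endpoint is anonymous. EndpointRequest resolves the
                // path from management.endpoints.web.base-path, so the rule still
                // holds if /actuator is renamed, and it does not match /actuator/beans,
                // /actuator/env or other endpoints that reveal internals.
                .requestMatchers(EndpointRequest.to(HealthEndpoint.class)).permitAll()
                // Everything else still requires a B2C session.
                .anyRequest().authenticated()
            )
            // Keep the user-flow login that produced the 302 in the logs above,
            // but only for the requests that reach the authenticated() rule.
            .apply(b2cLoginConfigurer);

        return http.build();
    }
}
```

Two things to check when adopting this: Spring Security 5.7 refuses to start when a WebSecurityConfigurerAdapter subclass (as in the B2C guide) and a SecurityFilterChain bean both exist ("Found WebSecurityConfigurerAdapter as well as SecurityFilterChain. Please select just one."), so the guide's adapter must be removed rather than kept alongside this bean. And with the default management.endpoint.health.show-details=never, an anonymous caller sees only the UP/DOWN status, which is all a Front Door health probe needs.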

saragluna commented 3 days ago

@4may-biz could you help provide a minimal sample for us to reproduce this issue?

4may-biz commented 3 days ago

@saragluna, we're developing our application based on this guide: https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-active-directory-b2c-oidc. To execute the application, we must create some ADB2C objects such as a tenant, a user flow, an application, ... Could you try the guide?

saragluna commented 3 days ago

So the only thing you want to ensure is that, based on this project, accessing the actuator path won't require authentication?

4may-biz commented 2 days ago

So the only thing you want to ensure is that, based on this project, accessing the actuator path won't require authentication?

Yes.