Need no authentication but only authorization from spring boot 3 to access roles for API exposed

Nimbolkar, Santosh 0 Reputation points
2024-10-25T15:04:25.7633333+00:00

We want to just authorization using spring boot 3 for the APIs exposed for the ROLE that is there in the token issued from another cli client by executing command = az account get-access-token.

We need sample piece of code of spring 3 application that has the application.yaml config as well as class configuration.

Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
851 questions
Azure Spring Apps
Azure Spring Apps
An Azure platform as a service for running Spring Boot applications at cloud scale. Previously known as Azure Spring Cloud.
130 questions
{count} votes

1 answer

Sort by: Most helpful
  1. James Hamil 26,486 Reputation points Microsoft Employee
    2024-10-25T21:13:56.3166667+00:00

    Hi @Nimbolkar, Santosh , please reference the following documents:

    If I understand your question correctly, here is an example of the application.yaml and SecurityConfig.java:
    application.yaml:

    server:
      port: 8080
    
    spring:
      security:
        oauth2:
          resourceserver:
            jwt:
              issuer-uri: https://login.microsoftonline.com/{tenant-id}/v2.0
    

    SecurityConfig.java

    import org.springframework.context.annotation.Bean;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationConverter;
    import org.springframework.security.oauth2.server.resource.authentication.JwtGrantedAuthoritiesConverter;
    
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .authorizeRequests(authorizeRequests ->
                    authorizeRequests
                        .antMatchers("/api/**").hasRole("YOUR_ROLE")
                        .anyRequest().authenticated()
                )
                .oauth2ResourceServer(oauth2ResourceServer ->
                    oauth2ResourceServer
                        .jwt(jwt ->
                            jwt.jwtAuthenticationConverter(jwtAuthenticationConverter())
                        )
                );
        }
    
        @Bean
        public JwtAuthenticationConverter jwtAuthenticationConverter() {
            JwtGrantedAuthoritiesConverter grantedAuthoritiesConverter = new JwtGrantedAuthoritiesConverter();
            grantedAuthoritiesConverter.setAuthorityPrefix("ROLE_");
            grantedAuthoritiesConverter.setAuthoritiesClaimName("roles");
    
            JwtAuthenticationConverter jwtAuthenticationConverter = new JwtAuthenticationConverter();
            jwtAuthenticationConverter.setJwtGrantedAuthoritiesConverter(grantedAuthoritiesConverter);
            return jwtAuthenticationConverter;
        }
    }
    

    This setup makes sure that only users with the specified role in their token can access the /api/** endpoints.

    Please let me know if this helps. If needed, please post the code that you have and I can fix any issues you have with it.

    Please let me know if you have any questions and I can help you further.

    If this answer helps you please mark "Accept Answer" so other users can reference it.

    Thank you,

    James

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.