| page_type | languages | products | urlFragment | description |
|---|---|---|---|---|
| sample | | | msal-java-deploy-spring-boot | This sample demonstrates how to use Azure App Service to deploy to Azure Cloud a Java Spring Boot web application that utilizes the Microsoft Entra ID Spring Boot Starter client library for Java to sign in users and call Graph. |
- Overview
- Prerequisites
- Setup
- Registration
- Deployment
- We'd love your feedback!
- More information
- Community Help and Support
- Contributing
- Code of Conduct
## Overview

This sample demonstrates how to use Azure App Service to deploy a Java Spring Boot web application to Azure. The application uses the Microsoft Entra ID Spring Boot Starter client library for Java to sign in users and call Microsoft Graph. We recommend that you clone the repository Tutorial: Enable your Java Spring Boot web app to sign in users and call APIs with the Microsoft identity platform and deploy the sample in its `2-Authorization-I/call-graph` directory. You may use these steps to help you deploy a different sample or your own project, but the instructions here are specific to the sample listed.
## Prerequisites

- A Microsoft Entra tenant. For more information on how to get one, see How to get a Microsoft Entra tenant.
- A user account in your Microsoft Entra ID tenant.
- Visual Studio Code is recommended for running and editing this sample.
- The VS Code Azure Tools Extension is recommended for interacting with Azure through the VS Code interface.
- An Azure subscription. This sample uses the free tier of Azure App Service.
- Maven 3.6 or higher, installed and on your `PATH` (i.e., callable via the `mvn` command).
## Setup

Follow the setup instructions in the Enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform sample.

## Registration

Use a Microsoft Entra application registration and its matching sample that you have completed previously. If you have not completed a sample yet, we recommend that you first complete Enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform and use the app registration from it.
## Deployment

This guide is for deploying to Azure App Service via the VS Code Azure Tools Extension. Follow these steps in a VS Code window with the workspace set to your copy of Enable your Java Spring Boot web app to sign in users and call Microsoft Graph with the Microsoft identity platform.

In order to deploy your app, you must:

- Prepare the app service and obtain a website URI in the form of `https://example-domain.azurewebsites.net`.
- Update your Microsoft Entra app registration's redirect URIs from the Microsoft Entra admin center, in order to include the redirect URI of your Azure App Service hosted Java web application.
- Prepare your web app for deployment.
- Deploy to Azure App Service.
### Step 1: Create a new app on Azure App Service

- Open the VS Code command palette (Ctrl+Shift+P on Windows and Command+Shift+P on Mac).
- Choose `Azure App Service: Create New Web App...`.
- Enter a globally unique name for your web app (e.g., `example-domain`) and press Enter. Make a note of this name. If you chose `example-domain` for your app name, your app's domain name will be `https://example-domain.azurewebsites.net`.
- Select `Java 11` for your runtime stack.
- Select `Java SE (Embedded Web Server)` for your Java web server stack.
- If you are asked for an OS, choose `Linux`.
- Select `Free` or any other option for your pricing tier.
### Step 2: Prepare the web app for deployment

You must first modify the configuration files in your application. Go to your app's properties file (`src/main/resources/application.yml`).

- Change the value of `post-logout-redirect-uri: http://localhost:8080` to your deployed app's domain name. For example, if you chose `example-domain` for your app name in Step 1: Create a new app on Azure App Service, you must now use the value `post-logout-redirect-uri: https://example-domain.azurewebsites.net`. Be sure that you have also changed the protocol from `http` to `https`.

  ```yaml
  # the default value was:
  # post-logout-redirect-uri: http://localhost:8080
  # the correct format for the new value is as follows:
  azure:
    activedirectory:
      # ...
      post-logout-redirect-uri: https://example-domain.azurewebsites.net
      # ...
  ```

- Add the following values for server configuration in order to properly handle the redirect URI. This tells the embedded Tomcat server that it is behind a reverse proxy (e.g., Azure App Service) and to identify incoming requests as https from the `X-Forwarded-Proto` header. Note that `internal-proxies: ".*"` trusts the forwarded headers from any client address, which is acceptable only while the app is reachable exclusively through the App Service front end.

  ```yaml
  server:
    forward-headers-strategy: native
    tomcat:
      remoteip:
        protocol-header: "X-Forwarded-Proto"
        remote-ip-header: "X-Forwarded-For"
        internal-proxies: ".*"
  ```
You may skip the rest of this step if you are doing a test deployment with a development Microsoft Entra app registration that does not have any sensitive data. It is not secure to deploy secrets in a config file to a production application. To deploy your app more securely, you must:

- Supply a config file that omits secrets (i.e., an `application.yml` that does not contain `azure.activedirectory.client-secret`).
- Import the secrets from a secure location, such as:
  - Azure Key Vault. You may use the Azure Key Vault Secrets Spring Boot starter client library for Java. Set the client secret value in the vault, naming it `azure.activedirectory.client-secret`.
  - Environment variables. You may configure an environment variable from the Microsoft Entra admin center or use the Azure Tools extension for VS Code.
    - Microsoft Entra admin center: Microsoft Entra admin center > App Services > YourAppName (e.g., example-domain) > Configuration.
    - VS Code: Azure Tools tab > App Service Blade > Your subscription > YourAppName (e.g., example-domain) > Application Settings > Right Click > New setting....

    Set an environment variable named `azure.activedirectory.client_secret`. Once you deploy your app, the secret will be loaded automatically. Note that the dash (`-`) from the config file must be replaced with an underscore (`_`) as follows: `azure.activedirectory.client_secret=YOUR CLIENT SECRET VALUE`.

If you are sure you want to continue, proceed to Deploy the web app.
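As an added pre-deployment check (not part of the sample or of the Azure tooling), the following shell function inspects an `application.yml` for the three things this step changes: it fails if the file still carries `client-secret`, if `post-logout-redirect-uri` is not the https App Service domain, or if `forward-headers-strategy: native` is missing. The two configs it runs against are constructed for this example; the app name `example-domain` is the one used throughout this guide, and the tenant/client ids are placeholders.

```shell
#!/bin/sh
# Added pre-deployment check (not part of the sample): run it on
# application.yml before the azure-webapp:deploy goal. Exit 0 = safe to deploy.
check_app_yml() {
  file="$1"; app="$2"; rc=0
  # 1. The config file must not carry the client secret (use Key Vault or an
  #    App Service application setting instead).
  if grep -Eq '^[[:space:]]*client-secret[[:space:]]*:' "$file"; then
    echo "FAIL: client-secret found in $file" >&2; rc=1
  fi
  # 2. post-logout-redirect-uri must point at the https App Service domain.
  if ! grep -Eq "^[[:space:]]*post-logout-redirect-uri:[[:space:]]*https://$app\.azurewebsites\.net" "$file"; then
    echo "FAIL: post-logout-redirect-uri is not https://$app.azurewebsites.net" >&2; rc=1
  fi
  # 3. Tomcat must honour X-Forwarded-Proto; otherwise the redirect_uri the app
  #    builds behind the App Service proxy starts with http:// and will not
  #    match the https URI registered in Microsoft Entra.
  if ! grep -Eq '^[[:space:]]*forward-headers-strategy:[[:space:]]*native' "$file"; then
    echo "FAIL: server.forward-headers-strategy: native is missing" >&2; rc=1
  fi
  return "$rc"
}

# Constructed sample configs (not taken from the sample repository).
GOOD_YML=$(mktemp); BAD_YML=$(mktemp)
cat >"$GOOD_YML" <<'EOF'
azure:
  activedirectory:
    tenant-id: 00000000-0000-0000-0000-000000000000   # placeholder
    client-id: 11111111-1111-1111-1111-111111111111   # placeholder
    post-logout-redirect-uri: https://example-domain.azurewebsites.net
server:
  forward-headers-strategy: native
  tomcat:
    remoteip:
      protocol-header: "X-Forwarded-Proto"
      remote-ip-header: "X-Forwarded-For"
      internal-proxies: ".*"
EOF
cat >"$BAD_YML" <<'EOF'
azure:
  activedirectory:
    client-id: 11111111-1111-1111-1111-111111111111   # placeholder
    client-secret: not-a-real-secret                  # must not be deployed
    post-logout-redirect-uri: http://localhost:8080
EOF
check_app_yml "$GOOD_YML" example-domain && echo "OK: safe to deploy"
check_app_yml "$BAD_YML" example-domain || echo "blocked: fix the config first"
```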
### Step 3: Deploy the web app

This guide is for deploying to Azure App Service via the Azure Maven web app plugin.

- Set up the configuration for the Azure web app Maven plugin.
  - Open a terminal window in the base directory of your Java Spring 5 project and enter the following command:

    ```shell
    mvn com.microsoft.azure:azure-webapp-maven-plugin:1.13.0:config
    ```

  - You will be asked to choose a Java SE Web App. Enter the option number corresponding to the app you created in the section Create a new app on Azure App Service, e.g., the option number corresponding to `example-domain (linux, java 11-java11)`. Press Enter. Confirm that the details are correct and press Enter again to continue. This will add deployment configuration settings to your `pom.xml` file.
- Deploy the web app using the Azure web app Maven plugin.
  - In the terminal window, enter the following command:

    ```shell
    mvn clean package azure-webapp:deploy
    ```

    Note that the above package step requires the `spring-boot-maven-plugin` plugin and its `repackage` goal defined in the `project/build/plugins` section of the `pom.xml`. If you don't have this plugin and goal defined in your project, use this command instead: `mvn clean package spring-boot:repackage azure-webapp:deploy`.
The deployment should be finished in a few minutes. A status message will appear at the bottom right of your VS Code window, and you will be notified when the deployment completes.
### Step 4: Update your Microsoft Entra app registration's redirect URIs

- Navigate to the home page of your deployed app; take note of and copy the redirect_uri displayed on the home page.
- Navigate back to the Microsoft Entra admin center.
- In the left-hand navigation pane, select the Microsoft Entra ID service, and then select App registrations.
- In the resulting screen, select the name of your application.
- In the Authentication blade, paste the URI you copied earlier from your deployed app instance. If the app had multiple redirect URIs, make sure to add new corresponding entries using the App Service's full domain in lieu of `http://localhost:8080` for each redirect URI. For example, this might be `https://example-domain.azurewebsites.net/login/oauth2/code/`. Save the configuration.
- From the Branding menu, update the Home page URL to the address of your service, for example `https://example-domain.azurewebsites.net/`. Save the configuration.
- Disable App Service's default authentication: navigate to the Azure App Service portal and locate your project. Once you do, click on the Authentication/Authorization blade. There, make sure that App Service Authentication is switched off (and nothing else is checked), as this sample is using MSAL for authentication.
- You're done! Try navigating to the hosted app (e.g., `https://example-domain.azurewebsites.net/`)!
## We'd love your feedback!

Were we successful in addressing your learning objective? Consider taking a moment to share your experience with us.
## More information

For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Microsoft Entra ID.
## Community Help and Support

Use Stack Overflow to get support from the community. Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before. Make sure that your questions or comments are tagged with [`azure-ad` `azure-ad-b2c` `ms-identity` `msal` `java`].
If you find a bug in the sample, please raise the issue on GitHub Issues.
To provide a recommendation, visit the following User Voice page.
## Contributing

If you'd like to contribute to this sample, see CONTRIBUTING.MD.
## Code of Conduct

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact opencode@microsoft.com with any additional questions or comments.