
For AAD resource-server, create grantedAuthority by both "roles" and "claims" by default. #19412

Conversation

ZhuXiaoBing-cn (Contributor)

For AAD resource-server, create grantedAuthority by both "roles" and "claims" by default.

@ghost ghost added the azure-spring All azure-spring related issues label Feb 24, 2021
Review comment on lines 37 to 40:

```java
for (String claimName : WELL_KNOWN_AUTHORITIES_CLAIM_NAMES) {
    if (jwt.containsClaim(claimName)) {
        Object authorities = jwt.getClaim(claimName);
        if (authorities instanceof String) {
```
Reviewer (Contributor):

How about

```java
if (jwt.getClaim(claimName) instanceof String)
```

* Simplify the code, remove unnecessary variables.
@saragluna saragluna added the azure-spring-aad Spring active directory related issues. label Mar 3, 2021
* Update unit tests.
* Remove setJwtGrantedAuthoritiesConverter method.
@ZhuXiaoBing-cn ZhuXiaoBing-cn requested a review from stliu as a code owner March 4, 2021 08:18
Review comment on the unit-test change:

```java
when(jwt.containsClaim("roles")).thenReturn(true);
AADJwtBearerTokenAuthenticationConverter converter = new AADJwtBearerTokenAuthenticationConverter("roles", "ROLE_");
AADJwtBearerTokenAuthenticationConverter converter = new AADJwtBearerTokenAuthenticationConverter("roles",
```
Reviewer (Member):

We use roles + "APPROLE_" as a default, maybe we should use another combination here.

@saragluna (Member)

/azp run java - spring - tests

@azure-pipelines

Azure Pipelines successfully started running 1 pipeline(s).

@saragluna (Member)

/check-enforcer override

@saragluna saragluna merged commit 0373b50 into Azure:master Mar 5, 2021
@saragluna saragluna added this to the [2021] April milestone Mar 22, 2021
@mattstrain commented Jun 7, 2021

Hi just wondering why you chose

```java
private static final String DEFAULT_ROLES_AUTHORITY_PREFIX = "APPROLE_";
```

and not

```java
private static final String DEFAULT_ROLES_AUTHORITY_PREFIX = "ROLE_";
```

The effect of this is that you now MUST use `@PreAuthorize("hasAuthority('APPROLE_ADMIN')")` and NOT `@PreAuthorize("hasRole('ADMIN')")` as it will no longer work. This means we have to refactor a lot of our codebase :-(!

From https://www.baeldung.com/spring-security-expressions

> Roles and authorities are similar in Spring.
>
> The main difference is that roles have special semantics – starting with Spring Security 4, the 'ROLE_' prefix is automatically added (if it's not already there) by any role related method.
>
> So hasAuthority('ROLE_ADMIN') is similar to hasRole('ADMIN') because the 'ROLE_' prefix gets added automatically.

@mattstrain commented

Ok no biggie, so I worked out we can pass our own converter in AADResourceServerWebSecurityConfigurerAdapter like this `http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(tokenConverter);` and then created a converter which maps to ROLE_.
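One way to write the converter mattstrain describes, which also mirrors the claim-iteration shown in the reviewed diff above (well-known claim names, string or list values). This is an added example, not code from this PR or from the azure-spring SDK; the claim names, the prefixes and the class name are assumptions.

```java
// Added example, not code from this PR or the azure-spring SDK. Claim names, prefixes
// and the constructor arguments are assumptions; AAD puts "roles" in a JSON array and
// "scp" in a space-separated string, and both shapes are handled below.
import java.util.*;
import java.util.stream.Collectors;
import org.springframework.core.convert.converter.Converter;
import org.springframework.security.authentication.AbstractAuthenticationToken;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;

public class RolePrefixJwtConverter implements Converter<Jwt, AbstractAuthenticationToken> {
    // claim name -> authority prefix, e.g. "roles" -> "ROLE_" so hasRole("ADMIN") matches
    private final Map<String, String> claimPrefixes;

    public RolePrefixJwtConverter(Map<String, String> claimPrefixes) {
        this.claimPrefixes = claimPrefixes;
    }

    @Override
    public AbstractAuthenticationToken convert(Jwt jwt) {
        return new JwtAuthenticationToken(jwt, extractAuthorities(jwt));
    }

    // Visible for testing: builds the authority set without wrapping it in a token.
    Set<GrantedAuthority> extractAuthorities(Jwt jwt) {
        Set<GrantedAuthority> out = new LinkedHashSet<>();
        for (Map.Entry<String, String> e : claimPrefixes.entrySet()) {
            Object claim = jwt.getClaim(e.getKey());
            List<String> values;
            if (claim instanceof String) {
                values = Arrays.asList(((String) claim).trim().split("\\s+"));
            } else if (claim instanceof Collection) {
                values = ((Collection<?>) claim).stream().map(String::valueOf).collect(Collectors.toList());
            } else {
                continue; // claim absent or of an unexpected type: it contributes nothing
            }
            for (String v : values) {
                if (!v.isEmpty()) {
                    out.add(new SimpleGrantedAuthority(e.getValue() + v));
                }
            }
        }
        return out;
    }
}
```

Registering it in a subclass of AADResourceServerWebSecurityConfigurerAdapter with `http.oauth2ResourceServer().jwt().jwtAuthenticationConverter(new RolePrefixJwtConverter(Map.of("roles", "ROLE_", "scp", "SCOPE_")))` keeps `hasRole('ADMIN')` working while still granting scope authorities.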

azure-sdk pushed a commit to azure-sdk/azure-sdk-for-java that referenced this pull request Jun 23, 2022
Mitryakh/network 2022 01 01 (Azure#19412)

* Adds base for updating Microsoft.Network from version stable/2021-08-01 to version 2022-01-01

* Updates readme

* Updates API version in new specs and examples

* Updated Explicit proxy settings by adding one boolean field to it (Azure#19011)

* API for provider port (Azure#19041)

* Update readme.md

* Create expressRouteProviderPort.json

* Create expressRouteProviderPortList.json

* Create expressRouteProviderPort.json

* Update custom-words.txt

* Update expressRouteProviderPort.json

* Update expressRouteProviderPortList.json

* Update expressRouteProviderPort.json

* Add WAF match variable operators (Azure#18925)

### webapplicationfirewall.json
* Add GreaterThanOrEquals operator and Any operator to custom rule
  match conditions in WAF policy spec

* Add VirtualHub Router autoscale configuration (Azure#19131)

Co-authored-by: Andrii Kalinichenko <[email protected]>

* Adding rule priority to Tls Proxy routing rule object model (Azure#19135)

Co-authored-by: Vinay Mundada <[email protected]>

* swagger changes for new ssl policies (Azure#19183)

* Update Swagger Spec for VMSS Packet Capture (Azure#19202)

* Update Swagger Spec for VMSS Packet Capture

* Remove extra line

* Update Swagger spec for Connection Monitor VMSS (Azure#19203)

* Adding new endpoint in ConnectionMonitor

* Changing ConnectionMonitor endpoints order

* Add flushConnection to NSG (Azure#19085)

* Merge NetworkManger into 2022-01-01 (Azure#19169)

* Merge NetworkManger into 2022-01-01

* Remove EffectiveVnet APIs

* Remove SecurityUser Resource

* update readme

* Fix as comments

* fix as comments

* remove network group type

* Add new parameter noInternetAdvertise to CustomIPPrefix (Azure#19340)

* fix

* fix

Co-authored-by: Weiheng Li <[email protected]>

* Route Server Integration feature swagger changes (Azure#19215)

* Route Server Integration feature swagger changes

* prettier run changes

* updating api version in examples file

* fixing test errors

* fixing test errors

* fixing modelvalidation errors

* fixing test errors

* fixing modelvalidation errors

* changes based on review comments

* fixing lintdiff failure

* updating examples

* update wrong enum value for customipprefix (Azure#19382)

* fix

* fix

* fix

Co-authored-by: Weiheng Li <[email protected]>

* Updated ExplicitProxySettings to ExplicitProxy on Firewall Policy ver2022-01-01 (Azure#19299)

Co-authored-by: Gizachew Eshetie <[email protected]>

* Add resource type (Azure#19434)

Co-authored-by: Andrii Kalinichenko <[email protected]>

* Fix prettier errors (Azure#19462)

Co-authored-by: Andrii Kalinichenko <[email protected]>

Co-authored-by: uditmisra52 <[email protected]>
Co-authored-by: jashsing-mic <[email protected]>
Co-authored-by: Anurag Kishore <[email protected]>
Co-authored-by: AndriiKalinichenko <[email protected]>
Co-authored-by: Andrii Kalinichenko <[email protected]>
Co-authored-by: Vinay Jayant Mundada <[email protected]>
Co-authored-by: Vinay Mundada <[email protected]>
Co-authored-by: kaushik-ms <[email protected]>
Co-authored-by: snagpal99 <[email protected]>
Co-authored-by: kumaam <[email protected]>
Co-authored-by: Satya-anshu <[email protected]>
Co-authored-by: yanfa317 <[email protected]>
Co-authored-by: Weiheng Li <[email protected]>
Co-authored-by: Weiheng Li <[email protected]>
Co-authored-by: Anchal Kapoor <[email protected]>
Co-authored-by: Gizachew-Eshetie <[email protected]>
Co-authored-by: Gizachew Eshetie <[email protected]>