Request for Developer Support: Security Filter with Spring Boot 3.+ #695

Open
2 tasks done
BillyBolton opened this issue May 24, 2023 · 3 comments
Labels
azure-spring All azure-spring related issues

Comments


BillyBolton commented May 24, 2023

Query/Question
Note: I have also asked this question on StackOverflow here

I would like to use SecurityFilters instead of fine-grained annotations for protecting a resource server's endpoints. However, it does not seem easily possible to add a whitelist to some of these endpoints when doing so. Either both will be blocked or both will be permitted.

I'm wondering what I may be doing wrong with the following example:

Gradle dependencies:

implementation 'com.azure.spring:spring-cloud-azure-starter-active-directory:5.1.0'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.1.0'

application.properties

# ...
spring.cloud.azure.active-directory.enabled=true
spring.cloud.azure.active-directory.credential.client-id=${client-id}
spring.cloud.azure.active-directory.app-id-uri=${app-id-uri}

Example AadOAuth2ResourceServerSecurityConfig

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
@EnableMethodSecurity
public class AadOAuth2ResourceServerSecurityConfig {

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer())
                .and()
                .authorizeHttpRequests()
                .requestMatchers("/api/docs/**").permitAll()
                .requestMatchers("/api/**").hasRole("ADMIN") // any other than "/api/docs/**"
        ;
        return http.build();
    }
}

Why is this not a Bug or a feature Request?
This is a request for support from Azure developers.

Setup (please complete the following information if applicable):

  • OS: MacOS 13.4
  • IDE: IntelliJ
  • Sample Path:

Note: this seems old for Spring Boot 3.+
https://github.com/Azure-Samples/azure-spring-boot-samples/blob/main/aad/spring-cloud-azure-starter-active-directory/aad-resource-server-by-filter/src/main/java/com/azure/spring/sample/aad/security/WebSecurityConfig.java

However, I've followed the documentation here:
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/secure-your-restful-api-using-spring-cloud-azure

  • Library/Libraries:
implementation 'com.azure.spring:spring-cloud-azure-starter-active-directory:5.1.0'
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server:3.1.0'

Information Checklist

  • Query Added
  • Setup information Added
@BillyBolton BillyBolton added the azure-spring All azure-spring related issues label May 24, 2023
@cheikh-diop

Hello @BillyBolton, it's working for me with the following configuration:

http.apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer())
        .and()
        .authorizeHttpRequests((requests) -> requests
                .requestMatchers("url to allow").permitAll()
                .anyRequest().authenticated());
// @Formatter:on
return http.build();

@BillyBolton
Author

Hi @cheikh-diop , thanks for the response.

Your response is similar to the example that is not working for me, but excluding the other endpoint that I need to have a specific Role/Permission/Scope for.

In my example, either both endpoints will be permitted or both will be blocked (when attempting different things).

@moarychan
Contributor

Hi @BillyBolton thanks for using Spring Cloud Azure!

You can try to configure a WebSecurityCustomizer bean for the path /api/docs/**; see more at https://docs.spring.io/spring-security/reference/5.8/migration/servlet/config.html#_publish_a_websecuritycustomizer_bean
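
What the WebSecurityCustomizer suggestion above could look like, as an added example that is not code from this issue or from Spring Cloud Azure. The class and bean names are hypothetical, and the import package for AadResourceServerHttpSecurityConfigurer is an assumption for the 5.1.0 starter.

```java
package com.example.security; // hypothetical package

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
import org.springframework.security.web.SecurityFilterChain;

// Assumed location of the configurer in spring-cloud-azure-starter-active-directory 5.1.0.
import com.azure.spring.cloud.autoconfigure.implementation.aad.security.AadResourceServerHttpSecurityConfigurer;

@Configuration(proxyBeanMethods = false)
@EnableWebSecurity
public class DocsIgnoringSecurityConfig { // hypothetical class name

    // Requests matching /api/docs/** never enter the security filter chain:
    // no bearer-token parsing, no authorization rules, no security headers.
    @Bean
    public WebSecurityCustomizer docsWebSecurityCustomizer() {
        return web -> web.ignoring().requestMatchers("/api/docs/**");
    }

    // Every other request goes through the AAD resource-server filter chain.
    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http.apply(AadResourceServerHttpSecurityConfigurer.aadResourceServer());
        http.authorizeHttpRequests(requests -> requests
                // Same rule as in the issue's example; the docs path is
                // already excluded by the customizer above.
                .requestMatchers("/api/**").hasRole("ADMIN")
                // Deny-by-default for anything not matched explicitly.
                .anyRequest().authenticated());
        return http.build();
    }
}
```

Because ignored paths skip every Spring Security filter, keep the ignoring() pattern as narrow as possible. Spring Security logs a startup warning for each ignored matcher and recommends permitAll in authorizeHttpRequests where the path can stay inside the chain.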
