page_type | languages | products | urlFragment | description | ||||
---|---|---|---|---|---|---|---|---|
sample |
|
|
msal-java-spring-boot-groups |
This sample demonstrates a Java Spring Boot web app that authenticates users against Microsoft Entra ID |
Enable your Java Spring boot web app to restrict access to routes using security groups with the Microsoft identity platform
- Overview
- Scenario
- Contents
- Prerequisites
- Setup
- Clone or download this repository
- Register the sample application with your Microsoft Entra tenant
- Choose the Microsoft Entra tenant where you want to create your applications
- Register the web app (java-spring-webapp-groups)
- Create Security Groups
- Configure Security Groups
- Configure your code sample to use your app registration and security groups (java-spring-webapp-groups)
- Running the sample
- Explore the sample
- We'd love your feedback!
- About the code
- More information
- Community Help and Support
- Contributing
This sample demonstrates a Java Spring Boot web app that uses the Microsoft Entra ID Spring Boot Starter client library for Java for authentication, authorization, and token acquisition with the OpenID Connect protocol to sign in users, and restricts access to pages based on Microsoft Entra ID security group membership.
An Identity Developer session covered Microsoft Entra app roles and security groups, featuring this scenario and how to handle the overage claim. Watch the video Using Security Groups and Application Roles in your apps
- This web application uses Microsoft Entra ID Spring Boot Starter client library for Java to sign in users a Microsoft Entra tenant and obtains an ID Token from Microsoft Entra ID.
- The ID Token contains the groups claim. The application loads these claims into Spring GrantedAuthorities list for the signed-in user. These values determine which pages the user is authorized to access.
File/folder | Description |
---|---|
AppCreationScripts/ |
Scripts to automatically configure Microsoft Entra app registrations. |
pom.xml |
Application dependencies. |
src/main/resources/templates/ |
Thymeleaf Templates for UI. |
src/main/resources/application.yml |
Application and Microsoft Entra ID Boot Starter Library Configuration. |
src/main/java/com/microsoft/azuresamples/msal4j/msidentityspringbootwebapp/ |
This directory contains the main application entry point, controller, and config classes. |
.../MsIdentitySpringBootWebappApplication.java |
Main class. |
.../SampleController.java |
Controller with endpoint mappings. |
.../SecurityConfig.java |
Security Configuration (e.g., which routes require authentication?). |
.../Utilities.java |
Utility Class (e.g., filter ID token claims) |
CHANGELOG.md |
List of changes to the sample. |
CONTRIBUTING.md |
Guidelines for contributing to the sample. |
LICENSE |
The license for the sample. |
- JDK Version 15. This sample has been developed on a system with Java 15 but may be compatible with other versions.
- Maven 3
- Java Extension Pack for Visual Studio Code is recommended for running this sample in VSCode.
- An Microsoft Entra ID tenant. For more information see: How to get a Microsoft Entra tenant
- A user account in your Microsoft Entra ID tenant. This sample will not work with a personal Microsoft account. Therefore, if you signed in to the Microsoft Entra admin center with a personal account and have never created a user account in your directory before, you need to do that now.
- Two security groups, named AdminGroup and UserGroup, containing the user(s) with whom you want to sign and test this sample. Or, you may add the user to two existing security groups in your tenant. If you choose to use existing groups, be sure to modify the sample configuration to use your existing security groups' name and object ID.
From your shell or command line:
git clone https://github.com/Azure-Samples/ms-identity-java-spring-tutorial.git
cd ms-identity-java-spring-tutorial
cd 3-Authorization-II/groups
or download and extract the repository .zip file.
⚠️ To avoid path length limitations on Windows, we recommend cloning into a directory near the root of your drive.
There is one project in this sample. To register it, you can:
- follow the steps below for manually register your apps
- or use PowerShell scripts that:
- automatically creates the Microsoft Entra applications and related objects (passwords, permissions, dependencies) for you.
- modify the projects' configuration files.
Expand this section if you want to use this automation:
⚠️ If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.
-
On Windows, run PowerShell as Administrator and navigate to the root of the cloned directory
-
If you have never used Azure AD Powershell before, we recommend you go through the App Creation Scripts once to ensure that your environment is prepared correctly for this step.
-
In PowerShell run:
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
-
Run the script to create your Microsoft Entra application and configure the code of the sample application accordingly.
-
In PowerShell run:
cd .\AppCreationScripts\ .\Configure.ps1
Other ways of running the scripts are described in App Creation Scripts The scripts also provide a guide to automated application registration, configuration and removal which can help in your CI/CD scenarios.
- Sign in to the Microsoft Entra admin center.
- If your account is present in more than one Microsoft Entra tenant, select your profile at the top right corner in the menu on top of the page, and then switch directory to change your portal session to the desired Microsoft Entra tenant.
- Navigate to the Microsoft Entra admin center and select the Microsoft Entra ID service.
- Select the App Registrations blade on the left, then select New registration.
- In the Register an application page that appears, enter your application's registration information:
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
java-spring-webapp-groups
. - Under Supported account types, select Accounts in this organizational directory only.
- In the Redirect URI (optional) section, select Web in the combo-box and enter the following redirect URI:
http://localhost:8080/login/oauth2/code/
.
- In the Name section, enter a meaningful application name that will be displayed to users of the app, for example
- Select Register to create the application.
- In the app's registration screen, find and note the Application (client) ID. You use this value in your app's configuration file(s) later in your code.
- Select Save to save your changes.
- In the app's registration screen, select the Certificates & secrets blade in the left to open the page where you can generate secrets and upload certificates.
- In the Client secrets section, select New client secret:
- Type a key description (for instance
app secret
), - Select one of the available key durations (6 months, 12 months or Custom) as per your security posture.
- The generated key value will be displayed when you select the Add button. Copy and save the generated value for use in later steps.
- You'll need this key later in your code's configuration files. This key value will not be displayed again, and is not retrievable by any other means, so make sure to note it from the Microsoft Entra admin center before navigating to any other screen or blade.
- Type a key description (for instance
- In the app's registration screen, select the API permissions blade in the left to open the page where we add access to the APIs that your application needs.
- Select the Add a permission button and then,
- Ensure that the Microsoft APIs tab is selected.
- In the Commonly used Microsoft APIs section, select Microsoft Graph
- In the Delegated permissions section, select the GroupMember.Read.All in the list. Use the search box if necessary. This permission is necessary for getting group memberships via Graph if the overage scenario occurs.
- Click the button to grant admin consent for GroupMember.Read.All.
- Select the Add permissions button at the bottom.
- Navigate to the Microsoft Entra admin center and select the Microsoft Entra ID service.
- Select Groups blade on the left.
- In the Groups blade, select New Group.
- For Group Type, select Security
- For Group Name, enter AdminGroup
- For Group Description, enter Admin Security Group
- Add Group Owners and Group Members that you want to use and test in this sample.
- Select Create.
- In the Groups blade, select New Group.
- For Group Type, select Security
- For Group Name, enter UserGroup
- For Group Description, enter User Security Group
- Add Group Owners and Group Members that you want to use and test in this sample.
- Select Create.
For more information, visit: Create a basic group and add members using Microsoft Entra ID
You have two different options available to you on how you can further configure your application to receive the groups
claim.
- Receive all the groups that the signed-in user is assigned to in a Microsoft Entra tenant, included nested groups.
- Receive the groups claim values from a filtered set of groups that your application is programmed to work with (Not available in the Microsoft Entra ID Free edition).
To get the on-premise group's
samAccountName
orOn Premises Group Security Identifier
instead of Group ID, please refer to the document Configure group claims for applications with Microsoft Entra ID.
Configure your application to receive all the groups the signed-in user is assigned to, including nested groups
- In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
- Select the Add groups claim button on top to open the Edit Groups Claim screen.
- Select
Security groups
or theAll groups (includes distribution lists but not groups assigned to the application)
option. Choosing both negates the effect ofSecurity Groups
option. - Under the ID section, select
Group ID
. This will result in Microsoft Entra ID sending the object id of the groups the user is assigned to in the groups claim of the ID Token that your app receives after signing-in a user.
Configure your application to receive the groups
claim values from a filtered set of groups a user may be assigned to
- This option is useful when your application is interested in a selected set of groups that a signing-in user may be assigned to and not every security group this user is assigned to in the tenant. This option also saves your application from running into the overage issue.
- This feature is not available in the Microsoft Entra ID Free edition.
- Nested group assignments are not available when this option is utilized.
- In the app's registration screen, select the Token Configuration blade in the left to open the page where you can configure the claims provided tokens issued to your application.
- Select the Add groups claim button on top to open the Edit Groups Claim screen.
- Select
Groups assigned to the application
.- Choosing additional options like
Security Groups
orAll groups (includes distribution lists but not groups assigned to the application)
will negate the benefits your app derives from choosing to use this option.
- Choosing additional options like
- Under the ID section, select
Group ID
. This will result in Microsoft Entra ID sending the object id of the groups the user is assigned to in thegroups
claim of the ID Token that your app receives after signing-in a user. - If you are exposing a Web API using the Expose an API option, then you can also choose the
Group ID
option under the Access section. This will result in Microsoft Entra ID sending the Object ID of the groups the user is assigned to in thegroups
claim of the Access Token issued to the client applications of your API. - In the app's registration screen, select on the Overview blade in the left to open the Application overview screen. Select the hyperlink with the name of your application in Managed application in local directory (note this field title can be truncated for instance
Managed application in ...
). When you select this link you will navigate to the Enterprise Application Overview page associated with the service principal for your application in the tenant where you created it. You can navigate back to the app registration page by using the back button of your browser. - Select the Users and groups blade in the left to open the page where you can assign users and groups to your application.
- Select the Add user button on the top row.
- Select User and Groups from the resultant screen.
- Choose the groups that you want to assign to this application.
- Click Select in the bottom to finish selecting the groups.
- Select Assign to finish the group assignment process.
- Your application will now receive these selected groups in the
groups
claim when a user signing in to your app is a member of one or more these assigned groups.
- Select the Properties blade in the left to open the page that lists the basic properties of your application.Set the User assignment required? flag to Yes.
💡 Important security tip
When you set User assignment required? to Yes, Microsoft Entra ID will check that only users assigned to your application in the Users and groups blade are able to sign-in to your app. You can assign users directly or by assigning security groups they belong to.
Configure your code sample to use your app registration and security groups (java-spring-webapp-groups)
Open the project in your IDE (like Visual Studio or Visual Studio Code) to configure the code.
In the steps below, "ClientID" is the same as "Application ID" or "AppId".
Open the src\main\resources\application.yml
file.
- Find the key
Enter_Your_Tenant_ID_Here
and replace the existing value with your Microsoft Entra tenant ID. - Find the key
Enter_Your_Client_ID_Here
and replace the existing value with the application ID (clientId) ofjava-spring-webapp-groups
app copied from the Microsoft Entra admin center. - Find the key
Enter_Your_Client_Secret_Here
and replace the existing value with the key you saved during the creation ofjava-spring-webapp-groups
copied from the Microsoft Entra admin center. - Find the key
Enter_Your_Admin_Group_ID_Here
and replace the existing value with objectId of your AdminGroup. - Find the key
Enter_Your_User_Group_ID_Here
and replace the existing value with the objectId of your UserGroup
Open the src/main/java/com/microsoft/azuresamples/msal4j/msidentityspringbootwebapp/SampleController.java
file.
- Find the key
Enter_Your_Admin_Group_ID_Here
and replace the existing value with objectId of your AdminGroup. - Find the key
Enter_Your_User_Group_ID_Here
and replace the existing value with the objectId of your UserGroup
To run the sample in Visual Studio Code, ensure that you have installed the Java Extension Pack. To run this sample from the terminal, follow the steps below.
- Open a terminal or the integrated VSCode terminal.
- In the same directory as this readme file, run
mvn clean compile spring-boot:run
. - Open your browser and navigate to
http://localhost:8080
.
- Note the signed-in or signed-out status displayed at the center of the screen.
- Click the context-sensitive button at the top right (it will read
Sign In
on first run) - Alternatively, click the link to
token details
,admins only
orregular users
. Since these are protected pages that require authentication, you'll be automatically redirected to the sign-in page. - Follow the instructions on the next page to sign in with an account in the Microsoft Entra tenant.
- On the consent screen, note the scopes that are being requested.
- Upon successful completion of the sign-in flow, you should be redirected to the home page (
sign in status
), or one of the other pages, depending on which button triggered your sign-in flow. - Note the context-sensitive button now says
Sign out
and displays your username to its left. - If you are on the home page, you'll see an option to click ID Token Details: click it to see some of the ID token's decoded claims, including groups.
- Click the Admins Only button to view the
/admin_only
. Only users belonging to the AdminGroup security group will be able to view this page. Otherwise an authorization failure message will be displayed. - Click the Regular Users button to view the
/regular_user
page. Only users belonging to the UserGroup security group will be able to view this page. Otherwise an authorization failure message will be displayed. - You can also use the button on the top right to sign out. The status page will reflect this.
ℹ️ Did the sample not work for you as expected? Then please reach out to us using the GitHub Issues page.
Were we successful in addressing your learning objective? Consider taking a moment to share your experience with us.
This sample demonstrates how to use Microsoft Entra ID Spring Boot Starter client library for Java to sign in users into your Microsoft Entra tenant. It also makes use of Spring Oauth2 Client and Spring Web boot starters. It uses claims from ID Token obtained from Microsoft Entra ID to display details of the signed-in user, and to restrict access to some pages by using the groups claim for authorization.
Create a new Java Maven project and copy the pom.xml
file from this project, and the src
folder of this repository.
If you'd like to create a project like this from scratch, you may use Spring Initializer:
- For Packaging, select
Jar
- For Java select version
11
- For Dependencies, add the following:
- Microsoft Entra ID
- Spring Oauth2 Client
- Spring Web
- Be sure that it comes with Azure SDK version 3.5 or higher. If not, please consider replacing the pre-configured
pom.xml
with thepom.xml
from this repository.
To extract token details, make use of Spring Security's AuthenticationPrincipal
and OidcUser
object in a request mapping. See the Sample Controller for an example of this app making use of ID Token claims.
import org.springframework.security.oauth2.core.oidc.user.OidcUser;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
//...
@GetMapping(path = "/some_path")
public String tokenDetails(@AuthenticationPrincipal OidcUser principal) {
Map<String, Object> claims = principal.getIdToken().getClaims();
}
The name of the the roles that the signed-in user is assigned to is returned in the groups
claim of the token.
{
...
"groups": [
"xyz-id-xyz",
"xyz-id-xyz",]
...
}
A common way to access them is documented in the ID Token Claims section above.
Microsoft Entra ID Boot Starter (v3.5 and above) parses the groups claim automatically and adds each group to the signed in user's Authorities. This allows developers to make use of groups with Spring PrePost condition annotations using the hasAuthority
method. For example, you'll find the following @PreAuthorize
conditions demonstrated in SampleController.java
:
@GetMapping(path = "/admin_only")
@PreAuthorize("hasAuthority('enter-admin-group-id-here')")
public String adminOnly(Model model) {
// restrict to users who belong to AdminGroup
}
@GetMapping(path = "/regular_user")
@PreAuthorize("hasAnyAuthority('enter-user-group-id-here','enter-admin-group-id-here')")
public String regularUser(Model model) {
// restrict to users who belong to any of UserGroup or AdminGroup
}
To see a full list of authorities for a given user:
@GetMapping(path = "/some_path")
public String tokenDetails(@AuthenticationPrincipal OidcUser principal) {
Collection<? extends GrantedAuthority> authorities = principal.getAuthorities();
}
To sign in, you must make a request to the Microsoft Entra ID sign-in endpoint that is automatically configured by Microsoft Entra ID Spring Boot Starter client library for Java.
<a class="btn btn-success" href="/oauth2/authorization/azure">Sign In</a>
To sign out, you must make POST request to the logout endpoint.
<form action="#" th:action="@{/logout}" method="post">
<input class="btn btn-warning" type="submit" value="Sign Out" />
</form>
This app has some simple logic in the UI template pages for determining content to display based on whether the user is authenticated or not. For example, the following Spring Security Thymeleaf tags may be used:
<div sec:authorize="isAuthenticated()">
this content only shows to authenticated users
</div>
<div sec:authorize="isAnonymous()">
this content only shows to not-authenticated users
</div>
By default, this app protects the ID Token Details, Admins Only and Regular Users pages so that only logged-in users can access them. This app uses configures these routes from the app.protect.authenticated
property from the application.yml
file. To configure your app's specific requirements, extend Microsoft Entra IDWebSecurityConfigurationAdapter
in one of your classes. For an example, see this app's SecurityConfig class.
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfig extends aadwebsecurityconfigureradapter{
@Value( "${app.protect.authenticated}" )
private String[] protectedRoutes;
@Override
public void configure(HttpSecurity http) throws Exception {
// use required configuration form Microsoft Entra IDWebSecurityAdapter.configure:
super.configure(http);
// add custom configuration:
http.authorizeRequests()
.antMatchers(protectedRoutes).authenticated() // limit these pages to authenticated users (default: /token_details, /admin_only, /regular_user)
.antMatchers("/**").permitAll(); // allow all other routes.
}
}
To ensure that the token size doesn’t exceed HTTP header size limits, the Microsoft Identity Platform limits the number of object Ids that it includes in the groups claim.
If a user is member of more groups than the overage limit (150 for SAML tokens, 200 for JWT tokens, 6 for single-page applications), then the Microsoft identity platform does not emit the group IDs in the groups
claim in the token. Instead, it includes an overage claim in the token that indicates to the application to query the MS Graph API to retrieve the user’s group membership.
Microsoft Entra ID Boot Starter (v3.5 and above) parses the groups claim automatically and adds each group to the signed in user's Authorities. It automatically handles the groups overage scenario.
We strongly advise you use the group filtering feature (if possible) to avoid running into group overages.
- You can use the
BulkCreateGroups.ps1
provided in the App Creation Scripts folder to create a large number of groups and assign users to them. This will help test overage scenarios during development. Remember to change the user's objectId provided in theBulkCreateGroups.ps1
script.
When attending to overage scenarios, which requires a call to Microsoft Graph to read the signed-in user's group memberships, your app will need to have the User.Read and GroupMember.Read.All for the getMemberGroups function to execute successfully.
⚠️ For the overage scenario, make sure you have granted Admin Consent for the MS Graph API's GroupMember.Read.All scope for both the Client and the Service apps (see the App Registration steps above).
There is one web app in this sample. To deploy it to Azure App Services, you'll need to:
- create an Azure App Service
- publish the projects to the App Services, and
- update its client(s) to call the website instead of the local environment.
- Navigate back to to the Microsoft Entra admin center. In the left-hand navigation pane, select the Microsoft Entra ID service, and then select App registrations (Preview).
- In the resulting screen, select the
java-spring-webapp-groups
application. - In the app's registration screen, select Authentication in the menu.
- In the Redirect URIs section, update the reply URLs to match the site URL of your Azure deployment. For example:
https://java-spring-webapp-groups.azurewebsites.net/login/oauth2/code/
- In the Redirect URIs section, update the reply URLs to match the site URL of your Azure deployment. For example:
⚠️ If your app is using an in-memory storage, Azure App Services will spin down your web site if it is inactive, and any records that your app was keeping will emptied. In addition, if you increase the instance count of your website, requests will be distributed among the instances. Your app's records, therefore, will not be the same on each instance.
- Microsoft identity platform (Microsoft Entra ID for developers)
- Overview of Microsoft Authentication Library (MSAL)
- Quickstart: Register an application with the Microsoft identity platform (Preview)
- Quickstart: Configure a client application to access web APIs (Preview)
- Understanding Microsoft Entra application consent experiences
- Understand user and admin consent
- Application and service principal objects in Microsoft Entra ID
- National Clouds
- MSAL code samples // Add MSAL-java docs
For more information about how OAuth 2.0 protocols work in this scenario and other scenarios, see Authentication Scenarios for Microsoft Entra ID.
Use Stack Overflow to get support from the community.
Ask your questions on Stack Overflow first and browse existing issues to see if someone has asked your question before.
Make sure that your questions or comments are tagged with [microsoft-entra-id
azure-ad-b2c
ms-identity
adal
msal
].
If you find a bug in the sample, raise the issue on GitHub Issues.
To provide feedback on or suggest features for Microsoft Entra ID, visit User Voice page.
If you'd like to contribute to this sample, see CONTRIBUTING.MD.
This project has adopted the Microsoft Open Source Code of Conduct. For more information, see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.