Securing Spring Boot REST API for different endpoints using AAD and AWS Cognito
php editor Baicao has carefully written a Java Q&A article for you about using AAD and AWS Cognito to protect Spring Boot REST API. In this article, we will explore how to leverage these two authentication services to protect different endpoints and ensure that your API is safe and secure. Follow our guide and learn how to implement authentication and authorization in your Spring Boot project to make your REST API more powerful and reliable.
Question content
Hopefully someone can help me here as I can't find any resources on this topic anywhere.
I have a spring boot restapi, and the current configuration has two routes: 1. Unauthorized 2. Authorized through the bearer of aad/entra
My configuration method is currently set up as follows:
@override
protected void configure(httpsecurity http) throws exception {
super.configure(http);
http.csrf().disable();
http.authorizerequests(requests -> requests
.antmatchers(httpmethod.options, "/**/**").permitall()
.antmatchers("/api/protected/**").fullyauthenticated()
.anyrequest().permitall()
);
}
It is wrapped in a class that extends aadresourceserverwebsecurityconfigureradapter.
By configuring our api in this way, we are able to secure our routes as follows:
@preauthorize("hasauthority('approle_appname.rolename')")
@getmapping(value = "/some-method", produces = mediatype.application_json_value)
public responseentity<list<string>> getstrings() {
return responseentity.ok(...);
}
Our api should now be extended to allow new types of users to use the authorization endpoint. These users are managed by aws cognito. How do I set up my websecurityconfigureradapter to allow some paths to be unauthorized, some paths to be protected via aad, and some paths to be protected via aws cognito?
The main problem I seem to be having is aadresourceserverwebsecurityconfigureradapter configuring jwt validation in such a way that it only works with bearers provided by microsoft.
Ideally I would like something like this:
@configuration
@enablewebsecurity
@enableglobalmethodsecurity(prepostenabled = true)
public class securityconfig extends websecurityconfigureradapter {
@configuration
@order(1)
public static class azureadsecurityconfig extends aadresourceserverwebsecurityconfigureradapter {
@override
protected void configure(httpsecurity http) throws exception {
http.authorizerequests(requests -> requests
.antmatchers("/api/aad/**").fullyauthenticated()
);
http.oauth2resourceserver().jwt([utilize aad jwt validation]);
}
}
@configuration
@order(2)
public static class awscognitosecurityconfig extends websecurityconfigureradapter {
@override
protected void configure(httpsecurity http) throws exception {
http.authorizerequests(requests -> requests
.antmatchers("/api/cognito/**").fullyauthenticated()
);
http.oauth2resourceserver().jwt([utilize aws cognito jwt validation]);
}
}
@configuration
@order(3)
public static class defaultsecurityconfig extends websecurityconfigureradapter {
@override
protected void configure(httpsecurity http) throws exception {
http.csrf().disable();
http.authorizerequests(requests -> requests
.antmatchers(httpmethod.options, "/**/**").permitall()
.anyrequest().permitall()
);
}
}
}
Another issue I found is that aadresourceserverwebsecurityconfigureradapter automatically sets all possible prefixes for the jwtclaimnames "roles" and "scp" to "scope_" and "approle_". Ideally I would like them to be different for aad and aws cognito so that I prefix "aad_scope_", "aad_approle_" and "cognito_group_".
I found some information explaining how to implement multi-tenant jwt authentication for spring boot, but they all only use sql database to implement password/user based authentication.
Is there a way to basically have to re-implement all the aad logic so that I can mix in the validation of the jwt given by aws cognito, or is there a way to make the decision based on routing?
I already know that you can use the oauth2resourceserver() function on httpsecurity to configure jwt usage, but I only found information on how to implement that functionality for a single tenant.
If anyone has successfully implemented this specific or similar case, or can push me in the right direction, I would be very grateful. Or maybe my idea is completely wrong, so please tell me.
Using Working Solutions Update (January 25, 2024)
Thanks to @ch4mp for the answer, I have succeeded. >Working Answers<
My implementation is now highly simplified and looks like this:
application.yml
com:
c4-soft:
springaddons:
oidc:
ops:
- iss: https://cognito-idp.<region>.amazonaws.com/<cognito-pool>
authorities:
- path: $.cognito:groups
prefix: cognito_group_
- iss: https://sts.windows.net/<entra objectid>/
authorities:
- path: $.roles.*
prefix: aad_approle_
- path: $.scp
prefix: aad_scope_
aud: <enterprise application id>
resource-server:
permit-all:
- /api/route/noauth
Security Configuration
package some.package;
import org.springframework.context.annotation.configuration;
import org.springframework.security.config.annotation.method.configuration.enablemethodsecurity;
import org.springframework.security.config.annotation.web.configuration.enablewebsecurity;
@enablewebsecurity
@enablemethodsecurity
@configuration
public class securityconfig { }
My controller now looks like this:
package some.package;
import org.springframework.http.responseentity;
import org.springframework.security.access.prepost.preauthorize;
import org.springframework.security.core.context.securitycontextholder;
import org.springframework.security.oauth2.jwt.jwt;
import org.springframework.web.bind.annotation.getmapping;
import org.springframework.web.bind.annotation.requestmapping;
import org.springframework.web.bind.annotation.restcontroller;
@restcontroller
@requestmapping("/api/route")
public class jwttestcontroller {
@getmapping("/aadauth")
@preauthorize("hasauthority('aad_approle_grantedapprole.xxx')")
public responseentity<string> aadauthrole() {
jwt jwt = (jwt) securitycontextholder.getcontext().getauthentication().getprincipal();
return responseentity.ok(jwt.getclaims().tostring());
}
@getmapping("/aadauth")
@preauthorize("hasauthority('aad_scope_grantedscope.xxx')")
public responseentity<string> aadauthscope() {
jwt jwt = (jwt) securitycontextholder.getcontext().getauthentication().getprincipal();
return responseentity.ok(jwt.getclaims().tostring());
}
@preauthorize("hasauthority('cognito_group_somegroup')")
@getmapping("/cognitoauth")
public responseentity<string> cognitoauth() {
jwt jwt = (jwt) securitycontextholder.getcontext().getauthentication().getprincipal();
return responseentity.ok(jwt.getclaims().tostring());
}
@getmapping("/noauth")
public responseentity<string> noauth() {
return responseentity.ok("hello world!");
}
}
Build.gradle
implementation 'org.springframework.boot:spring-boot-starter-oauth2-resource-server'
implementation 'com.c4-soft.springaddons:spring-addons-starter-oidc:7.3.5'This is not the official launcher of spring, but the oss implementation: https://www.php.cn/link/49844ba129a1cbc3d964703fcdb756ba
I'll update again if I run into any other issues, but for now it's working.
Solution
I'm going to expose a solution here using my starter since it's easier.
If you prefer to build a secure configuration using only the "official" spring boot launcher, you must provide your own authenticationmanagerresolver<httpservletrequest> using the iss declaration, per authentication manager Each server has its own authentication converter and its own permissions converter to handle the origin claims and prefixes you want. Browse my tutorials or official documentation for examples and implementation tips. This other answer may also help (the permission mapping requirements are completely different, but the Authentication Manager resolver is similar).
Use boot 3.2.2 and spring-addons
<?xml version="1.0" encoding="utf-8"?>
<project xmlns="http://maven.apache.org/pom/4.0.0" xmlns:xsi="http://www.w3.org/2001/xmlschema-instance"
xsi:schemalocation="http://maven.apache.org/pom/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelversion>4.0.0</modelversion>
<parent>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-parent</artifactid>
<version>3.2.2</version>
<relativepath/> <!-- lookup parent from repository -->
</parent>
<groupid>com.c4-soft.demo</groupid>
<artifactid>multi-tenant-resource-server</artifactid>
<version>0.0.1-snapshot</version>
<properties>
<java.version>21</java.version>
<spring-addons.version>7.3.5</spring-addons.version>
</properties>
<dependencies>
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-oauth2-resource-server</artifactid>
</dependency>
<dependency>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-starter-web</artifactid>
</dependency>
<dependency>
<groupid>com.c4-soft.springaddons</groupid>
<artifactid>spring-addons-starter-oidc</artifactid>
<version>${spring-addons.version}</version>
</dependency>
<dependency>
<groupid>com.c4-soft.springaddons</groupid>
<artifactid>spring-addons-starter-oidc-test</artifactid>
<version>${spring-addons.version}</version>
<scope>test</scope>
</dependency>
</dependencies>
<build>
<plugins>
<plugin>
<groupid>org.springframework.boot</groupid>
<artifactid>spring-boot-maven-plugin</artifactid>
</plugin>
</plugins>
</build>
</project>
@configuration
@enablemethodsecurity
public class securityconf {
}
Edit the following application.yaml to place your own publisher:
com:
c4-soft:
springaddons:
oidc:
ops:
- iss: https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rzhmglwjl
authorities:
- path: $.cognito:groups
prefix: cognito_group_
- iss: https://sts.windows.net/0a962d63-6b23-4416-81a6-29f88c553998/
authorities:
- path: $.approles.*.displayname
prefix: aad_approle_
- path: $.scope
prefix: aad_scope_
resourceserver:
# spring-addons whitelist is for permitall() (rather than isauthenticated())
# which is probably much safer
permit-all:
- /actuator/health/readiness
- /actuator/health/liveness
- /v3/api-docs/**
- /api/public/**
The value of path above is the json path. You can use tools such as jsonpath.com to test path expressions against your own token payload (extracted using tools such as jwt.io).
Yes, it's that simple. No, I didn't omit any yaml properties or java configuration (if you don't believe me, just test it in a new project).
示例控制器
@restcontroller
public class greetcontroller {
@getmapping("/greet")
@preauthorize("isauthenticated()")
public string getgreet(authentication auth) {
return "hello %s! you are granted with %s.".formatted(auth.getname(), auth.getauthorities());
}
@getmapping(value = "/strings")
@preauthorize("hasanyauthority('aad_approle_admin', 'cognito_group_admin')")
public list<string> getstrings() {
return list.of("protected", "strings");
}
}
示例测试
@webmvctest(controllers = greetcontroller.class)
@autoconfigureaddonswebmvcresourceserversecurity
@import(securityconf.class)
class greetcontrollertest {
@autowired
mockmvcsupport api;
@test
@withanonymoususer
void givenuserisanonymous_whengetgreet_thenunauthorized() throws unsupportedencodingexception, exception {
api.get("/greet").andexpect(status().isunauthorized());
}
@test
@withjwt("aad_admin.json")
void givenuserisaadadmin_whengetgreet_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/greet").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals(
"hello aad-admin! you are granted with [aad_approle_msiam_access, aad_approle_admin, aad_scope_openid, aad_scope_profile, aad_scope_machin:truc].",
actual);
}
@test
@withjwt("cognito_admin.json")
void givenuseriscognitoadmin_whengetgreet_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/greet").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals("hello amazon-cognito-admin! you are granted with [cognito_group_admin, cognito_group_machin:truc].", actual);
}
@test
@withjwt("aad_machin-truc.json")
void givenuserisaadmachintruc_whengetgreet_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/greet").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals("hello aad-user! you are granted with [aad_approle_msiam_access, aad_scope_openid, aad_scope_profile, aad_scope_machin:truc].", actual);
}
@test
@withjwt("cognito_machin-truc.json")
void givenuseriscognitomachintruc_whengetgreet_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/greet").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals("hello amazon-cognito-user! you are granted with [cognito_group_machin:truc].", actual);
}
@test
@withanonymoususer
void givenuserisanonymous_whengetstrings_thenunauthorized() throws unsupportedencodingexception, exception {
api.get("/strings").andexpect(status().isunauthorized());
}
@test
@withjwt("aad_admin.json")
void givenuserisaadadmin_whengetstrings_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/strings").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals("[\"protected\",\"strings\"]", actual);
}
@test
@withjwt("cognito_admin.json")
void givenuseriscognitoadmin_whengetstrings_thenok() throws unsupportedencodingexception, exception {
final var actual = api.get("/strings").andexpect(status().isok()).andreturn().getresponse().getcontentasstring();
assertequals("[\"protected\",\"strings\"]", actual);
}
@test
@withjwt("aad_machin-truc.json")
void givenuserisaadmachintruc_whengetstrings_thenforbidden() throws unsupportedencodingexception, exception {
api.get("/strings").andexpect(status().isforbidden());
}
@test
@withjwt("cognito_machin-truc.json")
void givenuseriscognitomachintruc_whengetstrings_thenforbidden() throws unsupportedencodingexception, exception {
api.get("/strings").andexpect(status().isforbidden());
}
}
使用此测试资源:
aad_admin.json
{
"sub": "aad-admin",
"iss": "https://sts.windows.net/0a962d63-6b23-4416-81a6-29f88c553998/",
"approles": [
{
"allowedmembertypes": [
"user"
],
"description": "msiam_access",
"displayname": "msiam_access",
"id": "ef7437e6-4f94-4a0a-a110-a439eb2aa8f7",
"isenabled": true,
"origin": "application",
"value": null
},
{
"allowedmembertypes": [
"user"
],
"description": "administrators only",
"displayname": "admin",
"id": "4f8f8640-f081-492d-97a0-caf24e9bc134",
"isenabled": true,
"origin": "serviceprincipal",
"value": "administrator"
}
],
"scope": "openid profile machin:truc"
}
aad_machin-truc.json
{
"sub": "aad-user",
"iss": "https://sts.windows.net/0a962d63-6b23-4416-81a6-29f88c553998/",
"approles": [
{
"allowedmembertypes": [
"user"
],
"description": "msiam_access",
"displayname": "msiam_access",
"id": "ef7437e6-4f94-4a0a-a110-a439eb2aa8f7",
"isenabled": true,
"origin": "application",
"value": null
}
],
"scope": "openid profile machin:truc"
}
cognito_admin.json
{
"sub": "amazon-cognito-admin",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_rzhmglwjl",
"cognito:groups": ["admin", "machin:truc"],
"scope": "openid profile cog:scope"
}
cognito_machin-truc.json
{
"sub": "amazon-cognito-user",
"iss": "https://cognito-idp.us-west-2.amazonaws.com/us-west-2_RzhmgLwjl",
"cognito:groups": ["machin:truc"],
"scope": "openid profile cog:scope"
}
The above is the detailed content of Securing Spring Boot REST API for different endpoints using AAD and AWS Cognito. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
The price of Bitcoin since its birth 2009-2025 The most complete summary of BTC historical prices
Jan 15, 2025 pm 08:11 PM
Since its inception in 2009, Bitcoin has become a leader in the cryptocurrency world and its price has experienced huge fluctuations. To provide a comprehensive historical overview, this article compiles Bitcoin price data from 2009 to 2025, covering major market events, changes in market sentiment, and important factors influencing price movements.
What to do if the time is gone in the lower right corner of Windows 11_What to do if the time is gone in the lower right corner of Windows 11
May 06, 2024 pm 01:20 PM
1. First, right-click on the blank space of the taskbar at the bottom of Windows 11 and select [Taskbar Settings]. 2. Find [taskbarcorneroverflow] on the right in the taskbar settings. 3. Then find [clock] or [Clock] above it and select to turn it on. Method 2: 1. Press the keyboard shortcut [win+r] to call up run, enter [regedit] and press Enter to confirm. 2. Open the registry editor, find [HKEY_CURRENT_USERControlPanel] in it, and delete it. 3. After deletion, restart the computer and you will be prompted for configuration. When you return to the system, the time will be displayed.
Are there any community forums or discussion groups for Java functions where I can ask questions and discuss them?
Apr 28, 2024 pm 02:12 PM
Answer: The following community forums and discussion groups are available for Java functional programming questions: StackOverflow: The world's largest programming Q&A website with a community of Java functional programming experts. JavaFunctionalProgramming: A community forum focused on Java functional programming, providing discussions on concepts, language features, and best practices. Redditr/functionaljava: A subreddit focused on functional programming in Java, focusing on tools, libraries, and technologies. Discord: JavaFunctional Programming: Discord service that provides real-time discussion, code sharing and collaboration
How to use other people's code in python
May 05, 2024 pm 07:54 PM
How do I use other people's Python code? Find code repositories: Find the code you need on platforms like PyPI and GitHub. Installation code: Use pip or clone the GitHub repository to install. Import modules: Use the import statement in your script to import installed modules. Working with code: Access functions and classes in modules. (Optional) Adapt the code: Modify the code as needed to fit your project.
What should I do if the time on my win11 computer is always wrong? How to adjust the wrong time on Windows 11 computer
May 03, 2024 pm 09:20 PM
What should I do if the time on my win11 computer is always wrong? We all set the time or calendar when using win11 system, but many users are asking that the computer time is always wrong, so what is going on? Users can directly click on the taskbar below, and then find taskbarcorneroverflow to set it up. Let this site introduce to users in detail how to adjust the time error on Win11 computers. How to adjust the computer time error in Windows 11. Method 1: 1. We first right-click on the blank space of the taskbar below and select Taskbar Settings. Method 2: 1. Press the keyboard shortcut win+r to call up run, enter regedit and press Enter to confirm.
Common exception types and their repair measures in Java function development
May 03, 2024 pm 02:09 PM
Common exception types and their repair measures in Java function development During the development of Java functions, various exceptions may be encountered, which affect the correct execution of the function. The following are common exception types and their repair measures: 1. NullPointerException Description: Thrown when accessing an object that has not been initialized. Fix: Make sure you check the object for non-null before using it. Sample code: try{Stringname=null;System.out.println(name.length());}catch(NullPointerExceptione){
What does overflow mean in css
Apr 28, 2024 pm 03:15 PM
overflow is a property of CSS that is used to control the display mode of element content when it exceeds the container. Available values include: visible: the content is visible, the overflow container is hidden: the overflow content is cut scroll: the scroll bar is displayed to view the overflow content auto: the browser automatically determines Whether to display the scroll bar inherit: inherit the overflow attribute of the parent element
Doesn't anyone take care of Douyin's random accounts? Can I appeal a second time?
May 03, 2024 am 09:37 AM
As a world-renowned short video platform, Douyin has a huge user base and content creators. However, as the platform rules are constantly updated and improved, some users may encounter account bans. This has raised public questions about the transparency and fairness of platform management. This article will discuss the issue of Douyin account bans and whether users have ways to appeal after their accounts are banned. There may be many reasons for being banned on the Douyin platform, including but not limited to illegal content, violation of platform regulations, infringement of other people's rights, etc. In order to maintain the order of the platform and the interests of users, Douyin has set up a series of rules and review mechanisms. When some users violate the rules, their accounts may be banned. However, some users may question or be dissatisfied with the reasons for the ban