
Which azure-spring-boot-sample-active-directory example to use to validate access token in a Spring Boot application coming from a Vue.js application?


I have a frontend application (Vue.js) secured with @azure/msal-browser. I have an "app registration" in Azure validating if a user is part of our AD and if he/she is allowed to access the webpage. This works fine. A user needs to authenticate first before he/she can access the webpages.

The webpage itself executes several AJAX calls towards a REST API, which is nothing more than a Spring Boot application with Spring Web enabled. This backend is not secured ... yet (!).

Goal:

I want to secure the backend so that you can only query the REST API if you have a valid access token. The frontend will add the Authentication: Bearer XXX token when performing calls towards the backend.

I had a look at the examples over here: https://github.com/Azure/azure-sdk-for-java/tree/master/sdk/spring/azure-spring-boot-samples and I see 4 options:

  • azure-spring-boot-sample-active-directory-resource-server-by-filter-stateless
  • azure-spring-boot-sample-active-directory-resource-server-by-filter
  • azure-spring-boot-sample-active-directory-resource-server-obo
  • azure-spring-boot-sample-active-directory-resource-server

The first 2 seem a bit outdated, because if I run them locally, I get all deprecated warnings. But which of these examples would cover my use case?

Summarized:

I want to ...

  • ... authorize the user in the frontend using msal-browser
  • ... perform requests from the frontend (well, the client browser executing AJAX calls) towards the backend by just adding the access token as header
  • ... the backend automatically validates the token and if valid, the backend returns the data

Thanks for any feedback!


Solution

  • @Jochen Hebbrecht,

    I'm the developer of azure-spring-boot-starter-active-directory.

    I think you should choose the last one: azure-spring-boot-sample-active-directory-resource-server.

    Besides, now I suggest you choose another solution: Use spring-security-oauth2-resource-server instead of azure-spring-boot-starter-active-directory.

    Here are the samples: https://github.com/Azure-Samples/azure-spring-boot-samples/tree/0eb5046b48298c9bd681133f4746b9b263becdc9/AzureActiveDirectory/OAuth2

    The sample 03-resource-server is what you want, I think. You can go through these samples one by one to get more information about how to protect your REST API.

    If you have any questions, please create an issue here: https://github.com/Azure-Samples/azure-spring-boot-samples/issues/new

    cc: @Jean-François Fabre, I updated the previous answer, but I cannot undelete the previous answer. So I created a new one.
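A sketch of what the spring-security-oauth2-resource-server approach recommended above looks like, as an added example that is not taken from the linked samples or from the answer's author. It rejects any request without a bearer JWT whose signature, issuer, expiry and audience all check out. The `api.issuer-uri` and `api.audience` property names are hypothetical, their values are placeholders for your own tenant and API app registration, and the lambda-style `HttpSecurity` configuration assumes a recent Spring Security release.

```java
import java.util.List;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.oauth2.core.DelegatingOAuth2TokenValidator;
import org.springframework.security.oauth2.core.OAuth2TokenValidator;
import org.springframework.security.oauth2.jwt.*;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class ApiSecurityConfig {

    // Hypothetical property names; set them in application.properties, e.g.
    //   api.issuer-uri=https://login.microsoftonline.com/<tenant-id>/v2.0
    //   api.audience=<client-id-or-app-id-uri-of-the-API-registration>
    @Value("${api.issuer-uri}") private String issuerUri;
    @Value("${api.audience}") private String audience;

    @Bean
    SecurityFilterChain apiChain(HttpSecurity http) throws Exception {
        http
            // Every endpoint requires a validated token.
            .authorizeHttpRequests(a -> a.anyRequest().authenticated())
            // The token is the only credential: no HTTP session is created.
            .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            // Read the Bearer token from the Authorization header and run it
            // through the JwtDecoder bean below.
            .oauth2ResourceServer(o -> o.jwt(Customizer.withDefaults()));
        return http.build();
    }

    @Bean
    JwtDecoder jwtDecoder() {
        // Fetches the issuer's metadata and signing keys (network call at startup).
        NimbusJwtDecoder decoder = JwtDecoders.fromIssuerLocation(issuerUri);
        // Default checks: exp/nbf timestamps plus an exact match on the iss claim.
        OAuth2TokenValidator<Jwt> issuerAndTime = JwtValidators.createDefaultWithIssuer(issuerUri);
        // Without an aud check, a token issued by the same tenant for a
        // different application would also be accepted.
        OAuth2TokenValidator<Jwt> audienceCheck = new JwtClaimValidator<List<String>>(
            JwtClaimNames.AUD, aud -> aud != null && aud.contains(audience));
        decoder.setJwtValidator(new DelegatingOAuth2TokenValidator<>(issuerAndTime, audienceCheck));
        return decoder;
    }
}
```

The frontend must request its token for a scope exposed by the API's app registration; otherwise the `aud` claim will not match and the backend answers 401.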