Deprecate AADAppRoleStatelessAuthenticationFilter and AADAuthenticati…

…onFilter (#17926)
Azure · Dec 11, 2020 · 0e377a8 · 0e377a8
1 parent 908bc27
commit 0e377a8
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 29 deletions.
diff --git a/sdk/spring/azure-spring-boot-starter-active-directory/README.md b/sdk/spring/azure-spring-boot-starter-active-directory/README.md
@@ -91,6 +91,8 @@ Resource server accesses other resource servers which are protected by Azure AD.
 
 Refer to different samples for different authentication ways. 
 
+**Note**: `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter` will be deprecated. [Click here](https:/Azure/azure-sdk-for-java/issues/17860) to replace it.
+
 ### Authenticate in backend
 
 Please refer to [azure-spring-boot-sample-active-directory-backend](https:/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend/README.md) for authenticate in backend. Or [azure-spring-boot-sample-active-directory-backend-v2](https:/Azure/azure-sdk-for-java/blob/master/sdk/spring/azure-spring-boot-samples/azure-spring-boot-sample-active-directory-backend-v2/README.md) to use Microsoft Graph API instead of Azure Active Directory Graph API.
@@ -156,6 +158,7 @@ public class AADAuthenticationFilterConfigSample extends WebSecurityConfigurerAd
 * Role-based Authorization with annotation `@PreAuthorize("hasRole('GROUP_NAME')")`
 * Role-based Authorization with method `isMemberOf()`
 
+
 ### Authenticate stateless APIs using AAD app roles
 This scenario fits best for stateless Spring backends exposing an API to SPAs ([OAuth 2.0 implicit grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-implicit-grant-flow)) 
 or service-to-service access using the [client credentials grant flow](https://docs.microsoft.com/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow).

diff --git a/sdk/spring/azure-spring-boot/CHANGELOG.md b/sdk/spring/azure-spring-boot/CHANGELOG.md
@@ -1,7 +1,7 @@
 # Release History
 
 ## 3.0.0-beta.2 (Unreleased)
-
+- Deprecated `AADAppRoleStatelessAuthenticationFilter` and `AADAuthenticationFilter`
 
 ## 3.0.0-beta.1 (2020-11-18)
 ### Breaking Changes

diff --git a/...main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java b/...main/java/com/azure/spring/autoconfigure/aad/AADAppRoleStatelessAuthenticationFilter.java
@@ -3,9 +3,22 @@
 
 package com.azure.spring.autoconfigure.aad;
 
+import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
+import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jwt.proc.BadJWTException;
+import java.io.IOException;
+import java.text.ParseException;
+import java.util.Collection;
+import java.util.Optional;
+import java.util.Set;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
@@ -18,26 +31,18 @@
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
-import java.text.ParseException;
-import java.util.Collection;
-import java.util.Optional;
-import java.util.Set;
-import java.util.stream.Collectors;
-import java.util.stream.Stream;
-
-import static com.azure.spring.autoconfigure.aad.Constants.DEFAULT_AUTHORITY_SET;
-import static com.azure.spring.autoconfigure.aad.Constants.ROLE_PREFIX;
-
 /**
  * A stateless authentication filter which uses app roles feature of Azure Active Directory. Since it's a stateless
  * implementation so the principal will not be stored in session. By using roles claim in the token it will not call
  * Microsoft Graph to retrieve users' groups.
+ * <p>
+ *
+ * @deprecated For AADAppRoleStatelessAuthenticationFilter, suggest use spring-security resource-server directly and
+ * include azure-spring-boot-starter-active-directory dependencies into your project. Automatic configuration of the
+ * associated AAD will be started, they will work well together.
+ * See the <a href="https:/Azure/azure-sdk-for-java/issues/17860">Alternative method</a>.
  */
+@Deprecated
 public class AADAppRoleStatelessAuthenticationFilter extends OncePerRequestFilter {
 
  private static final Logger LOGGER = LoggerFactory.getLogger(AADAppRoleStatelessAuthenticationFilter.class);

diff --git a/...spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java b/...spring-boot/src/main/java/com/azure/spring/autoconfigure/aad/AADAuthenticationFilter.java
@@ -3,12 +3,23 @@
 
 package com.azure.spring.autoconfigure.aad;
 
+import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;
 import com.microsoft.aad.msal4j.MsalServiceException;
 import com.nimbusds.jose.JOSEException;
 import com.nimbusds.jose.jwk.source.JWKSetCache;
 import com.nimbusds.jose.proc.BadJOSEException;
 import com.nimbusds.jose.util.ResourceRetriever;
 import com.nimbusds.jwt.proc.BadJWTException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.text.ParseException;
+import java.util.Optional;
+import javax.naming.ServiceUnavailableException;
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import javax.servlet.http.HttpSession;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpHeaders;
@@ -19,24 +30,17 @@
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.naming.ServiceUnavailableException;
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
-import java.io.IOException;
-import java.net.MalformedURLException;
-import java.text.ParseException;
-import java.util.Optional;
-
-import static com.azure.spring.autoconfigure.aad.Constants.BEARER_PREFIX;
-
 /**
  * A stateful authentication filter which uses Microsoft Graph groups to authorize. Both ID token and access token are
  * supported. In the case of access token, only access token issued for the exact same application this filter used for
  * could be accepted, e.g. access token issued for Microsoft Graph could not be processed by users' application.
+ * <p>
+ *
+ * @deprecated For AADAuthenticationFilter, in normal case, resource-server not support session. So
+ * AADAuthenticationFilter will not supported in the future.
+ * See the <a href="https:/Azure/azure-sdk-for-java/issues/17860">Alternative method</a>.
  */
+@Deprecated
 public class AADAuthenticationFilter extends OncePerRequestFilter {
  private static final Logger LOGGER = LoggerFactory.getLogger(AADAuthenticationFilter.class);
  private static final String CURRENT_USER_PRINCIPAL = "CURRENT_USER_PRINCIPAL";