Spring Azure authorization - DEV vs PROD environments

I apologize for the long question, I can't think of a way to be clear enough in a shorter post. I found one or two existing posts on similar but much more specific topics, nothing covering the complete DEV vs PROD issue.

Context: Azure AD is fairly new in my organization but there are already several .NET applications using it for 2-step authentication. I just completed a Java proof of concept using the Spring Boot Azure starter and I am starting to migrate my first real application.

In my original apps (that I am trying to migrate):

  • All environment-specific information is in a single .properties file, including a deployEnv property that indicates if the deployment is to DEV or PROD.
  • Access rights groups are defined in the old internal AD as DEV_ or PROD_.
  • My authenticators and userDetailServices translate those DEV_/PROD_ groups to ROLE_*, so that they end up in the request's Principal.GrantedAuthorities as ROLE_ and I can use Spring Security to control access to folders, pages and even features inside a page.

In my proof of concept:

  • I see one Azure AD instance (PROD).
  • I can associate a group to a role in Azure, then after login I see the roles in the request's Principal.GrantedAuthorities in the form APPROLE_.
  • I do NOT yet have a way to differentiate between DEV and PROD groups.

QUESTIONS:

  1. Is there a way in Azure to dynamically map the DEV/PROD_group to the role? If yes, how can my app tell Azure that it needs to map the DEV vs PROD group to the role? Is there perhaps a property that can be set in application.properties?
  2. Alternatively, is there a way to (A) Override the Spring Boot Azure starter's authenticator with my own, then in the custom authenticator (B) Read the application's roles, identify the mapped groups (i.e., the PROD_), if it is not the correct "deploy environment group prefix" locate the equivalent group for the desired deploy env, determine if the user is in those groups, and set my own granted authorities as ROLE? If yes, where can I find documentation and any helpful information to achieve that goal? (Yes, I know this is horribly convoluted, but if I implement this code once... it still makes life a lot easier when I have to port 30-50 applications)
  3. Or is the only "simple" option to set up a DEV Azure AD, and duplicate all of the Azure setup except for the DEV group members, then use the correct DEV/PROD Azure values in application.properties? If so, is there a way to "clone" the setup for an app from DEV to PROD... so that we only need to modify the group being used?
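Option 2 in the question (keep one Azure AD, read the group claims yourself, keep only the groups whose prefix matches the running deployment, and emit ROLE_* authorities) can be done with plain Spring Security rather than by replacing the starter's authenticator. The following is an added example written for this page, not code from the question's author or from the Spring Boot Azure starter. It assumes a property `app.deploy-env` (DEV or PROD) in application.properties, that the app registration emits group names in a claim named `groups`, and that the OAuth2 login in use honours a `GrantedAuthoritiesMapper` bean; the class, package and property names are hypothetical.

```java
package com.example.security; // hypothetical package

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.authority.mapping.GrantedAuthoritiesMapper;
import org.springframework.security.oauth2.core.oidc.user.OidcUserAuthority;
import org.springframework.security.oauth2.core.user.OAuth2UserAuthority;

@Configuration
public class DeployEnvRoleMapping {

    // Hypothetical property: app.deploy-env=DEV or app.deploy-env=PROD
    @Value("${app.deploy-env}")
    private String deployEnv;

    // Hypothetical claim name; depends on how the app registration is told to emit groups
    static final String GROUPS_CLAIM = "groups";

    /**
     * Runs after Spring Security has validated the token, so every group name seen here
     * came from a signed token. Groups of the *other* environment are dropped on purpose:
     * a DEV_ membership must never turn into a ROLE_ in the PROD deployment.
     */
    @Bean
    public GrantedAuthoritiesMapper deployEnvAuthoritiesMapper() {
        return authorities -> {
            Set<String> groups = new HashSet<>();
            for (GrantedAuthority a : authorities) {
                if (a instanceof OidcUserAuthority) {
                    groups.addAll(readGroups(((OidcUserAuthority) a).getIdToken().getClaims()));
                } else if (a instanceof OAuth2UserAuthority) {
                    groups.addAll(readGroups(((OAuth2UserAuthority) a).getAttributes()));
                }
            }
            return mapGroupsToRoles(deployEnv, groups);
        };
    }

    /** Tolerates the claim being absent, a single string, or a list of strings. */
    static List<String> readGroups(Map<String, Object> claims) {
        Object raw = claims == null ? null : claims.get(GROUPS_CLAIM);
        List<String> out = new ArrayList<>();
        if (raw instanceof Collection) {
            for (Object o : (Collection<?>) raw) {
                if (o != null) out.add(o.toString());
            }
        } else if (raw instanceof String) {
            out.add((String) raw);
        }
        return out;
    }

    /**
     * DEV + ["DEV_ADMIN", "PROD_ADMIN", "DEV_"] -> {ROLE_ADMIN}.
     * Only groups carrying the current environment's prefix become roles; an empty
     * suffix is ignored so a bare "DEV_" group cannot yield a meaningless "ROLE_".
     */
    static Set<GrantedAuthority> mapGroupsToRoles(String deployEnv, Collection<String> groups) {
        String prefix = deployEnv.trim().toUpperCase(Locale.ROOT) + "_";
        Set<GrantedAuthority> roles = new HashSet<>();
        for (String g : groups) {
            if (g != null && g.startsWith(prefix) && g.length() > prefix.length()) {
                roles.add(new SimpleGrantedAuthority("ROLE_" + g.substring(prefix.length())));
            }
        }
        return Collections.unmodifiableSet(roles);
    }
}
```

With this in place the existing `hasRole("ADMIN")` rules keep working unchanged, and the only per-environment difference is the `app.deploy-env` value, which matches how the original apps already use `deployEnv`. Two checks worth keeping in mind: confirm which claim the registration actually emits (group object IDs and group display names are different settings, and the mapping above only works on names), and remember that Azure AD omits the groups claim entirely for users in very many groups (the "groups overage" case), in which case `readGroups` returns an empty list and the user gets no roles rather than wrong ones.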


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow