Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article shows how to configure Java-specific security settings in App Service. Java applications that run in App Service have the same set of security best practices as other applications.
Azure App Service runs Java web applications in three types on a fully managed service:
- Java Standard Edition (SE). Java SE can run an app deployed as a Java archive (JAR) package that contains an embedded server, such as Spring Boot, Quarkus, Dropwizard, or an app with an embedded Tomcat or Jetty server.
- Tomcat. The built-in Tomcat server can run an app deployed as a web application archive (WAR) package.
- JBoss Enterprise Application Platform (EAP): The built-in JBoss EAP server can run an app deployed as a WAR or enterprise archive (EAR) package. This option is supported for Linux apps in a set of pricing tiers that include Free, Premium v3, and Isolated v2.
Note
JBoss EAP on App Service now supports Bring Your Own License (BYOL) billing. BYOL enables customers who have existing Red Hat subscriptions to apply those licenses directly to their JBoss EAP deployments on Azure App Service. For more information, see BYOL Support for JBoss EAP on App Service.
Authenticate users (Easy Auth)
Set up app authentication in the Azure portal with the Authentication and Authorization option. From there, you can enable authentication using Microsoft Entra ID or social sign-ins like Facebook, Google, or GitHub. Azure portal configuration only works when configuring a single authentication provider. For more information, see Configure your App Service app to use Microsoft Entra sign-in and the related articles for other identity providers. If you need to enable multiple sign-in providers, see Customize sign-ins and sign-outs.
Spring Boot developers can use the Microsoft Entra Spring Boot starter to secure applications using familiar Spring Security annotations and APIs. Be sure to increase the maximum header size in your application.properties file. We suggest a value of 16384.
Your Tomcat application can access the user's claims directly from the servlet by casting the Principal object to a Map object. The Map object maps each claim type to a collection of the claims for that type. In the following code example, request is an instance of HttpServletRequest.
Map<String, Collection<String>> map = (Map<String, Collection<String>>) request.getUserPrincipal();
Now you can inspect the Map object for any specific claim. For example, the following code snippet iterates through all the claim types and prints the contents of each collection.
for (Object key : map.keySet()) {
Object value = map.get(key);
if (value != null && value instanceof Collection {
Collection claims = (Collection) value;
for (Object claim : claims) {
System.out.println(claims);
}
}
}
To sign out users, use the /.auth/ext/logout path. To perform other actions, see Customize sign-ins and sign-outs. There's also official documentation on the Tomcat HttpServletRequest interface and its methods. The following servlet methods are also hydrated based on your App Service configuration:
public boolean isSecure()
public String getRemoteAddr()
public String getRemoteHost()
public String getScheme()
public int getServerPort()
To disable this feature, create an Application Setting named WEBSITE_AUTH_SKIP_PRINCIPAL with a value of 1. To disable all servlet filters added by App Service, create a setting named WEBSITE_SKIP_FILTERS with a value of 1.
For JBoss EAP, see the Tomcat tab.
Configure TLS
To upload an existing TLS certificate and bind it to your application's domain name, see Enable HTTPS for a custom domain in Azure App Service. You can also configure the app to enforce TLS.
Use Azure Key Vault references
Azure Key Vault provides centralized secret management with access policies and audit history. You can store secrets, such as passwords or connection strings, in a key vault. You can access these secrets in your application through environment variables.
First, grant your app access to a key vault and make a Key Vault reference to your secret in an Application Setting. You can validate that the reference resolves to the secret by printing the environment variable while remotely accessing the App Service terminal.
For Spring configuration files, see Externalized Configuration.
To inject these secrets in your Spring configuration file, use environment variable injection syntax (${MY_ENV_VAR}).
To inject these secrets in your Tomcat configuration file, use environment variable injection syntax (${MY_ENV_VAR}).
Use the Java key store in Linux
By default, any public or private certificates uploaded to App Service Linux are loaded into the respective Java key stores when the container starts. After uploading your certificate, you'll need to restart your App Service for it to load into the Java key store. Public certificates are loaded into the key store at $JRE_HOME/lib/security/cacerts. Private certificates are stored in $JRE_HOME/lib/security/client.jks.
More configuration might be necessary for encrypting your JDBC connection with certificates in the Java key store:
Initialize the Java key store in Linux
To initialize the import java.security.KeyStore object, load the keystore file with the password. The default password for both key stores is changeit.
KeyStore keyStore = KeyStore.getInstance("jks");
keyStore.load(
new FileInputStream(System.getenv("JRE_HOME")+"/lib/security/cacerts"),
"changeit".toCharArray());
KeyStore keyStore = KeyStore.getInstance("pkcs12");
keyStore.load(
new FileInputStream(System.getenv("JRE_HOME")+"/lib/security/client.jks"),
"changeit".toCharArray());
Manually load the key store in Linux
You can load certificates manually to the key store. To disable App Service from loading the certificates into the key store automatically, create an app setting, SKIP_JAVA_KEYSTORE_LOAD, with a value of 1. All public certificates uploaded to App Service by using the Azure portal are stored under /var/ssl/certs/. Private certificates are stored under /var/ssl/private/.
To interact or debug the Java Key Tool, open an SSH connection to your App Service and run the command keytool. See the Key Tool documentation for a list of commands. For more information on the KeyStore API, see Class KeyStore.
Related content
Visit the Azure for Java Developers center to find Azure quickstarts, tutorials, and Java reference documentation.