Refactor security configuration for development and production profiles; update application properties for JWT validation and Azure settings

Author: emmanuelknafo

sample-app/api/applicationinsights.log

@@ -10,3 +10,51 @@ No connection string provided
 Action:
 Please provide connection string: https://go.microsoft.com/fwlink/?linkid=2153358
 
+2026-04-20 21:07:02.812-04:00 INFO  c.m.a.a.i.c.ConfigurationBuilder - Some telemetry may be sampled out because a default sampling configuration was added in version 3.4.0 to reduce the default billing cost. You can set the sampling configuration explicitly: https://learn.microsoft.com/azure/azure-monitor/app/java-standalone-config#sampling
+2026-04-20 21:07:03.048-04:00 ERROR c.m.applicationinsights.agent - 
+*************************
+Application Insights Java Agent 3.7.8 startup failed (PID 60188)
+*************************
+
+Description:
+No connection string provided
+
+Action:
+Please provide connection string: https://go.microsoft.com/fwlink/?linkid=2153358
+
+2026-04-21 21:11:47.647-04:00 INFO  c.m.a.a.i.c.ConfigurationBuilder - Some telemetry may be sampled out because a default sampling configuration was added in version 3.4.0 to reduce the default billing cost. You can set the sampling configuration explicitly: https://learn.microsoft.com/azure/azure-monitor/app/java-standalone-config#sampling
+2026-04-21 21:11:47.857-04:00 ERROR c.m.applicationinsights.agent - 
+*************************
+Application Insights Java Agent 3.7.8 startup failed (PID 36416)
+*************************
+
+Description:
+No connection string provided
+
+Action:
+Please provide connection string: https://go.microsoft.com/fwlink/?linkid=2153358
+
+2026-04-21 21:16:48.841-04:00 INFO  c.m.a.a.i.c.ConfigurationBuilder - Some telemetry may be sampled out because a default sampling configuration was added in version 3.4.0 to reduce the default billing cost. You can set the sampling configuration explicitly: https://learn.microsoft.com/azure/azure-monitor/app/java-standalone-config#sampling
+2026-04-21 21:16:49.076-04:00 ERROR c.m.applicationinsights.agent - 
+*************************
+Application Insights Java Agent 3.7.8 startup failed (PID 77224)
+*************************
+
+Description:
+No connection string provided
+
+Action:
+Please provide connection string: https://go.microsoft.com/fwlink/?linkid=2153358
+
+2026-04-21 21:18:40.872-04:00 INFO  c.m.a.a.i.c.ConfigurationBuilder - Some telemetry may be sampled out because a default sampling configuration was added in version 3.4.0 to reduce the default billing cost. You can set the sampling configuration explicitly: https://learn.microsoft.com/azure/azure-monitor/app/java-standalone-config#sampling
+2026-04-21 21:18:41.088-04:00 ERROR c.m.applicationinsights.agent - 
+*************************
+Application Insights Java Agent 3.7.8 startup failed (PID 18328)
+*************************
+
+Description:
+No connection string provided
+
+Action:
+Please provide connection string: https://go.microsoft.com/fwlink/?linkid=2153358
+

sample-app/api/pom.xml

@@ -19,21 +19,8 @@
 
     <properties>
         <java.version>17</java.version>
-        <spring-cloud-azure.version>7.2.0</spring-cloud-azure.version>
     </properties>
 
-    <dependencyManagement>
-        <dependencies>
-            <dependency>
-                <groupId>com.azure.spring</groupId>
-                <artifactId>spring-cloud-azure-dependencies</artifactId>
-                <version>${spring-cloud-azure.version}</version>
-                <type>pom</type>
-                <scope>import</scope>
-            </dependency>
-        </dependencies>
-    </dependencyManagement>
-
     <dependencies>
         <!-- Spring Boot -->
         <dependency>
@@ -45,12 +32,6 @@
             <artifactId>spring-boot-starter-oauth2-resource-server</artifactId>
         </dependency>
 
-        <!-- Spring Cloud Azure AD -->
-        <dependency>
-            <groupId>com.azure.spring</groupId>
-            <artifactId>spring-cloud-azure-starter-active-directory</artifactId>
-        </dependency>
-
         <!-- Azure Storage -->
         <dependency>
             <groupId>com.azure</groupId>

sample-app/api/src/main/java/com/example/evidence/config/SecurityConfig.java

@@ -3,6 +3,7 @@
 import org.springframework.beans.factory.annotation.Value;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.core.GrantedAuthority;
@@ -26,7 +27,25 @@ public class SecurityConfig {
     @Value("${app.cors.allowed-origins:http://localhost:4200}")
     private String allowedOrigins;
 
+    /**
+     * Dev profile: permit all requests so the API is explorable before Entra ID
+     * app registrations are configured. Participants enable real auth in Exercise 1.
+     */
     @Bean
+    @Profile("dev")
+    public SecurityFilterChain devFilterChain(HttpSecurity http) throws Exception {
+        http
+            .cors(cors -> cors.configurationSource(corsConfigurationSource()))
+            .csrf(csrf -> csrf.disable())
+            .authorizeHttpRequests(auth -> auth.anyRequest().permitAll());
+        return http.build();
+    }
+
+    /**
+     * Non-dev profiles: full JWT validation with scope and role enforcement.
+     */
+    @Bean
+    @Profile("!dev")
     public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
         http
             .cors(cors -> cors.configurationSource(corsConfigurationSource()))

sample-app/api/src/main/java/com/example/evidence/controller/CaseController.java

@@ -6,6 +6,7 @@
 import com.example.evidence.service.CaseService;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.security.oauth2.server.resource.authentication.JwtAuthenticationToken;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -14,6 +15,7 @@
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
 
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
@@ -69,12 +71,19 @@ public ResponseEntity<CaseDetailResponse> createCase(@RequestBody Case newCase)
     }
 
     @GetMapping("/me")
-    public Map<String, Object> getCurrentUser(JwtAuthenticationToken authentication) {
+    public Map<String, Object> getCurrentUser(Authentication authentication) {
         Map<String, Object> userInfo = new HashMap<>();
-        userInfo.put("name", authentication.getToken().getClaimAsString("name"));
-        userInfo.put("preferred_username", authentication.getToken().getClaimAsString("preferred_username"));
-        userInfo.put("roles", authentication.getToken().getClaimAsStringList("roles"));
-        userInfo.put("scp", authentication.getToken().getClaimAsString("scp"));
+        if (authentication instanceof JwtAuthenticationToken jwtAuth) {
+            userInfo.put("name", jwtAuth.getToken().getClaimAsString("name"));
+            userInfo.put("preferred_username", jwtAuth.getToken().getClaimAsString("preferred_username"));
+            userInfo.put("roles", jwtAuth.getToken().getClaimAsStringList("roles"));
+            userInfo.put("scp", jwtAuth.getToken().getClaimAsString("scp"));
+        } else {
+            userInfo.put("name", "Dev User (no JWT)");
+            userInfo.put("preferred_username", "dev@localhost");
+            userInfo.put("roles", Collections.emptyList());
+            userInfo.put("scp", "Evidence.Read");
+        }
         return userInfo;
     }
 }

sample-app/api/src/main/resources/application-dev.properties

@@ -1,3 +1,6 @@
 # Dev profile - local development with sample data
 logging.level.com.example.evidence=DEBUG
 logging.level.org.springframework.security=DEBUG
+
+# No JWT validation in dev — API is open for exploration before Exercise 1
+# Participants configure real Entra ID auth during Exercise 1

sample-app/api/src/main/resources/application-prod.properties

@@ -1,3 +1,6 @@
-# Prod profile - Azure Blob Storage
+# Prod profile - Azure deployment
 azure.storage.account-name=${AZURE_STORAGE_ACCOUNT_NAME:YOUR_STORAGE_ACCOUNT}
 azure.storage.container-name=${AZURE_STORAGE_CONTAINER_NAME:evidence}
+
+# JWT validation against Entra ID tenant
+spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/${AZURE_TENANT_ID}/v2.0

sample-app/api/src/main/resources/application.properties

@@ -1,17 +1,13 @@
 # Server
 server.port=8080
 
-# Azure AD / Entra ID
-spring.cloud.azure.active-directory.enabled=true
-spring.cloud.azure.active-directory.credential.client-id=${AZURE_CLIENT_ID:YOUR_CLIENT_ID}
-spring.cloud.azure.active-directory.profile.tenant-id=${AZURE_TENANT_ID:YOUR_TENANT_ID}
-spring.cloud.azure.active-directory.app-id-uri=${APP_ID_URI:api://YOUR_CLIENT_ID}
+# Entra ID / JWT validation
+# Participants set their tenant ID in Exercise 1
+spring.security.oauth2.resourceserver.jwt.issuer-uri=${JWT_ISSUER_URI:}
+spring.security.oauth2.resourceserver.jwt.audiences=${JWT_AUDIENCE:api://YOUR_API_CLIENT_ID}
 
 # CORS
 app.cors.allowed-origins=${CORS_ALLOWED_ORIGINS:http://localhost:4200}
 
-# Allow bean definition overriding (Spring Cloud Azure + Spring Boot 3.4 conflict)
-spring.main.allow-bean-definition-overriding=true
-
 # Default profile
 spring.profiles.active=${SPRING_PROFILES_ACTIVE:dev}