Posted to users@tomcat.apache.org by BRUNO MELLONI <Br...@chickasaw.net> on 2023/04/11 19:28:57 UTC

Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?

I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD.

But when I tried to migrate applications that used Microsoft's spring-cloud-azure-starter-active-directory for authentication of 2-step authenticated webapps (the preferred approach) I started to get this error during application deploy to Tomcat 10:

Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer


My suspicion is that Microsoft's latest implementation is not compatible with Tomcat's approach to support log4j logging (as far as I know the approach has been around since at least Tomcat 9).  But of course I could be wrong.   Has anybody had any success?  Was there any trick to migrating to Spring Boot 3 / Spring 6 / Tomcat 10 with 2-step authentication and authorization using Azure AD?



NOTE:  I did succeed with 2-step auth with Azure AD when I dropped the Microsoft spring-cloud-azure-starter-active-directory dependency and instead used the raw OAuth2 approach to connect to Azure AD.  The problem though is that roles defined in Azure are not coming through to the GrantedAuthorities of the SecurityContext or Principal.  I know I could extract the UPN from the Principal and then define the AD Groups in the on-premises AD instead of Azure AD, but that would require code changes and what is worse it would make me hostage to the availability of sysadmins that manage our on-premises AD... meaning weeks of delay for new AD groups.  It is a hack that I'd rather not use if Azure authorization can be made to work properly.

Any other advice will be welcome too.

Thanks.

RE: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?

Posted by BRUNO MELLONI <Br...@chickasaw.net>.
That is the curious bit.  Nothing was needed in the previous version, and I found nothing mentioned for the latest version.
For my own logging (not needed before and presumably not now for the Azure stuff) I would use:
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-api</artifactId>
  <version>${log4j2.version}</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-core</artifactId>
  <version>${log4j2.version}</version>
</dependency>
<dependency>
  <groupId>org.apache.logging.log4j</groupId>
  <artifactId>log4j-slf4j-impl</artifactId>
  <version>${log4j2.version}</version>
</dependency>
<dependency>
  <groupId>org.slf4j</groupId>
  <artifactId>slf4j-api</artifactId>
  <version>${slf4j.version}</version>
</dependency>

But it must have been a bug in spring-cloud-azure-starter-active-directory after all.  That is what was causing the logback exception; the problem would not happen without that dependency.  Interestingly… that particular problem went away this morning.  I noticed that when I did a clean build today (did not happen before during previous clean builds) a number of dependencies got downloaded/updated, and now the exception is not being thrown.

The particular problem is now solved, with no action on my part.  There are new issues but those I can handle.

From: Mark Thomas <ma...@apache.org>
Sent: Friday, April 14, 2023 9:13 AM
To: users@tomcat.apache.org
Subject: Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?


On 13/04/2023 22:48, BRUNO MELLONI wrote:
> After further research let me ask the question in a different way:
>
>    *   Tomcat 10 is configured to do log4j2 logging.
>    *   My log4j2 code works fine.
>    *   Spring-cloud-azure-starter-active-directory seems to use logback and it is incompatible with my Tomcat 10 setup.
>
> Given the above… what do I need to add to Tomcat 10 to make it handle apps that use logback for logging but still use my log4j2 Tomcat configuration for the actual logging?

Whatever the logback documentation says you need to add to route logging
to log4j2.

> I would swear that Tomcat had slf4j and other logging translation libraries built in…

Nope. That has never been the case.

> but perhaps Tomcat 10 no longer does for some and requires adding some jars?

Tomcat's internal logging routes to java.util.logging - you can re-route
that if required. Follow the directions to do that provided with your
logging framework of choice.

Assuming you are still seeing the:

"Cannot cast
ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to
jakarta.servlet.ServletContainerInitializer" error, I'll repeat my
previous question:

Which version of which JAR is that ServletContainerInitializer coming from?

Mark








---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?

Posted by Mark Thomas <ma...@apache.org>.
On 13/04/2023 22:48, BRUNO MELLONI wrote:
> After further research let me ask the question in a different way:
> 
> 
>    *   Tomcat 10 is configured to do log4j2 logging.
>    *   My log4j2 code works fine.
>    *   Spring-cloud-azure-starter-active-directory seems to use logback and it is incompatible with my Tomcat 10 setup.
> 
> Given the above… what do I need to add to Tomcat 10 to make it handle apps that use logback for logging but still use my log4j2 Tomcat configuration for the actual logging?

Whatever the logback documentation says you need to add to route logging 
to log4j2.

> I would swear that Tomcat had slf4j and other logging translation libraries built in…

Nope. That has never been the case.

> but perhaps Tomcat 10 no longer does for some and requires adding some jars?

Tomcat's internal logging routes to java.util.logging - you can re-route 
that if required. Follow the directions to do that provided with your 
logging framework of choice.

Assuming you are still seeing the:

"Cannot cast 
ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to 
jakarta.servlet.ServletContainerInitializer" error, I'll repeat my 
previous question:

Which version of which JAR is that ServletContainerInitializer coming from?

Mark




RE: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?

Posted by BRUNO MELLONI <Br...@chickasaw.net>.
After further research let me ask the question in a different way:


  *   Tomcat 10 is configured to do log4j2 logging.
  *   My log4j2 code works fine.
  *   Spring-cloud-azure-starter-active-directory seems to use logback and it is incompatible with my Tomcat 10 setup.

Given the above… what do I need to add to Tomcat 10 to make it handle apps that use logback for logging but still use my log4j2 Tomcat configuration for the actual logging?

I would swear that Tomcat had slf4j and other logging translation libraries built in… but perhaps Tomcat 10 no longer does for some and requires adding some jars?

b.

From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, April 11, 2023 2:41 PM
To: users@tomcat.apache.org
Subject: Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?


On 11/04/2023 20:28, BRUNO MELLONI wrote:
> I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD.
>
> But when I tried to migrate applications that used Microsoft's spring-cloud-azure-starter-active-directory for authentication of 2-step authenticated webapps (the preferred approach) I started to get this error during application deploy to Tomcat 10:
>
> Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer
>
>
> My suspicion is that Microsoft's latest implementation is not compatible with Tomcat's approach to support log4j logging (as far as I know the approach has been around since at least Tomcat 9).  But of course I could be wrong.   Has anybody had any success?  Was there any trick to migrating to Spring Boot 3 / Spring 6 / Tomcat 10 with 2-step authentication and authorization using Azure AD?
>
>
>
> NOTE:  I did succeed with 2-step auth with Azure AD when I dropped the Microsoft spring-cloud-azure-starter-active-directory dependency and instead used the raw OAuth2 approach to connect to Azure AD.  The problem though is that roles defined in Azure are not coming through to the GrantedAuthorities of the SecurityContext or Principal.  I know I could extract the UPN from the Principal and then define the AD Groups in the on-premises AD instead of Azure AD, but that would require code changes and what is worse it would make me hostage to the availability of sysadmins that manage our on-premises AD... meaning weeks of delay for new AD groups.  It is a hack that I'd rather not use if Azure authorization can be made to work properly.
>
> Any other advice will be welcome too.

No idea but some questions that might help.

Some sort of Java EE / Jakarta EE conflict?

A JAR present in the WAR that contains some of the Servlet API JARs?

Which version of which JAR is that ServletContainerInitializer coming from?

Mark






Re: Is Microsoft's spring-cloud-azure-starter-active-directory for Spring Boot 3 / Spring 6 compatible with Tomcat 10?

Posted by Mark Thomas <ma...@apache.org>.
On 11/04/2023 20:28, BRUNO MELLONI wrote:
> I was able to migrate applications to Spring Boot 3 / Spring 6 (standalone or running on Tomcat 10) so long as authentication was NOT through Azure AD.
> 
> But when I tried to migrate applications that used Microsoft's spring-cloud-azure-starter-active-directory for authentication of 2-step authenticated webapps (the preferred approach) I started to get this error during application deploy to Tomcat 10:
> 
> Cannot cast ch.qos.logback.classic.servlet.LogbackServletContainerInitializer to jakarta.servlet.ServletContainerInitializer
> 
> 
> My suspicion is that Microsoft's latest implementation is not compatible with Tomcat's approach to support log4j logging (as far as I know the approach has been around since at least Tomcat 9).  But of course I could be wrong.   Has anybody had any success?  Was there any trick to migrating to Spring Boot 3 / Spring 6 / Tomcat 10 with 2-step authentication and authorization using Azure AD?
> 
> 
> 
> NOTE:  I did succeed with 2-step auth with Azure AD when I dropped the Microsoft spring-cloud-azure-starter-active-directory dependency and instead used the raw OAuth2 approach to connect to Azure AD.  The problem though is that roles defined in Azure are not coming through to the GrantedAuthorities of the SecurityContext or Principal.  I know I could extract the UPN from the Principal and then define the AD Groups in the on-premises AD instead of Azure AD, but that would require code changes and what is worse it would make me hostage to the availability of sysadmins that manage our on-premises AD... meaning weeks of delay for new AD groups.  It is a hack that I'd rather not use if Azure authorization can be made to work properly.
> 
> Any other advice will be welcome too.

No idea but some questions that might help.

Some sort of Java EE / Jakarta EE conflict?

A JAR present in the WAR that contains some of the Servlet API JARs?

Which version of which JAR is that ServletContainerInitializer coming from?

Mark
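
The three questions above can be answered mechanically from the WAR itself. The following is an added example, not code from the thread or from Tomcat: it lists every WEB-INF/lib JAR that registers a ServletContainerInitializer or bundles a Servlet API copy, and flags initializers registered for one namespace but compiled against the other. The JAR and class names in the sample WAR are constructed, and the constant-pool byte search is a heuristic.

```python
import io
import zipfile

NAMESPACES = ("javax", "jakarta")
SCI = "servlet/ServletContainerInitializer"

def implemented(jar, entries, cls):
    """Heuristic: SCI interface names present in the class file's constant pool."""
    path = cls.replace(".", "/") + ".class"
    data = jar.read(path) if path in entries else b""
    return [ns for ns in NAMESPACES if f"{ns}/{SCI}".encode() in data]

def scan_jar(name, jar_bytes):
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        entries = set(jar.namelist())
        inits = []
        for ns in NAMESPACES:
            service = f"META-INF/services/{ns}.{SCI.replace('/', '.')}"
            if service not in entries:
                continue
            for line in jar.read(service).decode("utf-8").splitlines():
                cls = line.split("#", 1)[0].strip()  # service files allow comments
                if cls:
                    inits.append({"class": cls, "registered_as": ns,
                                  "implements": implemented(jar, entries, cls)})
        # A Servlet API copy shipped inside the WAR (the second question above).
        api = [ns for ns in NAMESPACES if f"{ns}/servlet/Servlet.class" in entries]
    return {"jar": name, "initializers": inits, "bundles_api": api}

def scan_war(war_bytes):
    """One finding per WEB-INF/lib JAR that registers an SCI or bundles the API."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as war:
        jars = [n for n in sorted(war.namelist())
                if n.startswith("WEB-INF/lib/") and n.endswith(".jar")]
        found = [scan_jar(n, war.read(n)) for n in jars]
    return [f for f in found if f["initializers"] or f["bundles_api"]]

def mismatches(findings):
    """Initializers registered for one namespace but compiled against the other."""
    return [(f["jar"], i["class"]) for f in findings for i in f["initializers"]
            if i["implements"] and i["registered_as"] not in i["implements"]]

def _zip(files):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, data in files.items():
            z.writestr(path, data)
    return buf.getvalue()

def sample_war():
    """Constructed input: hypothetical JAR names, fake class bytes."""
    svc = "META-INF/services/jakarta.servlet.ServletContainerInitializer"
    stale = _zip({svc: "com.example.StaleInit\n",
                  "com/example/StaleInit.class": b"\xca\xfe\xba\xbe javax/" + SCI.encode()})
    good = _zip({svc: "# ok\ncom.example.GoodInit\n",
                 "com/example/GoodInit.class": b"\xca\xfe\xba\xbe jakarta/" + SCI.encode()})
    api = _zip({"jakarta/servlet/Servlet.class": b"\xca\xfe\xba\xbe"})
    return _zip({"WEB-INF/lib/stale-init-0.1.jar": stale,
                 "WEB-INF/lib/good-init-0.1.jar": good,
                 "WEB-INF/lib/servlet-api-copy-0.1.jar": api})

if __name__ == "__main__":
    print("cast-error candidates:", mismatches(scan_war(sample_war())))
```

To run it against a real deployment, pass the bytes of the WAR file to `scan_war`; the JAR file name in each finding normally carries the version.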
