Tutorial: Connect to a PostgreSQL Database from Java Tomcat App Service without secrets using a managed identity

Azure App Service provides a highly scalable, self-patching web hosting service in Azure. It also provides a managed identity for your app, which is a turn-key solution for securing access to Azure Database for PostgreSQL and other Azure services. Managed identities in App Service make your app more secure by eliminating secrets from your app, such as credentials in the environment variables. In this tutorial, you will learn how to:

  • Create a PostgreSQL database.
  • Deploy the sample app to Azure App Service on Tomcat using WAR packaging.
  • Configure a Spring Boot web application to use Azure AD authentication with PostgreSQL Database.
  • Connect to PostgreSQL Database with Managed Identity using Service Connector.

If you don't have an Azure subscription, create an Azure free account before you begin.

Prerequisites

Clone the sample app and prepare the repo

Run the following commands in your terminal to clone the sample repo and set up the sample app environment.

git clone https://github.com/Azure-Samples/Passwordless-Connections-for-Java-Apps
cd Passwordless-Connections-for-Java-Apps/Tomcat/

Create an Azure Database for PostgreSQL

Follow these steps to create an Azure Database for Postgres in your subscription. The Spring Boot app will connect to this database and store its data when running, persisting the application state no matter where you run the application.

  1. Sign into the Azure CLI, and optionally set your subscription if you have more than one connected to your login credentials.

    az login
    az account set --subscription <subscription-ID>
    
  2. Create an Azure Resource Group, noting the resource group name.

    RESOURCE_GROUP=<resource-group-name>
    LOCATION=eastus
    
    az group create --name $RESOURCE_GROUP --location $LOCATION
    
  3. Create an Azure Database for PostgreSQL server. The server is created with an administrator account, but it won't be used because we'll use the Azure Active Directory (Azure AD) admin account to perform administrative tasks.

    POSTGRESQL_ADMIN_USER=azureuser
    # PostgreSQL admin access rights won't be used because Azure AD authentication is leveraged to administer the database.
    POSTGRESQL_ADMIN_PASSWORD=<admin-password>
    POSTGRESQL_HOST=<postgresql-host-name>
    
    # Create a PostgreSQL server.
    az postgres flexible-server create \
        --resource-group $RESOURCE_GROUP \
        --name $POSTGRESQL_HOST \
        --location $LOCATION \
        --admin-user $POSTGRESQL_ADMIN_USER \
        --admin-password $POSTGRESQL_ADMIN_PASSWORD \
        --public-network-access 0.0.0.0 \
        --sku-name Standard_D2s_v3 
    
  4. Create a database for the application.

    DATABASE_NAME=checklist
    
    az postgres flexible-server db create \
        --resource-group $RESOURCE_GROUP \
        --server-name $POSTGRESQL_HOST \
        --database-name $DATABASE_NAME
    

Deploy the application to App Service

Follow these steps to build a WAR file and deploy to Azure App Service on Tomcat using a WAR packaging.

  1. The sample app contains a pom.xml file that can generate the WAR file. Run the following command to build the app.

    mvn clean package -f pom.xml
    
  2. Create an Azure App Service resource on Linux using Tomcat 9.0.

    APPSERVICE_PLAN=<app-service-plan>
    APPSERVICE_NAME=<app-service-name>
    # Create an App Service plan
    az appservice plan create \
        --resource-group $RESOURCE_GROUP \
        --name $APPSERVICE_PLAN \
        --location $LOCATION \
        --sku B1 \
        --is-linux
    
    # Create an App Service resource.
    az webapp create \
        --resource-group $RESOURCE_GROUP \
        --name $APPSERVICE_NAME \
        --plan $APPSERVICE_PLAN \
        --runtime "TOMCAT:9.0-jre8" 
    
  3. Deploy the WAR package to App Service.

    az webapp deploy \
        --resource-group $RESOURCE_GROUP \
        --name $APPSERVICE_NAME \
        --src-path target/app.war \
        --type war
    

Connect the Postgres database with identity connectivity

Note

Azure Active Directory Authentication for PostgreSQL Flexible Server is currently in preview.

Next, connect your app to a Postgres database with a system-assigned managed identity using Service Connector.

To do this, run the az webapp connection create command.

az webapp connection create postgres-flexible \
    --resource-group $RESOURCE_GROUP \
    --name $APPSERVICE_NAME \
    --target-resource-group $RESOURCE_GROUP \
    --server $POSTGRESQL_HOST \
    --database $DATABASE_NAME \
    --system-identity

This command creates a connection between your web app and your PostgreSQL server, and manages authentication through a system-assigned managed identity.

View sample web app

Run the following command to open the deployed web app in your browser.

az webapp browse \
    --resource-group $RESOURCE_GROUP \
    --name MyWebapp \
    --name $APPSERVICE_NAME

Clean up resources

In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:

az group delete --name myResourceGroup

This command may take a minute to run.

Next steps

Learn more about running Java apps on App Service on Linux in the developer guide.

Learn how to secure your app with a custom domain and certificate.