Deploy Java Spring Boot apps to Azure Container Apps
This article shows you how to deploy a Java Spring Boot app with sign-in by Microsoft Entra account to Azure Container Apps.
This article assumes that you completed one of the following articles using only the Run locally tab, and you now want to deploy to Azure. These instructions are the same as the ones in the Deploy to Azure tab in these articles:
- Secure Java Spring Boot apps using Microsoft Entra ID
- Secure Java Spring Boot apps using Azure Active Directory B2C
- Enable Java Spring Boot apps to sign in users and access Microsoft Graph
- Secure Java Spring Boot apps using roles and role claims
- Secure Java Spring Boot apps using groups and group claims
Prerequisites
- An Azure account. If you don't have one, create a free account. You need the Contributor or Owner permission on the Azure subscription to proceed. For more information, see Assign Azure roles using the Azure portal.
- The Azure CLI.
- The Azure Container Apps CLI extension, version 0.3.47 or higher. To install the latest version, use the az extension add --name containerapp --upgrade --allow-preview command.
- The Java Development Kit, version 17 or higher.
- Maven.
Prepare the Spring project
Use the following steps to prepare the project:
Use the following Maven command to build the project:
mvn clean verify
Run the sample project locally by using the following command:
mvn spring-boot:run
Setup
To sign in to Azure from the CLI, run the following command and follow the prompts to complete the authentication process.
az login
To ensure you're running the latest version of the CLI, run the upgrade command.
az upgrade
Next, install or update the Azure Container Apps extension for the CLI.
If you receive errors about missing parameters when you run az containerapp commands in Azure CLI, be sure you have the latest version of the Azure Container Apps extension installed.
az extension add --name containerapp --upgrade
Note
Starting in May 2024, Azure CLI extensions no longer enable preview features by default. To access Container Apps preview features, install the Container Apps extension with --allow-preview true.
az extension add --name containerapp --upgrade --allow-preview true
Now that the current extension or module is installed, register the Microsoft.App and Microsoft.OperationalInsights namespaces.
Note
Azure Container Apps resources have migrated from the Microsoft.Web namespace to the Microsoft.App namespace. Refer to Namespace migration from Microsoft.Web to Microsoft.App in March 2022 for more details.
az provider register --namespace Microsoft.App
az provider register --namespace Microsoft.OperationalInsights
Create the Azure Container Apps environment
Now that your Azure CLI setup is complete, you can define the environment variables that are used throughout this article.
Define the following variables in your bash shell.
export RESOURCE_GROUP="ms-identity-containerapps"
export LOCATION="canadacentral"
export ENVIRONMENT="env-ms-identity-containerapps"
export API_NAME="ms-identity-api"
export JAR_FILE_PATH_AND_NAME="./target/ms-identity-spring-boot-webapp-0.0.1-SNAPSHOT.jar"
Create a resource group.
az group create \
--name $RESOURCE_GROUP \
--location $LOCATION
Create an environment with an auto-generated Log Analytics workspace.
az containerapp env create \
--name $ENVIRONMENT \
--resource-group $RESOURCE_GROUP \
--location $LOCATION
Show the default domain of the container app environment. Note down this domain to use in later sections.
az containerapp env show \
--name $ENVIRONMENT \
--resource-group $RESOURCE_GROUP \
--query properties.defaultDomain
Prepare the app for deployment
When you deploy your application to Azure Container Apps, your redirect URL changes to the redirect URL of your deployed app instance in Azure Container Apps. Use the following steps to change these settings in your application.yml file:
Navigate to your app's src\main\resources\application.yml file and change the value of post-logout-redirect-uri to your deployed app's domain name, as shown in the following example. Be sure to replace <API_NAME> and <default-domain-of-container-app-environment> with your actual values. For example, with the default domain for your Azure Container App environment from the previous step and ms-identity-api for your app name, you would use https://ms-identity-api.<default-domain> for the post-logout-redirect-uri value.
post-logout-redirect-uri: https://<API_NAME>.<default-domain-of-container-app-environment>
After saving this file, use the following command to rebuild your app:
mvn clean package
Important
The application.yml file of the application currently holds the value of your client secret in the client-secret parameter. It isn't good practice to keep this value in this file. You might also be taking a risk if you commit the file to a Git repository. For the recommended approach, see Manage secrets in Azure Container Apps.
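A pre-build check for the two application.yml settings discussed above, added here as an example (not code from the article): it flags a literal client-secret and a post-logout-redirect-uri that doesn't match the deployed app. The AAD_CLIENT_SECRET placeholder name, the sample files, and the example-domain.test domain are assumptions constructed for the example.

```bash
#!/bin/sh
# Added example, not from the article. AAD_CLIENT_SECRET is an assumed variable name.

# Print the value of the first "key: value" line for key $2 in file $1,
# stripped of quotes, trailing comment and trailing whitespace.
yaml_value() {
  sed -n "/^[[:space:]]*$2:/{s/^[[:space:]]*$2:[[:space:]]*//;s/[[:space:]]#.*//;s/[[:space:]]*\$//;p;}" "$1" |
    head -n 1 | tr -d "\"'\r"
}

# Succeed if client-secret is absent or a bare ${ENV_VAR} placeholder.
# Fail on a literal value, or on a placeholder that carries a non-empty default.
secret_is_externalized() {
  value=$(yaml_value "$1" client-secret)
  case "$value" in
    '${'*:?*'}') return 1 ;;   # ${VAR:default} still embeds a value in the file
    '' | '${'*'}') return 0 ;;
    *) return 1 ;;
  esac
}

# Succeed if post-logout-redirect-uri is exactly https://<API_NAME>.<default domain>.
# $1 = file, $2 = app name, $3 = default domain of the Container Apps environment.
redirect_uri_matches() {
  expected="https://$2.$3"
  actual=$(yaml_value "$1" post-logout-redirect-uri)
  [ "${actual%/}" = "$expected" ]
}

# Run both checks, print findings, and return the number of failed checks.
preflight() {
  failures=0
  secret_is_externalized "$1" ||
    { echo "FAIL: client-secret is stored as a value in $1"; failures=$((failures + 1)); }
  redirect_uri_matches "$1" "$2" "$3" ||
    { echo "FAIL: post-logout-redirect-uri is not https://$2.$3"; failures=$((failures + 1)); }
  return "$failures"
}

# Constructed sample files (not real configuration or a real secret).
demo_dir=$(mktemp -d)
printf '%s\n' 'client-secret: "constructed-not-a-real-secret"' \
  'post-logout-redirect-uri: http://localhost:8080' > "$demo_dir/before.yml"
printf '%s\n' '    client-secret: ${AAD_CLIENT_SECRET}' \
  '    post-logout-redirect-uri: https://ms-identity-api.example-domain.test' > "$demo_dir/after.yml"
preflight "$demo_dir/before.yml" ms-identity-api example-domain.test || echo "before.yml: $? check(s) failed"
preflight "$demo_dir/after.yml" ms-identity-api example-domain.test && echo "after.yml: ready for mvn clean package"
```

Run it against src/main/resources/application.yml with your own app name and default domain before rebuilding; a non-zero return means the file still needs one of the changes described above.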
Update your Microsoft Entra ID app registration
Because the redirect URI changes to your deployed app on Azure Container Apps, you also need to change the redirect URI in your Microsoft Entra ID app registration. Use the following steps to make this change:
Navigate to the Microsoft identity platform for developers App registrations page.
Use the search box to search for your app registration - for example, java-servlet-webapp-authentication.
Open your app registration by selecting its name.
Select Authentication from the menu.
In the Web - Redirect URIs section, select Add URI.
Fill out the URI of your app, appending /login/oauth2/code/ - for example, https://<containerapp-name>.<default domain of container app environment>/login/oauth2/code/.
Select Save.
Deploy the app
Deploy the JAR package to Azure Container Apps.
Note
If necessary, you can specify the JDK version in the Java build environment variables. For more information, see Build environment variables for Java in Azure Container Apps.
Now you can deploy your JAR file with the az containerapp up CLI command.
az containerapp up \
--name $API_NAME \
--resource-group $RESOURCE_GROUP \
--location $LOCATION \
--environment $ENVIRONMENT \
--artifact $JAR_FILE_PATH_AND_NAME \
--ingress external \
--target-port 8080 \
--query properties.configuration.ingress.fqdn
Note
The default JDK version is 17. If you need to change the JDK version for compatibility with your application, you can use the --build-env-vars BP_JVM_VERSION=<YOUR_JDK_VERSION> argument to adjust the version number.
For more build environment variables, see Build environment variables for Java in Azure Container Apps.
Validate the app
In this example, the containerapp up command includes the --query properties.configuration.ingress.fqdn argument, which returns the fully qualified domain name (FQDN), also known as the app's URL. Use the following steps to check the app's logs to investigate any deployment issue:
Access the output application URL from the Outputs page of the Deployment section.
From the navigation pane of the Azure Container Apps instance Overview page, select Logs to check the app's logs.
More information
- Microsoft identity platform (Microsoft Entra ID for developers)
- Overview of Microsoft Authentication Library (MSAL)
- Quickstart: Register an application with the Microsoft identity platform
- Quickstart: Configure a client application to access web APIs
- Understanding Microsoft Entra ID application consent experiences
- Understand user and admin consent
- Application and service principal objects in Microsoft Entra ID
- National Clouds
- MSAL code samples
- Microsoft Entra ID Spring Boot Starter client library for Java
- Microsoft Authentication Library for Java (MSAL4J)
- MSAL4J Wiki
- ID tokens
- Access tokens in the Microsoft identity platform
Next steps
For more information and other deployment options, see the following articles: