Deploy Java Tomcat apps to Azure App Service

This article shows you how to deploy a Tomcat app with sign-in by Microsoft Entra account to Azure App Service.

This article assumes that you completed one of the following articles using only the Run locally tab, and you now want to deploy to Azure. These instructions are the same as the ones in the Deploy to Azure tab in these articles:

Prerequisites

Configure the Maven plugin

When you deploy to Azure App Service, the deployment automatically uses your Azure credentials from the Azure CLI. If the Azure CLI isn't installed locally, then the Maven plugin authenticates with OAuth or device sign-in. For more information, see authentication with Maven plugins.

Use the following steps to configure the plugin:

  1. Run the following command to configure the deployment. This command helps you to set up the Azure App Service operating system, Java version, and Tomcat version.

    mvn com.microsoft.azure:azure-webapp-maven-plugin:2.12.0:config
    
  2. For Create new run configuration, press Y, then press Enter.

  3. For Define value for OS, press 1 for Windows, or 2 for Linux, then press Enter.

  4. For Define value for javaVersion, press 2 for Java 11, then press Enter.

  5. For Define value for webContainer, press 4 for Tomcat 9.0, then press Enter.

  6. For Define value for pricingTier, press Enter to select the default P1v2 tier.

  7. For Confirm, press Y, then press Enter.

The following example shows the output of the deployment process:

    Please confirm webapp properties
    AppName : msal4j-servlet-auth-1707209552268
    ResourceGroup : msal4j-servlet-auth-1707209552268-rg
    Region : centralus
    PricingTier : P1v2
    OS : Linux
    Java Version: Java 11
    Web server stack: Tomcat 9.0
    Deploy to slot : false
    Confirm (Y/N) [Y]: [INFO] Saving configuration to pom.
    [INFO] ------------------------------------------------------------------------
    [INFO] BUILD SUCCESS
    [INFO] ------------------------------------------------------------------------
    [INFO] Total time:  37.112 s
    [INFO] Finished at: 2024-02-06T08:53:02Z
    [INFO] ------------------------------------------------------------------------

After you've confirmed your choices, the plugin adds the required plugin element and settings to your project's pom.xml file to configure your app to run in Azure App Service.

The relevant portion of the pom.xml file should look similar to the following example:

    <build>
        <plugins>
            <plugin>
                <groupId>com.microsoft.azure</groupId>
                <artifactId>azure-webapp-maven-plugin</artifactId>
                <version>x.xx.x</version>
                <configuration>
                    <schemaVersion>v2</schemaVersion>
                    <resourceGroup>your-resourcegroup-name</resourceGroup>
                    <appName>your-app-name</appName>
                    ...
                </configuration>
            </plugin>
        </plugins>
    </build>

You can modify the configurations for App Service directly in your pom.xml. Some common configurations are listed in the following table:

| Property | Required | Description |
| --- | --- | --- |
| subscriptionId | false | The subscription ID. |
| resourceGroup | true | The Azure resource group for your app. |
| appName | true | The name of your app. |
| region | false | The region in which to host your app. The default value is centralus. For valid regions, see Supported Regions. |
| pricingTier | false | The pricing tier for your app. The default value is P1v2 for a production workload. The recommended minimum value for Java development and testing is B2. For more information, see App Service Pricing. |
| runtime | false | The runtime environment configuration. For more information, see Configuration Details. |
| deployment | false | The deployment configuration. For more information, see Configuration Details. |

For the complete list of configurations, see the plugin reference documentation. All the Azure Maven plugins share a common set of configurations. For these configurations, see Common Configurations. For configurations specific to Azure App Service, see Azure app: Configuration Details.

Be sure to note the appName and resourceGroup values for later use.

Prepare the app for deployment

When you deploy your application to App Service, your redirect URL changes to the redirect URL of your deployed app instance. Use the following steps to change these settings in your properties file:

  1. Navigate to your app's authentication.properties file and change the value of app.homePage to your deployed app's domain name, as shown in the following example. For example, if you chose example-domain for your app name in the previous step, you must now use https://example-domain.azurewebsites.net for the app.homePage value. Be sure that you've also changed the protocol from http to https.

    # app.homePage is by default set to dev server address and app context path on the server
    # for apps deployed to azure, use https://your-sub-domain.azurewebsites.net
    app.homePage=https://<your-app-name>.azurewebsites.net
    
  2. After saving this file, use the following command to rebuild your app:

    mvn clean package
    

Update your Microsoft Entra ID app registration

Because the redirect URI changes when you deploy your app to Azure App Service, you also need to change the redirect URI in your Microsoft Entra ID app registration. Use the following steps to make this change:

  1. Navigate to the Microsoft identity platform for developers App registrations page.

  2. Use the search box to search for your app registration - for example, java-servlet-webapp-authentication.

  3. Open your app registration by selecting its name.

  4. Select Authentication from the menu.

  5. In the Web - Redirect URIs section, select Add URI.

  6. Fill out the URI of your app, appending /auth/redirect - for example, https://<your-app-name>.azurewebsites.net/auth/redirect.

  7. Select Save.

Deploy the app

You're now ready to deploy your app to Azure App Service. Use the following command to make sure you're signed in to your Azure environment to execute the deployment:

    az login

With all the configuration ready in your pom.xml file, you can now use the following command to deploy your Java app to Azure:

    mvn package azure-webapp:deploy

After deployment is completed, your application is ready at https://<your-app-name>.azurewebsites.net/, the same https address you set for app.homePage. Open the URL with your local web browser, where you should see the start page of the msal4j-servlet-auth application.

Remove secret values

The authentication.properties file of the application currently holds the value of your client secret in the aad.secret parameter. It isn't good practice to keep this value in this file. You might also be taking a risk if you commit it to a Git repository.

As an extra security step, you can store this value in Azure Key Vault and use Key Vault References to make it available in your application.

Use the following steps to move the value of aad.secret to Key Vault and use it in your code:

  1. Use the following commands to create an Azure Key Vault instance:

    export RESOURCE_GROUP=<your-resource-group-name>
    export KEY_VAULT=<your-key-vault-name>
    az keyvault create \
        --resource-group $RESOURCE_GROUP \
        --name $KEY_VAULT
    
  2. Use the following commands to add the secret value of aad.secret to your key vault as a new secret:

    az keyvault secret set \
        --vault-name $KEY_VAULT \
        --name "AADSECRET" \
        --value "<the-value-of-your-client-secret>"
    
  3. You now need to give your app access to your key vault. To do this task, first create a new identity for your app by using the following commands:

    export WEB_APP_NAME=<your-web-app-name>
    az webapp identity assign \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME
    
  4. Use the following commands to give this identity get and list permission on the secrets in your Key Vault:

    export IDENTITY=$(az webapp identity show \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME \
        --query principalId \
        --output tsv)
    az keyvault set-policy \
        --resource-group $RESOURCE_GROUP \
        --name $KEY_VAULT \
        --secret-permissions get list \
        --object-id $IDENTITY
    
  5. Use the following command to create an application setting in your app that uses a key vault reference to the secret in your key vault. This setting makes the value of the secret available to your app as an environment variable.

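    # Double quotes let the shell expand $KEY_VAULT; inside single quotes the
    # literal text "$KEY_VAULT" would be stored and the reference wouldn't resolve.
    az webapp config appsettings set \
        --resource-group $RESOURCE_GROUP \
        --name $WEB_APP_NAME \
        --settings "AADSECRET=@Microsoft.KeyVault(VaultName=$KEY_VAULT;SecretName=AADSECRET)"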
    
  6. Use the following code to load this value from the environment variables. In the \src\main\java\com\microsoft\azuresamples\msal4j\helpers\Config.java file, on line 41, change the current statement to the following line:

    public static final String SECRET = System.getenv("AADSECRET");
    
  7. You can now delete the aad.secret key and value from the authentication.properties file.

  8. Rebuild the code by using the following command:

    mvn clean package
    
  9. Redeploy the application by using the following command:

    mvn package azure-webapp:deploy
    

Your deployment is now complete.
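
The following checks are an added example, not part of the original sample. Run before the rebuild and redeploy in steps 8 and 9, they confirm that authentication.properties no longer carries a value for aad.secret, that app.homePage uses https, and that the app setting value from step 5 is a fully expanded Key Vault reference. The function names and the sample data are assumptions, and the reference check covers only the VaultName/SecretName form used in step 5.

```bash
#!/usr/bin/env bash
# Added example: checks to run before "mvn package azure-webapp:deploy".
# Function names are hypothetical; sample data below is constructed.

# Fail if the properties file still holds a client secret (step 7 not done)
# or if app.homePage is missing or not an https:// URL.
check_properties() {
    props_rc=0
    # An uncommented aad.secret key followed by a non-blank value is a leftover.
    if grep -Eq '^[[:space:]]*aad\.secret[[:space:]]*[=:][[:space:]]*[^[:space:]]' "$1"; then
        echo "FAIL: aad.secret still has a value in $1" >&2
        props_rc=1
    fi
    if ! grep -Eq '^[[:space:]]*app\.homePage[[:space:]]*[=:][[:space:]]*https://' "$1"; then
        echo "FAIL: app.homePage missing or not https:// in $1" >&2
        props_rc=1
    fi
    return "$props_rc"
}

# Fail unless the value is a Key Vault reference in the VaultName/SecretName
# form from step 5 with the vault name already expanded (no leftover "$VAR").
check_kv_reference() {
    kv_re='^@Microsoft\.KeyVault\(VaultName=[A-Za-z][A-Za-z0-9-]{2,23};SecretName=[A-Za-z0-9-]{1,127}\)$'
    if printf '%s\n' "$1" | grep -Eq "$kv_re"; then
        return 0
    fi
    echo "FAIL: not a usable Key Vault reference: $1" >&2
    return 1
}

# Demo on constructed input: the file as it looks before and after step 7.
demo() {
    demo_dir=$(mktemp -d)
    printf 'app.homePage=https://example-domain.azurewebsites.net\naad.secret=constructed-value\n' \
        > "$demo_dir/before.properties"
    printf 'app.homePage=https://example-domain.azurewebsites.net\n' \
        > "$demo_dir/after.properties"
    for f in before after; do
        if check_properties "$demo_dir/$f.properties"; then echo "$f: ok"; else echo "$f: rejected"; fi
    done
    # The second value is what single-quoting the setting in the shell would store.
    for v in '@Microsoft.KeyVault(VaultName=my-vault-01;SecretName=AADSECRET)' \
             '@Microsoft.KeyVault(VaultName=$KEY_VAULT;SecretName=AADSECRET)'; do
        if check_kv_reference "$v"; then echo "reference ok: $v"; fi
    done
    rm -rf "$demo_dir"
}
demo
```

If App Service can't resolve a Key Vault reference, the app receives the reference string itself as the value of AADSECRET, so a sign-in failure after redeploying is worth checking against the stored app setting value first.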
