add oAuth2, openid check, spring security message

rules/rules-overridden-azure/technology-usage/security.windup.xml

@@ -57,5 +57,83 @@
                 <technology-tag level="INFORMATIONAL">OpenSAML</technology-tag>
             </perform>
         </rule>
+        <rule id="security-03600">
+            <when>
+                <or>
+                    <!-- Spring component declared in source code condition -->
+                    <project>
+                        <artifact groupId="org.springframework.security" artifactId="spring-security-core"/>
+                    </project>
+                    <!-- Spring Boot component declared in source code condition -->
+                    <project>
+                        <artifact groupId="org.springframework.boot" artifactId="spring-boot-starter-security"/>
+                    </project>
+                    <!-- Spring component in compiled application condition -->
+                    <dependency groupId="org.springframework.security" artifactId="spring-security-core"/>
+                </or>
+            </when>
+            <perform>
+                <hint title="Embedded framework - Spring Security" category-id="information" effort="0">
+                    <message>
+                        The application embeds a Spring Security library. Ensure that the application is configured to access the identity provider.
+
+                        Consider using Azure Active Directory as an identity provider.
+                    </message>
+                </hint>
+                <link title="Spring Security-related dependencies found in the project" href="https://learn.microsoft.com/azure/developer/java/migration/migrate-spring-boot-to-app-service#identity-providers"/>
+                <link title="Azure Active Directory (Azure AD) identity provider for External Identities" href="https://docs.microsoft.com/azure/active-directory/external-identities/azure-ad-account"/>
+                <link title="Spring Security" href="https://docs.spring.io/spring-security/reference/index.html"/>
+                <link title="Spring Boot API: Authorization" href="https://auth0.com/docs/quickstart/backend/java-spring-security5/01-authorization"/>
+                <technology-tag level="INFORMATIONAL">Spring Security</technology-tag>
+            </perform>
+        </rule>
+        <rule id="security-03700">
+            <when>
+                <file filename="{*}oauth2{*}.jar"/>
+            </when>
+            <perform>
+                <hint title="Embedded library - OAuth 2.0" category-id="information" effort="0">
+                    <message>
+                        The application embeds an OAuth 2.0 library. For Spring Boot applications, please ensure that the application is configured to use Spring Security OAuth2.
+
+                        The Microsoft identity platform uses OAuth 2.0 and other protocols to enable applications to provide a Single Sign-On experience.
+
+                        By migrating your SSO implementation to Azure AD with OAuth 2.0, you leverage the capabilities of Azure AD for managing identities and enabling secure SSO across your applications.
+                        Azure AD offers features like multi-factor authentication, conditional access policies, and seamless integration with various SaaS applications, providing a robust and scalable solution for identity and access management in the cloud.
+                    </message>
+                    <link title="OAuth 2.0 authentication with Azure Active Directory" href="https://learn.microsoft.com/azure/active-directory/architecture/auth-oauth2"/>
+                    <link title="OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform" href="https://learn.microsoft.com/azure/active-directory/develop/v2-protocols"/>
+                    <link title="Application types and OAuth2" href="https://learn.microsoft.com/azure/active-directory/develop/v2-app-types"/>
+                    <link title="Spring Cloud Security quickstart" href="https://spring.io/projects/spring-cloud-security"/>
+                    <link title="Microsoft identity platform documentation" href="https://learn.microsoft.com/azure/active-directory/develop"/>
+                    <link title="Azure Active Directory documentation" href="https://learn.microsoft.com/en-us/azure/active-directory"/>
+                </hint>
+                <technology-tag level="INFORMATIONAL">OAuth 2.0</technology-tag>
+            </perform>
+        </rule>
+        <rule id="security-03800">
+            <when>
+                <or>
+                    <file filename="{*}openid4java{*}.jar"/>
+                    <file filename="{*}pac4j-oidc{*}.jar"/>
+                </or>
+            </when>
+            <perform>
+                <hint title="Embedded library - OpenID" category-id="information" effort="0">
+                    <message>
+                        The application embeds an OpenID library. The Microsoft identity platform uses OpenID and other protocols to enable applications to provide a Single Sign-On experience.
+
+                        By migrating your SSO implementation to Azure AD with OpenID, you leverage the capabilities of Azure AD for managing identities and enabling secure SSO across your applications.
+                        Azure AD offers features like multi-factor authentication, conditional access policies, and seamless integration with various SaaS applications, providing a robust and scalable solution for identity and access management in the cloud.
+                    </message>
+                    <link title="OpenID Connect authentication with Azure Active Directory" href="https://learn.microsoft.com/azure/active-directory/architecture/auth-oidc"/>
+                    <link title="OAuth 2.0 and OpenID Connect protocols on the Microsoft Identity Platform" href="https://learn.microsoft.com/azure/active-directory/develop/v2-protocols"/>
+                    <link title="OpenID Connect on the Microsoft identity platform" href="https://learn.microsoft.com/azure/active-directory/develop/v2-protocols-oidc"/>
+                    <link title="Microsoft identity platform documentation" href="https://learn.microsoft.com/azure/active-directory/develop"/>
+                    <link title="Azure Active Directory documentation" href="https://learn.microsoft.com/en-us/azure/active-directory"/>
+                </hint>
+                <technology-tag level="INFORMATIONAL">OpenID</technology-tag>
+            </perform>
+        </rule>
     </rules>
 </ruleset>

rules/rules-overridden-azure/technology-usage/tests/security-target-azure-appservice.windup.test.xml

@@ -34,6 +34,36 @@
                     <fail message="OpenSAML hint for Azure was not found!"/>
                 </perform>
             </rule>
+            <rule id="security-azure-appservice-03600-test">
+                <when>
+                    <not>
+                        <hint-exists message="The application embeds a Spring Security library. Ensure that the application is configured to access the identity provider"/>
+                    </not>
+                </when>
+                <perform>
+                    <fail message="Spring Security hint for Azure was not found!"/>
+                </perform>
+            </rule>
+            <rule id="security-azure-appservice-03700-test">
+                <when>
+                    <not>
+                        <hint-exists message="The application embeds an OAuth 2.0 library. For Spring Boot applications, please ensure that the application is configured to use Spring Security OAuth2"/>
+                    </not>
+                </when>
+                <perform>
+                    <fail message="OAuth 2.0 hint for Azure was not found!"/>
+                </perform>
+            </rule>
+            <rule id="security-azure-appservice-03800-test">
+                <when>
+                    <not>
+                        <hint-exists message="The application embeds an OpenID library. The Microsoft identity platform uses OpenID and other protocols to enable applications"/>
+                    </not>
+                </when>
+                <perform>
+                    <fail message="OpenID hint for Azure was not found!"/>
+                </perform>
+            </rule>
         </rules>
     </ruleset>
 </ruletest>

rules/rules-overridden-azure/technology-usage/tests/security-target-discovery.windup.test.xml

@@ -32,6 +32,17 @@
                     <fail message="Expected data not found for rule security-02800"/>
                 </perform>
             </rule>
+            <rule id="security-discovery-03600-test">
+                <when>
+                    <not>
+                        <classification-exists classification="Embedded library - Spring Security"/>
+                        <technology-tag-exists technology-tag="Spring Security"/>
+                    </not>
+                </when>
+                <perform>
+                    <fail message="Expected data not found for rule security-03600"/>
+                </perform>
+            </rule>
         </rules>
     </ruleset>
 </ruletest>