fix: align workshop guides and deploy scripts with current architecture

- update Exercise 1 to remove Spring Cloud Azure AAD property references
- update Exercise 2 to expect 200 (dev profile permits all) instead of 401
- update Exercise 3 to include Step 0 for enabling JWT validation and method security
- update configure-app-settings.sh to use JWT_ISSUER_URI and JWT_AUDIENCE env vars
- add *.log to .gitignore and remove tracked applicationinsights.log

🔧 - Generated by Copilot

Author: emmanuelknafo

.gitignore

@@ -25,6 +25,7 @@ target/
 *.ear
 hs_err_pid*
 replay_pid*
+*.log
 
 # --- IDE ---
 .idea/

sample-app/api/applicationinsights.log

@@ -150,9 +150,9 @@ echo "==> Configuring API App Service: ${API_APP_NAME}..."
 API_IDENTIFIER_URI="api://${API_CLIENT_ID}"
 
 API_SETTINGS=(
-    "AZURE_AD_CLIENT_ID=${API_CLIENT_ID}"
-    "AZURE_AD_TENANT_ID=${TENANT_ID}"
-    "AZURE_AD_APP_ID_URI=${API_IDENTIFIER_URI}"
+    "AZURE_TENANT_ID=${TENANT_ID}"
+    "JWT_ISSUER_URI=https://login.microsoftonline.com/${TENANT_ID}/v2.0"
+    "JWT_AUDIENCE=${API_IDENTIFIER_URI}"
     "AZURE_STORAGE_ACCOUNT_NAME=${STORAGE_ACCOUNT_NAME}"
     "AZURE_STORAGE_CONTAINER_NAME=${CONTAINER_NAME}"
     "WEBSITES_PORT=8080"
@@ -170,9 +170,9 @@ az webapp config appsettings set \
     --output none
 
 echo "    API settings configured:"
-echo "      AZURE_AD_CLIENT_ID"
-echo "      AZURE_AD_TENANT_ID"
-echo "      AZURE_AD_APP_ID_URI"
+echo "      AZURE_TENANT_ID"
+echo "      JWT_ISSUER_URI"
+echo "      JWT_AUDIENCE"
 echo "      AZURE_STORAGE_ACCOUNT_NAME"
 echo "      AZURE_STORAGE_CONTAINER_NAME"
 echo "      WEBSITES_PORT=8080"

scripts/configure-app-settings.sh

@@ -113,14 +113,16 @@ export const environment = {
 
 ### Step 10: Update the API Configuration
 
-Open `sample-app/api/src/main/resources/application-dev.properties` and replace the placeholder values:
+The API uses standard Spring Security OAuth2 Resource Server for JWT validation. The `dev` profile runs without JWT validation so you can explore the API immediately. For production deployment (Exercise 4), the JWT issuer URI and audience are set via environment variables.
 
-```properties
-spring.cloud.azure.active-directory.credential.client-id=<API-CLIENT-ID>
-spring.cloud.azure.active-directory.profile.tenant-id=<TENANT-ID>
-spring.security.oauth2.resourceserver.jwt.audiences=api://<API-CLIENT-ID>
-spring.security.oauth2.resourceserver.jwt.issuer-uri=https://login.microsoftonline.com/<TENANT-ID>/v2.0
-```
+No changes to `application-dev.properties` are needed at this point. The API configuration is updated during deployment in Exercise 4.
+
+> **Note:** If you want to enable JWT validation locally, set these environment variables before starting the API:
+>
+> ```bash
+> export JWT_ISSUER_URI=https://login.microsoftonline.com/<TENANT-ID>/v2.0
+> export JWT_AUDIENCE=api://<API-CLIENT-ID>
+> ```
 
 ## Scripted Alternative
 
@@ -144,7 +146,7 @@ Confirm your setup by checking these items:
 - [ ] SPA has `Evidence.Read` delegated permission granted
 - [ ] SPA is pre-authorized on the API
 - [ ] `environment.ts` contains real Client ID, Tenant ID, and scope URI
-- [ ] `application-dev.properties` contains real Client ID, Tenant ID, and audience
+- [ ] You have recorded the API Client ID, SPA Client ID, and Tenant ID for later exercises
 
 ## Troubleshooting
 

workshop/guides/exercise-1-app-registrations.md

@@ -27,15 +27,15 @@ mvn spring-boot:run -Dspring-boot.run.profiles=dev
 
 Wait for the log line `Started EvidenceApiApplication` before proceeding. The API runs on `http://localhost:8080`.
 
-### Step 2: Verify the API Requires Authentication
+### Step 2: Verify the API Is Running
 
-In a second terminal, send an unauthenticated request:
+In a second terminal, send a request:
 
 ```bash
-curl -s -o /dev/null -w "%{http_code}" http://localhost:8080/api/me
+curl -s http://localhost:8080/api/cases | head -c 200
 ```
 
-Expected result: `401`. This confirms the API rejects requests without a valid Bearer token.
+Expected result: a JSON array of 5 mock cases. In the `dev` profile, all endpoints are open for exploration without authentication. JWT validation is enabled when deploying to Azure (Exercise 4).
 
 ### Step 3: Install SPA Dependencies and Start the SPA
 
@@ -103,7 +103,7 @@ Select **Sign Out** in the navigation bar. Verify:
 
 Confirm each of these items works correctly:
 
-- [ ] API starts and returns 401 for unauthenticated requests
+- [ ] API starts successfully and returns case data at `http://localhost:8080/api/cases`
 - [ ] SPA compiles and loads at `http://localhost:4200`
 - [ ] Sign-in redirects to Entra ID and returns an authenticated session
 - [ ] Case list loads with sample data

workshop/guides/exercise-2-run-locally.md

@@ -16,6 +16,28 @@ Experience the full role-based access control (RBAC) cycle: attempt a protected
 
 ## Steps
 
+### Step 0: Enable JWT Validation and Method Security
+
+The `dev` profile permits all requests and disables `@PreAuthorize` to allow exploration. To experience the RBAC cycle, you must switch to a profile with real JWT validation.
+
+1. Stop the API if it is running (Ctrl+C).
+2. Set your Entra ID configuration as environment variables:
+
+```bash
+export JWT_ISSUER_URI=https://login.microsoftonline.com/<TENANT-ID>/v2.0
+export JWT_AUDIENCE=api://<API-CLIENT-ID>
+export SPRING_PROFILES_ACTIVE=prod
+```
+
+3. Restart the API:
+
+```bash
+cd sample-app/api
+mvn spring-boot:run
+```
+
+> **Why?** Method security annotations (`@PreAuthorize`) are only enforced in non-dev profiles. The `MethodSecurityConfig` class enables `@EnableMethodSecurity` only for the `!dev` profile.
+
 ### Step 1: Examine the POST Endpoint
 
 Open `sample-app/api/src/main/java/com/example/evidence/controller/CaseController.java` and locate the `POST /api/cases` method. Notice the `@PreAuthorize("hasAuthority('ROLE_CaseAdmin')")` annotation. This annotation restricts the endpoint to users whose JWT contains `CaseAdmin` in the `roles` claim.
@@ -128,4 +150,4 @@ If you need to check your work or catch up, solution files are available:
 | Role not visible in Enterprise applications | Looking at the App registration instead of Enterprise application | App roles are assigned under **Enterprise applications**, not App registrations |
 | `roles` claim missing from JWT | Role assignment did not propagate | Wait 1-2 minutes, sign out, sign back in, and check the token again |
 | 500 error on POST instead of 201 | Request body missing required fields | Ensure the JSON body includes `title` and `description` fields |
-| `@PreAuthorize` not enforced (any user can POST) | `@EnableMethodSecurity` annotation missing from security configuration | Verify `SecurityConfig.java` has `@EnableMethodSecurity` on the class |
+| `@PreAuthorize` not enforced (any user can POST) | Running with the `dev` profile which disables method security | Restart the API with a non-dev profile: set `SPRING_PROFILES_ACTIVE=prod` and provide `JWT_ISSUER_URI` and `JWT_AUDIENCE` environment variables |