Skip to content

Add configured certificate filtering and lazy loading in KeyVault JCA#49774

Open
rujche wants to merge 20 commits into
mainfrom
rujche/main/Just-load-configured-certificates-in-azure-security-keyvault-jca
Open

Add configured certificate filtering and lazy loading in KeyVault JCA#49774
rujche wants to merge 20 commits into
mainfrom
rujche/main/Just-load-configured-certificates-in-azure-security-keyvault-jca

Conversation

@rujche

@rujche rujche commented Jul 10, 2026

Copy link
Copy Markdown
Member

Description

All SDK Contribution checklist:

  • The pull request does not introduce [breaking changes]
  • CHANGELOG is updated for new features, bug fixes or other significant changes.
  • I have read the contribution guidelines.

General Guidelines and Best Practices

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which have an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes.

Copilot AI review requested due to automatic review settings July 10, 2026 01:43
@rujche rujche requested review from a team as code owners July 10, 2026 01:43
@rujche rujche self-assigned this Jul 10, 2026
@rujche rujche added azure-spring All azure-spring related issues azure-spring-jca labels Jul 10, 2026
@rujche rujche moved this to In Progress in Spring Cloud Azure Jul 10, 2026
@rujche rujche added this to the 2026-08 milestone Jul 10, 2026
@rujche rujche requested a review from moarychan July 10, 2026 01:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR enhances azure-security-keyvault-jca to reduce unnecessary Key Vault reads by (1) allowing users to configure a subset of certificate aliases to consider and (2) lazily loading certificate details only when a specific alias is requested—addressing the scenario described in #39487 (iterating/fetching all aliases when only one is configured).

Changes:

  • Added azure.keyvault.jca.certificates system property support to filter Key Vault certificate aliases to a configured subset.
  • Implemented lazy loading of Key Vault certificate key/certificate/chain data per alias (instead of eagerly loading all details on refresh).
  • Updated tests and documentation (README + CHANGELOG) to cover and describe the new behavior.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Show a summary per file
File Description
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/KeyVaultKeyStore.java Wires configured alias filtering into keystore initialization and routes Key Vault lookups through lazy-loading accessors.
sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificates.java Implements configured-alias filtering and lazy loading of certificate details per alias.
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/KeyVaultKeyStoreUnitTest.java Adds unit coverage for parsing configured aliases and verifying they are passed into KeyVaultCertificates.
sdk/keyvault/azure-security-keyvault-jca/src/test/java/com/azure/security/keyvault/jca/implementation/certificates/KeyVaultCertificatesTest.java Adds unit coverage ensuring alias listing is not eager and that only requested/configured aliases trigger Key Vault reads.
sdk/keyvault/azure-security-keyvault-jca/README.md Documents the new azure.keyvault.jca.certificates configuration option.
sdk/keyvault/azure-security-keyvault-jca/CHANGELOG.md Records the new filtering + lazy-loading features for the upcoming release.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 6 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated no new comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.

Comment on lines +286 to +290
private void loadCertificateIfNeeded(String alias) {
refreshCertificatesIfNeeded();
KeyVaultClient currentKeyVaultClient = getKeyVaultClient();

if (alias == null || currentKeyVaultClient == null) {
Comment on lines +312 to +316
private void loadCertificateChainIfNeeded(String alias) {
refreshCertificatesIfNeeded();
KeyVaultClient currentKeyVaultClient = getKeyVaultClient();

if (alias == null || currentKeyVaultClient == null) {
Comment on lines +338 to 362
private void loadCertificateKeyIfNeeded(String alias) {
refreshCertificatesIfNeeded();
KeyVaultClient currentKeyVaultClient = getKeyVaultClient();

if (alias == null || currentKeyVaultClient == null) {
return;
}

synchronized (this) {
if (loadedCertificateKeyAliases.contains(alias)
|| !Optional.ofNullable(aliases).orElse(Collections.emptyList()).contains(alias)) {
return;
}

try {
Key loadedKey = currentKeyVaultClient.getKey(alias, null);
if (loadedKey != null) {
certificateKeys.put(alias, loadedKey);
loadedCertificateKeyAliases.add(alias);
}
} catch (RuntimeException exception) {
LOGGER.log(WARNING, exception, () -> "Failed to load certificate key for alias: " + alias);
}
}
}
@@ -141,6 +141,7 @@ The JCA library supports configuring the following options:
* `azure.keyvault.jca.refresh-certificates-when-have-un-trust-certificate`: Indicates whether to refresh certificates when have untrusted certificate.
* `azure.keyvault.jca.certificates-refresh-interval`: The refresh interval time.
* `azure.keyvault.jca.certificates-refresh-interval-in-ms`: The refresh interval time.

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Assuming the KV contains many certificates, I want to support the following filtering logic:

  • Forward filtering: Users can select aliases from a list of names or regular expressions. Without configuration, all aliases are read by default.

  • Reverse filtering: Exclusion by name or regular expression. Without configuration, no exclusions are allowed by default.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

azure-spring All azure-spring related issues azure-spring-jca KeyVault

Projects

Status: Untriaged
Status: In Progress

Development

Successfully merging this pull request may close these issues.

[FEATURE REQ] Just load configured certificates in azure-security-keyvault-jca

3 participants