我正在尝试基于 Azure AD 实现 SSO 和 Spring Security，前端是 Angular，后端是 Spring Boot。下面是我的部分代码。我漏掉了什么？请帮忙看看。我遇到了 403 错误，不确定问题出在哪里；Azure 已经配置好，类似的示例也能正常运行，只是在我自己的应用里实现不了。
@EnableGlobalMethodSecurity(securedEnabled = true, prePostEnabled = true)
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {

    @Autowired
    private AADAuthenticationFilter aadAuthFilter;

    /**
     * Builds the HTTP security filter chain.
     *
     * <p>CORS is enabled, {@code /api/**} requires an authenticated principal and every other
     * path is open; the CSRF token is stored in a cookie readable by script; {@code /logout}
     * clears the session cookie and returns to {@code /}; the Azure AD filter runs ahead of the
     * username/password filter.
     *
     * @param http the builder supplied by Spring Security
     * @throws Exception propagated from the builder
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // Every section below configures the same HttpSecurity; in the chained form
        // `.and()` merely returns this builder, so separate statements are equivalent.
        http.cors();

        http.authorizeRequests()
            .antMatchers("/index").permitAll()
            .antMatchers("/api/**").authenticated()
            .anyRequest().permitAll();

        // NOTE(review): Angular's built-in XSRF interceptor only attaches the X-XSRF-TOKEN header
        // to same-origin (relative) URLs. If the SPA runs on a different origin than this backend,
        // a POST to /api/** arrives without the header and is rejected with 403 by the CSRF filter
        // unless the client sends it explicitly — confirm this is not the 403 being observed.
        http.csrf()
            .csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse());

        http.logout()
            .logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
            .deleteCookies("JSESSIONID")
            .logoutSuccessUrl("/")
            .invalidateHttpSession(true);

        // Parses the bearer token and populates the SecurityContext before form-login would run.
        http.addFilterBefore(aadAuthFilter, UsernamePasswordAuthenticationFilter.class);
    }
}
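azure:
  activedirectory:
    tenant-id: xxxxx-xxxxxx-xxx--xxxxxxxxxx
    client-id: xxxxx-xxxxxx-xxx--xxxxxxxxxx
    # Keep the real secret out of version control: supply it through an environment
    # variable or externalized configuration (Spring Boot relaxed binding reads
    # AZURE_ACTIVEDIRECTORY_CLIENT_SECRET) rather than a committed value.
    client-secret: xxxxx-xxxxxx-xxx--xxxxxxxxxx
    # Optional, default value is http://localhost:8080/
    redirect-uri-template: http://localhost:8080/
    # groups that you created in your Azure AD tenant
    user-group:
      allowed-groups: PDP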
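@CrossOrigin
@RestController
public class LoginController {

    // Fixes the garbled `@Autowirednsta` annotation, which does not compile.
    @Autowired
    private AADAuthenticationProperties aadAuthenticationProperties;

    /**
     * Role-protected probe endpoint.
     *
     * <p>Only the presence of the Authorization header is reported: the bearer token is a
     * credential and must never be written to stdout or log files.
     *
     * @param headers the request headers
     * @return a fixed JSON greeting
     */
    @PreAuthorize("hasRole('PDP')")
    @GetMapping(path = "/hello")
    public String hello(@RequestHeader HttpHeaders headers) {
        boolean hasAuthorization = headers.containsKey(HttpHeaders.AUTHORIZATION);
        System.out.println("AUTHORIZATION HEADER present: " + hasAuthorization);
        return "{\"value\": \"Hello Word!\"}";
    }

    /**
     * Renders the landing page with the Azure AD values the front end needs.
     *
     * @return the "index" view with client id, tenant id and redirect URI attributes
     */
    @RequestMapping({"/"})
    public ModelAndView index() {
        ModelAndView model = new ModelAndView("index");
        model.addObject("aad_clientId", aadAuthenticationProperties.getClientId());
        model.addObject("aad_tenantId", aadAuthenticationProperties.getTenantId());
        // Falls back to the same default the property itself documents.
        model.addObject("aad_redirectUri", Optional
            .ofNullable(aadAuthenticationProperties.getRedirectUriTemplate())
            .orElse("http://localhost:8080/"));
        return model;
    }

    /**
     * Persists a list of SO entities.
     *
     * <p>The former {@code try { ... } catch (Exception e) { throw e; }} was a no-op rethrow and
     * has been removed; exceptions propagate unchanged. {@code soService} is not declared in
     * this excerpt — presumably an injected field defined elsewhere.
     *
     * @param soList the entities to save
     * @return 200 with the saved entities
     */
    @PreAuthorize("hasRole('PDP')")
    @PostMapping(value = SO_URI + SAVE_SO_LIST)
    public ResponseEntity<List<SO>> saveSOList(@RequestBody List<SO> soList) {
        List<SO> response = soService.saveSOList(soList);
        return ResponseEntity.ok(response);
    }
}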
export function MSALInstanceFactory(): IPublicClientApplication {
  // Public-client (SPA) settings: the front-end app registration's client id and the
  // redirect URI registered for it. The id shown here is a placeholder.
  const authConfig = {
    clientId: 'xxxxx-xxxxxx-xxx--xxxxxxxxxx',
    redirectUri: 'http://localhost:4200'
  };
  return new PublicClientApplication({ auth: authConfig });
}
export function MSALInterceptorConfigFactory(): MsalInterceptorConfiguration {
  // Resource URL -> scopes MsalInterceptor acquires before attaching a bearer token.
  // NOTE(review): depending on the msal-angular version, the 'http://localhost:8080/' key may
  // match only that exact URL rather than every path beneath it — confirm that requests to
  // http://localhost:8080/api/... actually carry an Authorization header; a 401/403 from the
  // backend on those calls without one points here.
  const protectedResourceMap = new Map<string, Array<string>>([
    ['https://graph.microsoft.com/v1.0/me', ['user.read', 'mail.read']],
    ['http://localhost:8080/', ['api://xxxxx-xxxxxx-xxx--xxxxxxxxxx/login']]
  ]);
  return { interactionType: InteractionType.Redirect, protectedResourceMap };
}
providers: [
{
provide: LocationStrategy,
useClass: HashLocationStrategy
},
{
provide: HTTP_INTERCEPTORS,
useClass: MsalInterceptor,
multi: true
},
{
provide: MSAL_INSTANCE,
useFactory: MSALInstanceFactory
},
{
provide: MSAL_INTERCEPTOR_CONFIG,
useFactory: MSALInterceptorConfigFactory
},
MsalService,
]