Next try for remember me

2026-03-11 05:21:07 +01:00 · 2025-06-27 14:41:48 +02:00
parent 9621360647
commit 3df5670015
4 changed files with 86 additions and 5 deletions
--- a/src/main/java/org/kickerelo/kickerelo/config/SecurityConfig.java
+++ b/src/main/java/org/kickerelo/kickerelo/config/SecurityConfig.java
@@ -0,0 +1,20 @@
+package org.kickerelo.kickerelo.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.Profile;
+import org.springframework.jdbc.core.JdbcTemplate;
+import org.springframework.security.oauth2.client.JdbcOAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.OAuth2AuthorizedClientService;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+
+@Profile("prod")
+@Configuration
+public class SecurityConfig {
+    @Bean
+    public OAuth2AuthorizedClientService authorizedClientService(
+            JdbcTemplate jdbcTemplate,
+            ClientRegistrationRepository clientRegistrationRepository) {
+        return new JdbcOAuth2AuthorizedClientService(jdbcTemplate, clientRegistrationRepository);
+    }
+}
--- a/src/main/java/org/kickerelo/kickerelo/config/SecurityConfiguration.java
+++ b/src/main/java/org/kickerelo/kickerelo/config/SecurityConfiguration.java
@@ -2,31 +2,77 @@ package org.kickerelo.kickerelo.config;

 import java.security.SecureRandom;
 import java.util.Base64;
+
+import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.context.annotation.Profile;
+import org.springframework.jdbc.core.JdbcTemplate;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;

 import com.vaadin.flow.spring.security.VaadinWebSecurity;
+import org.springframework.security.oauth2.client.*;
+import org.springframework.security.oauth2.client.registration.ClientRegistrationRepository;
+import org.springframework.security.oauth2.client.web.DefaultOAuth2AuthorizedClientManager;
+import org.springframework.security.oauth2.client.web.OAuth2AuthorizedClientRepository;
+import org.springframework.security.web.SecurityFilterChain;

@Profile("prod")
@Configuration
-class SecurityConfiguration extends VaadinWebSecurity {
+class SecurityConfiguration {
+
+    private final OAuth2AuthorizedClientService authorizedClientService;
+
+    // Inject the persistent authorized client service we configured previously
+    public SecurityConfiguration(OAuth2AuthorizedClientService authorizedClientService) {
+        this.authorizedClientService = authorizedClientService;
+    }

    private static String rememberMeSecret = null;

-    @Override
    protected void configure(HttpSecurity http) throws Exception {
        if (rememberMeSecret == null) rememberMeSecret = generateSecret();

        http.authorizeHttpRequests(auth -> auth
                .requestMatchers("/app/admin/**", "/app/admin", "/app/app/admin/**", "/app/app/admin").hasAuthority("Kicker Admin")
                .anyRequest().permitAll())
-            .rememberMe(rememberMe -> rememberMe.key(rememberMeSecret))
            .oauth2Login(org.springframework.security.config.Customizer.withDefaults())
            .logout(logout -> logout.logoutSuccessUrl("/"))
            .csrf(csrf -> csrf.disable());
    }

+
+    @Bean
+    public OAuth2AuthorizedClientManager authorizedClientManager(
+            ClientRegistrationRepository clientRegistrationRepository,
+            OAuth2AuthorizedClientRepository authorizedClientRepository) {
+
+        OAuth2AuthorizedClientProvider authorizedClientProvider =
+                OAuth2AuthorizedClientProviderBuilder.builder()
+                        .authorizationCode()
+                        .refreshToken()
+                        .clientCredentials()
+                        .build();
+
+        DefaultOAuth2AuthorizedClientManager authorizedClientManager =
+                new DefaultOAuth2AuthorizedClientManager(
+                        clientRegistrationRepository, authorizedClientRepository);
+        authorizedClientManager.setAuthorizedClientProvider(authorizedClientProvider);
+
+        return authorizedClientManager;
+    }
+
+    @Bean
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        http.authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/app/admin/**", "/app/admin", "/app/app/admin/**", "/app/app/admin").hasAuthority("Kicker Admin")
+                        .anyRequest().permitAll())
+                .oauth2Login(org.springframework.security.config.Customizer.withDefaults())
+                .logout(logout -> logout.logoutSuccessUrl("/"))
+                .csrf(csrf -> csrf.disable());
+
+        return http.build();
+    }
+
    private String generateSecret() {
        SecureRandom random = new SecureRandom();
        byte[] bytes = new byte[24];
--- a/src/main/resources/application-prod.properties
+++ b/src/main/resources/application-prod.properties
@@ -13,7 +13,7 @@ spring.jpa.open-in-view=false
 # == OIDC Configuration ==
 spring.security.oauth2.client.registration.oidc.client-id=${OIDC_CLIENT_ID}
 spring.security.oauth2.client.registration.oidc.client-secret=${OIDC_CLIENT_SECRET}
-spring.security.oauth2.client.registration.oidc.scope=openid,email,profile
+spring.security.oauth2.client.registration.oidc.scope=openid,email,profile,offline_access
 spring.security.oauth2.client.registration.oidc.redirect-uri=${OIDC_REDIRECT_URI}
 spring.security.oauth2.client.provider.oidc.jwk-set-uri=${OIDC_JWK_SET_URI}
 spring.security.oauth2.client.provider.oidc.issuer-uri=${OIDC_ISSUER_URI}
--- a/src/main/resources/schema.sql
+++ b/src/main/resources/schema.sql
@@ -55,4 +55,19 @@ ALTER TABLE ergebnis2vs2
    ADD CONSTRAINT FK_ERGEBNIS2VS2_ON_VERLIERER_HINTEN FOREIGN KEY (verlierer_hinten) REFERENCES spieler (id);

 ALTER TABLE ergebnis2vs2
-    ADD CONSTRAINT FK_ERGEBNIS2VS2_ON_VERLIERER_VORN FOREIGN KEY (verlierer_vorn) REFERENCES spieler (id);
+    ADD CONSTRAINT FK_ERGEBNIS2VS2_ON_VERLIERER_VORN FOREIGN KEY (verlierer_vorn) REFERENCES spieler (id);
+
+
+CREATE TABLE oauth2_authorized_client (
+                                          client_registration_id varchar(100) NOT NULL,
+                                          principal_name varchar(200) NOT NULL,
+                                          access_token_type varchar(100) NOT NULL,
+                                          access_token_value blob NOT NULL,
+                                          access_token_issued_at timestamp NOT NULL,
+                                          access_token_expires_at timestamp NOT NULL,
+                                          access_token_scopes varchar(1000) DEFAULT NULL,
+                                          refresh_token_value blob DEFAULT NULL,
+                                          refresh_token_issued_at timestamp DEFAULT NULL,
+                                          created_at timestamp DEFAULT CURRENT_TIMESTAMP NOT NULL,
+                                          PRIMARY KEY (client_registration_id, principal_name)
+);