240 azure oauth2

.github/workflows/build-war-and-container.yml

@@ -55,4 +55,8 @@ jobs:
           src: ghcr.io/hbtgmbh/salat:ci
           dst: |
             ${{ steps.meta.outputs.tags }}
-
+#      - name: 'Run Azure webapp deploy action using publish profile credentials'
+#        uses: azure/webapps-deploy@v2
+#        with:
+#          app-name: salat-test
+#          publish-profile: ${{ secrets.azureWebAppPublishProfile }}

pom.xml

@@ -4,7 +4,8 @@
 	<parent>
 		<groupId>org.springframework.boot</groupId>
 		<artifactId>spring-boot-starter-parent</artifactId>
-		<version>2.7.4</version>
+		<version>2.7.8</version>
+
 		<relativePath/> <!-- lookup parent from repository -->
 	</parent>
 	<groupId>de.hbt.salat</groupId>
@@ -27,12 +28,26 @@
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-security</artifactId>
+			<artifactId>spring-boot-starter-web</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>com.azure.spring</groupId>
+			<artifactId>spring-cloud-azure-starter-active-directory</artifactId>
+			<version>4.8.0</version>
 		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
-			<artifactId>spring-boot-starter-web</artifactId>
+			<artifactId>spring-boot-starter-oauth2-client</artifactId>
+		</dependency>
+		<dependency>
+			<groupId>org.springframework.security</groupId>
+			<artifactId>spring-security-test</artifactId>
+			<scope>test</scope>
 		</dependency>
+<!--		<dependency>-->
+<!--			<groupId>com.azure.spring</groupId>-->
+<!--			<artifactId>spring-cloud-azure-starter-active-directory</artifactId>-->
+<!--		</dependency>-->
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-actuator</artifactId>
@@ -48,11 +63,6 @@
 			<scope>runtime</scope>
 			<optional>true</optional>
 		</dependency>
-		<dependency>
-			<groupId>org.projectlombok</groupId>
-			<artifactId>lombok</artifactId>
-			<optional>true</optional>
-		</dependency>
 		<dependency>
 			<groupId>org.springframework.boot</groupId>
 			<artifactId>spring-boot-starter-tomcat</artifactId>
@@ -82,6 +92,11 @@
 			<artifactId>spring-security-test</artifactId>
 			<scope>test</scope>
 		</dependency>
+		<dependency>
+			<groupId>org.projectlombok</groupId>
+			<artifactId>lombok</artifactId>
+			<optional>true</optional>
+		</dependency>
 		<dependency>
 			<groupId>com.h2database</groupId>
 			<artifactId>h2</artifactId>
@@ -219,7 +234,7 @@
 		<dependency>
 			<groupId>org.webjars.npm</groupId>
 			<artifactId>bootstrap-icons</artifactId>
-			<version>1.10.3</version>
+			<version>1.11.1</version>
 		</dependency>
 
 	</dependencies>

src/main/java/org/tb/SalatApplication.java

@@ -4,14 +4,17 @@
 import org.springframework.boot.actuate.autoconfigure.security.servlet.ManagementWebSecurityAutoConfiguration;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.boot.autoconfigure.security.servlet.SecurityAutoConfiguration;
+import org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration;
 import org.springframework.data.jpa.repository.config.EnableJpaAuditing;
 import org.springframework.data.jpa.repository.config.EnableJpaRepositories;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.transaction.annotation.EnableTransactionManagement;
 
+@EnableWebSecurity
 @EnableJpaRepositories
 @EnableJpaAuditing
 @EnableTransactionManagement
-@SpringBootApplication(exclude = { SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class})
+@SpringBootApplication(exclude = { ErrorMvcAutoConfiguration.class, SecurityAutoConfiguration.class, ManagementWebSecurityAutoConfiguration.class})
 public class SalatApplication {
 
   public static void main(String[] args) {

src/main/java/org/tb/auth/AadOAuth2LoginSecurityConfig.java

@@ -0,0 +1,39 @@
+package org.tb.auth;
+
+import com.azure.spring.cloud.autoconfigure.aad.AadWebSecurityConfigurerAdapter;
+import lombok.RequiredArgsConstructor;
+import org.springframework.context.annotation.Profile;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+
+@RequiredArgsConstructor
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+@Profile({"test","prod","local"})
+public class AadOAuth2LoginSecurityConfig extends AadWebSecurityConfigurerAdapter {
+
+  final private HbtAuthenticationFilter hbtAuthenticationFilter;
+
+  /**
+   * Add configuration logic as needed.
+   */
+  @Override
+  protected void configure(HttpSecurity http) throws Exception {
+    super.configure(http);
+    http
+        //.addFilterAfter(hbtAuthenticationFilter, )
+        .authorizeHttpRequests(
+            (authorize) -> authorize
+                .antMatchers(HbtAuthenticationFilter.EXCLUDE_PATTERN.toArray(new String[0]))
+                .permitAll()
+                .antMatchers("/**")
+                //.hasRole("salat-user")
+                //.anyRequest()
+                .authenticated()
+        )
+        .csrf().disable()
+//        .csrf().csrfTokenRepository(CookieCsrfTokenRepository.withHttpOnlyFalse())
+        ;
+  }
+}

src/main/java/org/tb/auth/AuthService.java

@@ -4,13 +4,15 @@
 import static org.tb.common.util.SecureHashUtils.legacyPasswordMatches;
 import static org.tb.common.util.SecureHashUtils.passwordMatches;
 
-import java.time.*;
+import java.time.Clock;
+import java.time.Duration;
+import java.time.LocalDate;
 import java.util.HashSet;
 import java.util.Optional;
 import java.util.Set;
 import java.util.stream.Collectors;
 import java.util.stream.StreamSupport;
-
+import javax.annotation.PostConstruct;
 import lombok.Data;
 import lombok.RequiredArgsConstructor;
 import org.springframework.beans.factory.annotation.Value;
@@ -19,8 +21,6 @@
 import org.tb.employee.domain.Employee;
 import org.tb.employee.persistence.EmployeeRepository;
 
-import javax.annotation.PostConstruct;
-
 @Service
 @RequiredArgsConstructor
 public class AuthService {

src/main/java/org/tb/auth/AuthorizedUser.java

@@ -1,7 +1,7 @@
 package org.tb.auth;
 
 import static java.lang.Boolean.TRUE;
-import static org.springframework.web.context.WebApplicationContext.SCOPE_REQUEST;
+import static org.springframework.web.context.WebApplicationContext.SCOPE_SESSION;
 import static org.tb.common.GlobalConstants.EMPLOYEE_STATUS_ADM;
 import static org.tb.common.GlobalConstants.EMPLOYEE_STATUS_BL;
 import static org.tb.common.GlobalConstants.EMPLOYEE_STATUS_BO;
@@ -15,7 +15,7 @@
 import org.tb.employee.domain.Employee;
 
 @Component
-@Scope(value = SCOPE_REQUEST, proxyMode = ScopedProxyMode.TARGET_CLASS)
+@Scope(value = SCOPE_SESSION, proxyMode = ScopedProxyMode.TARGET_CLASS)
 @Data
 public class AuthorizedUser implements Serializable {