🚀 Spring Boot JWT 인증 & SecurityConfig 정리

1️⃣ JWT 로 백엔드 보호

• 기존 Basic Auth 방식: username/password 확인만 가능, 세션/토큰 처리 없음 → React 등 프론트에서 사용 불편
• JWT: RESTful API에서 가장 많이 사용되는 인증/인가 방식

JWT 개념

• Authentication (인증): 로그인 과정
• Authorization (인가/권한): 인증 후 역할 기반 권한 부여
• JWT는 URL, POST 파라미터, Header 등으로 전송 가능
• JWT 구조: xxxxx.yyyyyy.zzzzz

부분	내용
Header	토큰 유형, 해싱 알고리즘
Payload	사용자 정보 (username, role 등)
Signature	토큰 변조 확인

---

2️⃣ JWT 생성 및 검증

jjwt 라이브러리 의존성

implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.11.5'

JwtService

@Component
public class JwtService {
    static final long EXPIRATIONTIME = 86400000; // 1일
    static final String PREFIX = "Bearer";
    static final Key key = Keys.secretKeyFor(SignatureAlgorithm.HS256);

    public String getToken(String username) {
        return Jwts.builder()
            .setSubject(username)
            .setExpiration(new Date(System.currentTimeMillis() + EXPIRATIONTIME))
            .signWith(key)
            .compact();
    }

    public String getAuthUser(HttpServletRequest request) {
        String token = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (token != null) {
            String user = Jwts.parserBuilder()
                .setSigningKey(key)
                .build()
                .parseClaimsJws(token.replace(PREFIX, ""))
                .getBody()
                .getSubject();
            if (user != null) return user;
        }
        return null;
    }
}

---

3️⃣ 로그인 요청 데이터용 Record

public record AccountCredentials(String username, String password) {}

• Record 특징

  1. 간결함: 필드만 정의하면 getter/setter 자동 생성
  2. 불변성: 모든 필드는 private final
  3. 자동 생성: AllArgsConstructor, toString(), equals() 등

---

4️⃣ Optional 사용

Optional<AppUser> user = userRepository.findByUsername(username);
user.ifPresent(u -> System.out.println(u.getUsername()));
String name = user.orElse(new AppUser("Guest","")).getUsername();

• NullPointerException 방지, 함수형 스타일 가능

---

5️⃣ LoginController

@RestController
@RequiredArgsConstructor
public class LoginController {
    private final JwtService jwtService;
    private final AuthenticationManager authentication;

    @PostMapping("/login")
    public ResponseEntity<?> getToken(@RequestBody AccountCredentials credentials) {
        UsernamePasswordAuthenticationToken creds =
            new UsernamePasswordAuthenticationToken(credentials.username(), credentials.password());
        Authentication auth = authentication.authenticate(creds);

        String jwts = jwtService.getToken(auth.getName());
        return ResponseEntity
            .ok()
            .header(HttpHeaders.AUTHORIZATION, "Bearer " + jwts)
            .header(HttpHeaders.ACCESS_CONTROL_EXPOSE_HEADERS, "Authorization")
            .build();
    }
}

---

6️⃣ SecurityConfig & AuthenticationManager

@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {
    private final JwtService jwtService;

    @Bean
    public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception{
        return authConfig.getAuthenticationManager();
    }

    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http.csrf(csrf -> csrf.disable())
            .sessionManagement(sm -> sm.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
            .authorizeHttpRequests(auth -> auth
                .requestMatchers(HttpMethod.POST, "/login").permitAll()
                .anyRequest().authenticated()
            )
            .addFilterBefore(new AuthenticationFilter(jwtService), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}

---

7️⃣ AuthenticationFilter

@RequiredArgsConstructor
public class AuthenticationFilter extends OncePerRequestFilter {
    private final JwtService jwtService;

    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) 
            throws ServletException, IOException {
        String jws = request.getHeader(HttpHeaders.AUTHORIZATION);
        if (jws != null) {
            String user = jwtService.getAuthUser(request);
            Authentication authentication = new UsernamePasswordAuthenticationToken(user, null, Collections.emptyList());
            SecurityContextHolder.getContext().setAuthentication(authentication);
        }
        filterChain.doFilter(request, response);
    }
}

---

8️⃣ 예외 처리: AuthEntryPoint

public class AuthEntryPoint implements AuthenticationEntryPoint {
    @Override
    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) 
            throws IOException, ServletException {
        response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
        response.getWriter().println("Error : " + authException.getMessage());
    }
}

• 로그인 실패 시 401 반환, 커스텀 메시지 출력 가능

---

9️⃣ 인증 흐름 🔁

1. 클라이언트 → POST /login → username/password 전송
2. AuthenticationManager 검증 → JWT 발급
3. 이후 요청 → Authorization: Bearer <token> 헤더 포함
4. AuthenticationFilter 가 JWT 검증 후 SecurityContext 설정
5. Controller 접근 가능

---

🔟 핵심 포인트 💡

기능	클래스/인터페이스	설명
인증	UserDetailsService, AuthenticationManager	JWT 발급 전 로그인 검증
권한	RoleVoter, @PreAuthorize	Role 기반 접근 제어
세션	SecurityContextHolder	Stateless → 세션 사용 안함
CSRF	csrf().disable()	REST API에서는 비활성화
로그인	/login, LoginController	JWT 발급
요청 보호	AuthenticationFilter	모든 요청 인증 처리

---