로그인 할 떄 JWT방식 사용(토큰)
JSON 웹 토큰 방식 인증방식 구현
- 토큰 클라이언트에 저장하고 있다가 메뉴에 값을 갖고 서버에 접근
사용해보는 이유 : 토큰 방식이 제한 인증이긴 하지만 간편인증 방식들 (네이버 간편인증) OAUT2.0이 JWT 방식과 같다
- JWT 는 회원가입과 동시에 입력받은 password가 암호화 되어진다.
Controller
authController.class
@PostMapping("/signupToken")
public ResponseEntity<UserResponseDto> signup(@RequestBody UserRequestDto requestDto) {
return ResponseEntity.ok(authService.signup(requestDto));
}
@PostMapping("/loginToken")
public ResponseEntity<TokenDto> loginToken(@RequestBody UserRequestDto requestDto) {
System.out.println("컨트롤러 접속 완료 : " + requestDto);
return ResponseEntity.ok(authService.login(requestDto));
}- 각각 authService에서 정의한 signup과 login을 UserRequestDto를 통해 받은 입력 값을 들고 간다
DTO
UserRequestDTO.class
@Getter
@AllArgsConstructor
@NoArgsConstructor
@Builder
public class UserRequestDto {
private String userEmail;
private String userPwd;
public Users toUser(PasswordEncoder passwordEncoder) {
return Users.builder()
.userEmail(userEmail)
.userPwd(passwordEncoder.encode(userPwd))
.userAuth(Authority.ROLE_ADMIN)
.build();
}
public UsernamePasswordAuthenticationToken toAuthentication() {
return new UsernamePasswordAuthenticationToken(userEmail, userPwd);
}
}- User entity에서 만든 빌드 타입에 입력받은 userEmail과 passwordEncoder로 입력받은 userPwd를 암호화 해준다
(기본 가입 권한은 ADMIN으로 기재해준다)
Service
AuthService.class
package com.kh.iMMUTABLE.service;
import lombok.RequiredArgsConstructor;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.core.Authentication;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Service;
import javax.transaction.Transactional;
@Service
@RequiredArgsConstructor
@Transactional
public class AuthService {
private final AuthenticationManagerBuilder managerBuilder;
private final UserRepository userRepository;
private final PasswordEncoder passwordEncoder;
private final TokenProvider tokenProvider;
public UserResponseDto signup(UserRequestDto requestDto) {
if (userRepository.existsByUserEmail(requestDto.getUserEmail())) {
throw new RuntimeException("이미 가입되어 있는 유저입니다");
}
System.out.println("서비스 사인업 requestDto: " + requestDto);
Users user = requestDto.toUser(passwordEncoder);
return UserResponseDto.of(userRepository.save(user));
}
//로그인시 TokenDto 를 반환한다.
public TokenDto login(UserRequestDto requestDto) {
System.out.println("토큰디티오 접속 완료");
UsernamePasswordAuthenticationToken authenticationToken = requestDto.toAuthentication();
System.out.println("authenticationToken : " + authenticationToken);
Authentication authentication = managerBuilder.getObject().authenticate(authenticationToken);
System.out.println("authentication" + authentication);
return tokenProvider.generateTokenDto(authentication);
}
}
입력받은 requestDto 를 userRepository에서 선언한 exists를 통해 중복값을 식별한다
이 조건문에 부합하지 않는 다면 UserRequestDto에서 만든 toUser를 통해서 새로운 테이블을 만들어준다.
로그인시 입력받은 requestDto 를 UsernamePasswordAuthenticationToken
AuthenticationManagerBuilder 를 통해 토큰을 발행하여준다.
Entity
Users.class
@builder패턴이 들어가야한다
@Builder//빌더 패턴!!! 시큐리티쪽은 빌더 패턴을 많이 쓴다. 매개변수가 많을 때 순서 안지켜도 됨
public Users(String userEmail, String userPwd, Authority userAuth) {
this.userEmail = userEmail;
this.userPwd = userPwd;
this.authority = userAuth;
}JWT
해당 폴더에는 두가지 클래스를 선언한다.
JWTfilter.class
TokenProvider.class
JWTfilter.class
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.web.filter.OncePerRequestFilter;
import org.springframework.util.StringUtils;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Slf4j
@RequiredArgsConstructor
public class JwtFilter extends OncePerRequestFilter {
public static final String AUTHORIZATION_HEADER = "Authorization";
public static final String BEARER_PREFIX = "Bearer ";
private final TokenProvider tokenProvider;
private String resolveToken(HttpServletRequest request) {
String bearerToken = request.getHeader(AUTHORIZATION_HEADER);
if (StringUtils.hasText(bearerToken) && bearerToken.startsWith(BEARER_PREFIX)) {
return bearerToken.substring(7);
}
return null;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String jwt = resolveToken(request);
if (StringUtils.hasText(jwt) && tokenProvider.validateToken(jwt)) {
Authentication authentication = tokenProvider.getAuthentication(jwt);
SecurityContextHolder.getContext().setAuthentication(authentication);
}
filterChain.doFilter(request, response);
}
}TokenProvider.class
import io.jsonwebtoken.*;
import io.jsonwebtoken.security.Keys;
import lombok.extern.slf4j.Slf4j;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.stereotype.Component;
import java.security.Key;
import java.util.Arrays;
import java.util.Collection;
import java.util.Date;
import java.util.stream.Collectors;
@Slf4j //로깅데티어 관리
@Component//bean 에등록
public class TokenProvider {
private static final String AUTHORITIES_KEY = "auth";
private static final String BEARER_TYPE = "bearer";
//30분이 지나면 토큰이 만료되어 로그인이 풀리게 구성 토큰이 탈취되어도 이를 막을 수 없음
private static final long ACCESS_TOKEN_EXPIRE_TIME = 1000 * 60 * 30;
private final Key key; //자바에 Security
// 주의점: 여기서 @Value는 `springframework.beans.factory.annotation.Value`소속이다! lombok의 @Value와 착각하지 말것!
public TokenProvider(@Value("${springboot.jwt.secret}") String secretKey) {
this.key = Keys.secretKeyFor(SignatureAlgorithm.HS512); //HS512알고리즘
}
// 토큰 생성 후 요청하는 클라이언트한테 토큰을 날려주어야 함.
public TokenDto generateTokenDto(Authentication authentication) {
String authorities = authentication.getAuthorities().stream()
.map(GrantedAuthority::getAuthority)
.collect(Collectors.joining(","));
long now = (new Date()).getTime();
Date tokenExpiresIn = new Date(now + ACCESS_TOKEN_EXPIRE_TIME);
System.out.println(tokenExpiresIn);
String accessToken = Jwts.builder()
.setSubject(authentication.getName())
.claim(AUTHORITIES_KEY, authorities)
.setExpiration(tokenExpiresIn)
.signWith(key, SignatureAlgorithm.HS512)
.compact();
return TokenDto.builder()
.grantType(BEARER_TYPE)
.accessToken(accessToken)
.tokenExpiresIn(tokenExpiresIn.getTime())
.build();
}
public Authentication getAuthentication(String accessToken) {
Claims claims = parseClaims(accessToken);
if (claims.get(AUTHORITIES_KEY) == null) {
throw new RuntimeException("권한 정보가 없는 토큰입니다.");
}
Collection<? extends GrantedAuthority> authorities =
Arrays.stream(claims.get(AUTHORITIES_KEY).toString().split(","))
.map(SimpleGrantedAuthority::new)
.collect(Collectors.toList());
UserDetails principal = new User(claims.getSubject(), "", authorities);
return new UsernamePasswordAuthenticationToken(principal, "", authorities);
}
public boolean validateToken(String token) {
try {
Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(token);
return true;
} catch (io.jsonwebtoken.security.SecurityException | MalformedJwtException e) {
log.info("잘못된 JWT 서명입니다.");
} catch (ExpiredJwtException e) {
log.info("만료된 JWT 토큰입니다.");
} catch (UnsupportedJwtException e) {
log.info("지원되지 않는 JWT 토큰입니다.");
} catch (IllegalArgumentException e) {
log.info("JWT 토큰이 잘못되었습니다.");
}
return false;
}
private Claims parseClaims(String accessToken) {
try {
return Jwts.parserBuilder().setSigningKey(key).build().parseClaimsJws(accessToken).getBody();
} catch (ExpiredJwtException e) {
return e.getClaims();
}
}
}
Security
- JwtAccessDeniedHandler.class
- JwtAuthenticationEntryPoint.class
- JwtSecurityConfig.class
- WebSecurityConfig.class
JwtAccessDeniedHandler.class
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtAccessDeniedHandler implements AccessDeniedHandler {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_ACCEPTED);
}
}
JwtAuthenticationEntryPoint.class
import org.springframework.context.annotation.Configuration;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.stereotype.Component;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
@Component
public class JwtAuthenticationEntryPoint implements AuthenticationEntryPoint {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
response.sendError(HttpServletResponse.SC_ACCEPTED);
}
}
JwtSecurityConfig.class
import com.kh.finalPrjAm.jwt.JwtFilter;
import com.kh.finalPrjAm.jwt.TokenProvider;
import lombok.RequiredArgsConstructor;
import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.DefaultSecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@RequiredArgsConstructor
public class JwtSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
private final TokenProvider tokenProvider;
@Override
public void configure(HttpSecurity http) {
JwtFilter customFilter = new JwtFilter(tokenProvider);
http.addFilterBefore(customFilter, UsernamePasswordAuthenticationFilter.class);
}
}WebSecurityConfig.class
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.stereotype.Component;
@RequiredArgsConstructor
@Configuration
@EnableWebSecurity
@Component
public class WebSecurityConfig {
private final TokenProvider tokenProvider;
private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
http
.httpBasic().disable()
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.exceptionHandling()
.authenticationEntryPoint(jwtAuthenticationEntryPoint)
.accessDeniedHandler(jwtAccessDeniedHandler)
.and()
.authorizeRequests()
.antMatchers("/auth/**" [허가 할 경로들을 넣는다.]).permitAll() //auth 밑에 가게 만들어야 한다.
.antMatchers("/v2/api-docs", "/swagger-resources/**", "/swagger-ui.html", "/webjars/**", "/swagger/**", "/sign-api/exception").permitAll()
.anyRequest().authenticated()
.and()
.apply(new JwtSecurityConfig(tokenProvider));
return http.build();
}
}주의
jwt적용시 통합구현 때 401에러가 뜰 수 있다. 접근 권한이 없음을 의미하는데 통합 구현시 frontend는 static아래에서 구현되어진다.
.antMatchers("/**", "/static/**", ...).permitAll()로 변경해준다.
Be {Nice} Be {Kind}