Basic auth implementation and explanation

Kim jae-eok · April 18, 2020

spring & spring boot


What is Basic auth

A scheme in which a client requesting data from an API server authenticates by sending an HTTP Authorization header whose value is the user id and the password, joined with a colon and base64-encoded: `Authorization: Basic <base64(id:password)>`. The header is attached to every request; there is no session or token step on its own.
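Added example (not code from the original post): the two halves of the scheme described above, in Python. `build_basic_header` is what a client does; `parse_basic_header` is what the server side (in Spring, `BasicAuthenticationFilter`) does before any password check runs. The sample id and password are constructed for the example; the password contains colons to show that only the first colon separates the two fields. Because decoding needs no secret, the parser also demonstrates why anyone who can read the request recovers the credentials.

```python
import base64
import binascii
from typing import Optional, Tuple

# Constructed sample credentials (not from the original post).  The password
# contains colons on purpose: only the FIRST colon separates id from password.
SAMPLE_USER = "alice"
SAMPLE_PASSWORD = "s3cret:with:colons"


def build_basic_header(user_id: str, password: str) -> str:
    """Build the Authorization header value a client sends (RFC 7617).

    The user id must not contain a colon, since the first colon is the
    separator; the password may.  The pair is UTF-8 encoded, then base64.
    """
    if ":" in user_id:
        raise ValueError("user id must not contain ':'")
    token = base64.b64encode(f"{user_id}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Recover (user_id, password) from an Authorization header value.

    Returns None for anything that is not a well-formed Basic credential, so
    the caller falls through to the 401 entry point instead of guessing.
    No secret is needed to do this: base64 is reversible encoding, not
    encryption.
    """
    if header is None:
        return None
    parts = header.strip().split(None, 1)
    if len(parts) != 2 or parts[0].lower() != "basic":   # scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(parts[1], validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user_id, password = raw.split(":", 1)   # split on the first colon only
    return user_id, password


if __name__ == "__main__":
    header = build_basic_header(SAMPLE_USER, SAMPLE_PASSWORD)
    print(header)
    print(parse_basic_header(header))   # anyone holding the header gets both values back
```

The RFC 7617 example pair `Aladdin` / `open sesame` encodes to `QWxhZGRpbjpvcGVuIHNlc2FtZQ==`, which is handy for checking any implementation; malformed tokens (wrong scheme, invalid base64, no colon) are rejected rather than partially parsed.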

Implementation

  • Security config

    package com.jeaeok.myproject.testApp.configs;
    
    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.context.annotation.Configuration;
    import org.springframework.security.config.annotation.web.builders.HttpSecurity;
    import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
    import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
    
    // The post shows only the configure() method; the surrounding class and its
    // name (SecurityConfig) are assumed here so the fragment compiles as a whole.
    @Configuration
    @EnableWebSecurity
    public class SecurityConfig extends WebSecurityConfigurerAdapter {
    
        @Autowired
        private AuthProvider authProvider;
    
        /**
         * Configure which pages are reachable through Spring Security.
         */
        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                .logout()
                    .logoutUrl("/api/logout")
                    .and()
                .csrf()
                    .disable()                      // only for non-browser API clients
                .authorizeRequests()
                    .antMatchers(
                        "/",
                        "/api/v1/user/join",
                        "/static/**"
                    ).permitAll()                   // public: root, sign-up, static files
                    .anyRequest().authenticated()   // everything else needs Basic credentials
                    .and()
                .headers().frameOptions().sameOrigin()
                    .and()
                .httpBasic()
                    // the author's own entry point class (not shown in the post)
                    .authenticationEntryPoint(new NoPopupBasicAuthenticationEntryPoint());
    
            http.authenticationProvider(authProvider);
        }
    }

    http.authenticationProvider(authProvider) registers the provider below, so the id and password from the Basic header are checked by it. Two points worth keeping in mind: csrf().disable() is only appropriate when the clients are not browsers, since a browser re-attaches cached Basic credentials to any cross-site request; and NoPopupBasicAuthenticationEntryPoint is the author's own class, not shown in the post. Going by its name, it answers unauthenticated requests with 401 but without the WWW-Authenticate: Basic challenge that would make a browser open its login dialog.

  • AuthProvider.java

    package com.jeaeok.myproject.testApp.configs;
    
    import java.util.ArrayList;
    import java.util.List;
    
    import org.springframework.security.authentication.AuthenticationProvider;
    import org.springframework.security.authentication.BadCredentialsException;
    import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
    import org.springframework.security.core.Authentication;
    import org.springframework.security.core.AuthenticationException;
    import org.springframework.security.core.GrantedAuthority;
    import org.springframework.security.core.authority.SimpleGrantedAuthority;
    import org.springframework.security.crypto.password.PasswordEncoder;
    import org.springframework.stereotype.Component;
    
    import com.jeaeok.myproject.testApp.domain.MyAuthenticaion;
    import com.jeaeok.myproject.testApp.domain.User;
    import com.jeaeok.myproject.testApp.services.UserService;
    
    /**
     * Checks the login (id and password) carried by the Basic auth header.
     * @author atcis
     */
    @Component("authProvider")
    public class AuthProvider implements AuthenticationProvider {
    
        private final PasswordEncoder passwordEncoder;
        private final UserService userService;
    
        // Encoded once at startup and checked against whenever the id does not exist,
        // so that an unknown id costs the same time as a wrong password. Without it the
        // early return skips the hash and response time reveals which ids are real.
        private final String userNotFoundHash;
    
        public AuthProvider(PasswordEncoder passwordEncoder, UserService userService) {
            this.passwordEncoder = passwordEncoder;
            this.userService = userService;
            this.userNotFoundHash = passwordEncoder.encode("userNotFoundPassword");
        }
    
        @Override
        public Authentication authenticate(Authentication authentication) throws AuthenticationException {
            String id = authentication.getName();                          // id from the Basic header
            String password = authentication.getCredentials().toString();  // password from the Basic header
    
            User user_info = userService.getUser(id);
    
            // Reject by throwing, not by returning null: null tells ProviderManager
            // "I cannot decide" and it moves on to the next provider.
            if (null == user_info) {
                passwordEncoder.matches(password, userNotFoundHash);       // burn the same time
                throw new BadCredentialsException("Bad credentials");
            }
            if (!passwordEncoder.matches(password, user_info.getUserPassword())) {
                throw new BadCredentialsException("Bad credentials");
            }
    
            List<GrantedAuthority> grantedAuthorityList = new ArrayList<>();
            grantedAuthorityList.add(new SimpleGrantedAuthority("ROLE_USER"));   // every authenticated user
            if (user_info.isAdmin()) {
                grantedAuthorityList.add(new SimpleGrantedAuthority("ROLE_ADMIN"));
            }
            // MyAuthenticaion is the author's Authentication implementation (domain package, not shown)
            return new MyAuthenticaion(id, password, grantedAuthorityList, user_info);
        }
    
        @Override
        public boolean supports(Class<?> authentication) {
            return authentication.equals(UsernamePasswordAuthenticationToken.class);
        }
    }

    authentication.getName(): the id from the Basic auth header

    authentication.getCredentials().toString(): the password from the Basic auth header

    By the time the provider runs, Spring's BasicAuthenticationFilter has already base64-decoded the header into a UsernamePasswordAuthenticationToken, which is why supports() accepts exactly that token class.

  • Basic auth credentials are only base64-encoded, which is reversible encoding, not encryption: anyone who can read the request (a man-in-the-middle on a plain HTTP connection, a logging proxy) recovers the id and password directly, and they are re-sent on every request. Use Basic auth only over HTTPS.
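Added example (not code from the original post): the AuthProvider logic above transposed to plain Python, so the two things the Java fragment leaves implicit can be exercised offline. A PBKDF2-HMAC-SHA256 check stands in for whatever PasswordEncoder the project uses (the post does not say which), the in-memory USERS table stands in for UserService.getUser(), and both the user records and passwords are constructed for the example. It shows that a failed check rejects by raising rather than returning None, and that an unknown id is charged the same hash cost as a wrong password so response time does not enumerate valid ids.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2-HMAC-SHA256, standing in for the PasswordEncoder.
PBKDF2_ROUNDS = 100_000


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'salt_hex$hash_hex', the stored form of a password (PasswordEncoder.encode)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def password_matches(password: str, encoded: str) -> bool:
    """PasswordEncoder.matches(): re-derive the hash and compare in constant time."""
    salt_hex, digest_hex = encoded.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed user store (not from the original post), playing the role of
# UserService.getUser(): id -> {encoded password, admin flag}.
USERS: Dict[str, Dict] = {
    "alice": {"password": encode_password("correct horse"), "admin": False},
    "root":  {"password": encode_password("battery staple"), "admin": True},
}

# Encoded once at startup and checked against whenever the id does not exist,
# so an unknown id costs the same time as a wrong password.  Without this the
# early return skips the hash and response time reveals which ids are real.
USER_NOT_FOUND_HASH = encode_password("userNotFoundPassword")


class BadCredentials(Exception):
    """Stands in for Spring's BadCredentialsException."""


def authenticate(user_id: str, password: str) -> Dict:
    """The provider's decision: the authenticated principal, or an exception.

    Never returns None: in Spring, null from a provider means "I cannot
    decide", and ProviderManager goes on to ask the next provider.
    """
    record = USERS.get(user_id)
    if record is None:
        password_matches(password, USER_NOT_FOUND_HASH)   # burn the same time, then reject
        raise BadCredentials("bad credentials")
    if not password_matches(password, record["password"]):
        raise BadCredentials("bad credentials")
    authorities: List[str] = ["ROLE_USER"]               # every authenticated user
    if record["admin"]:
        authorities.append("ROLE_ADMIN")
    return {"name": user_id, "authorities": authorities}


if __name__ == "__main__":
    print(authenticate("root", "battery staple"))
    for bad in (("alice", "wrong"), ("nobody", "correct horse")):
        try:
            authenticate(*bad)
        except BadCredentials as exc:
            print(bad[0], "->", exc)
```

The same generic "bad credentials" message is raised for both failure cases on purpose; a distinct "no such user" message would leak the same information the timing equalisation is there to hide.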
