[SpringBoot 3.1.0 🆙] Setting up SpringSecurity

Dev_ch · August 6, 2023

ํ”„๋กœ์ ํŠธ๋ฅผ ์ง„ํ–‰ํ•˜๋ฉด์„œ, SpringBoot๋ฅผ 3.1.2 ๋ฒ„์ „์„ ์‚ฌ์šฉํ•˜๊ฒŒ ๋˜์—ˆ๋‹ค. ์˜ˆ์ „์— 2.6 ~ 2.7.x ๋ฒ„์ „์„ ์‚ฌ์šฉํ• ๋•Œ JWT์™€ Security๋ฅผ ์ด์šฉํ•˜์—ฌ ์œ ์ € ์„œ๋น„์Šค๋ฅผ ๋งŒ๋“œ๋Š” ํฌ์ŠคํŒ…์ด ์žˆ์—ˆ๋Š”๋ฐ ์ตœ์‹  ๋ฒ„์ „์˜ SpringBoot์™€ Security๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค๋ฉด ํ•ด๋‹น ํฌ์ŠคํŒ…๋Œ€๋กœ ๊ตฌํ˜„ํ•  ์ˆ˜ ์—†์„ ๊ฒƒ ์ด๋‹ค.

๊ทธ๋ž˜์„œ ์ด๋ฒˆ์—๋Š” SpringBoot 3.1.2 ๋ฒ„์ „๊ณผ SpringSecurity์˜ 6.1 ๋ฒ„์ „์„ ์ด์šฉํ•ด JWT์™€ Security๋ฅผ ํ•œ๊บผ๋ฒˆ์— ๋‹ค๋ค„๋ณด๋Š” ํฌ์ŠคํŒ…์„ ๋‹ค๋ฃจ๋ ค ํ•œ๋‹ค.

์ด๋ฒˆ ํŒŒํŠธ๋Š” SpringSecurity ์ด๋‹ค.


🧠 A simple implementation

// dependency
implementation 'org.springframework.boot:spring-boot-starter-security'
testImplementation 'org.springframework.security:spring-security-test'

The part where the dependencies are added to build.gradle is not much different.

Previously I created a class called SecurityConfig to hold the Security settings, and I will do the same this time. But let's compare it side by side with the 2.x.x code.

SpringBoot 2.6.x ~

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.CorsFilter;

@Configuration
@EnableWebSecurity
@EnableGlobalMethodSecurity(prePostEnabled = true) // enables @PreAuthorize / @PostAuthorize
@RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // CorsFilter bean is defined elsewhere in the project and injected by Lombok's constructor
    private final CorsFilter corsFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Override
    protected void configure(HttpSecurity httpSecurity) throws Exception {
        httpSecurity
                // CSRF is off because the API is stateless (no session cookie to ride on)
                .csrf().disable()

                // run the CORS filter before the username/password authentication filter
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)

                // never create an HttpSession; every request must carry its own credentials
                .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)

                .and()
                .authorizeRequests()
                // public endpoints
                .antMatchers("/test", "/auth", "/auth/login", "/docs", "/health", "/auth/check").permitAll()
                .antMatchers("/docs/**").permitAll()
                .antMatchers("/docs/index.html").permitAll()
                // everything else requires an authenticated principal
                .anyRequest().authenticated();
    }
}

This is the 2.6.x SecurityConfig class before JWT was applied. It extended the WebSecurityConfigurerAdapter abstract class and did all of the Security configuration inside the overridden configure() method; that approach has changed (the adapter was deprecated in Spring Security 5.7 and removed in 6.0).

In addition, the non-lambda DSL methods such as and() have all been deprecated. Configuration is now written with the lambda DSL.

If you are curious why this changed, have a look at the document below 🤨

https://docs.spring.io/spring-security/reference/migration-7/configuration.html

SpringBoot 3.1.x ~

import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.web.filter.CorsFilter;

@Configuration
@EnableWebSecurity
@EnableMethodSecurity // prePostEnabled is true by default
@RequiredArgsConstructor
public class SecurityConfig {

    // CorsFilter bean is defined elsewhere in the project and injected by Lombok's constructor
    private final CorsFilter corsFilter;

    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
                // CSRF is off because the API is stateless (no session cookie to ride on)
                .csrf(AbstractHttpConfigurer::disable)
                // run the CORS filter before the username/password authentication filter
                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
                // never create an HttpSession; every request must carry its own credentials
                .sessionManagement(session -> session
                        .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                )
                // one authorizeHttpRequests block; anyRequest() must come last
                .authorizeHttpRequests(request -> request
                        .requestMatchers("/version", "/login/google").permitAll()
                        .anyRequest().authenticated()
                );

        return http.build();
    }
}

๋”ฑ๋ด๋„ ๋ญ”๊ฐ€ ๋งŽ์ด ๋ฐ”๋€ ๊ฒƒ ๊ฐ™๊ธดํ•˜๋‹ค... ๊ทธ๋ž˜์„œ ์„ค๋ช…์„ ๊ณ๋“ค์ด์ž๋ฉด

  1. @EnableGlobalMethodSecurity(prePostEnabled = true)๋„ deprecated ๋œ๋‹ค๊ณ  ํ•œ๋‹ค.
    • ํ•ด๊ฒฐ ๋ฐฉ๋ฒ•์œผ๋กœ๋Š” @EnableMethodSecurity๋ฅผ ์‚ฌ์šฉํ•ด์ฃผ๋ฉด๋œ๋‹ค. ๊ธฐ๋ณธ๊ฐ’์ด true์ด๊ธฐ ๋•Œ๋ฌธ์— ๊ตณ์ด ์ง€์ •ํ•ด์ฃผ์ง€ ์•Š์•„๋„ ๋œ๋‹ค.
  1. WebSecurityConfigurerAdapter ์ธํผํ…Œ์ด์Šค๋ฅผ ์ƒ์†๋ฐ›์ง€ ์•Š๋Š”๋‹ค.
    • SecurityFilterChain ์ธํ„ฐํŽ˜์ด์Šค ํ•จ์ˆ˜๋ฅผ ํ•˜๋‚˜ ๋งŒ๋“ค์–ด์„œ ๊ทธ ์•ˆ์—์„œ ๊ธฐ์กด์— ์„ค์ •ํ–ˆ๋˜ ์ฝ”๋“œ๋ฅผ ๊ตฌํ˜„ํ•œ ํ›„ Bean์œผ๋กœ ๋“ฑ๋กํ•ด์ค€๋‹ค.
  1. ์„ค์ • ์ฝ”๋“œ๋ฅผ ๊ตฌํ˜„ํ•˜๋Š” ๋ฐฉ์‹์ด non-lamda-DSL์—์„œ lamda-DSL๋กœ ๋ณ€๊ฒฝ๋˜์—ˆ๋‹ค.

์ด๊ฒŒ ๊ทธ๋ž˜๋„ ์ฝ”๋“œ ์ „์ฒด๊ฐ€ ๋งŽ์ด ๋ฐ”๋€ ๊ฒƒ ๊ฐ™์•„๋„, ๊ตฌํ˜„ํ•˜๋Š” ๋ฐฉ์‹์ด ํ‹€๋ ค์ง„๊ฑด ์•„๋‹ˆ๊ธฐ์— ๊ธฐ์กด์˜ ์ฝ”๋“œ๋ฅผ ์‰ฝ๊ฒŒ ์ˆ˜์ •ํ•  ์ˆ˜ ์žˆ๋‹ค.
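To check that the migrated configuration really behaves as the three points above describe, here is an added example (not code from the original post) in the form of a Spring Boot test. It uses the spring-security-test dependency from the build.gradle above together with JUnit 5 and MockMvc from spring-boot-starter-test. The package name, the endpoint paths /version and /me, and the AdminService class are assumptions for the example; the test builds its own minimal context with the same lambda-DSL rules as the post's SecurityConfig (minus the CorsFilter, which the post injects but does not show) so that it does not collide with the real configuration.

```java
package com.example.demo; // hypothetical package for this example

import static org.junit.jupiter.api.Assertions.assertEquals;
import static org.junit.jupiter.api.Assertions.assertThrows;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.SpringBootConfiguration;
import org.springframework.boot.autoconfigure.EnableAutoConfiguration;
import org.springframework.boot.test.autoconfigure.web.servlet.AutoConfigureMockMvc;
import org.springframework.boot.test.context.SpringBootTest;
import org.springframework.context.annotation.Bean;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@SpringBootTest(classes = SecurityConfigTest.TestApp.class)
@AutoConfigureMockMvc
class SecurityConfigTest {

    // Self-contained context: no component scan, so it does not pick up the project's
    // own SecurityConfig (two chains that both match anyRequest() would fail to start).
    @SpringBootConfiguration
    @EnableAutoConfiguration
    @EnableMethodSecurity // prePostEnabled defaults to true, so @PreAuthorize is active
    static class TestApp {

        @Bean
        SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
            http
                .csrf(AbstractHttpConfigurer::disable) // acceptable only because no session cookie is used
                .sessionManagement(s -> s.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
                .authorizeHttpRequests(req -> req
                        .requestMatchers("/version").permitAll()
                        .anyRequest().authenticated());
            return http.build();
        }

        @Bean VersionController versionController() { return new VersionController(); }
        @Bean AdminService adminService() { return new AdminService(); } // proxied for method security
    }

    @RestController
    static class VersionController {
        @GetMapping("/version") public String version() { return "3.1.2"; } // assumed public endpoint
        @GetMapping("/me") public String me() { return "secret"; }          // assumed protected endpoint
    }

    static class AdminService { // hypothetical service guarded by method security
        @PreAuthorize("hasRole('ADMIN')")
        public String purge() { return "purged"; }
    }

    @Autowired MockMvc mockMvc;
    @Autowired AdminService adminService;

    @Test
    void permitAllEndpointIsOpen() throws Exception {
        mockMvc.perform(get("/version")).andExpect(status().isOk());
    }

    @Test
    void protectedEndpointRejectsAnonymous() throws Exception {
        // 403 rather than 401: this chain registers no AuthenticationEntryPoint
        // (no httpBasic()/formLogin()), so Spring Security falls back to Http403ForbiddenEntryPoint.
        mockMvc.perform(get("/me")).andExpect(status().isForbidden());
    }

    @Test
    @WithMockUser(roles = "USER")
    void preAuthorizeDeniesWrongRole() {
        assertThrows(AccessDeniedException.class, adminService::purge);
    }

    @Test
    @WithMockUser(roles = "ADMIN")
    void preAuthorizeAllowsAdmin() {
        assertEquals("purged", adminService.purge());
    }
}
```

The 403 in the second test is the thing most people trip over after this migration: until an AuthenticationEntryPoint is registered (for example by the JWT filter setup in the next post), an unauthenticated request to a protected path is reported as Forbidden, not Unauthorized. The last two tests show that @EnableMethodSecurity enforces @PreAuthorize without any prePostEnabled flag.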


Having used Security since 2.6.x, I was used to it and wondered whether the switch would be easy; there are plenty of official docs and other resources, so even with the higher version it was easy to change. Honestly I never much liked the non-lambda style that uses and(), and now that it has moved to the lambda style things feel somehow better(?)

Anyway, that's it for this post! Next time, let's use JWT along with it.
