package shop.mtcoding.bank.config.jwt;
import java.io.IOException;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.InternalAuthenticationServiceException;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import com.fasterxml.jackson.databind.ObjectMapper;
import shop.mtcoding.bank.config.auth.LoginUser;
import shop.mtcoding.bank.dto.user.UserRequestDto.LoginRequestDto;
import shop.mtcoding.bank.dto.user.UserResponseDto.LoginResponseDto;
import shop.mtcoding.bank.util.CustomResponseUtil;
public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private AuthenticationManager authenticationManager;
public JwtAuthenticationFilter(AuthenticationManager authenticationManager) {
super(authenticationManager);
setFilterProcessesUrl("/api/login"); // /login -> /api/login (바꾸기)
this.authenticationManager = authenticationManager;
}
// 동작 시점 : POST, /login
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
throws AuthenticationException {
try {
ObjectMapper om = new ObjectMapper();
LoginRequestDto loginRequestDto = om.readValue(request.getInputStream(), LoginRequestDto.class); // 값을 담기
// 강제로그인 시키기
// 1. 토큰 만들기
UsernamePasswordAuthenticationToken authenticationToken = new UsernamePasswordAuthenticationToken(
loginRequestDto.getUsername(), loginRequestDto.getPassword());
// 2. 강제로그인(UserDetailsService, loadByUsername() 호출)
Authentication authentication = authenticationManager.authenticate(authenticationToken);
return authentication;
} catch (Exception e) {
// SecurityConfig, authenticationEntryPoint에서 걸림
throw new InternalAuthenticationServiceException(e.getMessage());
}
}
// attemptAuthentication의 return authentication 작동 시
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response,
FilterChain chain, Authentication authResult) throws IOException, ServletException {
LoginUser loginUser = (LoginUser) authResult.getPrincipal(); // 로그인 유저
String jwtToken = JwtProcess.create(loginUser); // 로그인유저로 JWT 생성
response.addHeader(JwtValueObject.HEADER, jwtToken); // 토큰 담기
LoginResponseDto loginResponseDto = new LoginResponseDto(loginUser.getUser());
CustomResponseUtil.success(response, loginResponseDto); //
}
}
throw new InternalAuthenticationServiceException(e.getMessage()); 라고 던지면 아래 사진에서 잡는다.
// 2. 강제로그인(UserDetailsService, loadByUsername() 호출)
Authentication authentication = authenticationManager.authenticate(authenticationToken);
return authentication;
그리고 강제 로그인 부분에서 세션을 만드는 이유가, JWT를 사용해도jSessionId는 사용하지 않지만 세션을 사용해서 컨트롤러에 진입하면 권한체크, 인증체크의 도움을 받아 편하기 때문이다. 이 세션의 유효기간읜 request, response 하면 끝
다음번 요청이 오면 해당 세션은 사용하지 못한다. 왜냐하면 jSessionId를 받지 못하기 때문에
package shop.mtcoding.bank.dto.user;
import javax.validation.constraints.NotEmpty;
import javax.validation.constraints.Pattern;
import javax.validation.constraints.Size;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import lombok.Getter;
import lombok.Setter;
import shop.mtcoding.bank.domain.user.User;
import shop.mtcoding.bank.domain.user.UserEnum;
public class UserRequestDto {
@Getter
@Setter
public static class LoginRequestDto { // 제어하지 못하는 이유 : 컨트롤러 전에 작동하기 때문에
private String username;
private String password;
}
.
.
.
여기서는 벨리데이션 체크 못한다, 왜냐하면 벨리데이션체크는 AOP로 컨트롤러에서 작동하는데 이거는 컨트롤러 전에 작동하기 때문에 하지 못한다.
package shop.mtcoding.bank.dto.user;
import lombok.Getter;
import lombok.Setter;
import shop.mtcoding.bank.domain.user.User;
import shop.mtcoding.bank.util.CustomDateUtil;
public class UserResponseDto {
@Getter
@Setter
public static class LoginResponseDto {
private Long id;
private String username;
private String createdAt;
public LoginResponseDto(User user) {
this.id = user.getId();
this.username = user.getUsername();
this.createdAt = CustomDateUtil.toStringFormat(user.getCreateAt()); // 시간 포맷
}
}
.
.
.
package shop.mtcoding.bank.util;
import java.time.LocalDateTime;
import java.time.format.DateTimeFormatter;
public class CustomDateUtil {
public static String toStringFormat(LocalDateTime localDateTime) {
return localDateTime.format(DateTimeFormatter.ofPattern("yyyy-MM-dd HH:mm:ss"));
}
}
package shop.mtcoding.bank.util;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.fasterxml.jackson.databind.ObjectMapper;
import shop.mtcoding.bank.dto.ResponseDto;
public class CustomResponseUtil {
private static final Logger log = LoggerFactory.getLogger(CustomResponseUtil.class); // static 때문에
public static void success(HttpServletResponse response, Object dto) {
try {
ObjectMapper om = new ObjectMapper();
ResponseDto<?> responseDto = new ResponseDto<>(1, "로그인 성공", dto);
String responseBody = om.writeValueAsString(responseDto);
response.setContentType("application/json; charset=utf-8");
response.setStatus(200);
response.getWriter().println(responseBody);
} catch (Exception e) {
log.error("서버 파싱 에러");
}
}
public static void unAuthentication(HttpServletResponse response, String msg) {
try {
ObjectMapper om = new ObjectMapper();
ResponseDto<?> responseDto = new ResponseDto<>(-1, msg, null);
String responseBody = om.writeValueAsString(responseDto);
response.setContentType("application/json; charset=utf-8");
response.setStatus(401);
response.getWriter().println(responseBody);
} catch (Exception e) {
log.error("서버 파싱 에러");
}
}
}
/login -> /api/login 바꾸는 법
super(AbstractAuthenticationProcessingFilter)에게 던짐
setFilterPrecessUrl을 호출함
따라서 setFilterProcessUrl을 바꾸는게 가능