package com.yun.preapisecure.configuration;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.hierarchicalroles.RoleHierarchy;
import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authorization.AuthorizationManager;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.session.SessionRegistry;
import org.springframework.security.core.session.SessionRegistryImpl;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.AccessDeniedHandler;
import org.springframework.security.web.access.intercept.RequestAuthorizationContext;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import org.springframework.security.web.util.matcher.RequestMatcherEntry;
import org.springframework.web.servlet.handler.HandlerMappingIntrospector;
import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
@EnableWebSecurity
@Configuration
public class SecurityConfig {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityConfig.class);
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
// AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
//builder.authenticationProvider(new CustomAuthenticationProvider());
//builder.authenticationProvider(new CustomAuthenticationProvider2()); 여러개 추가할 경우
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/logoutSuccess").authenticated()
.anyRequest().authenticated())
.rememberMe(remember -> remember
//.alwaysRemember(true) 보안에 약하다
.tokenValiditySeconds(3600)
.userDetailsService(userDetailsService())
.rememberMeParameter("remember")
.rememberMeCookieName("remember")
.key("security")
)
.formLogin(form -> form
//.loginPage("/loginPage")
.loginProcessingUrl("/loginProc")
.defaultSuccessUrl("/", false)
.failureUrl("/failed")
.usernameParameter("userId")
.usernameParameter("passwd")
/*.successHandler(new AuthenticationSuccessHandler() {
@Override
public void onAuthenticationSuccess(HttpServletRequest request, HttpServletResponse response, Authentication authentication) throws IOException, ServletException {
LOGGER.info("authentication : {}", authentication);
response.sendRedirect("/home");
}
})
.failureHandler(new AuthenticationFailureHandler() {
@Override
public void onAuthenticationFailure(HttpServletRequest request, HttpServletResponse response, AuthenticationException exception) throws IOException, ServletException {
LOGGER.info("authentication exception : {}", exception.getMessage());
response.sendRedirect("/loginPage");
}
})*/
.permitAll()
)
.httpBasic(basic -> basic.authenticationEntryPoint(new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
response.setHeader("WWW-Authenticate", "Basic realm=security");
response.sendError(HttpStatus.UNAUTHORIZED.value(), HttpStatus.UNAUTHORIZED.getReasonPhrase());
}})
)
.sessionManagement(fixation -> fixation
.sessionFixation()
.changeSessionId()
//.migrateSession()
//.newSession()
)
.sessionManagement(session -> session
.invalidSessionUrl("/invalidSessionUrl")
.maximumSessions(1)
.maxSessionsPreventsLogin(true)
.expiredUrl("/expiredUrl")
)
//.authenticationProvider(new CustomAuthenticationProvider()) http에 바로 추가해도 되고, 위와 같이 따로 추가해도 됨
.logout(logout -> logout
.logoutUrl("/logoutProc")
.logoutRequestMatcher(new AntPathRequestMatcher("/logout", "POST"))
.logoutSuccessUrl("/logoutSuccess")
.deleteCookies("JSSESIONID", "remember-me")
.invalidateHttpSession(true)
.clearAuthentication(true)
.addLogoutHandler(new LogoutHandler() {
@Override
public void logout(HttpServletRequest request, HttpServletResponse response, Authentication authentication) {
try {
response.sendRedirect("/logoutSuccess");
} catch (IOException e) {
throw new RuntimeException(e);
}
}
})
.permitAll()
)//login 또는 index로 보냄
.exceptionHandling(exception -> exception
.authenticationEntryPoint(new AuthenticationEntryPoint() {
@Override
public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
System.out.println("exception: " + authException.getMessage());
response.sendRedirect("/logout");//사용자 정의로 커스텀하게 만들었을 경우 login, logout 페이지를 직접 만들어줘야한다.
}
})
.accessDeniedHandler(new AccessDeniedHandler() {
@Override
public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException, ServletException {
System.out.println("exception: " + accessDeniedException.getMessage());
response.sendRedirect("/denied");
}
})
);
//SecurityContextHolder.setStrategyName(SecurityContextHolder.MODE_INHERITABLETHREADLOCAL);
return http.build();
}
//spring security User 사용자 정의 1. yml 파일 설정 / 2. User 설정 단 1번과 2번이 충돌할 경우 2번이 우선순위
@Bean
public UserDetailsService userDetailsService() {
UserDetails user = User.withUsername("user")
.password("{noop}1234")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
package com.yun.preapisecure.configuration;
import com.yun.preapisecure.CustomAuthenticationFilter;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.AuthenticationEntryPoint;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.logout.LogoutHandler;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.io.IOException;
@EnableWebSecurity
@Configuration
public class SecurityCustomFilterConfig {
private static final Logger LOGGER = LoggerFactory.getLogger(SecurityCustomFilterConfig.class);
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
AuthenticationManager authenticationManager = builder.build();
http
.authorizeHttpRequests(auth -> auth
.requestMatchers("/logoutSuccess").authenticated()
.requestMatchers("/login").permitAll()
.anyRequest().authenticated())
.formLogin(Customizer.withDefaults())
//.securityContext(securityContext -> securityContext.requireExplicitSave(true))//자동으로 session에 저장한다.
.authenticationManager(authenticationManager)
.addFilterBefore(customAuthenticationFilter(http, authenticationManager), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
/* @Bean
@Order(1)
public SecurityFilterChain securityFilterChain2(HttpSecurity http) throws Exception {
AuthenticationManagerBuilder builder = http.getSharedObject(AuthenticationManagerBuilder.class);
AuthenticationManager authenticationManager = builder.build();
http
.securityMatchers(matchers -> matchers.requestMatchers("/open-banking/oauth/"))
.authorizeHttpRequests(authorize -> authorize.anyRequest().permitAll());
return http.build();
}*/
public CustomAuthenticationFilter customAuthenticationFilter(HttpSecurity httpSecurity, AuthenticationManager manager) {
CustomAuthenticationFilter customAuthenticationFilter = new CustomAuthenticationFilter(httpSecurity);
customAuthenticationFilter.setAuthenticationManager(manager);
return customAuthenticationFilter;
}
//spring security User 사용자 정의 1. yml 파일 설정 / 2. User 설정 단 1번과 2번이 충돌할 경우 2번이 우선순위
@Bean
public UserDetailsService userDetailsService() {
UserDetails user = User.withUsername("user")
.password("{noop}1234")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
package com.yun.preapisecure.configuration;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.session.MapSession;
import org.springframework.session.MapSessionRepository;
import org.springframework.session.SessionRepository;
import org.springframework.session.config.annotation.web.http.EnableSpringHttpSession;
import org.springframework.session.web.http.CookieSerializer;
import org.springframework.session.web.http.DefaultCookieSerializer;
import java.util.concurrent.ConcurrentHashMap;
@Configuration
@EnableSpringHttpSession
public class HttpSessionConfig {
@Bean
public CookieSerializer cookieSerializer() {
DefaultCookieSerializer serializer = new DefaultCookieSerializer();
serializer.setUseHttpOnlyCookie(true);
serializer.setUseSecureCookie(true);
serializer.setSameSite("Lax");//none인 경우 https로 추가조치 해야한다.
return serializer;
}
@Bean
public SessionRepository<MapSession> sessionRepository() {
return new MapSessionRepository(new ConcurrentHashMap<>());
}
}
package com.yun.preapisecure.provider;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Component;
@Component
public class CustomAuthenticationProvider implements AuthenticationProvider {
private final UserDetailsService userDetailsService;
public CustomAuthenticationProvider(UserDetailsService userDetailsService) {
this.userDetailsService = userDetailsService;
}
@Override
public Authentication authenticate(Authentication authentication) throws AuthenticationException {
String loginId = authentication.getName();
String password = authentication.getCredentials().toString();
//아이디 검증
UserDetails user = userDetailsService.loadUserByUsername(loginId);
if (user == null) {
throw new UsernameNotFoundException("사용자가 존재하지 않는다.");
}
//비밀번호 검증
return new UsernamePasswordAuthenticationToken(
user.getUsername(), user.getPassword(), user.getAuthorities());
}
@Override
public boolean supports(Class<?> authentication) {
//일반적으로는 넘어온 authentication token와 인증 토큰이 맞아야 true 반환
return authentication.isAssignableFrom(UsernamePasswordAuthenticationToken.class);
}
}
package com.yun.preapisecure.provider;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.Collection;
public class CustomUserDetails implements UserDetails { //DB에서 가져온 데이터를 return
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
return null;
}
@Override
public String getPassword() {
return null;
}
@Override
public String getUsername() {
return null;
}
@Override
public boolean isAccountNonExpired() {
return false;
}
@Override
public boolean isAccountNonLocked() {
return false;
}
@Override
public boolean isCredentialsNonExpired() {
return false;
}
@Override
public boolean isEnabled() {
return false;
}
}
package com.yun.preapisecure;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
import org.springframework.security.web.context.DelegatingSecurityContextRepository;
import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
import org.springframework.security.web.context.SecurityContextRepository;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
import java.io.IOException;
public class CustomAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
protected final ObjectMapper objectMapper = new ObjectMapper();
public CustomAuthenticationFilter(HttpSecurity httpSecurity) {
super(new AntPathRequestMatcher("/api/login", "GET"));
setSecurityContextRepository(getSecurityContextRepository(httpSecurity));
}
private SecurityContextRepository getSecurityContextRepository(HttpSecurity httpSecurity) {
SecurityContextRepository securityContextRepository = httpSecurity.getSharedObject(SecurityContextRepository.class);
if (securityContextRepository == null) {
securityContextRepository = new DelegatingSecurityContextRepository(new HttpSessionSecurityContextRepository(), new RequestAttributeSecurityContextRepository());
}
return securityContextRepository;
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException, IOException, ServletException {
String username = request.getParameter("username");
String password = request.getParameter("password");
UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(username, password);
return this.getAuthenticationManager().authenticate(token);
}
}
하루 일지 보단 행동 고찰 과정에 대한 개발 블로그