본인 코드에서는 오류가 딱히 없었는데 다른 조원분께서 오류가 난다고 하셔서 코드를 수정해 보았다.
기존 Spring Security에서는 WebSecurityConfigurerAdapter를 상속받고 configure 메서드를 오버라이딩해 설정을 정의했지만, 새로운 방식에서는 설정을 하나의 Bean으로 등록하고 SecurityFilterChain을 리턴한다. 이렇게 컴포넌트 기반으로 구성하면 좀 더 세밀한 커스터마이징이 가능하다. 다만 인가 규칙은 선언한 순서대로 평가되어 먼저 매칭되는 규칙이 적용되므로, permitAll() 패턴을 넓게(예: "/api/**") 잡으면 그 뒤에 오는 권한 규칙은 전혀 적용되지 않는다는 점에 주의해야 한다.
SecurityConfig 수정 전
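@Configuration @EnableWebSecurity @RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {
    // UserDetailsService provided by spring security; both fields are injected
    // through the Lombok-generated constructor.
    private final UserDetailsService userDetailsService;
    private final BCryptPasswordEncoder bCryptPasswordEncoder;

    /** Wires the user lookup and bcrypt password verification into the AuthenticationManager. */
    @Override
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder);
    }

    /**
     * Stateless filter chain for the API.
     *
     * Matchers are evaluated in declaration order and the first match wins, so the
     * public (permitAll) patterns are listed first and must be kept narrow; anything
     * not matched falls through to {@code anyRequest().authenticated()}.
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter customAuthenticationFilter =
                new CustomAuthenticationFilter(authenticationManagerBean());
        customAuthenticationFilter.setFilterProcessesUrl("/api/login");

        // CSRF protection is dropped only because the chain is STATELESS: there is
        // no session cookie a browser could send automatically. Re-enable it if
        // cookie-based authentication is ever introduced.
        http.csrf().disable();
        http.sessionManagement().sessionCreationPolicy(STATELESS);

        // Public endpoints: sign-up, login, token refresh, email check and Swagger.
        // Consider restricting the Swagger paths outside of development.
        http.authorizeRequests().antMatchers("/api/user/save", "/api/login/**", "/api/token/refresh/**", "/api/email",
                "/v2/api-docs",
                "/swagger-resources/**",
                "/swagger-ui.html",
                "/swagger-ui/**",
                "/webjars/**",
                /*Probably not needed*/ "/swagger.json").permitAll();
        http.authorizeRequests().antMatchers(GET, "/api/user/**").hasAnyAuthority("ROLE_USER");
        // TODO(review): this rule is unreachable -- "/api/user/save" is already
        // permitAll above. Move it ahead of the permitAll block if sign-up is
        // meant to require a logged-in user; otherwise delete it.
        http.authorizeRequests().antMatchers(POST, "/api/user/save").hasAnyAuthority("ROLE_USER");
        http.authorizeRequests().anyRequest().authenticated();

        http.addFilter(customAuthenticationFilter);
        // Token check runs at the username/password filter position, before it.
        http.addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
    }

    /** Exposes the AuthenticationManager as a bean so CustomAuthenticationFilter can use it. */
    @Bean @Override
    public AuthenticationManager authenticationManagerBean() throws Exception {
        return super.authenticationManagerBean();
    }

    /**
     * Paths that bypass the security filter chain entirely (no authentication and
     * no security headers). Keep this list to static assets.
     *
     * Each Ant pattern must be passed as its own argument and start with "/":
     * the previous single comma-joined string ("/static/css/**, /static/js/**, *.ico")
     * was one pattern that never matched a real request path.
     */
    @Override
    public void configure(WebSecurity web) throws Exception {
        web.ignoring().antMatchers("/static/css/**", "/static/js/**", "/**/*.ico");
        // swagger -- these are completely unprotected, not just permitAll;
        // prefer permitAll() in configure(HttpSecurity) so security headers still apply.
        web.ignoring().antMatchers(
                "/v3/api-docs", "/configuration/ui",
                "/swagger-resources", "/configuration/security",
                "/swagger-ui.html", "/webjars/**", "/swagger/**");
    }
}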
SecurityConfig 수정 후
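@Configuration @EnableWebSecurity @RequiredArgsConstructor
public class SecurityConfig {
    // Injected through the Lombok-generated constructor.
    private final AuthenticationConfiguration authConfig;
    private final UserDetailsService userDetailsService;

    /**
     * Exposes the AuthenticationManager built by Spring Security so that
     * CustomAuthenticationFilter can authenticate login requests.
     */
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return authConfig.getAuthenticationManager();
    }

    /** Password hashing for stored credentials (bcrypt). */
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    // NOTE(review): this class no longer extends WebSecurityConfigurerAdapter, so
    // this method is not an override and nothing in the framework calls it.
    // The UserDetailsService/PasswordEncoder pairing presumably comes from the
    // beans above via auto-configuration -- verify at startup that login still
    // works, or register an AuthenticationProvider bean explicitly and delete this.
    protected void configure(AuthenticationManagerBuilder auth) throws Exception {
        auth.userDetailsService(userDetailsService).passwordEncoder(bCryptPasswordEncoder());
    }

    /**
     * Stateless filter chain for the API.
     *
     * Rules are matched in declaration order and the first match wins, so the
     * public (permitAll) patterns must stay narrow. The previous revision listed
     * "/api/**" among them, which made every API endpoint public and turned the
     * ROLE_USER rules below into dead code; that pattern is removed here. The
     * empty {@code requestMatchers().permitAll()} call, which named no pattern and
     * only obscured the rule order, is removed as well.
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        CustomAuthenticationFilter customAuthenticationFilter =
                new CustomAuthenticationFilter(authenticationManager());
        customAuthenticationFilter.setFilterProcessesUrl("/api/login");

        http
            // CSRF protection is dropped only because the chain is STATELESS (no
            // session cookie); re-enable it if cookie-based auth is ever added.
            .csrf().disable()
            .authorizeHttpRequests()
                // Public endpoints: sign-up, login, token refresh, email check and
                // Swagger. Consider restricting the Swagger paths outside development.
                .antMatchers("/api/user/save", "/api/login/**", "/api/token/refresh/**", "/api/email",
                        "/v2/api-docs",
                        "/swagger-resources/**",
                        "/swagger-ui.html",
                        "/swagger-ui/**",
                        "/webjars/**",
                        "/swagger.json").permitAll()
                .antMatchers(GET, "/api/user/**", "/api/users").hasAnyAuthority("ROLE_USER")
                // TODO(review): unreachable -- "/api/user/save" is already permitAll
                // above. Move it ahead of the permitAll block if sign-up should
                // require a logged-in user; otherwise delete it.
                .antMatchers(POST, "/api/user/save").hasAnyAuthority("ROLE_USER")
                // Everything not listed above requires an authenticated principal.
                .anyRequest().authenticated()
            .and()
            .sessionManagement()
                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
            .and()
            .addFilter(customAuthenticationFilter)
            // Token check runs at the username/password filter position, before it.
            .addFilterBefore(new CustomAuthorizationFilter(), UsernamePasswordAuthenticationFilter.class);
        return http.build();
    }
}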