to-be
package com.codesign.base.configure;
import com.codesign.base.jwt.JwtAuthenticationFilter;
import com.codesign.base.jwt.JwtAuthorizationFilter;
import com.codesign.base.service.UserService;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
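@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig2 {

    /** Supplied by the Lombok-generated constructor; source of the framework's AuthenticationManager. */
    private final AuthenticationConfiguration authConfig;

    /**
     * Publishes the AuthenticationManager built by Spring Security as a bean so the JWT
     * filters (and any other component) can use the same instance.
     *
     * @return the configured AuthenticationManager
     * @throws Exception if Spring Security cannot build the manager
     */
    @Bean
    public AuthenticationManager authenticationManager() throws Exception {
        return authConfig.getAuthenticationManager();
    }

    /**
     * Password encoder for stored credentials. BCrypt is an adaptive, salted hash,
     * which is what a password store should use.
     *
     * @return a BCryptPasswordEncoder with its default strength
     */
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }

    /**
     * Builds the HTTP security filter chain: stateless, bearer-token (JWT) authentication
     * with CORS enabled and form/basic login switched off.
     *
     * @param http        the HttpSecurity builder supplied by Spring Security
     * @param userService user lookup used by the authorization filter to resolve the token subject
     * @return the built SecurityFilterChain
     * @throws Exception if the chain cannot be configured
     */
    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http, UserService userService) throws Exception {
        // Resolve the manager once; both JWT filters share the same instance.
        AuthenticationManager manager = authenticationManager();

        // CSRF protection is disabled because no session cookie is ever issued (STATELESS below):
        // each request must carry its own bearer token, so an ambient-credential forgery is not possible.
        http.csrf().disable();
        http.cors().configurationSource(corsFilter()) // CORS rules come from corsFilter()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP session
            .and().formLogin().disable() // no form login
            .httpBasic().disable() // Bearer tokens are used, so HTTP Basic is off
            .addFilter(new JwtAuthenticationFilter(manager)) // issues tokens on login
            .addFilter(new JwtAuthorizationFilter(manager, userService)) // validates tokens on each request
            .authorizeRequests()
            .antMatchers("/api/v1/user/**").permitAll()
            // hasRole() adds the ROLE_ prefix itself; the SpEL access("hasRole('ROLE_MANAGER')") form was equivalent but redundant.
            .antMatchers("/api/v1/manager/**").hasRole("MANAGER")
            // NOTE(review): allow-by-default. Every path not listed above is reachable without a token;
            // a default-deny (.anyRequest().authenticated()) with explicit permitAll() entries is the safer posture.
            .anyRequest().permitAll();
        return http.build();
    }

    /**
     * CORS policy applied to every path under {@code /api/}.
     *
     * @return the URL-based CORS configuration source used by {@link #filterChain}
     */
    @Bean
    public CorsConfigurationSource corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Lets browser clients (ajax/axios) send and read credentials (cookies, Authorization header).
        config.setAllowCredentials(true);
        // With allowCredentials=true an origin *pattern* must be used: Spring Framework 5.3+ rejects the
        // literal "*" origin in that combination with an IllegalArgumentException at request time, and the
        // CORS spec forbids "Access-Control-Allow-Origin: *" on a credentialed response anyway.
        // "*" as a pattern still reflects any caller's origin with credentials; restrict it to the real
        // front-end origins (e.g. a configured list of https://... hosts) before production.
        config.addAllowedOriginPattern("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // "/api/*" matched a single path segment only, so the actual endpoints under /api/v1/...
        // never received this configuration. "/**" covers every nested path.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }
}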
- AuthenticationConfiguration 를 주입받음
- @Bean authenticationManager 등록
- @Override 된 configure() 를 @Bean filterChain() 으로 변경
- UserService 를 filterChain() 의 인자로 받음

as-is
package com.codesign.base.configure;
import com.codesign.base.jwt.JwtAuthenticationFilter;
import com.codesign.base.jwt.JwtAuthorizationFilter;
import com.codesign.base.service.UserService;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
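@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /** Supplied by the Lombok-generated constructor; used by the authorization filter to resolve token subjects. */
    private final UserService userService;

    /**
     * Configures the HTTP security rules: stateless, bearer-token (JWT) authentication with
     * CORS enabled and form/basic login switched off. This adapter style is the pre-5.7
     * Spring Security approach; the SecurityFilterChain-bean form supersedes it.
     *
     * @param http the HttpSecurity builder supplied by Spring Security
     * @throws Exception if the chain cannot be configured
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        // CSRF protection is disabled because no session cookie is ever issued (STATELESS below):
        // each request must carry its own bearer token, so an ambient-credential forgery is not possible.
        http.csrf().disable();
        http.cors().configurationSource(corsFilter()) // CORS rules come from corsFilter()
            .and().sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HTTP session
            .and().formLogin().disable() // no form login
            .httpBasic().disable() // Bearer tokens are used, so HTTP Basic is off
            .addFilter(new JwtAuthenticationFilter(authenticationManager())) // issues tokens on login
            .addFilter(new JwtAuthorizationFilter(authenticationManager(), userService)) // validates tokens per request
            .authorizeRequests()
            .antMatchers("/api/v1/user/**").permitAll()
            // hasRole() adds the ROLE_ prefix itself; the SpEL access("hasRole('ROLE_MANAGER')") form was equivalent but redundant.
            .antMatchers("/api/v1/manager/**").hasRole("MANAGER")
            // NOTE(review): allow-by-default. Every path not listed above is reachable without a token;
            // a default-deny (.anyRequest().authenticated()) with explicit permitAll() entries is the safer posture.
            .anyRequest().permitAll();
    }

    /**
     * CORS policy applied to every path under {@code /api/}.
     *
     * @return the URL-based CORS configuration source used by {@link #configure(HttpSecurity)}
     */
    @Bean
    public CorsConfigurationSource corsFilter() {
        CorsConfiguration config = new CorsConfiguration();
        // Lets browser clients (ajax/axios) send and read credentials (cookies, Authorization header).
        config.setAllowCredentials(true);
        // With allowCredentials=true an origin *pattern* must be used: Spring Framework 5.3+ rejects the
        // literal "*" origin in that combination with an IllegalArgumentException at request time, and the
        // CORS spec forbids "Access-Control-Allow-Origin: *" on a credentialed response anyway.
        // "*" as a pattern still reflects any caller's origin with credentials; restrict it to the real
        // front-end origins before production. (addAllowedOriginPattern requires Spring Framework 5.3+.)
        config.addAllowedOriginPattern("*");
        config.addAllowedHeader("*");
        config.addAllowedMethod("*");
        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
        // "/api/*" matched a single path segment only, so the actual endpoints under /api/v1/...
        // never received this configuration. "/**" covers every nested path.
        source.registerCorsConfiguration("/api/**", config);
        return source;
    }

    /**
     * Password encoder for stored credentials. BCrypt is an adaptive, salted hash,
     * which is what a password store should use.
     *
     * @return a BCryptPasswordEncoder with its default strength
     */
    @Bean
    public BCryptPasswordEncoder bCryptPasswordEncoder() {
        return new BCryptPasswordEncoder();
    }
}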