Spring Boot : SecurityConfig.java 정리


Spring Boot 2.7 ~ 3.1 동작 확인

Basic 인증 사용 + h2 web console = true 설정한 경우

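@Configuration
public class SecurityConfig {

    /**
     * Builds the filter chain for the "HTTP Basic + H2 web console enabled" variant.
     *
     * <p>The H2 console renders itself inside frames, so {@code X-Frame-Options} has to allow
     * same-origin framing. The original listing achieved that by disabling the whole headers
     * configurer, which also dropped the other default security headers (X-Content-Type-Options,
     * Cache-Control, HSTS). Narrowing the change to frame options keeps those defaults in place.
     *
     * @param http         the {@link HttpSecurity} builder supplied by Spring Security
     * @param introspector used to build {@link MvcRequestMatcher}s for Spring MVC paths
     * @return the configured {@link SecurityFilterChain}
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http,
                                                   HandlerMappingIntrospector introspector) throws Exception {
        MvcRequestMatcher.Builder mvcMatcher = new MvcRequestMatcher.Builder(introspector);
        return http
                .authorizeHttpRequests(config -> config
                        // NOTE(review): the H2 console is reachable without authentication here;
                        // keep the console switched off outside local development.
                        .requestMatchers(PathRequest.toH2Console()).permitAll()
                        // NOTE(review): "/admin/users/**" is open to everyone although an ADMIN
                        // user is defined below — confirm this is intended before deploying.
                        .requestMatchers(
                                mvcMatcher.pattern("/users/**"),
                                mvcMatcher.pattern("/admin/users/**")
                        ).permitAll()
                        .anyRequest().authenticated()
                )
                .httpBasic(withDefaults())
                // CSRF stays off as in the original listing. With HTTP Basic the browser attaches
                // credentials automatically, so state-changing endpoints remain exposed to
                // cross-site requests unless another mitigation is in place.
                .csrf(AbstractHttpConfigurer::disable)
                // Only what the H2 console needs: allow same-origin frames, keep the other defaults.
                .headers(headers -> headers.frameOptions(frame -> frame.sameOrigin()))
                .build();
    }

    /**
     * In-memory users for local testing.
     *
     * <p>{@code {noop}} stores the passwords in clear text and the credentials live in source;
     * this is sample configuration only and must not be carried into a deployed build.
     *
     * @return an {@link InMemoryUserDetailsManager} holding the two sample accounts
     */
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.builder()
                .username("zhyun")
                .password("{noop}qweasd")
                .roles("USER")
                .build();

        UserDetails admin = User.builder()
                .username("gimwlgus")
                .password("{noop}zxcasd")
                .roles("ADMIN")
                .build();

        return new InMemoryUserDetailsManager(user, admin);
    }
}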


Basic 인증 사용 + h2 web console = false 설정한 경우

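@Configuration
public class SecurityConfig {

    /**
     * Builds the filter chain for the "HTTP Basic, H2 web console disabled" variant.
     *
     * <p>With the H2 console off there is no frame to allow, so the original
     * {@code .headers(AbstractHttpConfigurer::disable)} only removed the default security
     * headers (X-Content-Type-Options, X-Frame-Options, Cache-Control, HSTS). That line is
     * dropped here so the defaults apply again; nothing else in the chain changes.
     *
     * @param http the {@link HttpSecurity} builder supplied by Spring Security
     * @return the configured {@link SecurityFilterChain}
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests(config -> config
                        // NOTE(review): "/admin/users/**" is open to everyone although an ADMIN
                        // user is defined below — confirm this is intended before deploying.
                        .requestMatchers(
                                "/users/**",
                                "/admin/users/**"
                        ).permitAll()
                        .anyRequest().authenticated()
                )
                .httpBasic(withDefaults())
                // CSRF stays off as in the original listing. With HTTP Basic the browser attaches
                // credentials automatically, so state-changing endpoints remain exposed to
                // cross-site requests unless another mitigation is in place.
                .csrf(AbstractHttpConfigurer::disable)
                .build();
    }

    /**
     * In-memory users for local testing.
     *
     * <p>{@code {noop}} stores the passwords in clear text and the credentials live in source;
     * this is sample configuration only and must not be carried into a deployed build.
     *
     * @return an {@link InMemoryUserDetailsManager} holding the two sample accounts
     */
    @Bean
    public UserDetailsService userDetailsService() {
        UserDetails user = User.builder()
                .username("zhyun")
                .password("{noop}qweasd")
                .roles("USER")
                .build();

        UserDetails admin = User.builder()
                .username("gimwlgus")
                .password("{noop}zxcasd")
                .roles("ADMIN")
                .build();

        return new InMemoryUserDetailsManager(user, admin);
    }
}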


Form Login 사용 + 정적 리소스 모두 허용

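@Slf4j
@RequiredArgsConstructor
@EnableWebSecurity
@Configuration
public class SecurityConfiguration {

    private final AccountService accountService;
    private final UserAuthenticationSuccess userAuthenticationSuccess;

    /**
     * Servlet context path used by the security layer.
     *
     * <p>The original listing put {@code @Value("${server.servlet.context-path}")} on a
     * {@code static} field and fell back to {@code "/mission"} when that field was {@code null}.
     * Spring does not inject static fields, and a {@code static final} initializer runs before
     * any injection could happen anyway, so the fallback was the only value this constant ever
     * held. The constant now states that directly. If the property must be honoured, inject it
     * per instance (for example a constructor parameter annotated with {@code @Value}) instead.
     */
    public static final String CONTEXT_PATH = "/mission";

    /**
     * Builds the form-login filter chain: static resources and the login/join/kiosk/error
     * pages are public, the root page is shared by both roles, and the remaining paths are
     * split between SELLER and CUSTOMER.
     *
     * <p>Authorization rules are evaluated first-match. The original listing listed {@code "/"}
     * in the SELLER rule and again in the CUSTOMER rule, so the second entry never applied and
     * a CUSTOMER requesting {@code "/"} was rejected. {@code "/"} is now granted to both roles in
     * a single rule placed before the role-specific ones.
     *
     * @param httpSecurity the {@link HttpSecurity} builder supplied by Spring Security
     * @return the configured {@link SecurityFilterChain}
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity httpSecurity) throws Exception {
        return httpSecurity
                .authorizeHttpRequests(
                        auth -> auth
                                .requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
                                .requestMatchers(
                                        "/login/**",
                                        "/join/**",
                                        "/kiosk/**",
                                        "/error/**"
                                ).permitAll()
                                // Shared landing page: must come before the role-specific rules,
                                // otherwise the first "/" match decides for every role.
                                .requestMatchers("/").hasAnyRole("SELLER", "CUSTOMER")
                                .requestMatchers("/seller/**").hasRole("SELLER")
                                .requestMatchers("/store/**", "/review/**").hasRole("CUSTOMER")
                                .anyRequest().authenticated()
                )
                // NOTE(review): this chain uses a session-backed form login, so disabling CSRF
                // leaves state-changing form posts open to cross-site requests. Kept as in the
                // original listing because the custom login filter below may not submit a token;
                // re-enable once the login form and filter carry the CSRF token.
                .csrf(AbstractHttpConfigurer::disable)
                // NOTE(review): no H2 console or framing requirement is visible in this listing;
                // disabling the headers configurer drops the default security headers. Confirm
                // whether any page is framed before keeping this line.
                .headers(AbstractHttpConfigurer::disable)
                .formLogin(
                        login -> login
                                .loginPage("/login").permitAll()
                                .successHandler(userAuthenticationSuccess)
                )
                .addFilterBefore(new SecurityExceptionHandlerFilter(), UsernamePasswordAuthenticationFilter.class)
                // passwordEncoder() is a @Bean method on a proxied @Configuration class, so this
                // call resolves to the singleton bean rather than constructing a second encoder.
                .addFilterBefore(new SecurityLoginFilter(accountService, passwordEncoder()), UsernamePasswordAuthenticationFilter.class)
                .logout(
                        logout -> logout
                                .logoutSuccessUrl("/")
                                .invalidateHttpSession(true)
                )
                .build();
    }

    /**
     * Password encoder shared by the login filter and the account service.
     *
     * @return a {@link BCryptPasswordEncoder} with default strength
     */
    @Bean
    public PasswordEncoder passwordEncoder() {
        return new BCryptPasswordEncoder();
    }

}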




나를 위한 로그

정말 열심히 공부할 때 만들어뒀던 코드였는데
기억이 안나서 파일을 잃어버린 줄 알고 깜짝 놀랐다;
이걸 블로그에 기록을 안해놨다니..ㄷㄷ
이제라도 기록 ✍️
