|
|
|
@ -6,15 +6,16 @@ import kr.co.palnet.kac.config.security.filter.JwtCheckFilter;
|
|
|
|
|
import kr.co.palnet.kac.config.security.filter.JwtLoginFilter; |
|
|
|
|
import kr.co.palnet.kac.config.security.service.BaseUserDetailsService; |
|
|
|
|
import lombok.RequiredArgsConstructor; |
|
|
|
|
import lombok.extern.slf4j.Slf4j; |
|
|
|
|
import org.springframework.context.annotation.Bean; |
|
|
|
|
import org.springframework.context.annotation.Configuration; |
|
|
|
|
import org.springframework.core.annotation.Order; |
|
|
|
|
import org.springframework.security.authentication.AuthenticationManager; |
|
|
|
|
import org.springframework.security.authentication.ProviderManager; |
|
|
|
|
import org.springframework.security.authentication.dao.DaoAuthenticationProvider; |
|
|
|
|
import org.springframework.security.config.annotation.web.builders.HttpSecurity; |
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer; |
|
|
|
|
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; |
|
|
|
|
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; |
|
|
|
|
import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer; |
|
|
|
|
import org.springframework.security.config.http.SessionCreationPolicy; |
|
|
|
|
import org.springframework.security.crypto.password.NoOpPasswordEncoder; |
|
|
|
|
import org.springframework.security.crypto.password.PasswordEncoder; |
|
|
|
@ -22,7 +23,11 @@ import org.springframework.security.web.SecurityFilterChain;
|
|
|
|
|
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; |
|
|
|
|
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; |
|
|
|
|
|
|
|
|
|
import java.util.Arrays; |
|
|
|
|
import java.util.List; |
|
|
|
|
|
|
|
|
|
@EnableWebSecurity |
|
|
|
|
@Configuration |
|
|
|
|
@RequiredArgsConstructor |
|
|
|
|
public abstract class SecurityConfig { |
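Review bot: `@Configuration` and `@EnableWebSecurity` are declared on `public abstract class SecurityConfig`, which Spring will not instantiate as a bean; as far as I can tell neither annotation is `@Inherited`, so the concrete subclass has to re-declare at least `@Configuration` for the `@Bean` methods of this base class to be registered at all. A class-level comment would make that contract explicit for whoever writes the next subclass: `// Abstract base: never instantiated by Spring — the concrete subclass must carry @Configuration/@EnableWebSecurity itself`. The class body continues past the end of this hunk.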
|
|
|
|
|
|
|
|
@ -30,20 +35,25 @@ public abstract class SecurityConfig {
|
|
|
|
|
private final BaseAuthenticationEntryPoint baseAuthenticationEntryPoint; |
|
|
|
|
private final BaseAccessDeniedHandler baseAccessDeniedHandler; |
|
|
|
|
|
|
|
|
|
private final String[] SWAGGER_URI = { |
|
|
|
|
// 정적
|
|
|
|
|
private final String[] IGNORE_URI = { |
|
|
|
|
// swagger
|
|
|
|
|
"/swagger-ui/**", |
|
|
|
|
"/swagger-ui/index.html", |
|
|
|
|
"/v3/api-docs", |
|
|
|
|
"/swagger-resources/**", |
|
|
|
|
"/webjars/**", |
|
|
|
|
// "/swagger-ui/**",
|
|
|
|
|
// "/api-docs/**"
|
|
|
|
|
// rest doc
|
|
|
|
|
"/docs/index.html", |
|
|
|
|
"/api-docs/**", |
|
|
|
|
// custom
|
|
|
|
|
"/ping" |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@Bean |
|
|
|
|
PasswordEncoder passwordEncoder() { |
|
|
|
|
// return new BCryptPasswordEncoder();
|
|
|
|
|
// TODO 테스트 후 BCryptPasswordEncoder 로 변경
|
|
|
|
|
// TODO 테스트 후 BCryptPasswordEncoder 로 변경 - 회원가입 로직 구현 후 제거
|
|
|
|
|
return NoOpPasswordEncoder.getInstance(); |
|
|
|
|
} |
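Review bot: `return NoOpPasswordEncoder.getInstance();` leaves every stored password and every login comparison in plaintext, and `NoOpPasswordEncoder` is deprecated in Spring Security precisely because it is only meant for tests; the two TODOs above it defer the fix until after the sign-up logic exists, which is exactly when real credentials start being persisted. The commented-out `// return new BCryptPasswordEncoder();` is the intended replacement and can go in now; if existing test accounts must keep working during the migration, `return PasswordEncoderFactories.createDelegatingPasswordEncoder();` accepts `{noop}`-prefixed legacy values while hashing new ones with bcrypt — either option needs its `org.springframework.security.crypto.*` import, which the visible import block does not contain. Separately, `"/v3/api-docs"` and `"/api-docs/**"` in IGNORE_URI serve the full API description unauthenticated in every profile; consider keeping the documentation entries behind a non-production profile or a separate list.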
|
|
|
|
|
|
|
|
@ -55,10 +65,12 @@ public abstract class SecurityConfig {
|
|
|
|
|
return new ProviderManager(authProvider); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
@Order(2) |
|
|
|
|
@Bean |
|
|
|
|
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception { |
|
|
|
|
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { |
|
|
|
|
setDefaultHttpSecurity(http); |
|
|
|
|
http |
|
|
|
|
.securityMatchers(matchers -> matchers.requestMatchers("/**")) |
|
|
|
|
.authorizeHttpRequests(authz -> |
|
|
|
|
authz |
|
|
|
|
.anyRequest().authenticated() |
|
|
|
@ -66,7 +78,7 @@ public abstract class SecurityConfig {
|
|
|
|
|
return http.build(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
public void setDefaultHttpSecurity(HttpSecurity http) throws Exception { |
|
|
|
|
protected void setDefaultHttpSecurity(HttpSecurity http) throws Exception { |
|
|
|
|
http |
|
|
|
|
.csrf(AbstractHttpConfigurer::disable) |
|
|
|
|
.sessionManagement(session -> |
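Review bot: `.csrf(AbstractHttpConfigurer::disable)` is only safe when the browser never attaches the credential automatically; the imported `JwtCheckFilter` is not visible here, so confirm it reads the JWT from the `Authorization` header and not from a cookie, otherwise every state-changing endpoint behind this chain becomes CSRF-able. A one-line why-comment would make that assumption auditable at the point it is relied on: `// CSRF disabled: stateless API, JWT is carried in the Authorization header, never in a cookie`. The body of `setDefaultHttpSecurity` continues past the end of this hunk.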
|
|
|
@ -82,10 +94,29 @@ public abstract class SecurityConfig {
|
|
|
|
|
); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
protected abstract List<String> getExcludeURI(); |
|
|
|
|
@Order(1) |
|
|
|
|
@Bean |
|
|
|
|
public WebSecurityCustomizer webSecurityCustomizer() { |
|
|
|
|
return web -> web.ignoring() |
|
|
|
|
.requestMatchers(SWAGGER_URI); |
|
|
|
|
public SecurityFilterChain excludeFilterChain(HttpSecurity http) throws Exception { |
|
|
|
|
List<String> excludeURI = getExcludeURI(); |
|
|
|
|
String[] ignoreURI; |
|
|
|
|
if (excludeURI != null && !excludeURI.isEmpty()) { |
|
|
|
|
excludeURI.addAll(Arrays.asList(IGNORE_URI)); |
|
|
|
|
ignoreURI = excludeURI.toArray(new String[0]); |
|
|
|
|
} else { |
|
|
|
|
ignoreURI = IGNORE_URI; |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
http |
|
|
|
|
.securityMatchers(matchers -> matchers.requestMatchers(ignoreURI)) |
|
|
|
|
.authorizeHttpRequests(authz -> authz.anyRequest().permitAll()) |
|
|
|
|
.requestCache(RequestCacheConfigurer::disable) |
|
|
|
|
.securityContext(AbstractHttpConfigurer::disable) |
|
|
|
|
.sessionManagement(AbstractHttpConfigurer::disable) |
|
|
|
|
; |
|
|
|
|
return http.build(); |
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
} |
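Review bot: `excludeURI.addAll(Arrays.asList(IGNORE_URI));` mutates the list handed back by the subclass's `getExcludeURI()`: if that override returns an immutable list (`List.of(...)`, `Collections.singletonList(...)` — the `isEmpty()` guard only catches the empty case) this line throws `UnsupportedOperationException` during context startup, and if it returns a shared field the base class's ignore paths silently leak into the subclass's state. Merge into a fresh collection instead: `List<String> merged = new ArrayList<>(Arrays.asList(IGNORE_URI));`, `if (excludeURI != null) merged.addAll(excludeURI);`, `String[] ignoreURI = merged.toArray(new String[0]);` (adding `java.util.ArrayList`, which the visible import block lacks). Note also that this `@Order(1)` chain disables the security context and session handling and grants `permitAll` to everything it matches, so any path a subclass returns from `getExcludeURI` is fully unauthenticated — the abstract method deserves a Javadoc stating that contract, e.g. `/** Paths (Ant patterns) served with no authentication at all; they bypass the JWT filters entirely. Return a mutable list or null. */`.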
|
|
|
|