fix: web ignore 사용시 warning

web ignore 대신 security filter의 permitAll로 대체
8 months ago · 5a974631e9
5 changed files with 71 additions and 27 deletions
--- a/app/kac-app/build.gradle
+++ b/app/kac-app/build.gradle
@ -39,7 +39,12 @@ dependencies {
    implementation project(":common-security")
    implementation project(":web-api-com")
    // TDOO: 제거...
-//    compileOnly project(":data-com")
+//    implementation project(":data-cns")
+//    implementation project(":data-com")
+//    implementation project(":data-ctr")
+//    implementation project(":data-flt")
+//    implementation project(":data-other")
+//    implementation project(":data-pty")
 }

 ext {
--- a/app/kac-app/src/main/java/kr/co/palnet/kac/app/core/security/AppSecurityConfig.java
+++ b/app/kac-app/src/main/java/kr/co/palnet/kac/app/core/security/AppSecurityConfig.java
@ -7,11 +7,16 @@ import kr.co.palnet.kac.config.security.service.BaseUserDetailsService;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.DependsOn;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
 import org.springframework.security.web.SecurityFilterChain;

+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+

@Slf4j
@EnableWebSecurity
@ -20,25 +25,24 @@ public class AppSecurityConfig extends SecurityConfig {

    // 시큐리티 적용 안하는 URL 목록
    private final String[] IGNORE_URL = {
-            "/docs/index.html",
-            "/api-docs/**",
-            "/swagger-ui/**",
-            "/v1/com/code/**"
+            "/v1/com/code/**",
    };

-    private final String[] USER_URL = {};
-
-
+    // 권한(ROLE)별 URL
+    private final String[] USER_URL = {
+    };

    public AppSecurityConfig(BaseUserDetailsService baseUserDetailsService, BaseAuthenticationEntryPoint baseAuthenticationEntryPoint, BaseAccessDeniedHandler baseAccessDeniedHandler) {
        super(baseUserDetailsService, baseAuthenticationEntryPoint, baseAccessDeniedHandler);
    }

    @Override
-    @Bean
-    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+        // 기본 security 설정을 불러온다.
        this.setDefaultHttpSecurity(http);
+        // 여기서는 role별 허용 url 설정을 한다.
        http
+                .securityMatchers(matchers -> matchers.requestMatchers("/**"))
                .authorizeHttpRequests(authz ->
                        authz
                                .requestMatchers(USER_URL).hasRole("USER")
@ -49,10 +53,10 @@ public class AppSecurityConfig extends SecurityConfig {
        return http.build();
    }

-    @Bean
-    public WebSecurityCustomizer appWebSecurityCustomizer() {
-        return web -> web.ignoring()
-                .requestMatchers(IGNORE_URL);
+    // security filter 제외 - permission all
+    @Override
+    protected List<String> getExcludeURI() {
+        return new ArrayList<>(Arrays.asList(IGNORE_URL));
    }

 }
--- a/common/security/src/main/java/kr/co/palnet/kac/config/security/SecurityConfig.java
+++ b/common/security/src/main/java/kr/co/palnet/kac/config/security/SecurityConfig.java
@ -6,15 +6,16 @@ import kr.co.palnet.kac.config.security.filter.JwtCheckFilter;
 import kr.co.palnet.kac.config.security.filter.JwtLoginFilter;
 import kr.co.palnet.kac.config.security.service.BaseUserDetailsService;
 import lombok.RequiredArgsConstructor;
-import lombok.extern.slf4j.Slf4j;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.core.annotation.Order;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.ProviderManager;
 import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.WebSecurityCustomizer;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.RequestCacheConfigurer;
 import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.crypto.password.NoOpPasswordEncoder;
 import org.springframework.security.crypto.password.PasswordEncoder;
@ -22,7 +23,11 @@ import org.springframework.security.web.SecurityFilterChain;
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;

+import java.util.Arrays;
+import java.util.List;

+@EnableWebSecurity
+@Configuration
@RequiredArgsConstructor
 public abstract class SecurityConfig {

@ -30,20 +35,25 @@ public abstract class SecurityConfig {
    private final BaseAuthenticationEntryPoint baseAuthenticationEntryPoint;
    private final BaseAccessDeniedHandler baseAccessDeniedHandler;

-    private final String[] SWAGGER_URI = {
+    // 정적
+    private final String[] IGNORE_URI = {
+            // swagger
+            "/swagger-ui/**",
            "/swagger-ui/index.html",
            "/v3/api-docs",
            "/swagger-resources/**",
            "/webjars/**",
-        //     "/swagger-ui/**",
-        //     "/api-docs/**"
+            // rest doc
+            "/docs/index.html",
+            "/api-docs/**",
+            // custom
+            "/ping"
    };

-
    @Bean
    PasswordEncoder passwordEncoder() {
 //        return new BCryptPasswordEncoder();
-        // TODO 테스트 후 BCryptPasswordEncoder 로 변경
+        // TODO 테스트 후 BCryptPasswordEncoder 로 변경 - 회원가입 로직 구현 후 제거
        return NoOpPasswordEncoder.getInstance();
    }

@ -55,10 +65,12 @@ public abstract class SecurityConfig {
        return new ProviderManager(authProvider);
    }

+    @Order(2)
    @Bean
-    protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
+    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        setDefaultHttpSecurity(http);
        http
+                .securityMatchers(matchers -> matchers.requestMatchers("/**"))
                .authorizeHttpRequests(authz ->
                        authz
                                .anyRequest().authenticated()
@ -66,7 +78,7 @@ public abstract class SecurityConfig {
        return http.build();
    }

-    public void setDefaultHttpSecurity(HttpSecurity http) throws Exception {
+    protected void setDefaultHttpSecurity(HttpSecurity http) throws Exception {
        http
                .csrf(AbstractHttpConfigurer::disable)
                .sessionManagement(session ->
@ -82,10 +94,29 @@ public abstract class SecurityConfig {
                );
    }

+    protected abstract List<String> getExcludeURI();
+    @Order(1)
    @Bean
-    public WebSecurityCustomizer webSecurityCustomizer() {
-        return web -> web.ignoring()
-                .requestMatchers(SWAGGER_URI);
+    public SecurityFilterChain excludeFilterChain(HttpSecurity http) throws Exception {
+        List<String> excludeURI = getExcludeURI();
+        String[] ignoreURI;
+        if (excludeURI != null && !excludeURI.isEmpty()) {
+            excludeURI.addAll(Arrays.asList(IGNORE_URI));
+            ignoreURI = excludeURI.toArray(new String[0]);
+        } else {
+            ignoreURI = IGNORE_URI;
+        }
+
+        http
+                .securityMatchers(matchers -> matchers.requestMatchers(ignoreURI))
+                .authorizeHttpRequests(authz -> authz.anyRequest().permitAll())
+                .requestCache(RequestCacheConfigurer::disable)
+                .securityContext(AbstractHttpConfigurer::disable)
+                .sessionManagement(AbstractHttpConfigurer::disable)
+        ;
+        return http.build();
    }

+
+
 }
--- a/data/pty/src/main/java/kr/co/palnet/kac/data/pty/repository/PtyCstmrBasRepository.java
+++ b/data/pty/src/main/java/kr/co/palnet/kac/data/pty/repository/PtyCstmrBasRepository.java
@ -6,6 +6,6 @@ import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;

 public interface PtyCstmrBasRepository extends JpaRepository<PtyCstmrBas, Integer> {
-    @Query("select b from PtyCstmrBas b inner join b.ptyCstmrDtl where b.userId = :userId")
+    @Query("select b from PtyCstmrBas b left join b.ptyCstmrDtl where b.userId = :userId")
    PtyCstmrBas findByUserId(@Param("userId") String userId);
 }
--- a/http-client/http/auth.http
+++ b/http-client/http/auth.http
@ -2,6 +2,7 @@
@userId = user
@password = 1234

+# @no-cookie-jar
 POST {{host}}/v1/login
 Authorization: Bearer {{authToken}} // 토큰이 있을 경우 필터에 걸리는지 확인하기 위한 조치
 Content-Type: application/json
@ -15,5 +16,8 @@ Content-Type: application/json
    client.global.set("authToken", response.headers.valueOf("Auth-Token"));
 %}

+### PING
+GET {{host}}/ping
+