Feature/jwt practice

README.md

@@ -31,4 +31,12 @@
   - https://console.cloud.google.com/ 개발자 센터 접속
   - 프로젝트 생성 후 OAuth 2.0 클라이언트 Id 생성
   - 승인된 리디렉션 URI: http://localhost:8080/login/oauth2/code/google path 고정
-  - 클라이언트ID, 보안 비밀번호 yml 설정 추가
+  - 클라이언트ID, 보안 비밀번호 yml 설정 추가
+
+### JWT
+- JSON 객체를 사용해서 토큰 자체에 정보들을 저장하고 있는 Web Token
+- 기존 세션 방식의 처리는 서버가 메모리 혹은 별도의 세션을 저장할 공간이 필요했음(하드디스크, DB)
+  - 서버의 부담
+  - auto scale이 되어 서버 인스턴스가 늘어났을 때, 메모리를 서로 공유하지 못하기 때문에 세션을 공유할 수 없음.
+  - 중간에 서버가 죽으면? 메모리에 있던 정보들 다 날라감. 별도 저장소를 구성하기엔 비용이 듦
+  - 이러한 이유 등으로 인해 jwt 웹 표준(RFC 7519) 등장.

build.gradle

@@ -24,15 +24,20 @@ repositories {
 dependencies {
 	implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
 	implementation 'org.springframework.boot:spring-boot-starter-security'
-	implementation 'org.springframework.boot:spring-boot-starter-oauth2-client'
+	implementation 'org.springframework.boot:spring-boot-starter-validation'
 	implementation 'org.springframework.boot:spring-boot-starter-web'
-	implementation 'org.springframework.boot:spring-boot-starter-mustache'
+	testImplementation 'org.springframework.boot:spring-boot-starter-test'
+	testImplementation 'org.springframework.security:spring-security-test'
 
 	compileOnly 'org.projectlombok:lombok'
 	annotationProcessor 'org.projectlombok:lombok'
-	testImplementation 'org.springframework.boot:spring-boot-starter-test'
-	testImplementation 'org.springframework.security:spring-security-test'
-	runtimeOnly 'com.mysql:mysql-connector-j:8.0.33'
+
+	runtimeOnly 'com.h2database:h2'
+//	runtimeOnly 'com.mysql:mysql-connector-j:8.0.33'
+
+	implementation 'io.jsonwebtoken:jjwt-api:0.11.5'
+	runtimeOnly 'io.jsonwebtoken:jjwt-impl:0.11.5'
+	runtimeOnly 'io.jsonwebtoken:jjwt-jackson:0.11.5'
 }
 
 tasks.named('test') {

docker-compose.yml

@@ -0,0 +1,24 @@
+## compose 파일 버전
+#version: '3'
+#services:
+#  # 서비스 명
+#  db:
+#    # 사용할 이미지
+#    image: mysql
+#    # 컨테이너 실행 시 재시작
+#    restart: always
+#    # 컨테이너명 설정
+#    container_name: mysql-container-by-compose
+#    # 접근 포트 설정(컨테이너 외부:컨테이너 내부)
+#    ports:
+#
+#      - 3307:3306
+#    # 환경 변수 설정
+#    environment:
+#      MYSQL_ROOT_PASSWORD: root
+#    # 명령어 설정
+#    command:
+#      - --character-set-server=utf8mb4
+#      - --collation-server=utf8mb4_unicode_ci
+##    volumes:
+##      -

src/main/java/com/example/security2/config/CorsConfig.java

@@ -0,0 +1,25 @@
+package com.example.security2.config;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.web.cors.CorsConfiguration;
+import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
+import org.springframework.web.filter.CorsFilter;
+
+@Configuration
+public class CorsConfig {
+
+    @Bean
+    public CorsFilter corsFilter() {
+        UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
+
+        CorsConfiguration config = new CorsConfiguration();
+        config.setAllowCredentials(true);
+        config.addAllowedOriginPattern("*");
+        config.addAllowedHeader("*");
+        config.addAllowedMethod("*");
+
+        source.registerCorsConfiguration("/rest/api/**", config);
+        return new CorsFilter(source);
+    }
+}

src/main/java/com/example/security2/config/JwtSecurityConfig.java

@@ -0,0 +1,25 @@
+package com.example.security2.config;
+
+import com.example.security2.jwt.JwtFilter;
+import com.example.security2.jwt.TokenProvider;
+import org.springframework.security.config.annotation.SecurityConfigurerAdapter;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.web.DefaultSecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+
+public class JwtSecurityConfig extends SecurityConfigurerAdapter<DefaultSecurityFilterChain, HttpSecurity> {
+
+    private final TokenProvider tokenProvider;
+
+    public JwtSecurityConfig(TokenProvider tokenProvider) {
+        this.tokenProvider = tokenProvider;
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        // security 로직에 JwtFilter 등록
+        http.addFilterBefore(
+                new JwtFilter(tokenProvider),
+                UsernamePasswordAuthenticationFilter.class);
+    }
+}

src/main/java/com/example/security2/config/SecurityConfig.java

@@ -1,59 +1,75 @@
 package com.example.security2.config;
 
-import com.example.security2.oauth.PrincipalOauth2UserService;
+import com.example.security2.jwt.JwtAccessDeniedHandler;
+import com.example.security2.jwt.JwtAuthenticationEntryPoint;
+import com.example.security2.jwt.TokenProvider;
+import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
 import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
+import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
+import org.springframework.security.config.http.SessionCreationPolicy;
 import org.springframework.security.web.SecurityFilterChain;
-import org.springframework.security.web.access.expression.WebExpressionAuthorizationManager;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.web.filter.CorsFilter;
 
 @Configuration
-@EnableWebSecurity // 스프링 필터체인에 등록
-@EnableMethodSecurity(securedEnabled = true, prePostEnabled = true)         // 권한 처리, Secured 어노테이션 활성화. preAuthorize, postAuthorize 어노테이션 활성화
+@EnableWebSecurity
+@EnableMethodSecurity
 public class SecurityConfig {
 
-    private final PrincipalOauth2UserService principalOauth2UserService;
+    private final CorsFilter corsFilter;
+    private final TokenProvider tokenProvider;
+    private final JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint;
+    private final JwtAccessDeniedHandler jwtAccessDeniedHandler;
 
-    public SecurityConfig(PrincipalOauth2UserService principalOauth2UserService) {
-        this.principalOauth2UserService = principalOauth2UserService;
+    public SecurityConfig(CorsFilter corsFilter, TokenProvider tokenProvider, JwtAuthenticationEntryPoint jwtAuthenticationEntryPoint, JwtAccessDeniedHandler jwtAccessDeniedHandler) {
+        this.corsFilter = corsFilter;
+        this.tokenProvider = tokenProvider;
+        this.jwtAuthenticationEntryPoint = jwtAuthenticationEntryPoint;
+        this.jwtAccessDeniedHandler = jwtAccessDeniedHandler;
     }
 
-    // SecurityConfig <-> PrincipalOauth2UserService 순환참조로 인해 분리(PasswordConfig)
-    /*@Bean
-    public PasswordEncoder passwordEncoder() {
-        return new BCryptPasswordEncoder();
-    }*/
-
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
         // csrf, cors 일단 비활성화
-        http.csrf(AbstractHttpConfigurer::disable);
-        http.cors(AbstractHttpConfigurer::disable);
+        http
+                .csrf(AbstractHttpConfigurer::disable)
+//                .cors(AbstractHttpConfigurer::disable)
 
-        http.authorizeHttpRequests((requests) -> requests
-                .requestMatchers("/user/**").authenticated()
-                .requestMatchers("/manager/**").access(
-                        new WebExpressionAuthorizationManager("hasRole('ROLE_ADMIN') or hasRole('ROLE_MANAGER')")
+                .addFilterBefore(corsFilter, UsernamePasswordAuthenticationFilter.class)
+                // jwt 예외핸들러 등록
+                .exceptionHandling(httpSecurityExceptionHandlingConfigurer ->
+                        httpSecurityExceptionHandlingConfigurer
+                                .authenticationEntryPoint(jwtAuthenticationEntryPoint)
+                                .accessDeniedHandler(jwtAccessDeniedHandler)
                 )
-                .requestMatchers("/admin/**").access(
-                        new WebExpressionAuthorizationManager("hasRole('ROLE_ADMIN')")
+
+                // 세션을 사용하지 않기 때문에 "STATELESS"로 설정
+                .sessionManagement(sessionManagementConfigurer ->
+                        sessionManagementConfigurer.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
                 )
-                .anyRequest().permitAll())
-                .formLogin(form -> form
-                        .loginPage("/loginForm")
-                        .usernameParameter("email")
-                        .loginProcessingUrl("/login")
-                        .defaultSuccessUrl("/")
+
+                .authorizeHttpRequests((requests) -> requests
+                    .requestMatchers(PathRequest.toH2Console()).permitAll()
+                    .requestMatchers(
+                            new AntPathRequestMatcher("/api/v1/auth"),
+                            new AntPathRequestMatcher("/api/v1/user/hello"),
+                            new AntPathRequestMatcher("/api/v1/user/signup")
+                    ).permitAll()
+                    .anyRequest().authenticated()
                 )
-                .oauth2Login(oauth2 -> oauth2
-                        .loginPage("/loginForm")
-                        .userInfoEndpoint(userInfoEndpointConfig -> userInfoEndpointConfig
-                                .userService(principalOauth2UserService)
-                        )
-                );
+                // enable h2 console
+                .headers(header -> header
+                        .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
+                )
+
+                // JwtFilter 적용
+                .apply(new JwtSecurityConfig(tokenProvider));
 
         return http.build();
     }