# [Security] Implementing JWT Authentication by Overriding Spring Security's Authentication Architecture
Study Repository

by rlaehddnd0422

์ด๋ฒˆ ํฌ์ŠคํŒ…์—์„œ๋Š” Spring Security์— Jwt ์„ ์ ์šฉํ•œ ์ธ์ฆ(Authentication)๋ฐฉ์‹์— ๋Œ€ํ•ด ์•Œ์•„๋ณด๊ณ ,

๋‹ค์Œ ํฌ์ŠคํŒ…์—์„œ๋Š” ์ธ์ฆ์— ๊ธฐ๋ฐ˜ํ•œ ์ธ๊ฐ€(๊ถŒํ•œ๊ฒ€์‚ฌ,Authorization)๋ฐฉ์‹์— ๋Œ€ํ•ด ์•Œ์•„๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.


๐ŸšฉSecurity Filter 

http.csrf().disable()
        .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // ์„ธ์…˜ ์‚ฌ์šฉ X, Stateless
        .and()
        .formLogin().disable() // ํผ ๋กœ๊ทธ์ธ ์‚ฌ์šฉ X
        .httpBasic().disable() // http ๊ธฐ๋ฐ˜ ์ธ์ฆ๋ฐฉ์‹ (ID, PW๋กœ ๊ฒ€์ฆ) ์‚ฌ์šฉ X
  • csrf().disable() : Cross Site Request Forgery ๋ฐฉ์ง€
  • sessionCreationPolicy : JWT ์ธ์ฆ๋ฐฉ์‹์„ ์‚ฌ์šฉํ•  ์˜ˆ์ •์ด๊ณ , ์„ธ์…˜์„ ์‚ฌ์šฉํ•˜์ง€ ์•Š๊ธฐ ๋•Œ๋ฌธ์—,  ์„ธ์…˜์„ ์ ์šฉํ•˜์ง€ ์•Š๊ธฐ ์œ„ํ•ด SessionCreationPolicy๋ฅผ Stateless๋กœ ๋ณ€๊ฒฝ.
  • formLogin().disable() : HTTP Form Based Authentication์„ ์‚ฌ์šฉํ•˜์ง€ ์•Š๊ณ  ๋กœ๊ทธ์ธ ์‹œ Json์œผ๋กœ request ์˜ˆ์ •์ด๋ฏ€๋กœ ํผ ๋กœ๊ทธ์ธ ์˜ต์…˜์„ ๊บผ์ค๋‹ˆ๋‹ค. 
  • httpBasic().disable() : HTTP Basic Authentication ๋ฐฉ์‹์„ ์‚ฌ์šฉํ•˜์ง€ ์•Š์„ ์˜ˆ์ •์ด๋ฏ€๋กœ ์˜ต์…˜์„ ๊บผ์ค๋‹ˆ๋‹ค. 

 

HTTP Basic Authentication ์ด๋ž€?

ํŠน์ • ๋ฆฌ์†Œ์Šค์— ์ ‘๊ทผ ์š”์ฒญํ• ๋•Œ ๋ธŒ๋ผ์šฐ์ €๊ฐ€ ์‚ฌ์šฉ์ž์˜ username, password ๋งŒ ํ™•์ธํ•˜์—ฌ ์ œํ•œํ•˜๋Š” ์ธ์ฆ ๋ฐฉ๋ฒ•์ž…๋‹ˆ๋‹ค.

 

HTTP Basic Authentication์€ ์–ด๋–ป๊ฒŒ ๋™์ž‘ํ• ๊นŒ ? 

1. ์ธ์ฆ๋˜์ง€ ์•Š์€ ์œ ์ €๊ฐ€ ์ œํ•œ๋œ ์š”์ฒญ์„ ์„œ๋ฒ„์— ์š”์ฒญ

2. ์„œ๋ฒ„๋Š” ํด๋ผ์ด์–ธํŠธ์—๊ฒŒ username, password ์š”์ฒญ

3. ํด๋ผ์ด์–ธํŠธ๋Š” ๋‹ค์‹œ username, password๋ฅผ ํ—ค๋”์— ๋‹ด์•„ ์š”์ฒญ

4. ์„œ๋ฒ„์—์„œ ์ผ์น˜ํ•˜๋ฉด 200 ์‹คํŒจํ•˜๋ฉด 401 ์—๋Ÿฌ ๋ฆฌํ„ด

์ฟ ํ‚ค์™€ ์„ธ์…˜ ์‚ฌ์šฉํ•˜์ง€ ์•Š๊ณ  ๋ณด์•ˆ์— ์ทจ์•ฝํ•˜๋‹จ ์ ์ด ํŠน์ง•์ด๊ณ ,
์™ธ๋ถ€์—์„œ๋„ ์š”์ฒญ ํ—ค๋”๋ฅผ ๋ณผ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ HTTPs์™€ ์‚ฌ์šฉํ•˜๋Š” ๊ฒƒ์ด ํ•„์ˆ˜์ ์ž…๋‹ˆ๋‹ค.

 

์ด์ œ "/login" ์š”์ฒญ์— ๋Œ€ํ•ด Spring Security๊ฐ€ ๊ฐ€๋กœ์ฑ„์„œ ์ฒ˜๋ฆฌํ•  ์ˆ˜ ์žˆ๋Š” ํ•„ํ„ฐ๋ฅผ ๋งŒ๋“ค์–ด๋ด…์‹œ๋‹ค.


๐ŸšฉJwt-Authentication-Filter ์ƒ์„ฑ

Jwt ๋ฐฉ์‹ Authentication

์ „์ฒด์ ์ธ ๋™์ž‘๋ฐฉ์‹์€ ๋‹น์—ฐํžˆ Spring Security์˜ ์ธ์ฆ ์•„ํ‚คํ…์ณ์™€ ๋™์ผํ•œ Flow๋ฅผ ๊ฐ–์Šต๋‹ˆ๋‹ค.

๋‹ค๋งŒ ํ•„ํ„ฐ๋ฅผ Jwt ์ธ์ฆ๋ฐฉ์‹์œผ๋กœ ์ปค์Šคํ…€ ํ•ด์ฃผ๊ธฐ๋งŒ ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค.

 

์šฐ์„  ์•Œ์•„์•ผ ํ•  ์ ์€, Spring Security์—๋Š” UsernamepasswordAuthenticationFilter ๋ผ๋Š” ํ•„ํ„ฐ๊ฐ€ /login ์š”์ฒญ์— ๋Œ€ํ•ด์„œ ๊ฐ€๋กœ์ฑ„์„œ ์ฒ˜๋ฆฌํ•ด์ค€๋‹ค๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

 

์šฐ๋ฆฌ๋Š” ์ด UsernamePasswordAuthenticationFilter ํ•„ํ„ฐ๋ฅผ ์ƒ์†๋ฐ›์•„ ์˜ค๋ฒ„๋ผ์ด๋”ฉ ํ›„ Jwt ๋ฐฉ์‹์œผ๋กœ ๋ฆฌํŽ™ํ† ๋งํ•˜์—ฌ SecurityConfig์— ๋“ฑ๋กํ•ด์ฃผ๊ธฐ๋งŒ ํ•˜๋ฉด ๋ฉ๋‹ˆ๋‹ค. 

@Slf4j
@RequiredArgsConstructor
public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
    private final AuthenticationManager authenticationManager;

    // Called when a /login request arrives, to attempt the login
    @Override
    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException { ... }

    // Called when attemptAuthentication has returned an Authentication object,
    // i.e. runs on authentication success
    @Override
    protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) { ... }
}
  • UsernamePasswordAuthenticationFilter has many methods that run at different points, but the login flow only needs these two.
  • 1. attemptAuthentication : runs when a /login request arrives, to attempt the login.
    • 1. Creates a UsernamePasswordAuthenticationToken.
    • 2. Hands that token to the AuthenticationManager, which runs the authentication process and returns an Authentication object with PrincipalDetails (our UserDetails implementation) inside.
  • 2. successfulAuthentication : runs when attemptAuthentication has returned an Authentication object, in other words when authentication succeeded.
    • We implement the flow from the figure above in this method.
    • Change it so that it builds a JWT from the PrincipalDetails and returns it to the client.


์šฐ์„  login ์š”์ฒญ์ด ์˜ค๋ฉด ๋กœ๊ทธ์ธ์„ ์‹œ๋„ํ•˜๊ธฐ ์œ„ํ•ด ์‹คํ–‰๋˜๋Š” ํ•จ์ˆ˜์ธ attemptAuthentication ๋ฉ”์†Œ๋“œ๋ฅผ ๋ฆฌํŽ™ํ† ๋ง ํ•ด๋ด…์‹œ๋‹ค.


๐ŸšฉUsernamePasswordAuthenticationFilter ๊ตฌํ˜„ - 1. attemptAuthentication ๋ฉ”์†Œ๋“œ

1. RequestBody์— ๋‹ด์€ username, password ์ •๋ณด๋ฅผ LoginRequestDto๋กœ ๋ณ€ํ™˜

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

    // 1. Json(Username, Password) -> loginRequestDto ๋ณ€ํ™˜
    ObjectMapper om = new ObjectMapper();
    LoginRequestDto loginRequestDto = null;
    try {
        loginRequestDto = om.readValue(request.getInputStream(), LoginRequestDto.class);
    } catch (IOException e) {
        throw new RuntimeException(e);
    }

1. Username / Password Parsing ( Json To LoginRequestDto )

  • ์šฐ์„ , /login ์š”์ฒญ์ด username๊ณผ password์™€ ํ•จ๊ป˜ ๋“ค์–ด์™”์„ ๋•Œ ํ•„ํ„ฐ์—์„œ๋Š” ์š”์ฒญ๋ฐ›์€ username๊ณผ password์— ๋Œ€ํ•ด ํŒŒ์‹ฑ์ž‘์—…์„ ํ•ด์ฃผ์–ด์•ผํ•ฉ๋‹ˆ๋‹ค.
  • RequestBody ํ˜•์‹์œผ๋กœ ์š”์ฒญํ–ˆ๊ธฐ ๋•Œ๋ฌธ์— ObjectMapper๋ฅผ ์‚ฌ์šฉํ•ด request์˜ json InputStream์„ ์ฝ์–ด LoginRequestDto ํด๋ž˜์Šค๋กœ ํŒŒ์‹ฑ์ž‘์—…์„ ํ•ด์ฃผ์—ˆ์Šต๋‹ˆ๋‹ค.

LoginRequestDto๋ฅผ ํ†ตํ•ด UsernamePasswordAuthenticationToken ์ƒ์„ฑ

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

// 1. Json(Username, Password) -> loginRequestDto
...

// 2. loginRequestDto -> UsernamePasswordAuthentication Token ์ƒ์„ฑ
UsernamePasswordAuthenticationToken authenticationToken =
	new UsernamePasswordAuthenticationToken(loginRequestDto.getUsername(),loginRequestDto.getPassword());

2. UsernamePasswordAuthenticationToken ์ƒ์„ฑ

  • LoginRequestDto๋กœ ํŒŒ์‹ฑ๋œ ์ •๋ณด๋ฅผ ๋ฐ”ํƒ•์œผ๋กœ UsernamePasswordAuthenticationToken์„ ์ƒ์„ฑํ•ฉ๋‹ˆ๋‹ค
  • ์ธ์ฝ”๋”ฉ ๋ฐฉ์‹์„ ๋”ฐ๋กœ ์ง€์ •ํ•˜์ง€ ์•Š์œผ๋ฉด Bcrypt ๋ฐฉ์‹์œผ๋กœ ์ธ์ฝ”๋”ฉํ•˜์—ฌ ํ† ํฐ์„ ๋งŒ๋“ญ๋‹ˆ๋‹ค.

 

 

AuthenticationManager์—์„œ authenticate ๋ฉ”์†Œ๋“œ๋ฅผ ํ†ตํ•ด 2์—์„œ ์ƒ์„ฑํ•œ ํ† ํฐ์œผ๋กœ ์‚ฌ์šฉ์ž ์ •๋ณด ๊ฒ€์ฆ

@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {

// 1. Json(Username, Password) -> loginRequestDto
...

// 2. loginRequestDto -> UsernamePasswordAuthentication Token ์ƒ์„ฑ
...

// 3. 2์—์„œ username, password๋ฅผ ๊ธฐ๋ฐ˜์œผ๋กœ BcryptEncoding์œผ๋กœ ์ƒ์„ฑํ•œ ํ† ํฐ์œผ๋กœ ์‚ฌ์šฉ์ž ์ •๋ณด ๊ฒ€์ฆ
Authentication authentication = authenticationManager.authenticate(authenticationToken);

 

3. The AuthenticationManager hands the UsernamePasswordAuthenticationToken created above to an AuthenticationProvider for verification.

Calling AuthenticationManager.authenticate() actually makes the AuthenticationProvider (DaoAuthenticationProvider in the default setup) do the following work internally.

Work built into AuthenticationManager.authenticate()

authenticate() method

0. Internally delegates to the AuthenticationProvider

1. The AuthenticationProvider calls UserDetailsService.loadUserByUsername(username)
2. loadUserByUsername(username) - checks whether a user with that username exists in the database and returns it as UserDetails (PrincipalDetails here), including the stored BCrypt hash

3. The provider then calls PasswordEncoder.matches(rawPassword, storedHash) - BCrypt re-hashes the submitted raw password with the salt embedded in the stored hash and compares the result. Nothing is ever looked up in the database by password.

4. On success the provider returns a new, authenticated Authentication object with the UserDetails as principal and the authorities filled in; on failure it throws BadCredentialsException. An unknown username is reported the same way, so the response does not reveal which of the two values was wrong.


Where is the Authentication kept?


5. In the default, session-based flow shown in the figure above, the Authentication object would be placed in the SecurityContextHolder and saved to the HttpSession. In this post the session policy is STATELESS, so nothing is persisted between requests: the JWT returned to the client is the only thing that survives, and the next request is authenticated by verifying that token.


๐Ÿšฉ UsernamePasswordAuthenticationFilter ๊ตฌํ˜„ - 2. successfulAuthentication ๋ฉ”์†Œ๋“œ

@Override
protected void successfulAuthentication(HttpServletRequest request,
        HttpServletResponse response,
        FilterChain chain,
        Authentication authResult) throws IOException, ServletException

 

UsernamePasswordAuthenticationFilter์˜ attemptAuthentication ํ•จ์ˆ˜์—์„œ ์„ฑ๊ณต์ ์œผ๋กœ Authentication ๊ฐ์ฒด๋ฅผ ๋ฆฌํ„ด๋ฐ›์œผ๋ฉด ArgumentResolver๋ฅผ ํ†ตํ•ด successfulAuthentication ๋ฉ”์†Œ๋“œ์˜ Argument์ธ authResult์— ์ž๋™์œผ๋กœ ๋Œ€์ž…๋ฉ๋‹ˆ๋‹ค.

 

๋งˆ์ง€๋ง‰์œผ๋กœ ์šฐ๋ฆฌ๊ฐ€ ์—ฌ๊ธฐ์„œ ๊ตฌํ˜„ํ•ด์•ผ ํ•  ๋ถ€๋ถ„์€ ๋ฐ”๋กœ Authentication ๋‚ด๋ถ€์˜ UserDetails์˜ ์ •๋ณด๋ฅผ ํ† ๋Œ€๋กœ JWT ํ† ํฐ์„ ๋งŒ๋“ค์–ด ํด๋ผ์ด์–ธํŠธ์—๊ฒŒ ๋ฆฌํ„ดํ•˜๋Š” ๊ฒƒ์ž…๋‹ˆ๋‹ค.

Authenticate ๊ฐ์ฒด๋ฅผ ์„ฑ๊ณต์ ์œผ๋กœ ๋ฐ›์•˜์œผ๋‹ˆ ๋งˆ์ง€๋ง‰์œผ๋กœ ๊ฐ์ฒด ๋‚ด๋ถ€์˜ UserDetails๋ฅผ ํ† ๋Œ€๋กœ Jwt๋ฅผ ๋งŒ๋“ค์–ด ํ—ค๋”์— ๋‹ด์•„ ํด๋ผ์ด์–ธํŠธ์—๊ฒŒ ๋ณด๋‚ด์ฃผ์ž

@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
    PrincipalDetails principalDetails = (PrincipalDetails) authResult.getPrincipal();
    String jwtToken = JWT.create()
            .withSubject(principalDetails.getUsername())                                         // sub: who the token was issued to
            .withExpiresAt(new Date(System.currentTimeMillis() + JwtProperties.EXPIRATION_TIME))  // exp: absolute expiry time
            .withClaim("id", principalDetails.getUser().getId())                                 // custom claims: readable by anyone holding the token
            .withClaim("username", principalDetails.getUser().getUsername())
            .sign(Algorithm.HMAC512(JwtProperties.SECRET));                                      // HS512 signature with the server-only secret

    // The client receives "Authorization: Bearer <jwt>" and must send it back on later requests
    response.addHeader(JwtProperties.HEADER_STRING, JwtProperties.TOKEN_PREFIX + jwtToken);
}
  • Because the JWT library (com.auth0:java-jwt) was added as a gradle dependency, we can build the token with its builder.
    • withSubject() : sets the sub claim, the identity the token was issued to (the username here). It is not a "name" for the token.
    • withExpiresAt() : sets the exp claim, the token's expiry. Keep it short: a signed JWT cannot be withdrawn once issued unless the server also keeps a revocation list.
    • withClaim() : adds custom claims. The payload is only Base64url-encoded, not encrypted, so anyone holding the token can read these values. Never put passwords or other secrets in claims.
    • sign() : chooses the signing algorithm. HMAC512 (HS512) is a symmetric MAC: it does not encrypt anything, and the same SECRET both signs and verifies. The SECRET must be known only to the server, be at least 64 random bytes for HS512, and come from configuration or the environment rather than a constant committed in source.
  • The JWT is put in the response header and returned to the client. Note that this override does not call super, so no SecurityContext is populated and no success handler runs; with a STATELESS session policy nothing would be persisted anyway.

๋ชจ๋“  ์ค€๋น„๊ฐ€ ๋๋‚ฌ์Šต๋‹ˆ๋‹ค.  ์ด์ œ ๋งˆ์ง€๋ง‰์œผ๋กœ ์ปค์Šคํ…€ํ•œ ํ•„ํ„ฐ๋ฅผ ๋ฎ์–ด์”Œ์›Œ ์ค์‹œ๋‹ค.


๐Ÿšฉ SecurityConfig์— UsernamePasswordAuthentication Override

// Spring Security 5.x DSL; in 6.x authorizeRequests()/antMatchers() become authorizeHttpRequests()/requestMatchers()
@Configuration
@EnableWebSecurity
@RequiredArgsConstructor
public class SecurityConfig {

    private final CorsFilter corsFilter; // CorsFilter bean registered elsewhere in the project

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.csrf().disable()
                .sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS) // no HttpSession, stateless
                .and()
                .formLogin().disable() // no form login
                .httpBasic().disable() // no HTTP Basic (ID/PW) authentication
                .apply(new MyCustomDsl())
                .and()
                .authorizeRequests()
                .antMatchers("/api/v1/user/**")
                .access("hasRole('ROLE_USER') or hasRole('ROLE_MANAGER') or hasRole('ROLE_ADMIN')")
                .antMatchers("/api/v1/manager/**")
                .access("hasRole('ROLE_MANAGER') or hasRole('ROLE_ADMIN')")
                .antMatchers("/api/v1/admin/**")
                .access("hasRole('ROLE_ADMIN')")
                // Everything not listed above is open to anyone. For a deny-by-default API, permit only
                // /login and the sign-up endpoint explicitly and finish with anyRequest().authenticated().
                .anyRequest().permitAll();

        return http.build();
    }

    // The AuthenticationManager only exists as a shared object while HttpSecurity is being built,
    // so the filter is constructed inside configure() rather than in the bean method above.
    public class MyCustomDsl extends AbstractHttpConfigurer<MyCustomDsl, HttpSecurity> {
        @Override
        public void configure(HttpSecurity http) throws Exception {
            AuthenticationManager authenticationManager = http.getSharedObject(AuthenticationManager.class);
            http
                    .addFilter(corsFilter)
                    .addFilter(new JwtAuthenticationFilter(authenticationManager)); // authentication: takes the place of the default /login filter
        }
    }
}

๐Ÿšฉ Postman Test

ํšŒ์› ๊ฐ€์ž…



 

  • json์œผ๋กœ ๋“ค์–ด์˜จ password๋ฅผ Bcrypt๋ฐฉ์‹์œผ๋กœ ์ธ์ฝ”๋”ฉํ•˜์—ฌ DB์— ์ €์žฅํ•ด์ค์‹œ๋‹ค.

 


๋กœ๊ทธ์ธ

login Post

 

Response Header

  • ์‘๋‹ต ํ—ค๋”์— Jwt๊ฐ€ ๋‹ด๊ฒจ์žˆ๋Š” ๊ฒƒ์„ ํ™•์ธํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
  • ์ œํ•œ๋œ ๋ฆฌ์†Œ์Šค์— ์ ‘๊ทผํ•  ๋•Œ  ์ด Authorization ํ—ค๋”์˜ jwtํ† ํฐ ์ •๋ณด๋ฅผ ์„œ๋ฒ„์— ํ•จ๊ป˜ ๋ณด๋‚ด์„œ, ์„œ๋ฒ„์—์„œ ํ† ํฐ ๊ฒ€์ฆ์„ ํ•˜๋„๋ก ํ•˜์—ฌ์•ผ ํ•˜๋Š”๋ฐ, ์ด ์ธ๊ฐ€(Authorization)๊ณผ์ •์€ ๋‹ค์Œ ํฌ์ŠคํŒ…์—์„œ ์•Œ์•„๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค. 

<์ •๋ฆฌ>

  • ์ด๋ ‡๊ฒŒ Spring Security ์ธ์ฆ ์•„ํ‚คํ…์ณ๋ฅผ ๋ฆฌํŽ™ํ† ๋งํ•˜์—ฌ /login ์š”์ฒญ์„ ์„ฑ๊ณต์ ์œผ๋กœ ์ธ์ฆํ•œ ํด๋ผ์ด์–ธํŠธ์˜ ์„ธ์…˜์˜์—ญ์— authentication ๊ฐ์ฒด๋ฅผ ์ €์žฅํ•˜๊ณ , Jwt ํ† ํฐ์„ Response Header์— ๋‹ด์•„ ๋ฆฌํ„ดํ•ด๋ณด์•˜์Šต๋‹ˆ๋‹ค.
  • ์ด์ œ ํด๋ผ์ด์–ธํŠธ๋Š” ๋ฆฌํ„ด๋ฐ›์€ Jwtํ† ํฐ์„ ์š”์ฒญํ—ค๋”์— ํ•จ๊ป˜ ๋ณด๋‚ด ์ œํ•œ๋œ ๋ฆฌ์†Œ์Šค์— ์ ‘๊ทผํ•  ์ˆ˜ ์žˆ์Šต๋‹ˆ๋‹ค.
  • ๋‹ค์Œ ํฌ์ŠคํŒ…์—์„œ๋Š” ์„œ๋ฒ„์—์„œ ์ œํ•œ๋œ ๋ฆฌ์†Œ์Šค ์š”์ฒญ์— ๋Œ€ํ•ด Jwt ํ† ํฐ์„ ๊ฒ€์ฆํ•˜๋Š” ์ž‘์—…์ธ Jwt Authorization์„ ๊ตฌํ˜„ํ•ด๋ณด๋„๋ก ํ•˜๊ฒ ์Šต๋‹ˆ๋‹ค.

 

<์ฐธ๊ณ  ์ž๋ฃŒ>

https://datamoney.tistory.com/334

 

[Spring] Spring Security JWT ๋กœ๊ทธ์ธ ๊ตฌํ˜„ (HTTP Basic Authentication / Form Based Authentication / JWT)

์Šคํ”„๋ง ์‹œํ๋ฆฌํ‹ฐ์™€ JWT๋ฅผ ์ด์šฉํ•œ ๋กœ๊ทธ์ธ์„ ๊ตฌํ˜„ํ•ด๋ณด๋ ค ํ•œ๋‹ค. โžก๏ธ ๊ฐœ๋… ์ •๋ฆฌ 2023.01.09 - [Backend/Spring] - [Spring] Spring Security ๊ธฐ๋ณธ ๊ฐœ๋… (JWT / OAuth2.0 / ๋™์ž‘ ๋ฐฉ์‹ / ๊ตฌ์„ฑ ์š”์†Œ) [Spring] Spring Security ๊ธฐ๋ณธ ๊ฐœ

datamoney.tistory.com

https://datamoney.tistory.com/332

 

[Spring] Spring Security ๊ธฐ๋ณธ ๊ฐœ๋… (JWT / OAuth2.0 / ๋™์ž‘ ๋ฐฉ์‹ / ๊ตฌ์„ฑ ์š”์†Œ)

JWT (Jason Web Token) ์œ ์ € ์ธ์ฆ, ์‹๋ณ„ํ•˜๊ธฐ ์œ„ํ•œ ํ† ํฐ ๊ธฐ๋ฐ˜์˜ ์ธ์ฆ ๊ตฌ์กฐ ํ—ค๋” (Header) ํƒ€์ž… (type) : ํ•ญ์ƒ JWT ์•Œ๊ณ ๋ฆฌ์ฆ˜ (alg) ํŽ˜์ด๋กœ๋“œ (Payload) : ์‚ฌ์šฉ์ž ์ •๋ณด ๋‹ด๊น€ ์„œ๋ช… (Verify Signature) ๋™์ž‘ ๋ฐฉ์‹ 1. ํด๋ผ์ด์–ธ

datamoney.tistory.com

https://nordvpn.com/ko/blog/csrf/

 

ํฌ๋กœ์Šค ์‚ฌ์ดํŠธ ์š”์ฒญ ์œ„์กฐ(CSRF)์˜ ์˜๋ฏธ

ํฌ๋กœ์Šค ์‚ฌ์ดํŠธ ์š”์ฒญ ์œ„์กฐ๋ž€ ๋ฌด์—‡์ผ๊นŒ์š”? ์ด ๊ธ€์—์„œ ํฌ๋กœ์Šค ์‚ฌ์ดํŠธ ์š”์ฒญ ์œ„์กฐ์˜ ์˜๋ฏธ์™€ ๋ฐฉ์ง€ ๋ฐฉ๋ฒ•์„ ํ™•์ธํ•ด ๋ณด์„ธ์š”

nordvpn.com

https://devscb.tistory.com/123

 

CSRF๋ž€, CSRF ๋™์ž‘์›๋ฆฌ, CSRF ๋ฐฉ์–ด๋ฐฉ๋ฒ•

CSRF๋ž€, CSRF ๋™์ž‘์›๋ฆฌ, CSRF ๋ฐฉ์–ด๋ฐฉ๋ฒ• CSRF๋ž€ CSRF๋ž€, Cross Site Request Forgery์˜ ์•ฝ์ž๋กœ, ํ•œ๊ธ€ ๋œป์œผ๋กœ๋Š” ์‚ฌ์ดํŠธ๊ฐ„ ์š”์ฒญ ์œ„์กฐ๋ฅผ ๋œปํ•ฉ๋‹ˆ๋‹ค. CSRF๋Š” ์›น ๋ณด์•ˆ ์ทจ์•ฝ์ ์˜ ์ผ์ข…์ด๋ฉฐ, ์‚ฌ์šฉ์ž๊ฐ€ ์ž์‹ ์˜ ์˜์ง€์™€๋Š” ๋ฌด๊ด€

devscb.tistory.com

https://www.youtube.com/watch?v=mW-8MQ-4arU 

 

๋ธ”๋กœ๊ทธ์˜ ์ •๋ณด

Study Repository

rlaehddnd0422

ํ™œ๋™ํ•˜๊ธฐ