스프링 시큐리티를 사용해서 인증, 인가를 구현하던 중 분명히 permitAll()로 회원가입과 로그인에 대한 접근을 허용했는데 필터를 거치게 되며 토큰 값을 검사하는 로직을 타게 되는 문제가 발생하였다.
다음은 내가 작성한 코드이다.
[WebSecurityConfig.java]
package org.example.expert.security;
import org.example.expert.config.JwtUtil;
import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
@Configuration
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class WebSecurityConfig {
private final JwtUtil jwtUtil;
private final UserDetailsServiceImpl userDetailsService;
private final AuthenticationConfiguration authenticationConfiguration;
public WebSecurityConfig(JwtUtil jwtUtil, UserDetailsServiceImpl userDetailsService, AuthenticationConfiguration authenticationConfiguration) {
this.jwtUtil = jwtUtil;
this.userDetailsService = userDetailsService;
this.authenticationConfiguration = authenticationConfiguration;
}
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception {
return configuration.getAuthenticationManager();
}
@Bean
public JwtAuthenticationFilter jwtAuthenticationFilter() throws Exception {
JwtAuthenticationFilter filter = new JwtAuthenticationFilter(jwtUtil);
filter.setAuthenticationManager(authenticationManager(authenticationConfiguration));
return filter;
}
@Bean
public JwtAuthorizationFilter jwtAuthorizationFilter() {
return new JwtAuthorizationFilter(jwtUtil, userDetailsService);
}
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
http.csrf(csrf -> csrf.disable());
http.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS));
http.authorizeHttpRequests(req ->
req
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
.requestMatchers("/auth/**").permitAll()
.requestMatchers("/error").permitAll()
.requestMatchers("/admin/**").hasRole("ADMIN")
.anyRequest().authenticated()
);
http.addFilterBefore(jwtAuthorizationFilter(), JwtAuthenticationFilter.class);
http.addFilterBefore(jwtAuthenticationFilter(), UsernamePasswordAuthenticationFilter.class);
return http.build();
}
}
.requestMatchers("/auth/**").permitAll() 를 적었음에도 JwtAuthorizationFilter를 거치며 있지도 않은 토큰을 검사하면서 오류가 발생했다.
알고보니 permitAll()은 Spring Security의 필터 체인을 거치는건 똑같지만, 특정 경로나 리소스에 대해 사용자의 인증이 없어도 액세스를 허용하는 기능이었다.
이는 Security Context와 관련이 있는데, Security Context는 사용자의 보안 정보를 저장하고 제공하는 인터페이스로, 주로 Authentication 객체를 저장해 사용자의 인증 상태와 권한 정보에 접근할 수 있게 해준다. 이는 Security Context Holder를 통해 얻을 수 있다.
permitAll()은 모든 필터 체인을 거친 후 Security Context Holder 안에 존재하는 Security Context에 Authentication 인증 객체가 존재하지 않아도 해당 API 호출을 정상적으로 해주는 것이다.
결국 필터는 타지만 인증 객체가 존재하지 않아도 프로세스가 정상적으로 동작하게 해준다는 의미이다.
그래서 원래는 OncePerRequestFilter를 상속받은 필터에서 토큰을 무조건 받는다고 가정하고 만약 존재하지 않으면 바로 예외를 터트렸는데, 그렇게 하지 않고 만약 토큰이 존재하지 않으면 그냥 다음 필터로 넘겨버리는 로직으로 수정하였다.
[JwtAuthorizationFilter.java]
package org.example.expert.security;
import io.jsonwebtoken.Claims;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.example.expert.config.JwtUtil;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContext;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
@Slf4j(topic = "Authorization & Validate jwt token")
public class JwtAuthorizationFilter extends OncePerRequestFilter {
private final JwtUtil jwtUtil;
private final UserDetailsServiceImpl userDetailsService;
public JwtAuthorizationFilter(JwtUtil jwtUtil, UserDetailsServiceImpl userDetailsService) {
this.jwtUtil = jwtUtil;
this.userDetailsService = userDetailsService;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
String bearerToken = request.getHeader("Authorization");
if(StringUtils.hasText(bearerToken)) {
String token = jwtUtil.substringToken(bearerToken);
if(!jwtUtil.validateToken(token)) {
log.error("Token is not valid");
return;
}
Claims claims = jwtUtil.extractClaims(token);
try {
setAuthentication(claims.get("email", String.class));
} catch (Exception e) {
log.error(e.getMessage());
return;
}
}
filterChain.doFilter(request, response);
}
// 인증 처리
public void setAuthentication(String email) {
SecurityContext context = SecurityContextHolder.createEmptyContext();
Authentication authentication = createAuthentication(email);
context.setAuthentication(authentication);
SecurityContextHolder.setContext(context);
}
// 인증 객체 생성
private Authentication createAuthentication(String email) {
UserDetails userDetails = userDetailsService.loadUserByUsername(email);
return new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities());
}
}
[JwtAuthenticationFilter.java]
package org.example.expert.security;
import com.fasterxml.jackson.databind.ObjectMapper;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.extern.slf4j.Slf4j;
import org.example.expert.config.JwtUtil;
import org.example.expert.domain.auth.dto.request.SigninRequest;
import org.example.expert.domain.user.enums.UserRole;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import java.io.IOException;
@Slf4j(topic = "Sing in & Create JWT token")
public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
private final JwtUtil jwtUtil;
public JwtAuthenticationFilter(JwtUtil jwtUtil) {
this.jwtUtil = jwtUtil;
setFilterProcessesUrl("/auth/signin");
}
@Override
public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response) throws AuthenticationException {
log.info("Attempting authentication");
try {
SigninRequest requestDto = new ObjectMapper().readValue(request.getInputStream(), SigninRequest.class);
return getAuthenticationManager().authenticate(
new UsernamePasswordAuthenticationToken(
requestDto.getEmail(),
requestDto.getPassword(),
null
)
);
} catch (IOException e) {
throw new RuntimeException(e);
}
}
@Override
protected void successfulAuthentication(HttpServletRequest request, HttpServletResponse response, FilterChain chain, Authentication authResult) throws IOException, ServletException {
log.info("Successful authentication");
Long id = ((UserDetailsImpl) authResult.getPrincipal()).getId();
String email = ((UserDetailsImpl) authResult.getPrincipal()).getEmail();
UserRole userRole = UserRole.of(((UserDetailsImpl) authResult.getPrincipal()).getUserRole());
String nickname = ((UserDetailsImpl) authResult.getPrincipal()).getNickname();
String token = jwtUtil.createToken(id, email, userRole, nickname);
response.addHeader("Authorization", token);
}
@Override
protected void unsuccessfulAuthentication(HttpServletRequest request, HttpServletResponse response, AuthenticationException failed) throws IOException, ServletException {
log.info("Unsuccessful authentication");
response.sendError(HttpServletResponse.SC_UNAUTHORIZED, failed.getMessage());
}
}
[UserDetailsImpl.java]
package org.example.expert.security;
import lombok.Getter;
import org.example.expert.domain.user.entity.User;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import java.util.ArrayList;
import java.util.Collection;
@Getter
public class UserDetailsImpl implements UserDetails {
private final User user;
public UserDetailsImpl(User user) {
this.user = user;
}
@Override
public Collection<? extends GrantedAuthority> getAuthorities() {
String authority = user.getUserRole().getAuthority();
Collection<GrantedAuthority> authorities = new ArrayList<>();
authorities.add(new SimpleGrantedAuthority(authority));
return authorities;
}
public Long getId() {
return user.getId();
}
public String getEmail() {
return user.getEmail();
}
public String getUserRole() {
return user.getUserRole().name();
}
public String getNickname() {
return user.getNickname();
}
@Override
public String getPassword() {
return user.getPassword();
}
@Override
public String getUsername() {
return user.getNickname();
}
@Override
public boolean isAccountNonExpired() {
return true;
}
@Override
public boolean isAccountNonLocked() {
return true;
}
@Override
public boolean isCredentialsNonExpired() {
return true;
}
@Override
public boolean isEnabled() {
return true;
}
}
[UserDetailsServiceImpl.java]
package org.example.expert.security;
import lombok.RequiredArgsConstructor;
import org.example.expert.domain.user.entity.User;
import org.example.expert.domain.user.repository.UserRepository;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.stereotype.Service;
@Service
@RequiredArgsConstructor
public class UserDetailsServiceImpl implements UserDetailsService {
private final UserRepository userRepository;
@Override
public UserDetails loadUserByUsername(String email) throws UsernameNotFoundException {
User user = userRepository.findByEmail(email).orElseThrow(() -> new UsernameNotFoundException("Not Found : " + email));
return new UserDetailsImpl(user);
}
}
Stateless 방식
Spring Security는 2003년부터 개발되었고 반면 JWT는 2015년 공식적으로 표준화된 기술이다. 그렇기에 어쩔 수 없이 JSP, Thymeleaf 등의 SSR 방식과 연관된 스펙이 매우 많고, 대부분이 세션 방식을 기반으로 개발되었다. 이로 인해 기존의 세션 방식과 JWT가 결합된 Spring Security 사용 방법이 퍼지게 되었는데, 이는 JWT의 특징인 Stateless 특징을 잘 살려주지 못한 방법이다.
@Service
public class UserDetailsServiceImpl implements UserDetailsService {
private final UserRepository userRepository;
public UserDetailsServiceImpl(UserRepository userRepository) {
this.userRepository = userRepository;
}
@Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
User user = userRepository.findByUsername(username)
.orElseThrow(() -> new UsernameNotFoundException("Not Found " + username));
return new UserDetailsImpl(user);
}
}(마치 이런 코드... jwt에 모든 정보 욱여넣어서 용량 크게 기껏 보냈더니 왜 굳이 디비에서 다시 찾고 있냐? stateless하지 않음.)
서버는 정보를 갖고 있을 필요가 없다. 아무것도 몰라도 된다. 그렇기에 백엔드단에서 무언가를 많이 해줄 필요가 없는 것이다.
이를 보완해서 세션 방식을 완전히 제거한 코드는 다음과 같다.
[SecurityConfig.java]
package org.example.statelessspringsecurity.config;
import lombok.RequiredArgsConstructor;
import org.example.statelessspringsecurity.enums.UserRole;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter;
@Configuration
@RequiredArgsConstructor
@EnableWebSecurity
@EnableMethodSecurity(securedEnabled = true)
public class SecurityConfig {
private final JwtSecurityFilter jwtSecurityFilter;
@Bean
public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
return http
.csrf(AbstractHttpConfigurer::disable)
.sessionManagement(session -> session
.sessionCreationPolicy(SessionCreationPolicy.STATELESS) // SessionManagementFilter, SecurityContextPersistenceFilter
)
.addFilterBefore(jwtSecurityFilter, SecurityContextHolderAwareRequestFilter.class)
.formLogin(AbstractHttpConfigurer::disable) // UsernamePasswordAuthenticationFilter, DefaultLoginPageGeneratingFilter 비활성화
.anonymous(AbstractHttpConfigurer::disable) // AnonymousAuthenticationFilter 비활성화
.httpBasic(AbstractHttpConfigurer::disable) // BasicAuthenticationFilter 비활성화
.logout(AbstractHttpConfigurer::disable) // LogoutFilter 비활성화
.authorizeHttpRequests(auth -> auth
.requestMatchers("/auth/signin", "/auth/signup").permitAll()
.requestMatchers("/test").hasAuthority(UserRole.Authority.ADMIN)
.anyRequest().authenticated()
)
.build();
}
}
[JwtSecurityFilter.java]
package org.example.statelessspringsecurity.config;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.ExpiredJwtException;
import io.jsonwebtoken.MalformedJwtException;
import io.jsonwebtoken.UnsupportedJwtException;
import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import lombok.NonNull;
import lombok.RequiredArgsConstructor;
import lombok.extern.slf4j.Slf4j;
import org.example.statelessspringsecurity.enums.UserRole;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.WebAuthenticationDetailsSource;
import org.springframework.stereotype.Component;
import org.springframework.web.filter.OncePerRequestFilter;
import java.io.IOException;
@Slf4j
@Component
@RequiredArgsConstructor
public class JwtSecurityFilter extends OncePerRequestFilter {
private final JwtUtil jwtUtil;
@Override
protected void doFilterInternal(
HttpServletRequest httpRequest,
@NonNull HttpServletResponse httpResponse,
@NonNull FilterChain chain
) throws ServletException, IOException {
String authorizationHeader = httpRequest.getHeader("Authorization");
if (authorizationHeader != null && authorizationHeader.startsWith("Bearer ")) {
String jwt = jwtUtil.substringToken(authorizationHeader);
try {
Claims claims = jwtUtil.extractClaims(jwt);
String userId = claims.getSubject();
String email = claims.get("email", String.class);
UserRole userRole = UserRole.of(claims.get("userRole", String.class));
if (userId != null && SecurityContextHolder.getContext().getAuthentication() == null) {
AuthUser authUser = new AuthUser(userId, email, userRole);
JwtAuthenticationToken authenticationToken = new JwtAuthenticationToken(authUser);
authenticationToken.setDetails(new WebAuthenticationDetailsSource().buildDetails(httpRequest));
SecurityContextHolder.getContext().setAuthentication(authenticationToken);
}
} catch (SecurityException | MalformedJwtException e) {
log.error("Invalid JWT signature, 유효하지 않는 JWT 서명 입니다.", e);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "유효하지 않는 JWT 서명입니다.");
} catch (ExpiredJwtException e) {
log.error("Expired JWT token, 만료된 JWT token 입니다.", e);
httpResponse.sendError(HttpServletResponse.SC_UNAUTHORIZED, "만료된 JWT 토큰입니다.");
} catch (UnsupportedJwtException e) {
log.error("Unsupported JWT token, 지원되지 않는 JWT 토큰 입니다.", e);
httpResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "지원되지 않는 JWT 토큰입니다.");
} catch (Exception e) {
log.error("Internal server error", e);
httpResponse.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
}
}
chain.doFilter(httpRequest, httpResponse);
}
}
securityConfig.java에서 .addFilterBefore(jwtSecurityFilter,SecurityContextHolderAwareRequestFilter.class) 로 security filter chain에 등록해 주었다.
[JwtAuthenticationToken.java]
package org.example.statelessspringsecurity.config;
import org.springframework.security.authentication.AbstractAuthenticationToken;
public class JwtAuthenticationToken extends AbstractAuthenticationToken {
private final AuthUser authUser;
public JwtAuthenticationToken(AuthUser authUser) {
super(authUser.getAuthorities());
this.authUser = authUser;
setAuthenticated(true);
}
@Override
public Object getCredentials() {
return null;
}
@Override
public Object getPrincipal() {
return authUser;
}
}
기존에 사용했던 Argument Resolver를 대체한다.
getPrincipal() 메소드로 컨트롤러 파라미터에서 @AuthenticationPrincipal를 이용해 어떤 인증 객체를 받을지 설정한다.
[참고 자료]
https://suhyeon-developer.tistory.com/42
[SpringBoot] Spring Security Config에서 permitAll()에 대한 진실과 오해
사용 기술 스택 - Spring Boot 3.x.x - Spring Security 6 ( + jwt token 방식) - Spring Data Jpa 문제 발생 Spring Security를 적용하면서 인증이 필요하지 않은 경로를 직접 지정해주어 인증을 안하도록 설정하였다. 대
suhyeon-developer.tistory.com
'내배캠 > TIL' 카테고리의 다른 글
| [AWS] RDS 생성 및 연동하기 (4) | 2024.10.09 |
|---|---|
| 락(Lock) 이란? (1) | 2024.10.09 |
| [스프링] 트랜잭션 활용과 주의사항 (1) | 2024.10.01 |
| [AWS] Identity and Access Management (0) | 2024.09.30 |
| [AWS] AWS 시작하기 (2) | 2024.09.30 |
