접근 허용 url 설정(permitAccess) 추가

1 year ago · 1ceb84b343
parent 46c4614704
commit 1ceb84b343
1 changed files with 36 additions and 9 deletions
--- a/src/main/java/cokr/xit/base/boot/SecurityConfig.java
+++ b/src/main/java/cokr/xit/base/boot/SecurityConfig.java
@ -1,5 +1,11 @@
 package cokr.xit.base.boot;

+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.stream.Collectors;
+import java.util.stream.Stream;
+
 import javax.annotation.Resource;

 import org.springframework.beans.factory.annotation.Autowired;
@ -24,6 +30,7 @@ import cokr.xit.base.security.authentication.web.AuthenticationExtraDetailsSourc
 import cokr.xit.base.security.authentication.web.AuthenticationFailure;
 import cokr.xit.base.security.authentication.web.AuthenticationSuccess;
 import cokr.xit.base.security.authentication.web.LogoutSuccess;
+import cokr.xit.foundation.AbstractComponent;
 import cokr.xit.foundation.boot.StaticResourceConfig;
 import cokr.xit.foundation.web.ExceptionController;

@ -32,7 +39,7 @@ import cokr.xit.foundation.web.ExceptionController;
 */
@Configuration
@EnableWebSecurity
-public class SecurityConfig {
+public class SecurityConfig extends AbstractComponent {
 	@Autowired
 	private ExceptionController exceptionController;
 	@Resource(name = "staticResource")
@ -55,13 +62,9 @@ public class SecurityConfig {
 	 */
 	@Bean
 	public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+		String[] permitAccess = getPermittedAccess(false);
 		http.authorizeHttpRequests(conf ->
-				conf.antMatchers(
-						"/login.do",
-						"/logout.do",
-						"/error/*.do",
-						"/api/**/*.do"
-					).permitAll()
+				conf.antMatchers(permitAccess).permitAll()
 					.antMatchers("/**/*.do").access(authorizationManager())
 					.anyRequest().authenticated()
 			)
@ -94,15 +97,39 @@ public class SecurityConfig {
 		return http.build();
 	}

+	private String[] getPermittedAccess(boolean ignoringOnly) {
+		String str = properties.getString("permitAccess", "");
+		List<String> ignoring = !str.isEmpty() ? Stream.of(str.split(",")).map(String::trim).toList() : Collections.emptyList();
+		if (ignoringOnly) {
+			return ignoring.toArray(new String[ignoring.size()]);
+		}
+
+		List<String> urls = Stream.of("/login.do", "/logout.do", "/error/*.do")
+			.collect(Collectors.toCollection(() -> new ArrayList<>()));
+		if (!ignoring.isEmpty())
+			ignoring.forEach(s -> {
+				s = s.trim();
+				if (!s.isEmpty())
+					urls.add(s);
+			});
+
+		return urls.toArray(new String[urls.size()]);
+	}
+
 	/**WebSecurityCustomizer를 반환한다.<br />
 	 * 모든 정적 파일에 대한 접근 url은 /resources/**로 한다.
 	 * @return WebSecurityCustomizer
 	 */
 	@Bean
 	public WebSecurityCustomizer webSecurityCustomizer() {
-		return conf -> conf.ignoring()
-			.antMatchers("/api/**/*.do")
+		String[] urls = getPermittedAccess(true);
+		return conf -> {
+			conf.ignoring()
 			.antMatchers(staticResource.getURLs(null));
+			if (urls.length > 0)
+				conf.ignoring()
+					.antMatchers(urls);
+		};
 	}

 	/**AuthenticationSuccess(로그인 성공 핸들러)를 반환한다.