fix: spring security 설정 fix

Jonguk. Lim 12 months ago
parent 406a545729
commit d637b38980

@ -1,31 +1,29 @@
package egovframework.com.security;
import egovframework.com.cmm.filter.HTMLTagFilter;
import egovframework.com.jwt.JwtAuthenticationEntryPoint;
import egovframework.com.jwt.JwtAuthenticationFilter;
import java.nio.charset.*;
import java.util.*;
import org.springframework.boot.web.servlet.MultipartConfigFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpMethod;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.access.channel.ChannelProcessingFilter;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.csrf.CsrfFilter;
import org.springframework.util.unit.DataSize;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
import org.springframework.web.filter.CharacterEncodingFilter;
import org.springframework.web.multipart.support.MultipartFilter;
import javax.servlet.*;
import java.util.Arrays;
import org.springframework.boot.autoconfigure.security.servlet.*;
import org.springframework.boot.web.servlet.*;
import org.springframework.context.annotation.*;
import org.springframework.http.*;
import org.springframework.security.config.annotation.web.builders.*;
import org.springframework.security.config.annotation.web.configuration.*;
import org.springframework.security.config.annotation.web.configurers.*;
import org.springframework.security.config.http.*;
import org.springframework.security.web.*;
import org.springframework.security.web.access.channel.*;
import org.springframework.security.web.authentication.*;
import org.springframework.security.web.csrf.*;
import org.springframework.util.unit.*;
import org.springframework.web.cors.*;
import org.springframework.web.filter.*;
import org.springframework.web.multipart.support.*;
import javax.servlet.MultipartConfigElement;
import egovframework.com.cmm.filter.*;
import egovframework.com.jwt.*;
/**
* fileName : SecurityConfig
@ -84,10 +82,10 @@ public class SecurityConfig {
protected CorsConfigurationSource corsConfigurationSource() {
CorsConfiguration configuration = new CorsConfiguration();
configuration.setAllowedOriginPatterns(Arrays.asList("*"));
configuration.setAllowedOriginPatterns(Collections.singletonList("*"));
configuration.setAllowedMethods(Arrays.asList("HEAD","POST","GET","DELETE","PUT","PATCH"));
configuration.setAllowedOrigins(Arrays.asList(ORIGINS_WHITELIST));
configuration.setAllowedHeaders(Arrays.asList("*"));
configuration.setAllowedHeaders(Collections.singletonList("*"));
configuration.setAllowCredentials(true);
UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
@ -125,18 +123,38 @@ public class SecurityConfig {
@Bean
protected SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
CharacterEncodingFilter filter = new CharacterEncodingFilter();
filter.setEncoding(StandardCharsets.UTF_8.displayName());
filter.setForceEncoding(true);
return http
// token 방식이기 때문에 csrf disable
.formLogin().disable()
.httpBasic().disable()
.csrf(AbstractHttpConfigurer::disable)
.authorizeHttpRequests(authorize -> authorize
.antMatchers("/members/**").hasRole("ADMIN") //ROLE_생략=자동으로 입력됨
.antMatchers(AUTH_WHITELIST).permitAll()
.antMatchers(HttpMethod.GET,AUTH_GET_WHITELIST).permitAll()
.anyRequest().authenticated()
).sessionManagement((sessionManagement) ->
.headers(headers ->
headers.frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
)
.sessionManagement((sessionManagement) ->
sessionManagement.sessionCreationPolicy(SessionCreationPolicy.STATELESS)
)
.cors().and()
.authorizeHttpRequests(authorize -> authorize
// GET, POST 요청시 : OPTIONS preflight 요청 - 실제 서버가 살아있는지를 사전에 확인하는 요청
// Spring에서 OPTIONS에 대한 요청을 막고 있어 OPTIONS 요청이 왔을 때도 오류를 리턴하지 않도록 설정
.requestMatchers(CorsUtils::isPreFlightRequest).permitAll()
.mvcMatchers(HttpMethod.OPTIONS, "/**").permitAll()
.requestMatchers(PathRequest.toStaticResources().atCommonLocations()).permitAll()
// h2-console 요청 인증 무시
//.requestMatchers(PathRequest.toH2Console()).permitAll()
// favicon.ico 요청 인증 무시
.antMatchers("/favicon.ico").permitAll()
//ROLE_생략=자동으로 입력됨
.antMatchers("/members/**").hasRole("ADMIN")
.antMatchers(HttpMethod.GET,AUTH_GET_WHITELIST).permitAll()
.antMatchers(AUTH_WHITELIST).permitAll()
.anyRequest().authenticated()
)
.addFilterBefore(characterEncodingFilter(), ChannelProcessingFilter.class)
.addFilterBefore(authenticationTokenFilterBean(), UsernamePasswordAuthenticationFilter.class)
.addFilterBefore(multipartFilter(), CsrfFilter.class)
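Review bot: In corsConfigurationSource (second hunk) the new `configuration.setAllowedOriginPatterns(Collections.singletonList("*"));` is kept together with `configuration.setAllowCredentials(true);`, so every requesting origin is echoed back in Access-Control-Allow-Origin with credentials permitted, and as far as the hunk shows the `setAllowedOrigins(Arrays.asList(ORIGINS_WHITELIST))` line two lines below restricts nothing, because the wildcard pattern matches any origin the whitelist would have rejected. If ORIGINS_WHITELIST is the intended policy, the pattern line should be removed (or set to the same whitelist entries) and the intent recorded next to it, e.g. `// allowCredentials(true): origins must be an explicit list, never a "*" pattern`. The body of corsConfigurationSource continues outside the hunk, so the source registration below it could not be checked. As a smaller point, the first hunk now imports the same packages both explicitly and with wildcards (e.g. `java.util.*` plus `java.util.Arrays`), which the file's no-wildcard style of the earlier lines suggests should be collapsed to one form.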
