7주차 과제 - Spring Security 인가(Authorization) 구현하기

README.md

@@ -10,6 +10,12 @@ Spring Security를 이용해서 구현해 주세요.
 내부에서 비밀번호를 탈취를 하더라도 원래 비밀번호를 알아낼 수 없도록 비밀번호를 암호화하여
 저장해 주세요.
 
+### TODO
+
+1. 자신의 정보만 수정 가능하게
+2. 사용자 삭제는 관리자만 가능하게
+3. userId에 따라서 권한을 따로 부여
+
 ### 로그인이 필요없는 API
 
 * 로그인 - `POST /session`

app/build.gradle

@@ -69,6 +69,9 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     runtimeOnly 'com.h2database:h2'
 
+    // Spring Security
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+
     // Spring Developer Tools
     developmentOnly 'org.springframework.boot:spring-boot-devtools'
 

app/src/main/java/com/codesoom/assignment/App.java

@@ -5,6 +5,8 @@
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 @SpringBootApplication
 public class App {
@@ -16,4 +18,9 @@ public static void main(String[] args) {
     public Mapper dozerMapper() {
         return DozerBeanMapperBuilder.buildDefault();
     }
+
+    @Bean
+    public PasswordEncoder passwordEncoder(){
+        return new BCryptPasswordEncoder();
+    }
 }

app/src/main/java/com/codesoom/assignment/application/AuthenticationService.java

@@ -5,15 +5,18 @@
 import com.codesoom.assignment.errors.LoginFailException;
 import com.codesoom.assignment.utils.JwtUtil;
 import io.jsonwebtoken.Claims;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 @Service
 public class AuthenticationService {
+    private final PasswordEncoder passwordEncoder;
     private final UserRepository userRepository;
     private final JwtUtil jwtUtil;
 
-    public AuthenticationService(UserRepository userRepository,
+    public AuthenticationService(PasswordEncoder passwordEncoder, UserRepository userRepository,
                                  JwtUtil jwtUtil) {
+        this.passwordEncoder = passwordEncoder;
         this.userRepository = userRepository;
         this.jwtUtil = jwtUtil;
     }
@@ -22,7 +25,7 @@ public String login(String email, String password) {
         User user = userRepository.findByEmail(email)
                 .orElseThrow(() -> new LoginFailException(email));
 
-        if (!user.authenticate(password)) {
+        if (!user.authenticate(password , passwordEncoder)) {
             throw new LoginFailException(email);
         }
 

app/src/main/java/com/codesoom/assignment/config/SecurityJavaConfig.java

@@ -0,0 +1,43 @@
+package com.codesoom.assignment.config;
+
+import com.codesoom.assignment.application.AuthenticationService;
+import com.codesoom.assignment.filters.AuthenticationErrorFilter;
+import com.codesoom.assignment.filters.JwtAuthenticationFilter;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+
+import javax.servlet.Filter;
+
+@Configuration
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityJavaConfig extends WebSecurityConfigurerAdapter {
+
+    private final AuthenticationService authenticationService;
+
+    public SecurityJavaConfig(AuthenticationService authenticationService) {
+        this.authenticationService = authenticationService;
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        Filter authenticationFilter = new JwtAuthenticationFilter(authenticationManager(), authenticationService);
+        Filter authenticationErrorFilter = new AuthenticationErrorFilter();
+
+        http.csrf().disable()
+                .addFilter(authenticationFilter)
+                // authenticationFilter를 필터로 등록
+                // authenticationFilter의 전처리 필터 authenticationErrorFilter를 등록
+                .addFilterBefore(authenticationErrorFilter , JwtAuthenticationFilter.class)
+                .sessionManagement()
+                .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+//        super.configure(http);
+    }
+}

app/src/main/java/com/codesoom/assignment/config/WebJavaConfig.java

@@ -13,6 +13,7 @@ public class WebJavaConfig implements WebMvcConfigurer {
 
     @Override
     public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(authenticationInterceptor);
+        // SpringSecurity Filter 추가로 인해 주석 처리
+//        registry.addInterceptor(authenticationInterceptor);
     }
 }

app/src/main/java/com/codesoom/assignment/controllers/ControllerErrorAdvice.java

@@ -1,7 +1,11 @@
 package com.codesoom.assignment.controllers;
 
 import com.codesoom.assignment.dto.ErrorResponse;
-import com.codesoom.assignment.errors.*;
+import com.codesoom.assignment.errors.LoginFailException;
+import com.codesoom.assignment.errors.ProductNotFoundException;
+import com.codesoom.assignment.errors.UserEmailDuplicationException;
+import com.codesoom.assignment.errors.UserNotFoundException;
+import com.codesoom.assignment.filters.AuthenticationErrorFilter;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -39,12 +43,6 @@ public ErrorResponse handleLoginFailException() {
         return new ErrorResponse("Log-in failed");
     }
 
-    @ResponseStatus(HttpStatus.UNAUTHORIZED)
-    @ExceptionHandler(InvalidTokenException.class)
-    public ErrorResponse handleInvalidAccessTokenException() {
-        return new ErrorResponse("Invalid access token");
-    }
-
     @ResponseBody
     @ResponseStatus(HttpStatus.BAD_REQUEST)
     @ExceptionHandler(ConstraintViolationException.class)

app/src/main/java/com/codesoom/assignment/controllers/ProductController.java

@@ -4,28 +4,35 @@
 
 package com.codesoom.assignment.controllers;
 
-import com.codesoom.assignment.application.AuthenticationService;
 import com.codesoom.assignment.application.ProductService;
 import com.codesoom.assignment.domain.Product;
 import com.codesoom.assignment.dto.ProductData;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.validation.Valid;
 import java.util.List;
 
+@Slf4j
 @RestController
 @RequestMapping("/products")
 @CrossOrigin
 public class ProductController {
     private final ProductService productService;
 
-    private final AuthenticationService authenticationService;
-
-    public ProductController(ProductService productService,
-                             AuthenticationService authenticationService) {
+    public ProductController(ProductService productService) {
         this.productService = productService;
-        this.authenticationService = authenticationService;
     }
 
     @GetMapping
@@ -40,26 +47,26 @@ public Product detail(@PathVariable Long id) {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("isAuthenticated() and hasAuthority('USER')")
     public Product create(
-            @RequestAttribute Long userId,
             @RequestBody @Valid ProductData productData
     ) {
         return productService.createProduct(productData);
     }
 
     @PatchMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     public Product update(
-            @RequestAttribute Long userId,
             @PathVariable Long id,
             @RequestBody @Valid ProductData productData
     ) {
         return productService.updateProduct(id, productData);
     }
 
     @DeleteMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     @ResponseStatus(HttpStatus.NO_CONTENT)
     public void destroy(
-            @RequestAttribute Long userId,
             @PathVariable Long id
     ) {
         productService.deleteProduct(id);

app/src/main/java/com/codesoom/assignment/controllers/SessionController.java

@@ -4,7 +4,12 @@
 import com.codesoom.assignment.dto.SessionRequestData;
 import com.codesoom.assignment.dto.SessionResponseData;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/session")

app/src/main/java/com/codesoom/assignment/controllers/UserController.java

@@ -6,7 +6,16 @@
 import com.codesoom.assignment.dto.UserRegistrationData;
 import com.codesoom.assignment.dto.UserResultData;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.validation.Valid;
 
@@ -28,6 +37,7 @@ UserResultData create(@RequestBody @Valid UserRegistrationData registrationData)
     }
 
     @PatchMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     UserResultData update(
             @PathVariable Long id,
             @RequestBody @Valid UserModificationData modificationData
@@ -37,6 +47,7 @@ UserResultData update(
     }
 
     @DeleteMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     @ResponseStatus(HttpStatus.NO_CONTENT)
     void destroy(@PathVariable Long id) {
         userService.deleteUser(id);

app/src/main/java/com/codesoom/assignment/domain/User.java

@@ -4,6 +4,8 @@
 import lombok.Builder;
 import lombok.Getter;
 import lombok.NoArgsConstructor;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 import javax.persistence.Entity;
 import javax.persistence.GeneratedValue;
@@ -19,25 +21,31 @@ public class User {
     @GeneratedValue
     private Long id;
 
-    private String email;
+    @Builder.Default
+    private String email = "";
 
-    private String name;
+    @Builder.Default
+    private String name = "";
 
-    private String password;
+    @Builder.Default
+    private String password = "";
 
     @Builder.Default
     private boolean deleted = false;
 
     public void changeWith(User source) {
-        name = source.name;
-        password = source.password;
+        this.name = source.name;
     }
 
     public void destroy() {
         deleted = true;
     }
 
-    public boolean authenticate(String password) {
-        return !deleted && password.equals(this.password);
+    public boolean authenticate(String password , PasswordEncoder passwordEncoder) {
+        return !deleted && passwordEncoder.matches(password , this.password);
+    }
+
+    public void changePassword(String password , PasswordEncoder passwordEncoder) {
+        this.password = passwordEncoder.encode(password);
     }
 }

app/src/main/java/com/codesoom/assignment/dto/ProductData.java

@@ -1,7 +1,11 @@
 package com.codesoom.assignment.dto;
 
 import com.github.dozermapper.core.Mapping;
-import lombok.*;
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Getter;
+import lombok.NoArgsConstructor;
+import lombok.Setter;
 
 import javax.validation.constraints.NotBlank;
 import javax.validation.constraints.NotNull;

app/src/main/java/com/codesoom/assignment/filters/AuthenticationErrorFilter.java

@@ -0,0 +1,24 @@
+package com.codesoom.assignment.filters;
+
+import com.codesoom.assignment.errors.InvalidTokenException;
+import org.springframework.http.HttpStatus;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthenticationErrorFilter extends HttpFilter {
+
+    @Override
+    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+        try {
+            chain.doFilter(request, response);
+        }
+        catch (InvalidTokenException e){
+            response.sendError(HttpStatus.UNAUTHORIZED.value());
+        }
+    }
+}