7주차 과제 - Spring Security 인가(Authorization) 구현하기

README.md

@@ -10,6 +10,12 @@ Spring Security를 이용해서 구현해 주세요.
 내부에서 비밀번호를 탈취를 하더라도 원래 비밀번호를 알아낼 수 없도록 비밀번호를 암호화하여
 저장해 주세요.
 
+### TODO
+
+1. 자신의 정보만 수정 가능하게
+2. 사용자 삭제는 관리자만 가능하게
+3. userId에 따라서 권한을 따로 부여
+
 ### 로그인이 필요없는 API
 
 * 로그인 - `POST /session`

app/build.gradle

@@ -51,9 +51,6 @@ dependencies {
     compileOnly 'org.projectlombok:lombok:1.18.16'
     annotationProcessor 'org.projectlombok:lombok:1.18.16'
 
-    // DozerMapper
-    implementation 'com.github.dozermapper:dozer-core:6.4.0'
-
     // JWT
     implementation 'io.jsonwebtoken:jjwt-api:0.11.2'
     runtime 'io.jsonwebtoken:jjwt-impl:0.11.2'
@@ -69,6 +66,9 @@ dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-data-jpa'
     runtimeOnly 'com.h2database:h2'
 
+    // Spring Security
+    implementation 'org.springframework.boot:spring-boot-starter-security'
+
     // Spring Developer Tools
     developmentOnly 'org.springframework.boot:spring-boot-devtools'
 

app/src/main/java/com/codesoom/assignment/App.java

@@ -1,10 +1,10 @@
 package com.codesoom.assignment;
 
-import com.github.dozermapper.core.DozerBeanMapperBuilder;
-import com.github.dozermapper.core.Mapper;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
 import org.springframework.context.annotation.Bean;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
 
 @SpringBootApplication
 public class App {
@@ -13,7 +13,7 @@ public static void main(String[] args) {
     }
 
     @Bean
-    public Mapper dozerMapper() {
-        return DozerBeanMapperBuilder.buildDefault();
+    public PasswordEncoder passwordEncoder(){
+        return new BCryptPasswordEncoder();
     }
 }

app/src/main/java/com/codesoom/assignment/application/AuthenticationService.java

@@ -1,28 +1,37 @@
 package com.codesoom.assignment.application;
 
+import com.codesoom.assignment.domain.RoleRepository;
 import com.codesoom.assignment.domain.User;
 import com.codesoom.assignment.domain.UserRepository;
 import com.codesoom.assignment.errors.LoginFailException;
+import com.codesoom.assignment.domain.Role;
 import com.codesoom.assignment.utils.JwtUtil;
 import io.jsonwebtoken.Claims;
+import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
+import java.util.List;
+
 @Service
 public class AuthenticationService {
+    private final PasswordEncoder passwordEncoder;
     private final UserRepository userRepository;
+    private final RoleRepository roleRepository;
     private final JwtUtil jwtUtil;
 
-    public AuthenticationService(UserRepository userRepository,
-                                 JwtUtil jwtUtil) {
+    public AuthenticationService(PasswordEncoder passwordEncoder, UserRepository userRepository,
+                                 RoleRepository roleRepository, JwtUtil jwtUtil) {
+        this.passwordEncoder = passwordEncoder;
         this.userRepository = userRepository;
+        this.roleRepository = roleRepository;
         this.jwtUtil = jwtUtil;
     }
 
     public String login(String email, String password) {
         User user = userRepository.findByEmail(email)
                 .orElseThrow(() -> new LoginFailException(email));
 
-        if (!user.authenticate(password)) {
+        if (!user.authenticate(password , passwordEncoder)) {
             throw new LoginFailException(email);
         }
 
@@ -33,4 +42,8 @@ public Long parseToken(String accessToken) {
         Claims claims = jwtUtil.decode(accessToken);
         return claims.get("userId", Long.class);
     }
+
+    public List<Role> roles(Long userId) {
+        return roleRepository.findAllByUserId(userId);
+    }
 }

app/src/main/java/com/codesoom/assignment/application/ProductService.java

@@ -4,7 +4,6 @@
 import com.codesoom.assignment.domain.ProductRepository;
 import com.codesoom.assignment.dto.ProductData;
 import com.codesoom.assignment.errors.ProductNotFoundException;
-import com.github.dozermapper.core.Mapper;
 import org.springframework.stereotype.Service;
 
 import javax.transaction.Transactional;
@@ -13,14 +12,9 @@
 @Service
 @Transactional
 public class ProductService {
-    private final Mapper mapper;
     private final ProductRepository productRepository;
 
-    public ProductService(
-            Mapper dozerMapper,
-            ProductRepository productRepository
-    ) {
-        this.mapper = dozerMapper;
+    public ProductService(ProductRepository productRepository) {
         this.productRepository = productRepository;
     }
 
@@ -33,14 +27,14 @@ public Product getProduct(Long id) {
     }
 
     public Product createProduct(ProductData productData) {
-        Product product = mapper.map(productData, Product.class);
+        Product product = productData.toProduct();
         return productRepository.save(product);
     }
 
     public Product updateProduct(Long id, ProductData productData) {
         Product product = findProduct(id);
 
-        product.changeWith(mapper.map(productData, Product.class));
+        product.changeWith(productData.toProduct());
 
         return product;
     }

app/src/main/java/com/codesoom/assignment/application/UserService.java

@@ -6,19 +6,18 @@
 import com.codesoom.assignment.dto.UserRegistrationData;
 import com.codesoom.assignment.errors.UserEmailDuplicationException;
 import com.codesoom.assignment.errors.UserNotFoundException;
-import com.github.dozermapper.core.Mapper;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.stereotype.Service;
 
 import javax.transaction.Transactional;
+import java.util.Objects;
 
 @Service
 @Transactional
 public class UserService {
-    private final Mapper mapper;
     private final UserRepository userRepository;
 
-    public UserService(Mapper dozerMapper, UserRepository userRepository) {
-        this.mapper = dozerMapper;
+    public UserService(UserRepository userRepository) {
         this.userRepository = userRepository;
     }
 
@@ -28,14 +27,17 @@ public User registerUser(UserRegistrationData registrationData) {
             throw new UserEmailDuplicationException(email);
         }
 
-        User user = mapper.map(registrationData, User.class);
+        User user = registrationData.toUser();
         return userRepository.save(user);
     }
 
-    public User updateUser(Long id, UserModificationData modificationData) {
+    public User updateUser(Long id, UserModificationData modificationData , Long userId) throws AccessDeniedException {
+        if(!Objects.equals(id, userId)){
+            throw new AccessDeniedException("자원 접근이 거부되었습니다.");
+        }
         User user = findUser(id);
 
-        User source = mapper.map(modificationData, User.class);
+        User source = modificationData.toUser();
         user.changeWith(source);
 
         return user;

app/src/main/java/com/codesoom/assignment/config/SecurityJavaConfig.java

@@ -0,0 +1,41 @@
+package com.codesoom.assignment.config;
+
+import com.codesoom.assignment.application.AuthenticationService;
+import com.codesoom.assignment.filters.AuthenticationErrorFilter;
+import com.codesoom.assignment.filters.JwtAuthenticationFilter;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+
+import javax.servlet.Filter;
+
+@Configuration
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityJavaConfig extends WebSecurityConfigurerAdapter {
+
+    private final AuthenticationService authenticationService;
+
+    public SecurityJavaConfig(AuthenticationService authenticationService) {
+        this.authenticationService = authenticationService;
+    }
+
+    @Override
+    public void configure(HttpSecurity http) throws Exception {
+        Filter authenticationFilter = new JwtAuthenticationFilter(authenticationManager(), authenticationService);
+        Filter authenticationErrorFilter = new AuthenticationErrorFilter();
+        http.csrf()
+                .disable()
+            .headers()
+                .frameOptions()
+                    .disable()
+                .and()
+            .addFilter(authenticationFilter)
+                .addFilterBefore(authenticationErrorFilter , JwtAuthenticationFilter.class)
+            .exceptionHandling()
+                .authenticationEntryPoint(new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+    }
+}

app/src/main/java/com/codesoom/assignment/config/WebJavaConfig.java

@@ -13,6 +13,7 @@ public class WebJavaConfig implements WebMvcConfigurer {
 
     @Override
     public void addInterceptors(InterceptorRegistry registry) {
-        registry.addInterceptor(authenticationInterceptor);
+        // SpringSecurity Filter 추가로 인해 주석 처리
+//        registry.addInterceptor(authenticationInterceptor);
     }
 }

app/src/main/java/com/codesoom/assignment/controllers/ControllerErrorAdvice.java

@@ -1,7 +1,11 @@
 package com.codesoom.assignment.controllers;
 
 import com.codesoom.assignment.dto.ErrorResponse;
-import com.codesoom.assignment.errors.*;
+import com.codesoom.assignment.errors.LoginFailException;
+import com.codesoom.assignment.errors.ProductNotFoundException;
+import com.codesoom.assignment.errors.UserEmailDuplicationException;
+import com.codesoom.assignment.errors.UserNotFoundException;
+import com.codesoom.assignment.filters.AuthenticationErrorFilter;
 import org.springframework.http.HttpStatus;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.ExceptionHandler;
@@ -39,12 +43,6 @@ public ErrorResponse handleLoginFailException() {
         return new ErrorResponse("Log-in failed");
     }
 
-    @ResponseStatus(HttpStatus.UNAUTHORIZED)
-    @ExceptionHandler(InvalidTokenException.class)
-    public ErrorResponse handleInvalidAccessTokenException() {
-        return new ErrorResponse("Invalid access token");
-    }
-
     @ResponseBody
     @ResponseStatus(HttpStatus.BAD_REQUEST)
     @ExceptionHandler(ConstraintViolationException.class)

app/src/main/java/com/codesoom/assignment/controllers/ProductController.java

@@ -4,28 +4,35 @@
 
 package com.codesoom.assignment.controllers;
 
-import com.codesoom.assignment.application.AuthenticationService;
 import com.codesoom.assignment.application.ProductService;
 import com.codesoom.assignment.domain.Product;
 import com.codesoom.assignment.dto.ProductData;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.GetMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.validation.Valid;
 import java.util.List;
 
+@Slf4j
 @RestController
 @RequestMapping("/products")
 @CrossOrigin
 public class ProductController {
     private final ProductService productService;
 
-    private final AuthenticationService authenticationService;
-
-    public ProductController(ProductService productService,
-                             AuthenticationService authenticationService) {
+    public ProductController(ProductService productService) {
         this.productService = productService;
-        this.authenticationService = authenticationService;
     }
 
     @GetMapping
@@ -40,26 +47,26 @@ public Product detail(@PathVariable Long id) {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("isAuthenticated()")
     public Product create(
-            @RequestAttribute Long userId,
             @RequestBody @Valid ProductData productData
     ) {
         return productService.createProduct(productData);
     }
 
     @PatchMapping("{id}")
+    @PreAuthorize("hasRole('ADMIN')")
     public Product update(
-            @RequestAttribute Long userId,
             @PathVariable Long id,
             @RequestBody @Valid ProductData productData
     ) {
         return productService.updateProduct(id, productData);
     }
 
     @DeleteMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     @ResponseStatus(HttpStatus.NO_CONTENT)
     public void destroy(
-            @RequestAttribute Long userId,
             @PathVariable Long id
     ) {
         productService.deleteProduct(id);

app/src/main/java/com/codesoom/assignment/controllers/SessionController.java

@@ -4,7 +4,12 @@
 import com.codesoom.assignment.dto.SessionRequestData;
 import com.codesoom.assignment.dto.SessionResponseData;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 @RestController
 @RequestMapping("/session")

app/src/main/java/com/codesoom/assignment/controllers/UserController.java

@@ -6,9 +6,20 @@
 import com.codesoom.assignment.dto.UserRegistrationData;
 import com.codesoom.assignment.dto.UserResultData;
 import org.springframework.http.HttpStatus;
-import org.springframework.web.bind.annotation.*;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.web.bind.annotation.CrossOrigin;
+import org.springframework.web.bind.annotation.DeleteMapping;
+import org.springframework.web.bind.annotation.PatchMapping;
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.ResponseStatus;
+import org.springframework.web.bind.annotation.RestController;
 
 import javax.validation.Valid;
+import java.nio.file.AccessDeniedException;
 
 @RestController
 @RequestMapping("/users")
@@ -28,15 +39,19 @@ UserResultData create(@RequestBody @Valid UserRegistrationData registrationData)
     }
 
     @PatchMapping("{id}")
+    @PreAuthorize("isAuthenticated()")
     UserResultData update(
+            Authentication authentication,
             @PathVariable Long id,
             @RequestBody @Valid UserModificationData modificationData
     ) {
-        User user = userService.updateUser(id, modificationData);
+        Long userId = (Long) authentication.getPrincipal();
+        User user = userService.updateUser(id, modificationData , userId);
         return getUserResultData(user);
     }
 
     @DeleteMapping("{id}")
+    @PreAuthorize("isAuthenticated() and hasAuthority('ADMIN')")
     @ResponseStatus(HttpStatus.NO_CONTENT)
     void destroy(@PathVariable Long id) {
         userService.deleteUser(id);