7주차 : 보안

app/build.gradle

@@ -76,6 +76,8 @@ dependencies {
     testImplementation('org.springframework.boot:spring-boot-starter-test') {
         exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
     }
+    // Spring Security
+    implementation 'org.springframework.boot:spring-boot-starter-security'
 }
 
 application {

app/src/main/java/com/codesoom/assignment/application/AuthenticationService.java

@@ -4,7 +4,6 @@
 import com.codesoom.assignment.domain.UserRepository;
 import com.codesoom.assignment.errors.LoginFailException;
 import com.codesoom.assignment.utils.JwtUtil;
-import io.jsonwebtoken.Claims;
 import org.springframework.stereotype.Service;
 
 @Service
@@ -26,11 +25,7 @@ public String login(String email, String password) {
             throw new LoginFailException(email);
         }
 
-        return jwtUtil.encode(1L);
+        return jwtUtil.encode(user.getId());
     }
 
-    public Long parseToken(String accessToken) {
-        Claims claims = jwtUtil.decode(accessToken);
-        return claims.get("userId", Long.class);
-    }
 }

app/src/main/java/com/codesoom/assignment/config/SecurityJavaConfig.java

@@ -0,0 +1,110 @@
+package com.codesoom.assignment.config;
+
+import com.codesoom.assignment.filters.AuthenticationErrorFilter;
+import com.codesoom.assignment.filters.JwtAuthenticationFilter;
+import com.codesoom.assignment.utils.JwtUtil;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.web.authentication.HttpStatusEntryPoint;
+
+import javax.servlet.Filter;
+import javax.servlet.http.HttpServletRequest;
+
+@Configuration
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class SecurityJavaConfig extends WebSecurityConfigurerAdapter {
+    private final JwtUtil jwtUtil;
+    public SecurityJavaConfig(JwtUtil jwtUtil) {
+        this.jwtUtil = jwtUtil;
+    }
+
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        Filter authenticationFilter = new JwtAuthenticationFilter(authenticationManager(), jwtUtil);
+        Filter authenticationErrorFilter = new AuthenticationErrorFilter();
+
+        configureAuthorizations(http);
+
+        http
+                .csrf().disable()
+                .addFilter(authenticationFilter)
+                .addFilterBefore(authenticationErrorFilter,
+                        JwtAuthenticationFilter.class)
+                .sessionManagement()
+                    .sessionCreationPolicy(SessionCreationPolicy.STATELESS)
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(
+                        new HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED));
+    }
+
+    private void configureAuthorizations(HttpSecurity http) throws Exception {
+        http.authorizeRequests()
+                .requestMatchers(this::matchesPostProductRequest).authenticated()
+                .and()
+                .authorizeRequests()
+                .requestMatchers(this::matchesPatchProductRequest).authenticated()
+                .and()
+                .authorizeRequests()
+                .requestMatchers(this::matchesDeleteProductRequest).authenticated()
+                .and()
+                .authorizeRequests()
+                .requestMatchers(this::matchesPostUserRequest).authenticated()
+                .and()
+                .authorizeRequests()
+                .requestMatchers(this::matchesDeleteUserRequest).authenticated();
+    }
+    /**
+     * POST /products or /products/{상품아이디} 요청에 대해서만 인증을 요구합니다.
+     * @param req
+     * @return
+     */
+    private boolean matchesPostProductRequest(HttpServletRequest req) {
+        return req.getMethod().equals("POST") &&
+                (req.getRequestURI().matches("^/products$") ||
+                        req.getRequestURI().matches("^/products/[0-9]+$"));
+    }
+
+    /**
+     * PATCH /products or /products/{상품아이디} 요청에 대해서만 인증을 요구합니다.
+     * @param req
+     * @return
+     */
+    private boolean matchesPatchProductRequest(HttpServletRequest req) {
+        return req.getMethod().equals("PATCH") &&
+                        req.getRequestURI().matches("^/products/[0-9]+$");
+    }
+
+    /**
+     * DELETE /products or /products/{상품아이디} 요청에 대해서만 인증을 요구합니다.
+     * @param req
+     * @return
+     */
+    private boolean matchesDeleteProductRequest(HttpServletRequest req) {
+        return req.getMethod().equals("DELETE") &&
+                req.getRequestURI().matches("^/products/[0-9]+$");
+    }
+
+    /**
+     * POST /users/{유저아이디} 요청에 대해서만 인증을 요구합니다.
+     * @param req
+     * @return
+     */
+    private boolean matchesPostUserRequest(HttpServletRequest req) {
+        return req.getMethod().equals("POST") && req.getRequestURI().matches("^/users/[0-9]+$");
+    }
+
+    /**
+     * DELETE /users/{유저아이디} 요청에 대해서만 인증을 요구합니다.
+     * @param req
+     * @return
+     */
+    private boolean matchesDeleteUserRequest(HttpServletRequest req) {
+        return req.getMethod().equals("DELETE") && req.getRequestURI().matches("^/users/[0-9]+$");
+    }
+}

app/src/main/java/com/codesoom/assignment/controllers/ControllerErrorAdvice.java

@@ -39,12 +39,6 @@ public ErrorResponse handleLoginFailException() {
         return new ErrorResponse("Log-in failed");
     }
 
-    @ResponseStatus(HttpStatus.UNAUTHORIZED)
-    @ExceptionHandler(InvalidTokenException.class)
-    public ErrorResponse handleInvalidAccessTokenException() {
-        return new ErrorResponse("Invalid access token");
-    }
-
     @ResponseBody
     @ResponseStatus(HttpStatus.BAD_REQUEST)
     @ExceptionHandler(ConstraintViolationException.class)

app/src/main/java/com/codesoom/assignment/controllers/ProductController.java

@@ -4,11 +4,12 @@
 
 package com.codesoom.assignment.controllers;
 
-import com.codesoom.assignment.application.AuthenticationService;
 import com.codesoom.assignment.application.ProductService;
 import com.codesoom.assignment.domain.Product;
 import com.codesoom.assignment.dto.ProductData;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
 import org.springframework.web.bind.annotation.*;
 
 import javax.validation.Valid;
@@ -20,12 +21,8 @@
 public class ProductController {
     private final ProductService productService;
 
-    private final AuthenticationService authenticationService;
-
-    public ProductController(ProductService productService,
-                             AuthenticationService authenticationService) {
+    public ProductController(ProductService productService) {
         this.productService = productService;
-        this.authenticationService = authenticationService;
     }
 
     @GetMapping
@@ -40,16 +37,17 @@ public Product detail(@PathVariable Long id) {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("isAuthenticated() and hasAuthority('USER')")
     public Product create(
-            @RequestAttribute Long userId,
-            @RequestBody @Valid ProductData productData
+            @RequestBody @Valid ProductData productData,
+            Authentication authentication
     ) {
         return productService.createProduct(productData);
     }
 
     @PatchMapping("{id}")
     public Product update(
-            @RequestAttribute Long userId,
+            Authentication authentication,
             @PathVariable Long id,
             @RequestBody @Valid ProductData productData
     ) {
@@ -59,7 +57,7 @@ public Product update(
     @DeleteMapping("{id}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
     public void destroy(
-            @RequestAttribute Long userId,
+            Authentication authentication,
             @PathVariable Long id
     ) {
         productService.deleteProduct(id);

app/src/main/java/com/codesoom/assignment/dto/SessionRequestData.java

@@ -1,8 +1,10 @@
 package com.codesoom.assignment.dto;
 
+import lombok.Builder;
 import lombok.Getter;
 
 @Getter
+@Builder
 public class SessionRequestData {
     private String email;
     private String password;

app/src/main/java/com/codesoom/assignment/filters/AuthenticationErrorFilter.java

@@ -0,0 +1,22 @@
+package com.codesoom.assignment.filters;
+
+import com.codesoom.assignment.errors.InvalidTokenException;
+import org.springframework.http.HttpStatus;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpFilter;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class AuthenticationErrorFilter extends HttpFilter {
+    @Override
+    protected void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+        try {
+            chain.doFilter(request,response);
+        }catch (InvalidTokenException e){
+            response.sendError(HttpStatus.UNAUTHORIZED.value());
+        }
+    }
+}

app/src/main/java/com/codesoom/assignment/filters/JwtAuthenticationFilter.java

@@ -0,0 +1,52 @@
+package com.codesoom.assignment.filters;
+
+import com.codesoom.assignment.errors.InvalidTokenException;
+import com.codesoom.assignment.security.UserAuthentication;
+import com.codesoom.assignment.utils.JwtUtil;
+import io.jsonwebtoken.Claims;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContext;
+import org.springframework.security.core.context.SecurityContextHolder;
+import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+public class JwtAuthenticationFilter extends BasicAuthenticationFilter {
+    private JwtUtil jwtUtil;
+
+    public JwtAuthenticationFilter(AuthenticationManager authenticationManager, JwtUtil jwtUtil) {
+        super(authenticationManager);
+        this.jwtUtil = jwtUtil;
+    }
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
+
+        String authorization = request.getHeader("Authorization");
+
+        if (authorization != null) {
+            String accessToken = authorization.substring("Bearer ".length());
+            Claims claims = jwtUtil.decode(accessToken);
+
+            if(claims == null){
+                throw new InvalidTokenException(accessToken);
+            }
+
+            Long userId = claims.get("userId", Long.class);
+            Authentication authentication = new UserAuthentication(userId);
+
+
+            SecurityContext context = SecurityContextHolder.getContext();
+            context.setAuthentication(authentication);
+        }
+
+        chain.doFilter(request, response);
+
+    }
+
+}