18 rest 로그아웃구현

build.gradle

@@ -20,11 +20,14 @@ configurations {
 repositories {
     mavenCentral()
 }
-
+//FIXME
 dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-security'
     implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa:'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '3.2.2'
+    implementation group: 'org.thymeleaf.extras', name: 'thymeleaf-extras-springsecurity6', version: '3.1.2.RELEASE'
+    implementation 'org.modelmapper:modelmapper:3.1.0'
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'org.postgresql:postgresql'
     annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'

src/main/java/io/security/springsecuritymaster/controller/DashboardController.java → src/main/java/io/security/springsecuritymaster/controller/HomeController.java

@@ -5,7 +5,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 
 @Controller
-public class DashboardController {
+public class HomeController {
 	@GetMapping(value="/")
 	public String dashboard() {
 		return "/dashboard";
@@ -25,4 +25,9 @@ public String manager() {
 	public String admin() {
 		return "/admin";
 	}
+
+	@GetMapping(value="/api")
+	public String restDashboard() {
+		return "rest/dashboard";
+	}
 }

src/main/java/io/security/springsecuritymaster/domain/dto/AccountContext.java

@@ -0,0 +1,47 @@
+package io.security.springsecuritymaster.domain.dto;
+
+import lombok.Data;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+import java.util.List;
+
+@Data
+public class AccountContext implements UserDetails {
+    private AccountDto accountDto;
+    private final List<GrantedAuthority> roles;
+
+    public AccountContext(AccountDto accountDto, List<GrantedAuthority> roles) {
+      this.accountDto = accountDto;
+      this.roles = roles;
+    }
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return roles;
+    }
+    @Override
+    public String getPassword() {
+        return accountDto.getPassword();
+    }
+    @Override
+    public String getUsername() {
+        return accountDto.getUsername();
+    }
+    @Override
+    public boolean isAccountNonExpired() {
+        return true;
+    }
+    @Override
+    public boolean isAccountNonLocked() {
+        return true;
+    }
+    @Override
+    public boolean isCredentialsNonExpired() {
+        return true;
+    }
+    @Override
+    public boolean isEnabled() {
+        return true;
+    }
+}

src/main/java/io/security/springsecuritymaster/domain/dto/AccountDto.java

@@ -0,0 +1,20 @@
+package io.security.springsecuritymaster.domain.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.util.List;
+
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class AccountDto {
+    private String id;
+    private String username;
+    private String password;
+    private int age;
+    private String roles;
+}

src/main/java/io/security/springsecuritymaster/domain/entity/Account.java

@@ -0,0 +1,18 @@
+package io.security.springsecuritymaster.domain.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import java.io.Serializable;
+
+@Entity
+@Data
+public class Account implements Serializable {
+
+    @Id
+    @GeneratedValue
+    private Long id;
+    private String username;
+    private String password;
+    private String roles;
+    private int age;
+}

src/main/java/io/security/springsecuritymaster/security/configs/AuthConfig.java

@@ -0,0 +1,15 @@
+package io.security.springsecuritymaster.security.configs;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class AuthConfig {
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
+    }
+
+}

src/main/java/io/security/springsecuritymaster/security/configs/SecurityConfig.java

@@ -1,34 +1,98 @@
 package io.security.springsecuritymaster.security.configs;
 
+import io.security.springsecuritymaster.security.entrypoint.RestAuthenticationEntryPoint;
+import io.security.springsecuritymaster.security.filters.RestAuthenticationFilter;
+import io.security.springsecuritymaster.security.handler.*;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.Customizer;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
 @EnableWebSecurity
 @Configuration
+@RequiredArgsConstructor
 public class SecurityConfig {
 
+    private final AuthenticationProvider authenticationProvider;
+    private final AuthenticationProvider restAuthenticationProvider;
+    private final AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;
+    private final FormAuthenticationSuccessHandler successHandler;
+    private final FormAuthenticationFailureHandler failureHandler;
+    private final RestAuthenticationSuccessHandler restSuccessHandler;
+    private final RestAuthenticationFailureHandler restFailureHandler;
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+
         http
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/").permitAll()
+                        .requestMatchers("/css/**", "/images/**", "/js/**", "/favicon.*", "/*/icon-*").permitAll()
+                        .requestMatchers("/","/signup","/login*").permitAll()
+                        .requestMatchers("/user").hasAuthority("ROLE_USER")
+                        .requestMatchers("/manager").hasAuthority("ROLE_MANAGER")
+                        .requestMatchers("/admin").hasAuthority("ROLE_ADMIN")
                         .anyRequest().authenticated())
-                .formLogin(Customizer.withDefaults())
+
+                .formLogin(form -> form
+                        .loginPage("/login")
+                        .authenticationDetailsSource(authenticationDetailsSource)
+                        .successHandler(successHandler)
+                        .failureHandler(failureHandler)
+                        .permitAll())
+                .authenticationProvider(authenticationProvider)
+                .exceptionHandling(exception -> exception
+                        .accessDeniedHandler(new FormAccessDeniedHandler("/denied"))
+                )
         ;
         return http.build();
     }
 
+
     @Bean
-    public UserDetailsService userDetailsService(){
-        UserDetails user = User.withUsername("user").password("{noop}1111").roles("USER").build();
-        return  new InMemoryUserDetailsManager(user);
+    @Order(1)
+    public SecurityFilterChain restSecurityFilterChain(HttpSecurity http) throws Exception {
+
+        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
+        authenticationManagerBuilder.authenticationProvider(restAuthenticationProvider);
+        AuthenticationManager authenticationManager = authenticationManagerBuilder.build();            // build() 는 최초 한번 만 호출해야 한다
+
+        http
+                .securityMatcher("/api/**")
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/css/**", "/images/**", "/js/**", "/favicon.*", "/*/icon-*").permitAll()
+                        .requestMatchers("/api","/api/login").permitAll()
+                        .requestMatchers("/api/user").hasAuthority("ROLE_USER")
+                        .requestMatchers("/api/manager").hasAuthority("ROLE_MANAGER")
+                        .requestMatchers("/api/admin").hasAuthority("ROLE_ADMIN")
+                        .anyRequest().authenticated())
+                .csrf(AbstractHttpConfigurer::disable)
+                .addFilterBefore(restAuthenticationFilter(http, authenticationManager), UsernamePasswordAuthenticationFilter.class)
+                .authenticationManager(authenticationManager)
+                .exceptionHandling(exception -> exception
+                        .authenticationEntryPoint(new RestAuthenticationEntryPoint())
+                        .accessDeniedHandler(new RestAccessDeniedHandler())
+                )
+        ;
+        return http.build();
+    }
+
+    private RestAuthenticationFilter restAuthenticationFilter(HttpSecurity http, AuthenticationManager authenticationManager) {
+
+        RestAuthenticationFilter restAuthenticationFilter = new RestAuthenticationFilter(http);
+        restAuthenticationFilter.setAuthenticationManager(authenticationManager);
+        restAuthenticationFilter.setAuthenticationSuccessHandler(restSuccessHandler);
+        restAuthenticationFilter.setAuthenticationFailureHandler(restFailureHandler);
+
+        return restAuthenticationFilter;
     }
-}
+}

src/main/java/io/security/springsecuritymaster/security/details/FormWebAuthenticationDetails.java

@@ -0,0 +1,16 @@
+package io.security.springsecuritymaster.security.details;
+
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.Getter;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+@Getter
+public class FormWebAuthenticationDetails extends WebAuthenticationDetails {
+
+    private final String secretKey;
+
+    public FormWebAuthenticationDetails(HttpServletRequest request) {
+        super(request);
+        secretKey = request.getParameter("secret_key");
+    }
+}

src/main/java/io/security/springsecuritymaster/security/details/FormWebAuthenticationDetailsSource.java

@@ -0,0 +1,14 @@
+package io.security.springsecuritymaster.security.details;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import org.springframework.stereotype.Component;
+
+@Component
+public class FormWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
+    @Override
+    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
+        return new FormWebAuthenticationDetails(request);
+    }
+}

src/main/java/io/security/springsecuritymaster/security/entrypoint/RestAuthenticationEntryPoint.java

@@ -0,0 +1,24 @@
+package io.security.springsecuritymaster.security.entrypoint;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.AuthenticationEntryPoint;
+
+import java.io.IOException;
+
+public class RestAuthenticationEntryPoint implements AuthenticationEntryPoint {
+    private final ObjectMapper mapper = new ObjectMapper();
+
+    @Override
+    public void commence(HttpServletRequest request, HttpServletResponse response, AuthenticationException authException) throws IOException, ServletException {
+
+        response.setContentType(MediaType.APPLICATION_JSON_VALUE);
+        response.setStatus(HttpStatus.UNAUTHORIZED.value());
+        response.getWriter().write(mapper.writeValueAsString(HttpServletResponse.SC_UNAUTHORIZED));
+    }
+}

src/main/java/io/security/springsecuritymaster/security/exception/SecretException.java

@@ -0,0 +1,9 @@
+package io.security.springsecuritymaster.security.exception;
+
+import org.springframework.security.core.AuthenticationException;
+
+public class SecretException extends AuthenticationException {
+    public SecretException(String msg) {
+        super(msg);
+    }
+}

src/main/java/io/security/springsecuritymaster/security/filters/RestAuthenticationFilter.java

@@ -0,0 +1,59 @@
+package io.security.springsecuritymaster.security.filters;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.security.springsecuritymaster.domain.dto.AccountDto;
+import io.security.springsecuritymaster.security.token.RestAuthenticationToken;
+import io.security.springsecuritymaster.util.WebUtil;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.context.DelegatingSecurityContextRepository;
+import org.springframework.security.web.context.HttpSessionSecurityContextRepository;
+import org.springframework.security.web.context.RequestAttributeSecurityContextRepository;
+import org.springframework.security.web.context.SecurityContextRepository;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.StringUtils;
+
+import java.io.IOException;
+
+public class RestAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
+    private final ObjectMapper objectMapper = new ObjectMapper();
+    public RestAuthenticationFilter(HttpSecurity http) {
+        super(new AntPathRequestMatcher("/api/login", "POST"));
+        setSecurityContextRepository(getSecurityContextRepository(http));
+    }
+
+    private SecurityContextRepository getSecurityContextRepository(HttpSecurity http) {
+        SecurityContextRepository securityContextRepository = http.getSharedObject(SecurityContextRepository.class);
+        if (securityContextRepository == null) {
+            securityContextRepository = new DelegatingSecurityContextRepository(
+                    new RequestAttributeSecurityContextRepository(), new HttpSessionSecurityContextRepository());
+        }
+        return securityContextRepository;
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+            throws AuthenticationException, IOException {
+
+        if (!HttpMethod.POST.name().equals(request.getMethod()) || !WebUtil.isAjax(request)) {
+            throw new IllegalArgumentException("Authentication method not supported");
+        }
+
+        AccountDto accountDto = objectMapper.readValue(request.getReader(), AccountDto.class);
+
+        if (!StringUtils.hasText(accountDto.getUsername()) || !StringUtils.hasText(accountDto.getPassword())) {
+            throw new AuthenticationServiceException("Username or Password not provided");
+        }
+        RestAuthenticationToken token = new RestAuthenticationToken(accountDto.getUsername(),accountDto.getPassword());
+
+        return this.getAuthenticationManager().authenticate(token);
+    }
+}