15 rest 인증성공 실패 핸들러

build.gradle

@@ -20,11 +20,14 @@ configurations {
 repositories {
     mavenCentral()
 }
-
+//FIXME
 dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-security'
     implementation 'org.springframework.boot:spring-boot-starter-web'
+    implementation 'org.springframework.boot:spring-boot-starter-data-jpa:'
     implementation group: 'org.springframework.boot', name: 'spring-boot-starter-thymeleaf', version: '3.2.2'
+    implementation group: 'org.thymeleaf.extras', name: 'thymeleaf-extras-springsecurity6', version: '3.1.2.RELEASE'
+    implementation 'org.modelmapper:modelmapper:3.1.0'
     compileOnly 'org.projectlombok:lombok'
     runtimeOnly 'org.postgresql:postgresql'
     annotationProcessor 'org.springframework.boot:spring-boot-configuration-processor'

src/main/java/io/security/springsecuritymaster/controller/DashboardController.java → src/main/java/io/security/springsecuritymaster/controller/HomeController.java

@@ -5,7 +5,7 @@
 import org.springframework.web.bind.annotation.GetMapping;
 
 @Controller
-public class DashboardController {
+public class HomeController {
 	@GetMapping(value="/")
 	public String dashboard() {
 		return "/dashboard";

src/main/java/io/security/springsecuritymaster/domain/dto/AccountContext.java

@@ -0,0 +1,47 @@
+package io.security.springsecuritymaster.domain.dto;
+
+import lombok.Data;
+import org.springframework.security.core.GrantedAuthority;
+import org.springframework.security.core.userdetails.UserDetails;
+
+import java.util.Collection;
+import java.util.List;
+
+@Data
+public class AccountContext implements UserDetails {
+    private AccountDto accountDto;
+    private final List<GrantedAuthority> roles;
+
+    public AccountContext(AccountDto accountDto, List<GrantedAuthority> roles) {
+      this.accountDto = accountDto;
+      this.roles = roles;
+    }
+    @Override
+    public Collection<? extends GrantedAuthority> getAuthorities() {
+        return roles;
+    }
+    @Override
+    public String getPassword() {
+        return accountDto.getPassword();
+    }
+    @Override
+    public String getUsername() {
+        return accountDto.getUsername();
+    }
+    @Override
+    public boolean isAccountNonExpired() {
+        return true;
+    }
+    @Override
+    public boolean isAccountNonLocked() {
+        return true;
+    }
+    @Override
+    public boolean isCredentialsNonExpired() {
+        return true;
+    }
+    @Override
+    public boolean isEnabled() {
+        return true;
+    }
+}

src/main/java/io/security/springsecuritymaster/domain/dto/AccountDto.java

@@ -0,0 +1,20 @@
+package io.security.springsecuritymaster.domain.dto;
+
+import lombok.AllArgsConstructor;
+import lombok.Builder;
+import lombok.Data;
+import lombok.NoArgsConstructor;
+
+import java.util.List;
+
+@Data
+@Builder
+@NoArgsConstructor
+@AllArgsConstructor
+public class AccountDto {
+    private String id;
+    private String username;
+    private String password;
+    private int age;
+    private String roles;
+}

src/main/java/io/security/springsecuritymaster/domain/entity/Account.java

@@ -0,0 +1,18 @@
+package io.security.springsecuritymaster.domain.entity;
+
+import jakarta.persistence.*;
+import lombok.Data;
+import java.io.Serializable;
+
+@Entity
+@Data
+public class Account implements Serializable {
+
+    @Id
+    @GeneratedValue
+    private Long id;
+    private String username;
+    private String password;
+    private String roles;
+    private int age;
+}

src/main/java/io/security/springsecuritymaster/security/configs/AuthConfig.java

@@ -0,0 +1,15 @@
+package io.security.springsecuritymaster.security.configs;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.crypto.factory.PasswordEncoderFactories;
+import org.springframework.security.crypto.password.PasswordEncoder;
+
+@Configuration
+public class AuthConfig {
+    @Bean
+    public PasswordEncoder passwordEncoder() {
+        return PasswordEncoderFactories.createDelegatingPasswordEncoder();
+    }
+
+}

src/main/java/io/security/springsecuritymaster/security/configs/SecurityConfig.java

@@ -1,34 +1,90 @@
 package io.security.springsecuritymaster.security.configs;
 
+import io.security.springsecuritymaster.security.filters.RestAuthenticationFilter;
+import io.security.springsecuritymaster.security.handler.*;
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
-import org.springframework.security.config.Customizer;
+import org.springframework.core.annotation.Order;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.userdetails.User;
-import org.springframework.security.core.userdetails.UserDetails;
-import org.springframework.security.core.userdetails.UserDetailsService;
-import org.springframework.security.provisioning.InMemoryUserDetailsManager;
+import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
 import org.springframework.security.web.SecurityFilterChain;
+import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
 
 @EnableWebSecurity
 @Configuration
+@RequiredArgsConstructor
 public class SecurityConfig {
 
+    private final AuthenticationProvider authenticationProvider;
+    private final AuthenticationProvider restAuthenticationProvider;
+    private final AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;
+    private final FormAuthenticationSuccessHandler successHandler;
+    private final FormAuthenticationFailureHandler failureHandler;
+    private final RestAuthenticationSuccessHandler restSuccessHandler;
+    private final RestAuthenticationFailureHandler restFailureHandler;
     @Bean
     public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
+
         http
                 .authorizeHttpRequests(auth -> auth
-                        .requestMatchers("/").permitAll()
+                        .requestMatchers("/css/**", "/images/**", "/js/**", "/favicon.*", "/*/icon-*").permitAll()
+                        .requestMatchers("/","/signup","/login*").permitAll()
+                        .requestMatchers("/user").hasAuthority("ROLE_USER")
+                        .requestMatchers("/manager").hasAuthority("ROLE_MANAGER")
+                        .requestMatchers("/admin").hasAuthority("ROLE_ADMIN")
                         .anyRequest().authenticated())
-                .formLogin(Customizer.withDefaults())
+
+                .formLogin(form -> form
+                        .loginPage("/login")
+                        .authenticationDetailsSource(authenticationDetailsSource)
+                        .successHandler(successHandler)
+                        .failureHandler(failureHandler)
+                        .permitAll())
+//                .csrf(AbstractHttpConfigurer::disable)
+                .authenticationProvider(authenticationProvider)
+                .exceptionHandling(exception -> exception
+                        .accessDeniedHandler(new FormAccessDeniedHandler("/denied"))
+                )
         ;
         return http.build();
     }
 
+
     @Bean
-    public UserDetailsService userDetailsService(){
-        UserDetails user = User.withUsername("user").password("{noop}1111").roles("USER").build();
-        return  new InMemoryUserDetailsManager(user);
+    @Order(1)
+    public SecurityFilterChain restSecurityFilterChain(HttpSecurity http) throws Exception {
+
+        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
+        authenticationManagerBuilder.authenticationProvider(restAuthenticationProvider);
+        AuthenticationManager authenticationManager = authenticationManagerBuilder.build();            // build() 는 최초 한번 만 호출해야 한다
+
+        http
+                .securityMatcher("/api/**")
+                .authorizeHttpRequests(auth -> auth
+                        .requestMatchers("/css/**", "/images/**", "/js/**", "/favicon.*", "/*/icon-*").permitAll()
+                        .anyRequest().permitAll())
+                .csrf(AbstractHttpConfigurer::disable)
+                .addFilterBefore(restAuthenticationFilter(authenticationManager), UsernamePasswordAuthenticationFilter.class)
+                .authenticationManager(authenticationManager)
+        ;
+        return http.build();
+    }
+
+    private RestAuthenticationFilter restAuthenticationFilter(AuthenticationManager authenticationManager) {
+
+        RestAuthenticationFilter restAuthenticationFilter = new RestAuthenticationFilter();
+        restAuthenticationFilter.setAuthenticationManager(authenticationManager);
+        restAuthenticationFilter.setAuthenticationSuccessHandler(restSuccessHandler);
+        restAuthenticationFilter.setAuthenticationFailureHandler(restFailureHandler);
+
+        return restAuthenticationFilter;
     }
-}
+}

src/main/java/io/security/springsecuritymaster/security/details/FormWebAuthenticationDetails.java

@@ -0,0 +1,16 @@
+package io.security.springsecuritymaster.security.details;
+
+import jakarta.servlet.http.HttpServletRequest;
+import lombok.Getter;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+@Getter
+public class FormWebAuthenticationDetails extends WebAuthenticationDetails {
+
+    private final String secretKey;
+
+    public FormWebAuthenticationDetails(HttpServletRequest request) {
+        super(request);
+        secretKey = request.getParameter("secret_key");
+    }
+}

src/main/java/io/security/springsecuritymaster/security/details/FormWebAuthenticationDetailsSource.java

@@ -0,0 +1,14 @@
+package io.security.springsecuritymaster.security.details;
+
+import jakarta.servlet.http.HttpServletRequest;
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import org.springframework.stereotype.Component;
+
+@Component
+public class FormWebAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> {
+    @Override
+    public WebAuthenticationDetails buildDetails(HttpServletRequest request) {
+        return new FormWebAuthenticationDetails(request);
+    }
+}

src/main/java/io/security/springsecuritymaster/security/exception/SecretException.java

@@ -0,0 +1,9 @@
+package io.security.springsecuritymaster.security.exception;
+
+import org.springframework.security.core.AuthenticationException;
+
+public class SecretException extends AuthenticationException {
+    public SecretException(String message) {
+        super(message);
+    }
+}

src/main/java/io/security/springsecuritymaster/security/filters/RestAuthenticationFilter.java

@@ -0,0 +1,44 @@
+package io.security.springsecuritymaster.security.filters;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import io.security.springsecuritymaster.domain.dto.AccountDto;
+import io.security.springsecuritymaster.security.token.RestAuthenticationToken;
+import io.security.springsecuritymaster.util.WebUtil;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpMethod;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.AuthenticationServiceException;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.util.StringUtils;
+
+import java.io.IOException;
+
+public class RestAuthenticationFilter extends AbstractAuthenticationProcessingFilter {
+    private final ObjectMapper objectMapper = new ObjectMapper();
+    public RestAuthenticationFilter() {
+        super(new AntPathRequestMatcher("/api/login", "POST"));
+    }
+
+    @Override
+    public Authentication attemptAuthentication(HttpServletRequest request, HttpServletResponse response)
+            throws AuthenticationException, IOException {
+
+        if (!HttpMethod.POST.name().equals(request.getMethod()) || !WebUtil.isAjax(request)) {
+            throw new IllegalArgumentException("Authentication method not supported");
+        }
+
+        AccountDto accountDto = objectMapper.readValue(request.getReader(), AccountDto.class);
+
+        if (!StringUtils.hasText(accountDto.getUsername()) || !StringUtils.hasText(accountDto.getPassword())) {
+            throw new AuthenticationServiceException("Username or Password not provided");
+        }
+        RestAuthenticationToken token = new RestAuthenticationToken(accountDto.getUsername(),accountDto.getPassword());
+
+        return this.getAuthenticationManager().authenticate(token);
+    }
+}

src/main/java/io/security/springsecuritymaster/security/handler/FormAccessDeniedHandler.java

@@ -0,0 +1,33 @@
+package io.security.springsecuritymaster.security.handler;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
+import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.DefaultRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+
+public class FormAccessDeniedHandler implements AccessDeniedHandler {
+	private final RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+	private final String errorPage;
+
+	public FormAccessDeniedHandler(String errorPage) {
+		this.errorPage = errorPage;
+	}
+
+	@Override
+	public void handle(HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException) throws IOException {
+
+		String deniedUrl = errorPage + "?exception=" + accessDeniedException.getMessage();
+		redirectStrategy.sendRedirect(request, response, deniedUrl);
+
+	}
+}

src/main/java/io/security/springsecuritymaster/security/handler/FormAuthenticationFailureHandler.java

@@ -0,0 +1,42 @@
+package io.security.springsecuritymaster.security.handler;
+
+import io.security.springsecuritymaster.security.exception.SecretException;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.CredentialsExpiredException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.stereotype.Component;
+
+import java.io.IOException;
+
+@Component("failureHandler")
+public class FormAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
+
+    @Override
+    public void onAuthenticationFailure(final HttpServletRequest request, final HttpServletResponse response, final AuthenticationException exception) throws IOException, ServletException {
+
+        String errorMessage = "Invalid Username or Password";
+
+        if(exception instanceof BadCredentialsException) {
+            errorMessage = "Invalid Username or Password";
+        }
+        else if(exception instanceof UsernameNotFoundException) {
+            errorMessage = "User not exists";
+        }
+        else if(exception instanceof CredentialsExpiredException) {
+            errorMessage = "Expired password";
+
+        }else if(exception instanceof SecretException) {
+            errorMessage = "Invalid Secret key";
+        }
+
+        setDefaultFailureUrl("/login?error=true&exception=" + errorMessage);
+
+        super.onAuthenticationFailure(request, response, exception);
+
+    }
+}