Spring/Spring Security

What CORS is, and how to solve it in Spring Boot

What is CORS (Cross-Origin Resource Sharing)? When a front end served from domain A sends an HTTP request to a back end served from domain B, the browser judges this to be resource sharing between different domains and blocks the call to prevent it. Preflight Request: before sending the actual HTTP request, the browser itself sends a preliminary request to check whether the request is safe to send, and this is called the Preflight Request. The Preflight Request is sent with the OPTIONS method and checks whether the Access-Control-* headers in the response sent by the server are configured properly. GET, POST, HEAD requests..

(Deprecated) Dealing with WebSecurityConfigurerAdapter

Since Spring Boot 2.7 (Spring 5.7.0-M2), WebSecurityConfigurerAdapter has been deprecated. Spring Security without the WebSecurityConfigurerAdapter: In Spring Security 5.7.0-M2 we deprecated the WebSecurityConfigurerAdapter, as we encourage users to move towards a component-based security configuration. authz .anyRequest().authenticated() ) .httpBasic(withDefaults()); } } Spring, registering a SecurityFilterChain bean..

Handling pages per error code in Spring Security

I am using Spring Boot + Security and want to show a page for each error code. While thinking about how to do that, two approaches came to mind. 1. Using EntryPoint and Handler: this approach redirects the user to the corresponding error page from authenticationEntryPoint and accessDeniedHandler. Security Config /* Security Config */ @Override protected void configure(HttpSecurity http) throws Exception { http // .. .exceptionHandling() .authenticationEntryPoint(new MyAuthenticationEntryP..

12. Creating a custom filter for JWT token authorization

This post is a write-up of my notes after watching the YouTube lectures by 데어 프로그래밍. When a login request came in, we authenticated the user, generated a JWT token, and returned it to the client. From now on the user does not log in every time. Instead, the user sends requests to the server carrying the previously issued JWT token, and the server verifies that the JWT token is valid and then processes the client's request. This time we will create a Filter that can verify JWT tokens. Extending BasicAuthenticationFilter: when authentication is attempted with an Authorization : Basic *** header, BasicAuthenticationFilter verifies that token and handles the authentication, but ours is not the Basic scheme but JWT..

11. Extending UsernamePasswordAuthenticationFilter for JWT login

This post is a write-up of my notes after watching the YouTube lectures by 데어 프로그래밍. For UsernamePasswordAuthenticationFilter, please refer to the post below. How UsernamePasswordAuthenticationFilter works: the Spring Security filter chain contains many kinds of filters, but this time we will look at UsernamePasswordAuthenticationFilter, which handles login authentication. Login authentication logic flow POST "/login".. iseunghan.tistory.com To handle login requests, among the SpringSecurityFilterChain, the filter that handles login authentication, Userna..

How UsernamePasswordAuthenticationFilter works

The Spring Security filter chain contains many kinds of filters, but this time we will look at UsernamePasswordAuthenticationFilter, which handles login authentication. Login authentication logic flow: what happens when a request is sent to POST "/login"? When you use Postman to send a request to "/login" with username and password in the body, UsernamePasswordAuthenticationFilter intercepts the request and verifies the username and password. In the process, the UsernamePasswordAuthenticationFilter.attemptAuthentication method that we overrode is called. A POST request came..

iseunghan
List of posts in the 'Spring/Spring Security' category