From 667a4c5f578012fa72e3dd0d1ff33245e3efb209 Mon Sep 17 00:00:00 2001 From: bjkim Date: Mon, 1 Sep 2025 19:21:14 +0900 Subject: [PATCH] =?UTF-8?q?[MOD]=20jwt=20cors=20=EC=88=98=EC=A0=95?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../autoflow/common/WebConfiguration.java | 8 +- .../autoflow/security/WebSecurityConfig.java | 113 ++++++++---------- 2 files changed, 52 insertions(+), 69 deletions(-) diff --git a/src/main/java/kr/re/etri/autoflow/common/WebConfiguration.java b/src/main/java/kr/re/etri/autoflow/common/WebConfiguration.java index 4ad7332..ec1a9e6 100644 --- a/src/main/java/kr/re/etri/autoflow/common/WebConfiguration.java +++ b/src/main/java/kr/re/etri/autoflow/common/WebConfiguration.java @@ -12,20 +12,20 @@ public class WebConfiguration implements WebMvcConfigurer { @Override public void addCorsMappings(CorsRegistry registry) { registry.addMapping("/**") - .allowedOrigins("*") + .allowedOriginPatterns("*") // allowedOrigins 대신 사용 .allowedMethods( HttpMethod.GET.name(), HttpMethod.HEAD.name(), HttpMethod.POST.name(), HttpMethod.PUT.name(), - HttpMethod.DELETE.name()) + HttpMethod.DELETE.name() + ) .allowedHeaders("cuuva-jwt", "Content-Type", "Authorization") - .exposedHeaders("cuuva-jwt") // 응답에서 노출 필요 시 + .exposedHeaders("cuuva-jwt") // 응답 헤더 노출 .allowCredentials(true) .maxAge(3600); } - @Override public void addInterceptors(InterceptorRegistry registry) { registry.addInterceptor(new LoggingInterceptor()) diff --git a/src/main/java/kr/re/etri/autoflow/security/WebSecurityConfig.java b/src/main/java/kr/re/etri/autoflow/security/WebSecurityConfig.java index 4214640..8afebf0 100644 --- a/src/main/java/kr/re/etri/autoflow/security/WebSecurityConfig.java +++ b/src/main/java/kr/re/etri/autoflow/security/WebSecurityConfig.java 
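Review bot: `.allowedOriginPatterns("*")` combined with the retained `.allowCredentials(true)` makes Spring echo whatever Origin the browser sends back in Access-Control-Allow-Origin with credentials allowed, so any site can issue credentialed cross-origin requests against `/**`; this is exactly the combination the old `allowedOrigins("*")` form refuses, and the switch presumably exists to get past that check. If the front-end only carries the token in the `cuuva-jwt` header, `allowCredentials(true)` is unnecessary, since custom request headers are sent without credentials mode and only cookies or HTTP auth need it; otherwise keep credentials but replace the wildcard with an explicit list read from configuration, e.g. `.allowedOrigins(allowedOrigins)` backed by `@Value("${app.cors.allowed-origins}") String[] allowedOrigins` (property name illustrative). The comment `// allowedOrigins 대신 사용` states what was done but not why; something like `// pattern form is required with allowCredentials(true) — restrict to the known front-end origins` would tell the next reader the constraint. addInterceptors continues past the end of this hunk.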
@@ -17,16 +17,11 @@ import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder; import org.springframework.security.crypto.password.PasswordEncoder; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter; -import org.springframework.web.cors.CorsConfiguration; -import org.springframework.web.cors.CorsConfigurationSource; -import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import kr.re.etri.autoflow.security.jwt.AuthEntryPointJwt; import kr.re.etri.autoflow.security.jwt.AuthTokenFilter; import kr.re.etri.autoflow.security.services.UserDetailsServiceImpl; -import java.util.Arrays; - @Configuration //@EnableWebSecurity @EnableMethodSecurity 
@@ -34,31 +29,31 @@ import java.util.Arrays; //jsr250Enabled = true, //prePostEnabled = true) // by default public class WebSecurityConfig { // extends WebSecurityConfigurerAdapter { - @Autowired - UserDetailsServiceImpl userDetailsService; + @Autowired + UserDetailsServiceImpl userDetailsService; - @Autowired - private AuthEntryPointJwt unauthorizedHandler; + @Autowired + private AuthEntryPointJwt unauthorizedHandler; - @Bean - public AuthTokenFilter authenticationJwtTokenFilter() { - return new AuthTokenFilter(); - } + @Bean + public AuthTokenFilter authenticationJwtTokenFilter() { + return new AuthTokenFilter(); + } // @Override // public void configure(AuthenticationManagerBuilder authenticationManagerBuilder) throws Exception { // authenticationManagerBuilder.userDetailsService(userDetailsService).passwordEncoder(passwordEncoder()); // } - @Bean - public DaoAuthenticationProvider authenticationProvider() { - DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); + @Bean + public DaoAuthenticationProvider authenticationProvider() { + DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider(); - authProvider.setUserDetailsService(userDetailsService); - authProvider.setPasswordEncoder(passwordEncoder()); + authProvider.setUserDetailsService(userDetailsService); + authProvider.setPasswordEncoder(passwordEncoder()); - return authProvider; - } + return authProvider; + } // @Bean // @Override 
@@ -66,15 +61,15 @@ public class WebSecurityConfig { // extends WebSecurityConfigurerAdapter { // return super.authenticationManagerBean(); // } - @Bean - public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception { - return authConfig.getAuthenticationManager(); - } + @Bean + public AuthenticationManager authenticationManager(AuthenticationConfiguration authConfig) throws Exception { + return authConfig.getAuthenticationManager(); + } - @Bean - public PasswordEncoder passwordEncoder() { - return new BCryptPasswordEncoder(); - } + @Bean + public PasswordEncoder passwordEncoder() { + return new BCryptPasswordEncoder(); + } // @Override // protected void configure(HttpSecurity http) throws Exception { 
@@ -88,50 +83,38 @@ public class WebSecurityConfig { // extends WebSecurityConfigurerAdapter { // http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class); // } + @Bean + public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { + http.csrf(AbstractHttpConfigurer::disable) + .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler)) + .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) + .authorizeHttpRequests(auth -> + auth.requestMatchers("/api/auth/**").permitAll() + .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll() + .requestMatchers("/api/test/**").permitAll() + .anyRequest().authenticated() + ); + + http.authenticationProvider(authenticationProvider()); + + http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class); + + return http.build(); + } + + // 임시 설정 // @Bean // public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { // http.csrf(AbstractHttpConfigurer::disable) -// .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler)) -// .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) -// .authorizeHttpRequests(auth -> -// auth.requestMatchers("/api/auth/**").permitAll() -// .requestMatchers("/v3/api-docs/**", "/swagger-ui/**", "/swagger-ui.html").permitAll() -// .requestMatchers("/api/test/**").permitAll() -// .anyRequest().authenticated() -// ); +// .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler)) +// .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) +// .authorizeHttpRequests(auth -> +// auth.anyRequest().permitAll() // 모든 요청 허용 +// ); // // http.authenticationProvider(authenticationProvider()); -// // http.addFilterBefore(authenticationJwtTokenFilter(), 
UsernamePasswordAuthenticationFilter.class); // // return http.build(); // } - - //임시 설정 - @Bean - public SecurityFilterChain filterChain(HttpSecurity http) throws Exception { - http.cors(cors -> cors.configurationSource(corsConfigurationSource())) - .csrf(AbstractHttpConfigurer::disable) - .exceptionHandling(exception -> exception.authenticationEntryPoint(unauthorizedHandler)) - .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS)) - .authorizeHttpRequests(auth -> - auth.anyRequest().permitAll() // 모든 요청 허용 - ); - - http.authenticationProvider(authenticationProvider()); - http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class); - - return http.build(); - } - - @Bean - CorsConfigurationSource corsConfigurationSource() { - CorsConfiguration configuration = new CorsConfiguration(); - configuration.setAllowedOrigins(Arrays.asList("*")); - configuration.setAllowedMethods(Arrays.asList("*")); - configuration.setAllowedHeaders(Arrays.asList("*")); - UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); - source.registerCorsConfiguration("/**", configuration); - return source; - } }
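Review bot: The rebuilt filterChain drops `http.cors(...)` while the live chain now ends in `anyRequest().authenticated()` with AuthTokenFilter ahead of UsernamePasswordAuthenticationFilter, so a browser preflight OPTIONS request, which carries no `cuuva-jwt` header, only gets answered before authorization if a CorsFilter runs inside this security chain. Spring Security can take the MVC `addCorsMappings` configuration from WebConfiguration via HandlerMappingIntrospector, but only when `cors()` is enabled on this HttpSecurity, and whether that is on by default depends on the Spring Security version in use, so make it explicit with `http.cors(Customizer.withDefaults())` (importing `org.springframework.security.config.Customizer`) at the start of the chain. `/api/test/**` is permitAll in the live chain; confirm that is intended beyond development. The commented-out `// 임시 설정` copy of filterChain with `anyRequest().permitAll()` left behind is dead code that is easy to swap back in by accident and should be deleted rather than kept. The WebSecurityConfig class header lies before this hunk.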