From ed2135ef0e07bcd4e73504c4a30692fa85c000d6 Mon Sep 17 00:00:00 2001
From: YONGWOOK CHOI <60510921+CYY1007@users.noreply.github.com>
Date: Tue, 20 Feb 2024 19:06:50 +0900
Subject: [PATCH] =?UTF-8?q?:bug:=20Fix=20:=20jwt=20=EC=9D=B8=EC=A6=9D=20?=
 =?UTF-8?q?=ED=9D=90=EB=A6=84=20=EC=88=98=EC=A0=95=20(#191)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .../security/config/SecurityConfig.java | 16 ++++++++++------
 .../security/filter/JwtRequestFilter.java | 15 +++++++++++++++
 .../annotation/AuthUserArgumentResolver.java | 3 +++
 Briefing-Api/src/main/resources/application.yml | 5 ++++-
 4 files changed, 32 insertions(+), 7 deletions(-)
diff --git a/Briefing-Api/src/main/java/com/example/briefingapi/security/config/SecurityConfig.java b/Briefing-Api/src/main/java/com/example/briefingapi/security/config/SecurityConfig.java
index a1cb924..339e502 100644
--- a/Briefing-Api/src/main/java/com/example/briefingapi/security/config/SecurityConfig.java
+++ b/Briefing-Api/src/main/java/com/example/briefingapi/security/config/SecurityConfig.java
@@ -36,7 +36,7 @@ import lombok.extern.slf4j.Slf4j;
 @Slf4j
-@EnableWebSecurity
+@EnableWebSecurity(debug = true)
 @RequiredArgsConstructor
 @Configuration
 public class SecurityConfig {
@@ -62,6 +62,12 @@ public class SecurityConfig {
 @Value("${swagger.login.password}")
 private String swaggerPass;
+ private static final String[] JWT_WHITE_LIST ={
+ "/pushs","/members/auth","/v2/members/auth",
+ "briefings", "/v2/briefings","/chattings",
+ "/briefings/temp"
+ };
+
 @Bean
 public PasswordEncoder passwordEncoder() {
 return new BCryptPasswordEncoder();
@@ -77,13 +83,11 @@ public WebSecurityCustomizer webSecurityCustomizer() {
 return (web) ->
 web.ignoring()
 .requestMatchers(
- "",
- "/",
+ "","/",
 "/schedule",
 "/v3/api-docs",
 "/v3/api-docs/**",
- "/docs/**","/fcms/**","/members/auth/**","/v2/members/auth/**",
- "/briefings/temp");
+ "/docs/**");
 }
 @Bean
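Review bot: `@EnableWebSecurity(debug = true)` on the SecurityConfig class enables Spring Security's DebugFilter, which writes each request's details, headers included, to the log at INFO rather than DEBUG, so Authorization bearer tokens and session cookies land in the application log of every environment that loads this class. It reads as troubleshooting left in, as does the `org.springframework.security.web.FilterChainProxy: DEBUG` level added in application.yml later in this diff; revert this line to `@EnableWebSecurity`, and keep the logging level only in a dev-profile document (the yml hunk's `---` document looks profile-scoped via `spring.config.activate`, but the activation value is not visible here).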
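Review bot: `"briefings"` in `JWT_WHITE_LIST` has no leading slash; the list is consumed by `JwtRequestFilter.shouldNotFilter` (later in this diff) through `request.getRequestURI().startsWith`, and a request URI always begins with `/`, so that entry can never match — `/briefings` requests other than `/briefings/temp` still pass through the JWT filter while `/v2/briefings` does not, which is presumably unintended. Change it to `"/briefings",`, which also makes the `"/briefings/temp"` entry redundant. Separately, `/fcms/**` is dropped from `web.ignoring()` in the next hunk but has no counterpart in this list, so if those endpoints are meant to stay unauthenticated they are now covered by neither; worth confirming with the author. Minor style: `={` should be `= {`.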
@@ -147,7 +151,7 @@ public SecurityFilterChain JwtFilterChain(HttpSecurity http) throws Exception {
 .authenticationEntryPoint(jwtAuthenticationEntryPoint)
 .accessDeniedHandler(jwtAccessDeniedHandler))
 .addFilterBefore(
- new JwtRequestFilter(tokenProvider),
+ new JwtRequestFilter(tokenProvider,JWT_WHITE_LIST),
 UsernamePasswordAuthenticationFilter.class)
 .addFilterBefore(jwtAuthenticationExceptionHandler, JwtRequestFilter.class)
 .build();
diff --git a/Briefing-Api/src/main/java/com/example/briefingapi/security/filter/JwtRequestFilter.java b/Briefing-Api/src/main/java/com/example/briefingapi/security/filter/JwtRequestFilter.java
index 0fed31b..6bbd2cb 100644
--- a/Briefing-Api/src/main/java/com/example/briefingapi/security/filter/JwtRequestFilter.java
+++ b/Briefing-Api/src/main/java/com/example/briefingapi/security/filter/JwtRequestFilter.java
@@ -1,6 +1,7 @@
 package com.example.briefingapi.security.filter;
 import java.io.IOException;
+import java.util.Arrays;
 import com.example.briefingapi.security.provider.TokenProvider;
 import jakarta.servlet.FilterChain;
@@ -22,6 +23,7 @@ public class JwtRequestFilter extends OncePerRequestFilter {
 private final TokenProvider tokenProvider;
+ private final String[] whiteList;
 @Override
 protected void doFilterInternal(
 HttpServletRequest request, HttpServletResponse response, FilterChain filterChain)
@@ -39,4 +41,17 @@ protected void doFilterInternal(
 }
 filterChain.doFilter(httpServletRequest, response);
 }
+
+ /**
+ * 필터를 무시할 대상 지정
+ * @param request current HTTP request
+ * @return 화이트 리스트 포함 여부
+ * @throws ServletException
+ */
+
+ @Override
+ protected boolean shouldNotFilter(HttpServletRequest request) throws ServletException {
+ String path = request.getRequestURI();
+ return Arrays.stream(whiteList).anyMatch(path::startsWith);
+ }
 }
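Review bot: `shouldNotFilter` exempts a request whenever the raw `request.getRequestURI()` merely starts with a whitelist entry, which is a prefix test on an unnormalized string: `/pushs` also exempts every longer path that begins with those characters, the URI still carries the servlet context path (so the list silently stops matching if the app is ever deployed under one), and percent-encoded variants are not decoded before comparison. Spring Security already solves this: hold the entries as `RequestMatcher`s (`AntPathRequestMatcher`, with explicit `/**` suffixes where sub-paths are intended), build them once in the constructor rather than per request, and test `anyMatch(m -> m.matches(request))`. The Javadoc above the method has an empty `@throws ServletException` tag and a blank line separating it from `@Override`; give the tag a description (or drop it) and attach the comment directly to the annotation. The `doFilterInternal` body that this hunk closes begins outside the hunk.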
diff --git a/Briefing-Api/src/main/java/com/example/briefingapi/security/handler/annotation/AuthUserArgumentResolver.java b/Briefing-Api/src/main/java/com/example/briefingapi/security/handler/annotation/AuthUserArgumentResolver.java
index 1be7254..c26e069 100644
--- a/Briefing-Api/src/main/java/com/example/briefingapi/security/handler/annotation/AuthUserArgumentResolver.java
+++ b/Briefing-Api/src/main/java/com/example/briefingapi/security/handler/annotation/AuthUserArgumentResolver.java
@@ -6,6 +6,9 @@ import jakarta.servlet.http.HttpServletRequest;
 import org.springframework.core.MethodParameter;
+import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Component;
 import org.springframework.util.StringUtils;
 import org.springframework.web.bind.support.WebDataBinderFactory;
diff --git a/Briefing-Api/src/main/resources/application.yml b/Briefing-Api/src/main/resources/application.yml
index 8dd35fb..71dd1ed 100644
--- a/Briefing-Api/src/main/resources/application.yml
+++ b/Briefing-Api/src/main/resources/application.yml
@@ -24,6 +24,9 @@ fcm:
 topic:
 daily-push : dailyPush
 ---
+logging:
+ level:
+ org.springframework.security.web.FilterChainProxy: DEBUG
 spring:
 config:
 activate:
@@ -66,7 +69,7 @@ jwt: # dev server
 secret: ${JWT_SECRET}
 authorities-key: authoritiesKey
- access-token-validity-in-seconds: 1200000
+ access-token-validity-in-seconds: 3000
 refresh-token-validity-in-seconds: 1210000000 # 14 d
 openai:
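Review bot: The three `org.springframework.security.*` imports added here (`UsernamePasswordAuthenticationToken`, `Authentication`, `SecurityContextHolder`) have no accompanying code change in this file — the diffstat records exactly 3 additions for it — so they are unused as committed and will trip the unused-import check. Either drop them or include the resolver change that reads the `SecurityContextHolder` in this commit, since the commit title describes a JWT auth-flow fix that presumably depends on it.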
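Review bot: `access-token-validity-in-seconds: 3000` carries no unit note while the neighbouring refresh entry does (`# 14 d`); 3000 s is 50 minutes, so write `access-token-validity-in-seconds: 3000 # 50 min` to save the next reader the arithmetic. This entry sits in the section labelled `# dev server`; whether the other profiles' access-token lifetime was changed to match is not visible in this diff and is worth checking.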