Spring Security Complete Mastery [6.x Revised Edition]

Persisting Rest Authentication State - Setting up SecurityContextRepository

회원 권한이 있어도 denied로 가는데 이유가 뭘까요? ㅠㅠ

hmmi8175


package io.security.springsecuritymaster.security.config;

import io.security.springsecuritymaster.security.filter.RestAuthenticationFilter;
import io.security.springsecuritymaster.security.handler.FormAuthenticationSuccessHandler;
import io.security.springsecuritymaster.security.handler.FromAuthenticationFailureHandler;
import io.security.springsecuritymaster.security.handler.FromAccessDeniedHandler;
import io.security.springsecuritymaster.security.handler.RestAuthenticationFailureHandler;
import io.security.springsecuritymaster.security.handler.RestAuthenticationSuccessHandler;
import io.security.springsecuritymaster.security.provider.RestAuthenticationProvider;
import io.security.springsecuritymaster.security.token.RestAuthenticationToken;
import jakarta.servlet.http.HttpServletRequest;
import lombok.RequiredArgsConstructor;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;
import org.springframework.security.authentication.AuthenticationDetailsSource;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.crypto.factory.PasswordEncoderFactories;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.authentication.AuthenticationFailureHandler;
import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
import org.springframework.security.web.authentication.WebAuthenticationDetails;

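/**
 * Spring Security configuration made of two filter chains.
 *
 * <p>{@link #restSecurityFilterChain(HttpSecurity)} is evaluated first ({@code @Order(1)})
 * but only for {@code /api/login}; {@link #securityFilterChain(HttpSecurity)} carries no
 * order and therefore acts as the default chain for every other request.
 *
 * <p>All collaborators (providers, success/failure handlers, details source) are injected
 * through the Lombok-generated constructor ({@code @RequiredArgsConstructor}).
 */
@EnableWebSecurity
@Configuration
@RequiredArgsConstructor
public class SecurityConfig {

//    private final UserDetailsService userDetailsService;
    private final AuthenticationProvider authenticationProvider;
    private final RestAuthenticationProvider restAuthenticationProvider;
    private final FormAuthenticationSuccessHandler formAuthenticationSuccessHandler;
    private final FromAuthenticationFailureHandler fromAuthenticationFailureHandler;
    private final RestAuthenticationSuccessHandler restAuthenticationSuccessHandler;
    private final RestAuthenticationFailureHandler restAuthenticationFailureHandler;
    private final AuthenticationDetailsSource<HttpServletRequest, WebAuthenticationDetails> authenticationDetailsSource;

    /**
     * Default chain: form login plus URL authorization by role.
     *
     * <p>{@code hasAuthority("ROLE_X")} compares the granted-authority string verbatim (no
     * prefix is added), so the {@code Authentication} produced by the provider must carry
     * the literal authorities {@code ROLE_USER}, {@code ROLE_MANAGER} or {@code ROLE_ADMIN};
     * an authenticated user whose authorities do not match is sent to the {@code /denied}
     * access-denied handler rather than to the login page.
     *
     * @param http builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from {@link HttpSecurity#build()}
     */
    @Bean
    public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception {
        http
                .authorizeHttpRequests(auth -> auth
                        // static resources are public
                        .requestMatchers("/css/**", "/images/**", "/js/**", "/favicon.*", "/*/icon-*").permitAll()
                        .requestMatchers("/", "/signup", "/login*").permitAll()
                        .requestMatchers("/user").hasAuthority("ROLE_USER")
                        .requestMatchers("/manager").hasAuthority("ROLE_MANAGER")
                        .requestMatchers("/admin").hasAuthority("ROLE_ADMIN")
                        .anyRequest().authenticated()
                )
                .formLogin(form -> form
                        .loginPage("/login").permitAll()
                        .authenticationDetailsSource(authenticationDetailsSource)
                        .successHandler(formAuthenticationSuccessHandler)
                        .failureHandler(fromAuthenticationFailureHandler)
                )
//                .userDetailsService(userDetailsService)
                .authenticationProvider(authenticationProvider)
                .exceptionHandling(exception -> exception.accessDeniedHandler(new FromAccessDeniedHandler("/denied")));

        return http.build();
    }

    /**
     * REST login chain, restricted by {@code securityMatcher} to {@code /api/login}.
     *
     * <p>An {@link AuthenticationManager} holding only {@link RestAuthenticationProvider} is
     * built from the shared {@link AuthenticationManagerBuilder} and installed both on the
     * custom {@link RestAuthenticationFilter} and on the chain itself.
     *
     * <p>CSRF protection is disabled here; because the chain matches only {@code /api/login},
     * that endpoint is the only one accepting POSTs without a CSRF token. Keep the
     * {@code securityMatcher} narrow so the exemption does not widen to other paths.
     *
     * <p>NOTE(review): no {@code securityContext(...)}/{@code SecurityContextRepository} is
     * configured on this chain — confirm whether the authentication produced by
     * {@code /api/login} is expected to be persisted for subsequent requests.
     *
     * @param http builder supplied by Spring Security
     * @return the built filter chain
     * @throws Exception propagated from the builder calls
     */
    @Bean
    @Order(1)
    public SecurityFilterChain restSecurityFilterChain(HttpSecurity http) throws Exception {

        AuthenticationManagerBuilder authenticationManagerBuilder = http.getSharedObject(AuthenticationManagerBuilder.class);
        authenticationManagerBuilder.authenticationProvider(restAuthenticationProvider);
        AuthenticationManager authenticationManager = authenticationManagerBuilder.build();

        http
                .securityMatcher("/api/login")
                // The chain only ever sees /api/login, so a separate static-resource
                // matcher can never match here; permitting every request is sufficient.
                .authorizeHttpRequests(auth -> auth
                        .anyRequest().permitAll()
                )
                .csrf(AbstractHttpConfigurer::disable)
                .addFilterBefore(restAuthenticationFilter(http, authenticationManager), UsernamePasswordAuthenticationFilter.class)
                .authenticationManager(authenticationManager);

        return http.build();
    }

    /**
     * Builds the REST authentication filter wired to the given manager and the injected
     * REST success/failure handlers.
     *
     * @param http                  builder passed through to the filter constructor
     * @param authenticationManager manager the filter delegates authentication to
     * @return the configured filter
     */
    private RestAuthenticationFilter restAuthenticationFilter(HttpSecurity http, AuthenticationManager authenticationManager) {
        RestAuthenticationFilter restAuthenticationFilter = new RestAuthenticationFilter(http);
        restAuthenticationFilter.setAuthenticationManager(authenticationManager);
        restAuthenticationFilter.setAuthenticationSuccessHandler(restAuthenticationSuccessHandler);
        restAuthenticationFilter.setAuthenticationFailureHandler(restAuthenticationFailureHandler);
        return restAuthenticationFilter;
    }


//    @Bean
//    public UserDetailsService userDetailsService() {
//        UserDetails user = User.withUsername("user").password("{noop}1111").roles("USER").build();
//        return new InMemoryUserDetailsManager(user);
//    }
}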

spring spring-boot spring-security security web-security

Answer 1


hmmi8175

return new RestAuthenticationToken(accountContext.getAuthorities(), accountContext.getAccountDto(), null);


으로 되어 있는게 문제였습니다!

return new RestAuthenticationToken(accountContext.getAuthorities(), accountContext.getAccountDto(), null);

으로 수정했습니다
