-
질문 & 답변
카테고리
-
세부 분야
백엔드
-
해결 여부
미해결
doFilterInternal 관련 질문있습니다.
22.12.28 19:53 작성 22.12.28 19:58 수정 조회수 711
0
안녕하세요. 제가 BasicAuthenticationFilter 상속받아서 doFilterInternal 메소드를 구현했는데 해당 필터의 해당 메소드는 인증이나 권한이 필요한 API를 호출했을 때만 동작을 하는 걸로 알고 있었는데 SecurityConfig에서 antMatcher에 permitAll로 지정한 경로의 API를 호출했는데 doFilterInternal 메소드가 동작하는 현상이 발생하는데 혹시 왜그런건지 궁금합니다. 해당부분에 관련된 코드는 아래와 같습니다.
SecurityConfig
@Configuration
@EnableWebSecurity
public class SecurityConfig {
private final CorsConfig corsConfig;
private final MemberRepository memberRepository;
private final JwtProvider jwtProvider;
public SecurityConfig(CorsConfig corsConfig, MemberRepository memberRepository, JwtProvider jwtProvider) {
this.corsConfig = corsConfig;
this.memberRepository = memberRepository;
this.jwtProvider = jwtProvider;
}
@Bean
BCryptPasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
@Bean
public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
return http
.csrf().disable()
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
.formLogin().disable()
.httpBasic().disable()
.apply(new MyFilters())
.and()
.authorizeRequests()
.antMatchers("/api/member/join").permitAll()
.antMatchers("/api/member/login").permitAll()
.anyRequest().authenticated()
.and().build();
}
public class MyFilters extends AbstractHttpConfigurer<MyFilters, HttpSecurity> {
@Override
public void configure(HttpSecurity builder) throws Exception {
AuthenticationManager authenticationManager = builder.getSharedObject(AuthenticationManager.class);
builder
.addFilter(corsConfig.corsFilter())
.addFilter(new JwtAuthenticationFilter(authenticationManager, jwtProvider))
.addFilter(new JwtAuthorizationFilter(authenticationManager, memberRepository, jwtProvider));
}
}
}
JwtAuthenticationFilter
package com.example.shop.jwt;
import com.example.shop.auth.PrincipalDetails;
import com.example.shop.model.Member;
import com.example.shop.repository.MemberRepository;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.io.Decoders;
import io.jsonwebtoken.security.Keys;
import org.springframework.security.authentication.AuthenticationManager;
import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.web.authentication.www.BasicAuthenticationFilter;
import javax.crypto.SecretKey;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
public class JwtAuthorizationFilter extends BasicAuthenticationFilter {
private final MemberRepository memberRepository;
private final JwtProvider jwtProvider;
public JwtAuthorizationFilter(AuthenticationManager authenticationManager, MemberRepository memberRepository, JwtProvider jwtProvider) {
super(authenticationManager);
this.memberRepository = memberRepository;
this.jwtProvider = jwtProvider;
}
@Override
protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
String refreshToken = jwtProvider.getRefreshTokenInCookie(request);
String accessToken = "";
SecretKey jwtKey = Keys.hmacShaKeyFor(Decoders.BASE64.decode(JwtProperties.SECRET));
if (refreshToken == null) {
chain.doFilter(request, response);
return;
}
String jwtHeader = request.getHeader(JwtProperties.HEADER_STRING);
Claims claims = null;
try { // refreshToken 유효성 검증
jwtProvider.validRefreshToken(refreshToken);
} catch (Exception e) { // refreshToken 검증 결과에 따른 예외처리
e.printStackTrace();
chain.doFilter(request, response);
return;
}
Member member = memberRepository.findByRefreshToken(refreshToken);
Long memberId = member.getId();
try {
if (jwtHeader == null) { // 브라우저 새로고침 고려하여 accessToken 재발급
accessToken = jwtProvider.createAccessToken(memberId, jwtKey);
response.addHeader(JwtProperties.HEADER_STRING, accessToken);
} else { // 그 외의 경우 accessToken 유효성 검증
accessToken = jwtHeader.replace(JwtProperties.AUTH_TYPE, "");
claims = Jwts.parserBuilder().setSigningKey(JwtProperties.SECRET).build()
.parseClaimsJws(accessToken).getBody();
}
} catch (Exception e) { // accessToken 검증 결과에 따른 예외처리
e.printStackTrace();
chain.doFilter(request, response);
return;
}
// refreshToken, accessToken 검증 이후 작업
PrincipalDetails principalDetails = new PrincipalDetails(member);
Authentication authentication = new UsernamePasswordAuthenticationToken(principalDetails, null, principalDetails.getAuthorities());
SecurityContextHolder.getContext().setAuthentication(authentication);
chain.doFilter(request, response);
}
}
특이한 점은 api/member/login 경로의 API(UsernamePasswordAuthenticationFilter의 attemptAuthentication를 상속받아 구현했습니다.)를 호출했을 때에는 doFilterInternal이 동작을 하지 않지만 api/member/join 경로의 API를 호출했을 때에는 doFilterInternal이 동작을 합니다.
답변을 작성해보세요.
답변 1