default

boorownie · boorownie · commit 5ab767eda628 · 2025-01-24T17:08:53.000+09:00
diff --git a/build.gradle b/build.gradle
@@ -1,22 +1,22 @@
 plugins {
-    id 'org.springframework.boot' version '2.7.1'
-    id 'io.spring.dependency-management' version '1.0.11.RELEASE'
+    id 'org.springframework.boot' version '3.3.0'
+    id 'io.spring.dependency-management' version '1.1.5'
     id 'java'
 }
 
-group = 'nextstep'
+group = 'com.example'
 version = '0.0.1-SNAPSHOT'
-sourceCompatibility = '11'
+sourceCompatibility = '17'
 
 repositories {
     mavenCentral()
 }
 
 dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    testImplementation 'org.springframework.boot:spring-boot-starter-test'
+    testImplementation('org.springframework.boot:spring-boot-starter-test')
 }
 
-tasks.named('test') {
+test {
     useJUnitPlatform()
-}
+}
diff --git a/gradle/wrapper/gradle-wrapper.properties b/gradle/wrapper/gradle-wrapper.properties
@@ -1,5 +1,7 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-7.4.1-bin.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-8.7-bin.zip
+networkTimeout=10000
+validateDistributionUrl=true
 zipStoreBase=GRADLE_USER_HOME
-zipStorePath=wrapper/dists
+zipStorePath=wrapper/dists
diff --git a/settings.gradle b/settings.gradle
@@ -1 +1 @@
-rootProject.name = 'spring-security-authorization'
+rootProject.name = 'spring-security'
diff --git a/src/main/java/nextstep/app/SecurityConfig.java b/src/main/java/nextstep/app/SecurityConfig.java
@@ -5,6 +5,7 @@
 import nextstep.security.authentication.AuthenticationException;
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
+import nextstep.security.authorization.CheckAuthenticationFilter;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.DelegatingFilterProxy;
 import nextstep.security.config.FilterChainProxy;
@@ -16,6 +17,7 @@
 import org.springframework.context.annotation.Configuration;
 
 import java.util.List;
+import java.util.Set;
 
 @Configuration
 public class SecurityConfig {
@@ -42,7 +44,8 @@ public SecurityFilterChain securityFilterChain() {
                 List.of(
                         new SecurityContextHolderFilter(),
                         new UsernamePasswordAuthenticationFilter(userDetailsService()),
-                        new BasicAuthenticationFilter(userDetailsService())
+                        new BasicAuthenticationFilter(userDetailsService()),
+                        new CheckAuthenticationFilter()
                 )
         );
     }
@@ -63,6 +66,11 @@ public String getUsername() {
                 public String getPassword() {
                     return member.getPassword();
                 }
+
+                @Override
+                public Set<String> getAuthorities() {
+                    return member.getRoles();
+                }
             };
         };
     }
diff --git a/src/main/java/nextstep/app/domain/Member.java b/src/main/java/nextstep/app/domain/Member.java
@@ -36,4 +36,8 @@ public String getImageUrl() {
     public Set<String> getRoles() {
         return roles;
     }
+
+    public boolean matchPassword(String password) {
+        return this.password.equals(password);
+    }
 }
diff --git a/src/main/java/nextstep/app/infrastructure/InmemoryMemberRepository.java b/src/main/java/nextstep/app/infrastructure/InmemoryMemberRepository.java
@@ -9,15 +9,8 @@
 
 @Repository
 public class InmemoryMemberRepository implements MemberRepository {
-    public static final Member ADMIN_MEMBER = new Member("a@a.com", "password", "a", "", Set.of("ADMIN"));
-    public static final Member USER_MEMBER = new Member("b@b.com", "password", "b", "", Collections.emptySet());
     private static final Map<String, Member> members = new HashMap<>();
 
-    static {
-        members.put(ADMIN_MEMBER.getEmail(), ADMIN_MEMBER);
-        members.put(USER_MEMBER.getEmail(), USER_MEMBER);
-    }
-
     @Override
     public Optional<Member> findByEmail(String email) {
         return Optional.ofNullable(members.get(email));
diff --git a/src/main/java/nextstep/app/ui/MemberController.java b/src/main/java/nextstep/app/ui/MemberController.java
@@ -2,10 +2,7 @@
 
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
-import nextstep.security.authentication.AuthenticationException;
-import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.web.bind.annotation.ExceptionHandler;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
 
@@ -25,9 +22,4 @@ public ResponseEntity<List<Member>> list() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
-
-    @ExceptionHandler(AuthenticationException.class)
-    public ResponseEntity<Void> handleAuthenticationException() {
-        return ResponseEntity.status(HttpStatus.UNAUTHORIZED).build();
-    }
 }
diff --git a/src/main/java/nextstep/security/authentication/Authentication.java b/src/main/java/nextstep/security/authentication/Authentication.java
@@ -1,7 +1,11 @@
 package nextstep.security.authentication;
 
+import java.util.Set;
+
 public interface Authentication {
 
+    Set<String> getAuthorities();
+
     Object getCredentials();
 
     Object getPrincipal();
diff --git a/src/main/java/nextstep/security/authentication/AuthenticationException.java b/src/main/java/nextstep/security/authentication/AuthenticationException.java
@@ -1,6 +1,10 @@
 package nextstep.security.authentication;
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
 
+@ResponseStatus(code = HttpStatus.UNAUTHORIZED)
 public class AuthenticationException extends RuntimeException {
+
     public AuthenticationException() {
         super("인증에 실패하였습니다.");
     }
diff --git a/src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java b/src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java
@@ -1,15 +1,15 @@
 package nextstep.security.authentication;
 
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import nextstep.security.context.SecurityContext;
 import nextstep.security.context.SecurityContextHolder;
 import nextstep.security.userdetails.UserDetailsService;
 import org.springframework.http.HttpHeaders;
 import org.springframework.util.StringUtils;
 import org.springframework.web.filter.OncePerRequestFilter;
 
-import javax.servlet.FilterChain;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.nio.charset.StandardCharsets;
 import java.util.Base64;
 import java.util.List;
diff --git a/src/main/java/nextstep/security/authentication/DaoAuthenticationProvider.java b/src/main/java/nextstep/security/authentication/DaoAuthenticationProvider.java
@@ -18,7 +18,7 @@ public Authentication authenticate(Authentication authentication) throws Authent
         if (!Objects.equals(userDetails.getPassword(), authentication.getCredentials())) {
             throw new AuthenticationException();
         }
-        return UsernamePasswordAuthenticationToken.authenticated(userDetails.getUsername(), userDetails.getPassword());
+        return UsernamePasswordAuthenticationToken.authenticated(userDetails.getUsername(), userDetails.getPassword(), userDetails.getAuthorities());
     }
 
     @Override
diff --git a/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationFilter.java b/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationFilter.java
@@ -1,17 +1,17 @@
 package nextstep.security.authentication;
 
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
 import nextstep.security.context.HttpSessionSecurityContextRepository;
 import nextstep.security.context.SecurityContext;
 import nextstep.security.context.SecurityContextHolder;
 import nextstep.security.userdetails.UserDetailsService;
 import org.springframework.web.filter.GenericFilterBean;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
 import java.io.IOException;
 import java.util.List;
 import java.util.Map;
diff --git a/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationToken.java b/src/main/java/nextstep/security/authentication/UsernamePasswordAuthenticationToken.java
@@ -1,24 +1,33 @@
 package nextstep.security.authentication;
 
+import java.util.Set;
+
 public class UsernamePasswordAuthenticationToken implements Authentication {
 
     private final Object principal;
     private final Object credentials;
     private final boolean authenticated;
+    private final Set<String> authorities;
 
-    private UsernamePasswordAuthenticationToken(Object principal, Object credentials, boolean authenticated) {
+    private UsernamePasswordAuthenticationToken(Object principal, Object credentials, boolean authenticated, Set<String> authorities) {
         this.principal = principal;
         this.credentials = credentials;
         this.authenticated = authenticated;
+        this.authorities = authorities;
     }
 
     public static UsernamePasswordAuthenticationToken unauthenticated(String principal, String credentials) {
-        return new UsernamePasswordAuthenticationToken(principal, credentials, false);
+        return new UsernamePasswordAuthenticationToken(principal, credentials, false, Set.of());
     }
 
 
-    public static UsernamePasswordAuthenticationToken authenticated(String principal, String credentials) {
-        return new UsernamePasswordAuthenticationToken(principal, credentials, true);
+    public static UsernamePasswordAuthenticationToken authenticated(String principal, String credentials, Set<String> authorities) {
+        return new UsernamePasswordAuthenticationToken(principal, credentials, true, authorities);
+    }
+
+    @Override
+    public Set<String> getAuthorities() {
+        return authorities;
     }
 
     @Override
diff --git a/src/main/java/nextstep/security/authorization/CheckAuthenticationFilter.java b/src/main/java/nextstep/security/authorization/CheckAuthenticationFilter.java
@@ -0,0 +1,32 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.context.SecurityContextHolder;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import java.io.IOException;
+import java.util.Set;
+
+public class CheckAuthenticationFilter extends OncePerRequestFilter {
+
+    @Override
+    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication == null || !authentication.isAuthenticated()) {
+            response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
+            return;
+        }
+
+        Set<String> authorities = authentication.getAuthorities();
+        if (!authorities.contains("ADMIN")) {
+            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
+            return;
+        }
+
+        filterChain.doFilter(request, response);
+    }
+}
diff --git a/src/main/java/nextstep/security/config/DefaultSecurityFilterChain.java b/src/main/java/nextstep/security/config/DefaultSecurityFilterChain.java
@@ -1,7 +1,7 @@
 package nextstep.security.config;
 
-import javax.servlet.Filter;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.Filter;
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.List;
 
 public class DefaultSecurityFilterChain implements SecurityFilterChain {
diff --git a/src/main/java/nextstep/security/config/DelegatingFilterProxy.java b/src/main/java/nextstep/security/config/DelegatingFilterProxy.java
@@ -2,7 +2,7 @@
 
 import org.springframework.web.filter.GenericFilterBean;
 
-import javax.servlet.*;
+import jakarta.servlet.*;
 import java.io.IOException;
 
 public class DelegatingFilterProxy extends GenericFilterBean {
diff --git a/src/main/java/nextstep/security/config/FilterChainProxy.java b/src/main/java/nextstep/security/config/FilterChainProxy.java
@@ -2,8 +2,8 @@
 
 import org.springframework.web.filter.GenericFilterBean;
 
-import javax.servlet.*;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.*;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 import java.util.List;
 
diff --git a/src/main/java/nextstep/security/config/SecurityFilterChain.java b/src/main/java/nextstep/security/config/SecurityFilterChain.java
@@ -1,7 +1,7 @@
 package nextstep.security.config;
 
-import javax.servlet.Filter;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.Filter;
+import jakarta.servlet.http.HttpServletRequest;
 import java.util.List;
 
 public interface SecurityFilterChain {
diff --git a/src/main/java/nextstep/security/context/HttpSessionSecurityContextRepository.java b/src/main/java/nextstep/security/context/HttpSessionSecurityContextRepository.java
@@ -1,8 +1,8 @@
 package nextstep.security.context;
 
-import javax.servlet.http.HttpServletRequest;
-import javax.servlet.http.HttpServletResponse;
-import javax.servlet.http.HttpSession;
+import jakarta.servlet.http.HttpServletRequest;
+import jakarta.servlet.http.HttpServletResponse;
+import jakarta.servlet.http.HttpSession;
 
 public class HttpSessionSecurityContextRepository {
     public static final String SPRING_SECURITY_CONTEXT_KEY = "SPRING_SECURITY_CONTEXT";
diff --git a/src/main/java/nextstep/security/context/SecurityContextHolderFilter.java b/src/main/java/nextstep/security/context/SecurityContextHolderFilter.java
@@ -2,11 +2,11 @@
 
 import org.springframework.web.filter.GenericFilterBean;
 
-import javax.servlet.FilterChain;
-import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
+import jakarta.servlet.FilterChain;
+import jakarta.servlet.ServletException;
+import jakarta.servlet.ServletRequest;
+import jakarta.servlet.ServletResponse;
+import jakarta.servlet.http.HttpServletRequest;
 import java.io.IOException;
 
 public class SecurityContextHolderFilter extends GenericFilterBean {
diff --git a/src/main/java/nextstep/security/userdetails/UserDetails.java b/src/main/java/nextstep/security/userdetails/UserDetails.java
@@ -1,7 +1,11 @@
 package nextstep.security.userdetails;
 
+import java.util.Set;
+
 public interface UserDetails {
     String getUsername();
 
     String getPassword();
+
+    Set<String> getAuthorities();
 }
diff --git a/src/test/java/nextstep/app/BasicAuthTest.java b/src/test/java/nextstep/app/BasicAuthTest.java
diff --git a/src/test/java/nextstep/app/FormLoginTest.java b/src/test/java/nextstep/app/FormLoginTest.java
diff --git a/src/test/java/nextstep/app/SecuredTest.java b/src/test/java/nextstep/app/SecuredTest.java

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-rootProject.name = 'spring-security-authorization'`
	`1`	`+rootProject.name = 'spring-security'`
Original file line number	Diff line number	Diff line change
`@@ -36,4 +36,8 @@ public String getImageUrl() {`
`36`	`36`	`public Set<String> getRoles() {`
`37`	`37`	`return roles;`
`38`	`38`	`}`
	`39`	`+`
	`40`	`+ public boolean matchPassword(String password) {`
	`41`	`+ return this.password.equals(password);`
	`42`	`+ }`
`39`	`43`	`}`