default - aop

Author: boorownie

build.gradle

@@ -14,7 +14,8 @@ repositories {
 
 dependencies {
     implementation 'org.springframework.boot:spring-boot-starter-web'
-    testImplementation('org.springframework.boot:spring-boot-starter-test')
+    implementation 'org.springframework.boot:spring-boot-starter-aop'
+    testImplementation 'org.springframework.boot:spring-boot-starter-test'
 }
 
 test {

src/main/java/nextstep/app/SecurityConfig.java

@@ -6,6 +6,8 @@
 import nextstep.security.authentication.BasicAuthenticationFilter;
 import nextstep.security.authentication.UsernamePasswordAuthenticationFilter;
 import nextstep.security.authorization.CheckAuthenticationFilter;
+import nextstep.security.authorization.SecuredAspect;
+import nextstep.security.authorization.SecuredMethodInterceptor;
 import nextstep.security.config.DefaultSecurityFilterChain;
 import nextstep.security.config.DelegatingFilterProxy;
 import nextstep.security.config.FilterChainProxy;
@@ -15,10 +17,12 @@
 import nextstep.security.userdetails.UserDetailsService;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.context.annotation.EnableAspectJAutoProxy;
 
 import java.util.List;
 import java.util.Set;
 
+@EnableAspectJAutoProxy
 @Configuration
 public class SecurityConfig {
 
@@ -38,6 +42,15 @@ public FilterChainProxy filterChainProxy(List<SecurityFilterChain> securityFilte
         return new FilterChainProxy(securityFilterChains);
     }
 
+    @Bean
+    public SecuredMethodInterceptor securedMethodInterceptor() {
+        return new SecuredMethodInterceptor();
+    }
+//    @Bean
+//    public SecuredAspect securedAspect() {
+//        return new SecuredAspect();
+//    }
+
     @Bean
     public SecurityFilterChain securityFilterChain() {
         return new DefaultSecurityFilterChain(

src/main/java/nextstep/app/ui/MemberController.java

@@ -2,6 +2,7 @@
 
 import nextstep.app.domain.Member;
 import nextstep.app.domain.MemberRepository;
+import nextstep.security.authorization.Secured;
 import org.springframework.http.ResponseEntity;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RestController;
@@ -22,4 +23,11 @@ public ResponseEntity<List<Member>> list() {
         List<Member> members = memberRepository.findAll();
         return ResponseEntity.ok(members);
     }
+
+    @Secured("ADMIN")
+    @GetMapping("/search")
+    public ResponseEntity<List<Member>> search() {
+        List<Member> members = memberRepository.findAll();
+        return ResponseEntity.ok(members);
+    }
 }

src/main/java/nextstep/security/authentication/BasicAuthenticationFilter.java

@@ -34,9 +34,9 @@ protected void doFilterInternal(HttpServletRequest request, HttpServletResponse
                 return;
             }
 
-            Authentication authenticate = this.authenticationManager.authenticate(authentication);
+            Authentication authResult = this.authenticationManager.authenticate(authentication);
             SecurityContext context = SecurityContextHolder.createEmptyContext();
-            context.setAuthentication(authenticate);
+            context.setAuthentication(authResult);
             SecurityContextHolder.setContext(context);
 
             filterChain.doFilter(request, response);

src/main/java/nextstep/security/authorization/CheckAuthenticationFilter.java

@@ -12,9 +12,15 @@
 import java.util.Set;
 
 public class CheckAuthenticationFilter extends OncePerRequestFilter {
+    private static final String DEFAULT_REQUEST_URI = "/members";
 
     @Override
     protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain filterChain) throws ServletException, IOException {
+        if (!DEFAULT_REQUEST_URI.equals(request.getRequestURI())) {
+            filterChain.doFilter(request, response);
+            return;
+        }
+
         Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
         if (authentication == null || !authentication.isAuthenticated()) {
             response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

src/main/java/nextstep/security/authorization/ForbiddenException.java

@@ -0,0 +1,8 @@
+package nextstep.security.authorization;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.FORBIDDEN)
+public class ForbiddenException extends RuntimeException {
+}

src/main/java/nextstep/security/authorization/Secured.java

@@ -0,0 +1,12 @@
+package nextstep.security.authorization;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+@Target(ElementType.METHOD)
+@Retention(RetentionPolicy.RUNTIME)
+public @interface Secured {
+    String value();
+}

src/main/java/nextstep/security/authorization/SecuredAspect.java

@@ -0,0 +1,36 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.AuthenticationException;
+import nextstep.security.context.SecurityContextHolder;
+import org.aspectj.lang.JoinPoint;
+import org.aspectj.lang.annotation.Aspect;
+import org.aspectj.lang.annotation.Before;
+import org.aspectj.lang.reflect.MethodSignature;
+
+import java.lang.reflect.Method;
+
+@Aspect
+public class SecuredAspect {
+
+    @Before("@annotation(nextstep.security.authorization.Secured)")
+    public void checkSecured(JoinPoint joinPoint) throws NoSuchMethodException {
+        Method method = getMethodFromJoinPoint(joinPoint);
+        String secured = method.getAnnotation(Secured.class).value();
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        if (authentication == null) {
+            throw new AuthenticationException();
+        }
+        if (!authentication.getAuthorities().contains(secured)) {
+            throw new ForbiddenException();
+        }
+    }
+
+    private Method getMethodFromJoinPoint(JoinPoint joinPoint) throws NoSuchMethodException {
+        Class<?> targetClass = joinPoint.getTarget().getClass();
+        String methodName = joinPoint.getSignature().getName();
+        Class<?>[] parameterTypes = ((MethodSignature) joinPoint.getSignature()).getParameterTypes();
+
+        return targetClass.getMethod(methodName, parameterTypes);
+    }
+}

src/main/java/nextstep/security/authorization/SecuredMethodInterceptor.java

@@ -0,0 +1,54 @@
+package nextstep.security.authorization;
+
+import nextstep.security.authentication.Authentication;
+import nextstep.security.authentication.AuthenticationException;
+import nextstep.security.context.SecurityContextHolder;
+import org.aopalliance.aop.Advice;
+import org.aopalliance.intercept.MethodInterceptor;
+import org.aopalliance.intercept.MethodInvocation;
+import org.springframework.aop.Pointcut;
+import org.springframework.aop.PointcutAdvisor;
+import org.springframework.aop.framework.AopInfrastructureBean;
+import org.springframework.aop.support.annotation.AnnotationMatchingPointcut;
+
+import java.lang.reflect.Method;
+
+public class SecuredMethodInterceptor implements MethodInterceptor, PointcutAdvisor, AopInfrastructureBean {
+
+    private final Pointcut pointcut;
+
+    public SecuredMethodInterceptor() {
+        this.pointcut = new AnnotationMatchingPointcut(null, Secured.class);
+    }
+
+    @Override
+    public Object invoke(MethodInvocation invocation) throws Throwable {
+        Method method = invocation.getMethod();
+        if (method.isAnnotationPresent(Secured.class)) {
+            Secured secured = method.getAnnotation(Secured.class);
+            Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+            if (authentication == null) {
+                throw new AuthenticationException();
+            }
+            if (!authentication.getAuthorities().contains(secured.value())) {
+                throw new ForbiddenException();
+            }
+        }
+        return invocation.proceed();
+    }
+
+    @Override
+    public Pointcut getPointcut() {
+        return pointcut;
+    }
+
+    @Override
+    public Advice getAdvice() {
+        return this;
+    }
+
+    @Override
+    public boolean isPerInstance() {
+        return true;
+    }
+}

src/test/java/nextstep/app/SecuredTest.java

@@ -17,6 +17,7 @@
 import java.util.Set;
 
 import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get;
+import static org.springframework.test.web.servlet.result.MockMvcResultHandlers.print;
 import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;
 
 @SpringBootTest
@@ -45,7 +46,7 @@ void request_search_success_with_admin_user() throws Exception {
         ResultActions response = mockMvc.perform(get("/search")
                 .header("Authorization", "Basic " + token)
                 .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
-        );
+        ).andDo(print());
 
         response.andExpect(status().isOk())
                 .andExpect(MockMvcResultMatchers.jsonPath("$.length()").value(2));
@@ -59,7 +60,7 @@ void request_search_fail_with_general_user() throws Exception {
         ResultActions response = mockMvc.perform(get("/search")
                 .header("Authorization", "Basic " + token)
                 .contentType(MediaType.APPLICATION_FORM_URLENCODED_VALUE)
-        );
+        ).andDo(print());
 
         response.andExpect(status().isForbidden());
     }