Merge pull request #81 from init-cloud/feature/#80-security-exception

feat: handle Jwt Exception on Security filter

Author: Floodnut

src/main/java/scanner/common/dto/CommonResponse.java

@@ -1,5 +1,7 @@
 package scanner.common.dto;
 
+import javax.naming.AuthenticationException;
+
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.lang.Nullable;
@@ -8,6 +10,7 @@
 import lombok.Builder;
 import lombok.Getter;
 import scanner.common.enums.ResponseCode;
+import scanner.common.exception.ApiAuthException;
 import scanner.common.exception.ApiException;
 
 @AllArgsConstructor
@@ -33,6 +36,25 @@ public static ResponseEntity<Object> toException(ApiException e) {
 				.build());
 	}
 
+	// JWT, 인가 관련 ExceptionDto
+	public static ResponseEntity<Object> toException(ApiAuthException e) {
+		return ResponseEntity.status(e.getResponseCode().getHttpStatus())
+			.body(CommonResponse.builder()
+				.success(false)
+				.data(null)
+				.error(new ExceptionDto(e.getResponseCode()))
+				.build());
+	}
+
+	// JWT, 인가 관련 ExceptionDto
+	public static ResponseEntity<Object> toException(AuthenticationException e) {
+		return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+			.body(CommonResponse.builder()
+				.success(false)
+				.data(null)
+				.error(new ExceptionDto(ResponseCode.INVALID_TOKEN)).build());
+	}
+
 	public static ResponseEntity<Object> toException(Exception e) {
 		return ResponseEntity.status(HttpStatus.INTERNAL_SERVER_ERROR)
 			.body(CommonResponse.builder()

src/main/java/scanner/common/enums/ResponseCode.java

@@ -10,29 +10,38 @@
 public enum ResponseCode {
 
 	/* Invalid Request */
-	TOKEN_EXPIRED(4001, HttpStatus.UNAUTHORIZED, "Expired Token."), INVALID_TOKEN(4002, HttpStatus.UNAUTHORIZED,
-		"Invalid Token."), INVALID_PROVIDER(4003, HttpStatus.BAD_REQUEST, "Invalid Scan Provider."), UNSUPPORTED_FORMAT(
-		4004, HttpStatus.BAD_REQUEST, "Invalid File Format."), DATA_MISSING(4005, HttpStatus.BAD_REQUEST,
-		"Data missing. or File missing."), INVALID_REQUEST(4007, HttpStatus.BAD_REQUEST,
-		"Invalid Request."), INVALID_USER(4008, HttpStatus.BAD_REQUEST, "Invalid User."), INVALID_PASSWORD_LENGTH(4009,
-		HttpStatus.BAD_REQUEST, "Password too short."), INVALID_PASSWORD_FORMAT(4010, HttpStatus.BAD_REQUEST,
-		"Invalid Password Create rule."), EXISTED_USER(4011, HttpStatus.BAD_REQUEST,
-		"User exist."), INVALID_AUTHORIIY_TYPE(4012, HttpStatus.BAD_REQUEST, "Invalid Authority."), INVALID_AUTHORIIY(
-		4013, HttpStatus.UNAUTHORIZED, "Have no Authority."), INVALID_JSON_FORMAT(4014, HttpStatus.UNAUTHORIZED,
-		"Error During Parse JSON."), NO_SCAN_RESULT(4015, HttpStatus.BAD_REQUEST, "There are no Scan results."),
+	TOKEN_EXPIRED(4001, HttpStatus.UNAUTHORIZED, "Expired Token."),
+	INVALID_TOKEN(4002, HttpStatus.UNAUTHORIZED, "Invalid Token."),
+	INVALID_PROVIDER(4003, HttpStatus.BAD_REQUEST, "Invalid Scan Provider."),
+	UNSUPPORTED_FORMAT(4004, HttpStatus.BAD_REQUEST, "Invalid File Format."),
+	DATA_MISSING(4005, HttpStatus.BAD_REQUEST, "Data missing. or File missing."),
+	INVALID_REQUEST(4007, HttpStatus.BAD_REQUEST, "Invalid Request."),
+	INVALID_USER(4008, HttpStatus.BAD_REQUEST, "Invalid User."),
+	INVALID_PASSWORD_LENGTH(4009, HttpStatus.BAD_REQUEST, "Password too short."),
+	INVALID_PASSWORD_FORMAT(4010, HttpStatus.BAD_REQUEST, "Invalid Password Create rule."),
+	EXISTED_USER(4011, HttpStatus.BAD_REQUEST, "User exist."),
+	INVALID_AUTHORIIY_TYPE(4012, HttpStatus.BAD_REQUEST, "Invalid Authority."),
+	INVALID_AUTHORIIY(4013, HttpStatus.UNAUTHORIZED, "Have no Authority."),
+	INVALID_JSON_FORMAT(4014, HttpStatus.UNAUTHORIZED, "Error During Parse JSON."),
+	NO_SCAN_RESULT(4015, HttpStatus.BAD_REQUEST, "There are no Scan results."),
+	INVALID_TOKEN_FORMAT(4016, HttpStatus.UNAUTHORIZED, "Invalid Token format."),
+	UNSUPPORTED_TOKEN(4017, HttpStatus.UNAUTHORIZED, "Unsupported Token."),
+	INVALID_TOKEN_SIGNATURE(4018, HttpStatus.UNAUTHORIZED, "Invalid Token signature."),
+	EMPTY_TOKEN_CLAIMS(4019, HttpStatus.UNAUTHORIZED, "Empty Token Claims."),
+	NULL_TOKEN(4020, HttpStatus.UNAUTHORIZED, "Token is null"),
 
 	/* Server Error. */
-	SERVER_BUSY(5001, HttpStatus.INTERNAL_SERVER_ERROR, "Server busy."), SCAN_ERROR(5002,
-		HttpStatus.INTERNAL_SERVER_ERROR, "Scan Error."), SERVER_STORE_ERROR(5003, HttpStatus.INTERNAL_SERVER_ERROR,
-		"Could not store the file."), SERVER_DECOMPRESS_ERROR(5004, HttpStatus.INTERNAL_SERVER_ERROR,
-		"Could not decompress the file."), SERVER_CREATE_DIR_ERROR(5005, HttpStatus.INTERNAL_SERVER_ERROR,
-		"Could not create upload directory."),
+	SERVER_BUSY(5001, HttpStatus.INTERNAL_SERVER_ERROR, "Server busy."),
+	SCAN_ERROR(5002, HttpStatus.INTERNAL_SERVER_ERROR, "Scan Error."),
+	SERVER_STORE_ERROR(5003, HttpStatus.INTERNAL_SERVER_ERROR, "Could not store the file."),
+	SERVER_DECOMPRESS_ERROR(5004, HttpStatus.INTERNAL_SERVER_ERROR, "Could not decompress the file."),
+	SERVER_CREATE_DIR_ERROR(5005, HttpStatus.INTERNAL_SERVER_ERROR, "Could not create upload directory."),
 
-	SERVER_LOAD_FILE_ERROR(5006, HttpStatus.INTERNAL_SERVER_ERROR, "Could not load file."), SERVER_LOAD_VISUALIZE_ERROR(
-		5007, HttpStatus.INTERNAL_SERVER_ERROR, "Could not load Visualize data."), SERVER_UPDATE_USER_ERROR(5008,
-		HttpStatus.INTERNAL_SERVER_ERROR, "Could not update User."), SERVER_PASSWORD_ERROR(5009,
-		HttpStatus.INTERNAL_SERVER_ERROR, "Could not change password."), SERVER_ERROR(5100,
-		HttpStatus.INTERNAL_SERVER_ERROR, "Unknown error.");
+	SERVER_LOAD_FILE_ERROR(5006, HttpStatus.INTERNAL_SERVER_ERROR, "Could not load file."),
+	SERVER_LOAD_VISUALIZE_ERROR(5007, HttpStatus.INTERNAL_SERVER_ERROR, "Could not load Visualize data."),
+	SERVER_UPDATE_USER_ERROR(5008, HttpStatus.INTERNAL_SERVER_ERROR, "Could not update User."),
+	SERVER_PASSWORD_ERROR(5009, HttpStatus.INTERNAL_SERVER_ERROR, "Could not change password."),
+	SERVER_ERROR(5100, HttpStatus.INTERNAL_SERVER_ERROR, "Unknown error.");
 
 	private final int code;
 	private final HttpStatus httpStatus;

src/main/java/scanner/common/exception/ApiAuthException.java

@@ -0,0 +1,12 @@
+package scanner.common.exception;
+
+import lombok.Getter;
+import lombok.RequiredArgsConstructor;
+import scanner.common.enums.ResponseCode;
+
+@Getter
+@RequiredArgsConstructor
+public class ApiAuthException extends RuntimeException {
+	private final ResponseCode responseCode;
+}
+

src/main/java/scanner/common/exception/handler/AuthenticationExceptionHandler.java

@@ -0,0 +1,32 @@
+package scanner.common.exception.handler;
+
+import javax.naming.AuthenticationException;
+
+import org.springframework.http.ResponseEntity;
+import org.springframework.web.bind.annotation.ExceptionHandler;
+import org.springframework.web.bind.annotation.ResponseBody;
+import org.springframework.web.bind.annotation.RestControllerAdvice;
+import org.springframework.web.servlet.mvc.method.annotation.ResponseEntityExceptionHandler;
+
+import lombok.extern.slf4j.Slf4j;
+import scanner.common.dto.CommonResponse;
+import scanner.common.exception.ApiAuthException;
+
+@RestControllerAdvice(value = "authenticationExceptionAdvice")
+@Slf4j
+public class AuthenticationExceptionHandler extends ResponseEntityExceptionHandler {
+
+	@ExceptionHandler(value = ApiAuthException.class)
+	@ResponseBody
+	public ResponseEntity<Object> handleJwtException(ApiAuthException e) {
+		log.error("handleJwtException throw JwtException : {}", e.getResponseCode().getMessage());
+		return CommonResponse.toException(e);
+	}
+
+	@ExceptionHandler(value = AuthenticationException.class)
+	@ResponseBody
+	public ResponseEntity<Object> handleAuthenticateException(AuthenticationException e) {
+		log.error("handleAuthenticateException throw AuthenticateException : {}", e.getMessage());
+		return CommonResponse.toException(e);
+	}
+}

src/main/java/scanner/security/config/SecurityConfig.java

@@ -14,13 +14,17 @@
 import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
 
 import scanner.security.filter.JwtAuthenticationFilter;
+import scanner.security.filter.JwtExceptionFilter;
+import scanner.security.filter.JwtGlobalEntryPoint;
 import scanner.security.provider.JwtTokenProvider;
 
 @Configuration
 @EnableWebSecurity
 @RequiredArgsConstructor
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
 
+	private final JwtGlobalEntryPoint jwtGlobalEntryPoint;
+	private final JwtExceptionFilter jwtExceptionFilter;
 	private final JwtTokenProvider jwtTokenProvider;
 	private final Properties properties;
 
@@ -32,10 +36,8 @@ public AuthenticationManager authenticationManagerBean()
 	}
 
 	@Override
-	public void configure(HttpSecurity http)
-		throws Exception {
-		http.csrf()
-			.disable();
+	public void configure(HttpSecurity http) throws Exception {
+		http.csrf().disable();
 
 		http.httpBasic()
 			.disable()
@@ -48,25 +50,20 @@ public void configure(HttpSecurity http)
 			.antMatchers("/swagger-ui/**").permitAll()
 			.and()
 			.authorizeRequests()
-			.antMatchers("/api/v1/**").permitAll()
-			.and()
-			.authorizeRequests()
 			.antMatchers("/api/v1").permitAll()
 			.antMatchers("/api/v1/user/signin").permitAll()
 			.antMatchers("/api/v1/user/signup").permitAll()
 			.and()
-			.authorizeRequests()
-			.antMatchers("/api/v1/app/**").permitAll()
-			.and()
-			.authorizeRequests()
-			.antMatchers("/api/v1/admin/**").hasRole("ADMIN")
+			.authorizeRequests().antMatchers("/api/v1/admin/**").hasRole("ADMIN")
 			.and()
 			.authorizeRequests()
 			.anyRequest().authenticated()
 			.and()
-			.addFilterBefore(
-				new JwtAuthenticationFilter(jwtTokenProvider, properties),
-				UsernamePasswordAuthenticationFilter.class);
+			.exceptionHandling().authenticationEntryPoint(jwtGlobalEntryPoint)
+			.and()
+			.addFilterBefore(new JwtAuthenticationFilter(jwtTokenProvider, properties),
+				UsernamePasswordAuthenticationFilter.class)
+			.addFilterBefore(jwtExceptionFilter, JwtAuthenticationFilter.class);
 	}
 
 	@Bean

src/main/java/scanner/security/filter/JwtAuthenticationFilter.java

@@ -4,38 +4,41 @@
 
 import javax.servlet.FilterChain;
 import javax.servlet.ServletException;
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter;
+import org.springframework.web.filter.OncePerRequestFilter;
 
 import lombok.RequiredArgsConstructor;
+
+import scanner.common.enums.ResponseCode;
+import scanner.common.exception.ApiAuthException;
 import scanner.security.config.Properties;
 import scanner.security.provider.JwtTokenProvider;
 
 @RequiredArgsConstructor
-public class JwtAuthenticationFilter extends UsernamePasswordAuthenticationFilter {
+public class JwtAuthenticationFilter extends OncePerRequestFilter {
 
 	private final JwtTokenProvider jwtTokenProvider;
 	private final Properties properties;
 
 	@Override
-	public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws
+	public void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws
 		IOException,
 		ServletException {
 
-		String token = jwtTokenProvider.resolve((HttpServletRequest)request);
+		String token = jwtTokenProvider.resolve(request);
 
 		if (token == null)
-			SecurityContextHolder.getContext().setAuthentication(null);
+			throw new ApiAuthException(ResponseCode.NULL_TOKEN);
+
+		if (!jwtTokenProvider.validate(token, properties.getSecret()))
+			throw new ApiAuthException(ResponseCode.INVALID_TOKEN);
 
-		else if (jwtTokenProvider.validate(token, properties.getSecret())) {
-			Authentication authentication = jwtTokenProvider.getAuthentication(token, properties.getSecret());
-			SecurityContextHolder.getContext().setAuthentication(authentication);
-		}
+		Authentication authentication = jwtTokenProvider.getAuthentication(token, properties.getSecret());
+		SecurityContextHolder.getContext().setAuthentication(authentication);
 
 		chain.doFilter(request, response);
 	}

src/main/java/scanner/security/filter/JwtExceptionFilter.java

@@ -0,0 +1,43 @@
+package scanner.security.filter;
+
+import java.io.IOException;
+
+import javax.servlet.FilterChain;
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.springframework.stereotype.Component;
+import org.springframework.web.filter.OncePerRequestFilter;
+
+import io.jsonwebtoken.ExpiredJwtException;
+import io.jsonwebtoken.MalformedJwtException;
+import io.jsonwebtoken.UnsupportedJwtException;
+import lombok.extern.slf4j.Slf4j;
+import scanner.common.enums.ResponseCode;
+
+@Slf4j
+@Component
+public class JwtExceptionFilter extends OncePerRequestFilter {
+	@Override
+	protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response,
+		FilterChain filterChain) throws ServletException, IOException {
+		try {
+			filterChain.doFilter(request, response);
+		} catch (SecurityException e) {
+			request.setAttribute("exception", ResponseCode.INVALID_TOKEN_SIGNATURE.getCode());
+		} catch (MalformedJwtException e) {
+			request.setAttribute("exception", ResponseCode.INVALID_TOKEN_FORMAT.getCode());
+		} catch (ExpiredJwtException e) {
+			request.setAttribute("exception", ResponseCode.TOKEN_EXPIRED.getCode());
+		} catch (UnsupportedJwtException e) {
+			request.setAttribute("exception", ResponseCode.UNSUPPORTED_TOKEN.getCode());
+		} catch (IllegalArgumentException e) {
+			request.setAttribute("exception", ResponseCode.EMPTY_TOKEN_CLAIMS.getCode());
+		} catch (Exception e) {
+			request.setAttribute("exception", ResponseCode.INVALID_TOKEN.getCode());
+		}
+
+		filterChain.doFilter(request, response);
+	}
+}

src/main/java/scanner/security/filter/JwtGlobalEntryPoint.java

@@ -0,0 +1,61 @@
+package scanner.security.filter;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+
+import org.json.simple.JSONObject;
+import org.springframework.http.HttpStatus;
+import org.springframework.security.web.AuthenticationEntryPoint;
+import org.springframework.stereotype.Component;
+
+import lombok.extern.slf4j.Slf4j;
+import scanner.common.enums.ResponseCode;
+
+@Slf4j
+@Component("jwtGlobalEntryPoint")
+public class JwtGlobalEntryPoint implements AuthenticationEntryPoint {
+
+	@Override
+	public void commence(HttpServletRequest request, HttpServletResponse response,
+		org.springframework.security.core.AuthenticationException authException) throws IOException {
+		Integer exception = (Integer)request.getAttribute("exception");
+
+		if (exception == null) {
+			setResponse(response, ResponseCode.INVALID_REQUEST);
+		} else if (exception.equals(ResponseCode.EMPTY_TOKEN_CLAIMS.getCode())) {
+			setResponse(response, ResponseCode.EMPTY_TOKEN_CLAIMS);
+		} else if (exception.equals(ResponseCode.INVALID_TOKEN_SIGNATURE.getCode())) {
+			setResponse(response, ResponseCode.INVALID_TOKEN_SIGNATURE);
+		} else if (exception.equals(ResponseCode.INVALID_TOKEN.getCode())) {
+			setResponse(response, ResponseCode.INVALID_TOKEN);
+		} else if (exception.equals(ResponseCode.TOKEN_EXPIRED.getCode())) {
+			setResponse(response, ResponseCode.TOKEN_EXPIRED);
+		} else if (exception.equals(ResponseCode.UNSUPPORTED_TOKEN.getCode())) {
+			setResponse(response, ResponseCode.UNSUPPORTED_TOKEN);
+		} else if (exception.equals(ResponseCode.INVALID_TOKEN_FORMAT.getCode())) {
+			setResponse(response, ResponseCode.INVALID_TOKEN_FORMAT);
+		}
+	}
+
+	private void setResponse(HttpServletResponse response, ResponseCode code) throws IOException {
+		response.setStatus(HttpStatus.UNAUTHORIZED.value());
+		response.setContentType("application/json");
+
+		Map<String, Object> errorMap = new HashMap<>();
+		errorMap.put("code", code.getCode());
+		errorMap.put("message", code.getMessage());
+
+		Map<String, Object> responseMap = new HashMap<>();
+		responseMap.put("success", false);
+		responseMap.put("data", null);
+		responseMap.put("error", errorMap);
+
+		JSONObject responseJson = new JSONObject(responseMap);
+
+		response.getWriter().print(responseJson);
+	}
+}