[security-db-auth] FilterInvocationSecurityMetaaataSource 설정 (1)

SeokRae · SeokRae · commit 248444a824ac · 2020-11-17T12:10:33.000+09:00
diff --git a/security-db-auth/build.gradle b/security-db-auth/build.gradle
@@ -1,5 +1,5 @@
 plugins {
-    id 'org.springframework.boot' version '2.2.11.RELEASE'
+    id 'org.springframework.boot' version '2.3.3.RELEASE'
     id 'io.spring.dependency-management' version '1.0.10.RELEASE'
     id 'java'
 }
@@ -30,6 +30,8 @@ dependencies {
     // https://mvnrepository.com/artifact/org.modelmapper/modelmapper
     implementation 'org.modelmapper:modelmapper:2.3.0'
 
+    developmentOnly 'org.springframework.boot:spring-boot-devtools'
+
     compileOnly 'org.projectlombok:lombok'
     annotationProcessor 'org.projectlombok:lombok'
 
diff --git a/security-db-auth/src/main/java/kr/seok/security/config/SecurityConfig.java b/security-db-auth/src/main/java/kr/seok/security/config/SecurityConfig.java
@@ -3,11 +3,17 @@
 import kr.seok.security.form.common.FormAuthenticationDetailsSource;
 import kr.seok.security.form.handler.FormAccessDeniedHandler;
 import kr.seok.security.form.provider.FormAuthenticationProvider;
+import kr.seok.security.metadatasource.UrlFilterInvocationSecurityMetadataSource;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
 import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.security.access.AccessDecisionManager;
+import org.springframework.security.access.AccessDecisionVoter;
+import org.springframework.security.access.vote.AffirmativeBased;
+import org.springframework.security.access.vote.RoleVoter;
+import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.AuthenticationProvider;
 import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -17,9 +23,14 @@
 import org.springframework.security.crypto.factory.PasswordEncoderFactories;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.security.web.access.AccessDeniedHandler;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
 import org.springframework.security.web.authentication.AuthenticationFailureHandler;
 import org.springframework.security.web.authentication.AuthenticationSuccessHandler;
 
+import java.util.Arrays;
+import java.util.List;
+
 @Configuration
 @EnableWebSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
@@ -57,27 +68,26 @@ public void configure(WebSecurity web) {
     protected void configure(HttpSecurity http) throws Exception {
         http
                 .authorizeRequests()
-                .antMatchers("/", "/users", "/user/login/**").permitAll()
-                .antMatchers("/mypage").hasRole("USER")
-                .antMatchers("/messages").hasRole("MANAGER")
-                .antMatchers("/config").hasRole("ADMIN")
-                .anyRequest().authenticated()
+                .antMatchers("/**").permitAll()
+                .anyRequest().authenticated();
 
-                .and()
+        http
                 .formLogin()
                 .loginPage("/login")
-                /* form 태그의 action url */
-                .loginProcessingUrl("/login_proc")
-                /* request의 상세 값을 Details로 추가 하기 위한 작업 */
-                .authenticationDetailsSource(formAuthenticationDetailsSource)
-                /* 사용자 정의 Success Handler */
-                .successHandler(formAuthenticationSuccessHandler)
+                .loginProcessingUrl("/login_proc")                                  /* form 태그의 action url */
+                .authenticationDetailsSource(formAuthenticationDetailsSource)       /* request의 상세 값을 Details로 추가 하기 위한 작업 */
+                .successHandler(formAuthenticationSuccessHandler)                   /* 사용자 정의 Success Handler */
                 .failureHandler(formAuthenticationFailureHandler)
                 .permitAll()
         ;
         http
                 .exceptionHandling()
                 .accessDeniedHandler(accessDeniedHandler());
+
+        /* FilterSecurityInterceptor 사용자 정의 */
+        http
+                .addFilterBefore(customFilterSecurityInterceptor(), FilterSecurityInterceptor.class);
+
         http.csrf().disable();
     }
 
@@ -96,4 +106,32 @@ protected void configure(AuthenticationManagerBuilder auth) {
                 /* 사용자 정의된 Provider 처리 */
                 .authenticationProvider(authenticationProvider());
     }
+
+    @Override
+    public AuthenticationManager authenticationManagerBean() throws Exception {
+        return super.authenticationManagerBean();
+    }
+
+    @Bean
+    public FilterInvocationSecurityMetadataSource urlFilterInvocationSecurityMetadataSource() {
+        return new UrlFilterInvocationSecurityMetadataSource();
+    }
+
+    @Bean
+    public FilterSecurityInterceptor customFilterSecurityInterceptor() throws Exception {
+        FilterSecurityInterceptor filterSecurityInterceptor = new FilterSecurityInterceptor();
+        filterSecurityInterceptor.setSecurityMetadataSource(urlFilterInvocationSecurityMetadataSource());
+        filterSecurityInterceptor.setAccessDecisionManager(affirmativeBased());
+        filterSecurityInterceptor.setAuthenticationManager(authenticationManagerBean());
+        return filterSecurityInterceptor;
+    }
+
+    private AccessDecisionManager affirmativeBased() {
+        return new AffirmativeBased(getAccessDecisionVoters());
+    }
+
+    private List<AccessDecisionVoter<?>> getAccessDecisionVoters() {
+        return Arrays.asList(new RoleVoter());
+    }
+
 }
diff --git a/security-db-auth/src/main/java/kr/seok/security/metadatasource/UrlFilterInvocationSecurityMetadataSource.java b/security-db-auth/src/main/java/kr/seok/security/metadatasource/UrlFilterInvocationSecurityMetadataSource.java
@@ -0,0 +1,57 @@
+package kr.seok.security.metadatasource;
+
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.access.SecurityConfig;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterInvocationSecurityMetadataSource;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import javax.servlet.http.HttpServletRequest;
+import java.util.*;
+
+/**
+ * Resource와 매핑된 권한 정보 확인용
+ */
+public class UrlFilterInvocationSecurityMetadataSource implements FilterInvocationSecurityMetadataSource {
+    private LinkedHashMap<RequestMatcher, List<ConfigAttribute>> requestMap = new LinkedHashMap<>();
+
+    /**
+     *
+     * @param object FilterInvocation
+     * @return
+     * @throws IllegalArgumentException
+     */
+    @Override
+    public Collection<ConfigAttribute> getAttributes(Object object) throws IllegalArgumentException {
+        HttpServletRequest request = ((FilterInvocation)object).getRequest();
+
+        requestMap.put(new AntPathRequestMatcher("/mypage"), Arrays.asList(new SecurityConfig("ROLE_USER")));
+        if(requestMap != null) {
+            for(Map.Entry<RequestMatcher, List<ConfigAttribute>> entry : requestMap.entrySet()) {
+                RequestMatcher matcher = entry.getKey();
+                if(matcher.matches(request)) {
+                    /* 권한 정보 */
+                    return entry.getValue();
+                }
+            }
+        }
+        return null;
+    }
+
+    @Override
+    public Collection<ConfigAttribute> getAllConfigAttributes() {
+        Set<ConfigAttribute> allAttributes = new HashSet<>();
+
+        for (Map.Entry<RequestMatcher, List<ConfigAttribute>> entry : requestMap.entrySet()) {
+            allAttributes.addAll(entry.getValue());
+        }
+
+        return allAttributes;
+    }
+
+    @Override
+    public boolean supports(Class<?> clazz) {
+        return FilterInvocation.class.isAssignableFrom(clazz);
+    }
+}
diff --git a/security-db-auth/src/main/resources/application.yml b/security-db-auth/src/main/resources/application.yml
@@ -6,6 +6,9 @@ spring:
         enabled: true
       restart:
         enabled: true
+  thymeleaf:
+    cache: false
+
   profiles:
     # db 설정 파일, local (logback 설정 파일)
     include: db, local
