[security-db-method-auth] MapBasedSecurityMetadataSource(3)

Author: SeokRae

security-db-method-auth/src/main/java/kr/seok/security/config/MethodSecurityConfig.java

@@ -32,6 +32,7 @@ protected MethodSecurityMetadataSource customMethodSecurityMetadataSource() {
         return mapBasedMethodSecurityMetadataSource();
     }
 
+    /* 빈으로 등록된 Map 기반 Method MetadataSource */
     @Bean
     public MapBasedMethodSecurityMetadataSource mapBasedMethodSecurityMetadataSource() {
         /* 기본 생성자가 아니라 DB로 부터 가져온 ResourceMap을 전달 */

security-db-method-auth/src/main/java/kr/seok/security/config/SecurityConfig.java

@@ -1,9 +1,17 @@
 package kr.seok.security.config;
 
 
+import kr.seok.security.factory.UrlResourcesMapFactoryBean;
+import kr.seok.security.filter.PermitAllFilter;
+import kr.seok.security.form.common.FormAuthenticationDetailsSource;
+import kr.seok.security.form.handler.FormAccessDeniedHandler;
+import kr.seok.security.form.provider.FormAuthenticationProvider;
+import kr.seok.security.metadatasource.UrlFilterInvocationSecurityMetadataSource;
 import kr.seok.security.service.SecurityResourceService;
+import kr.seok.security.voter.IpAddressVoter;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.beans.factory.annotation.Qualifier;
+import org.springframework.boot.autoconfigure.security.servlet.PathRequest;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.security.access.AccessDecisionManager;

security-db-method-auth/src/main/java/kr/seok/security/factory/MethodResourceFactoryBean.java

@@ -7,6 +7,9 @@
 import java.util.LinkedHashMap;
 import java.util.List;
 
+/**
+ *
+ */
 public class MethodResourceFactoryBean implements FactoryBean<LinkedHashMap<String, List<ConfigAttribute>>> {
 
     private SecurityResourceService securityResourceService;

security-db-method-auth/src/main/java/kr/seok/security/factory/UrlResourcesMapFactoryBean.java

@@ -0,0 +1,42 @@
+package kr.seok.security.factory;
+
+import kr.seok.security.service.SecurityResourceService;
+import org.springframework.beans.factory.FactoryBean;
+import org.springframework.security.access.ConfigAttribute;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import java.util.LinkedHashMap;
+import java.util.List;
+
+public class UrlResourcesMapFactoryBean implements FactoryBean<LinkedHashMap<RequestMatcher, List<ConfigAttribute>>> {
+
+    private SecurityResourceService securityResourceService;
+    private LinkedHashMap<RequestMatcher, List<ConfigAttribute>> requestMap;
+
+    public void setSecurityResourceService(SecurityResourceService securityResourceService) {
+        this.securityResourceService = securityResourceService;
+    }
+
+    @Override
+    public LinkedHashMap<RequestMatcher, List<ConfigAttribute>> getObject() throws Exception {
+        if(requestMap == null) {
+            init();
+        }
+        return requestMap;
+    }
+
+    private void init() {
+        requestMap = securityResourceService.getResourceList();
+    }
+
+    @Override
+    public Class<?> getObjectType() {
+        return LinkedHashMap.class;
+    }
+
+    @Override
+    public boolean isSingleton() {
+        return true;
+    }
+
+}

security-db-method-auth/src/main/java/kr/seok/security/filter/PermitAllFilter.java

@@ -0,0 +1,77 @@
+package kr.seok.security.filter;
+
+import org.springframework.security.access.intercept.InterceptorStatusToken;
+import org.springframework.security.web.FilterInvocation;
+import org.springframework.security.web.access.intercept.FilterSecurityInterceptor;
+import org.springframework.security.web.util.matcher.AntPathRequestMatcher;
+import org.springframework.security.web.util.matcher.RequestMatcher;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * 권한이 없어 인가처리가 필요하지 않은 resource에 대해서 permit All 처리하는 Filter
+ */
+public class PermitAllFilter extends FilterSecurityInterceptor {
+
+    private static final String FILTER_APPLIED = "__spring_security_filterSecurityInterceptor_filterApplied";
+    private boolean observeOncePerRequest = true;
+
+    public List<RequestMatcher> permitAllRequestMatcher = new ArrayList<>();
+
+    public PermitAllFilter(String... permitAllResources) {
+        for(String resource : permitAllResources) {
+            permitAllRequestMatcher.add(new AntPathRequestMatcher(resource));
+        }
+    }
+
+    /**
+     *
+     * @param object FilterInvocation (사용자 정보를 가져올 수 있음)
+     * @return
+     */
+    @Override
+    protected InterceptorStatusToken beforeInvocation(Object object) {
+        boolean permitAll = false;
+        HttpServletRequest request = ((FilterInvocation) object).getRequest();
+        for(RequestMatcher requestMatcher : permitAllRequestMatcher) {
+            /* 허용한 resource */
+            if(requestMatcher.matches(request)) {
+                permitAll = true;
+                break;
+            }
+        }
+        /* 해당 경로가 permitAll에 해당하는 경로인 경우 return null; 처리 */
+        if(permitAll) {
+            return null;
+        }
+        /* 사용자 정의로 작성된 resource 경로 처리 후 상위 클래스로 이동하여 처리 */
+        return super.beforeInvocation(object);
+    }
+
+    public void invoke(FilterInvocation fi) throws IOException, ServletException {
+        if ((fi.getRequest() != null)
+                && (fi.getRequest().getAttribute(FILTER_APPLIED) != null)
+                && observeOncePerRequest) {
+            // filter already applied to this request and user wants us to observe
+            // once-per-request handling, so don't re-do security checking
+            fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+        }
+        else {
+            // first time this request being called, so perform security checking
+            if (fi.getRequest() != null && observeOncePerRequest) {
+                fi.getRequest().setAttribute(FILTER_APPLIED, Boolean.TRUE);
+            }
+            InterceptorStatusToken token = beforeInvocation(fi);
+            try {
+                fi.getChain().doFilter(fi.getRequest(), fi.getResponse());
+            } finally {
+                super.finallyInvocation(token);
+            }
+            super.afterInvocation(token, null);
+        }
+    }
+}

security-db-method-auth/src/main/java/kr/seok/security/form/common/FormAuthenticationDetailsSource.java

@@ -0,0 +1,18 @@
+package kr.seok.security.form.common;
+
+import org.springframework.security.authentication.AuthenticationDetailsSource;
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * AuthenticationDetails 를 생성하는 Bean 클래스
+ */
+@Component
+public class FormAuthenticationDetailsSource implements AuthenticationDetailsSource<HttpServletRequest , WebAuthenticationDetails> {
+    @Override
+    public WebAuthenticationDetails buildDetails(HttpServletRequest context) {
+        return new FormWebAuthenticationDetails(context);
+    }
+}

security-db-method-auth/src/main/java/kr/seok/security/form/common/FormWebAuthenticationDetails.java

@@ -0,0 +1,22 @@
+package kr.seok.security.form.common;
+
+import org.springframework.security.web.authentication.WebAuthenticationDetails;
+
+import javax.servlet.http.HttpServletRequest;
+
+/**
+ * 사용자가 요청한 request 에 추가적인 값을 설정 할 수 있는 클래스
+ */
+public class FormWebAuthenticationDetails extends WebAuthenticationDetails {
+
+    private String secretKey;
+
+    public FormWebAuthenticationDetails(HttpServletRequest request) {
+        super(request);
+        secretKey = request.getParameter("secret_key");
+    }
+
+    public String getSecretKey() {
+        return  secretKey;
+    }
+}

security-db-method-auth/src/main/java/kr/seok/security/form/handler/FormAccessDeniedHandler.java

@@ -0,0 +1,30 @@
+package kr.seok.security.form.handler;
+
+import lombok.extern.slf4j.Slf4j;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.web.access.AccessDeniedHandler;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Slf4j
+public class FormAccessDeniedHandler implements AccessDeniedHandler {
+
+    private String errorPage;
+
+    @Override
+    public void handle(
+            HttpServletRequest request, HttpServletResponse response, AccessDeniedException accessDeniedException
+    ) throws IOException {
+
+        log.debug("예외 : {} ", accessDeniedException.getMessage());
+        String deniedUrl = errorPage + "?exception=" + accessDeniedException.getMessage();
+        response.setHeader("Content-Type", "application/json;charset=UTF-8");
+        response.sendRedirect(deniedUrl);
+    }
+
+    public void setErrorPage(String errorPage) {
+        this.errorPage = errorPage;
+    }
+}

security-db-method-auth/src/main/java/kr/seok/security/form/handler/FormAuthenticationFailureHandler.java

@@ -0,0 +1,36 @@
+package kr.seok.security.form.handler;
+
+import org.springframework.security.authentication.BadCredentialsException;
+import org.springframework.security.authentication.InsufficientAuthenticationException;
+import org.springframework.security.core.AuthenticationException;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class FormAuthenticationFailureHandler extends SimpleUrlAuthenticationFailureHandler {
+    /* 인증 실패 처리 Handler */
+
+    @Override
+    public void onAuthenticationFailure(
+            HttpServletRequest request, HttpServletResponse response, AuthenticationException exception
+    ) throws IOException, ServletException {
+
+        /* Failure Handler */
+        String errorMsg = "Invalid Username or Password";
+
+        if(exception instanceof BadCredentialsException) {
+            errorMsg = "Invalid Username or Password";
+        } else if(exception instanceof InsufficientAuthenticationException) {
+            errorMsg = "Invalid Secret Key";
+        }
+
+        setDefaultFailureUrl("/login?error=true&exception=" + errorMsg);
+
+        super.onAuthenticationFailure(request, response, exception);
+    }
+}

security-db-method-auth/src/main/java/kr/seok/security/form/handler/FormAuthenticationSuccessHandler.java

@@ -0,0 +1,39 @@
+package kr.seok.security.form.handler;
+
+import org.springframework.security.core.Authentication;
+import org.springframework.security.web.DefaultRedirectStrategy;
+import org.springframework.security.web.RedirectStrategy;
+import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler;
+import org.springframework.security.web.savedrequest.HttpSessionRequestCache;
+import org.springframework.security.web.savedrequest.RequestCache;
+import org.springframework.security.web.savedrequest.SavedRequest;
+import org.springframework.stereotype.Component;
+
+import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
+import java.io.IOException;
+
+@Component
+public class FormAuthenticationSuccessHandler extends SimpleUrlAuthenticationSuccessHandler {
+
+    private RequestCache requestCache = new HttpSessionRequestCache();
+    private RedirectStrategy redirectStrategy = new DefaultRedirectStrategy();
+
+    @Override
+    public void onAuthenticationSuccess(
+            HttpServletRequest request, HttpServletResponse response, Authentication authentication
+    ) throws IOException {
+
+        /* 이전 요청이 없는 경우 이동할 기본 URL*/
+        setDefaultTargetUrl("/");
+
+        SavedRequest savedRequest = requestCache.getRequest(request, response);
+        /* 이전에 resource를 요청하지 않은 경우가 있을 수 있음 */
+        if(savedRequest != null) {
+            String targetUrl = savedRequest.getRedirectUrl();
+            redirectStrategy.sendRedirect(request, response, targetUrl);
+        } else {
+            redirectStrategy.sendRedirect(request, response, getDefaultTargetUrl());
+        }
+    }
+}